After you have published the SCIM microservice app to Azure, run the following PowerShell script to assign Graph API and Azure REST API permissions to the app service managed identity.
Set Graph API Permissions
Because the service principal is the identity that the Azure AD SCIM app service runs as when it calls Microsoft Graph, you need to assign it the permissions required for your use case. You assign these permissions using the Azure CLI, a command-line tool that you use to connect to Azure and execute administrative commands on Azure resources.
To assign permissions to the service principal, you need to complete the following tasks:
Install Azure CLI on your machine (if not already installed). For instructions, see Install the Azure CLI for Windows | Microsoft Docs.
Sign in to your tenant with Azure CLI using the credentials of a user with adequate permissions to execute the permissions script in Azure AD (owner at the tenant level).
Open an administrative command prompt or PowerShell session and assign permissions to the service principal for your use case.
Create an application in Azure AD and associate it with the certificate you generated in EmpowerID.
Install Azure CLI
If Azure CLI is not installed on your machine, see Microsoft's instructions for doing so here: Install the Azure CLI for Windows | Microsoft Docs. Once you install the CLI, sign in to your tenant with the Azure CLI using the credentials of a user with adequate permissions to execute the permissions script in Azure AD (owner at the tenant level), and then grant the service principal the appropriate access in Azure by running the permissions script shown in the Set Graph API Permissions section of this article.
Set Graph API Permissions
To set Graph API permissions, sign in to your tenant with the Azure CLI using the credentials of a user with adequate permissions to execute the script in Azure AD (owner at the tenant level), and then run the below script against the tenant in either an administrative command prompt or PowerShell session.
The permissions follow the least-privilege principle and include the following for managing Azure licenses:
Table 1: Permissions needed to manage Azure licenses in EmpowerID
Graph API / Permissions name | Access Granted by Permissions | Used By
---|---|---
AuditLog.Read.All | Read audit log data | App Service Managed Identity
Group.Read.All | Read group data | App Service Managed Identity
GroupMember.ReadWrite.All | Read and write group memberships | App Service Managed Identity
User.Read.All | Read user profile | App Service Managed Identity
Reports.Read.All | Read report data | App Service Managed Identity
Organization.Read.All | Read organization information | App Service Managed Identity
Policy.Read.All | Read your organization's policies | App Service Managed Identity
Policy.ReadWrite.ConditionalAccess | Read and write your organization's conditional access policies | App Service Managed Identity
Domain.Read.All | Read domains | App Service Managed Identity
In addition to adding the permissions, you need to enter values for the below parameters:
webApp — Name of the app service you created for the Azure AD SCIM microservice
Tip: When running the script, be sure to authenticate to Azure as a user with adequate permissions to execute it in Azure AD (owner at the tenant level).
Code Block
$webApp="<Web-App-Name>"
# Object ID of the app service's system-assigned managed identity (the quotes keep PowerShell from interpreting the JMESPath brackets)
$sprincipal_id=$(az resource list -n $webApp --query "[*].identity.principalId" --out tsv)
# Object ID of the Microsoft Graph service principal in this tenant (Azure CLI 2.37 and later return this property as 'id' instead of 'objectId')
$graphResourceId=$(az ad sp list --display-name "Microsoft Graph" --query "[0].objectId" --out tsv)
$uri="https://graph.microsoft.com/v1.0/servicePrincipals/$sprincipal_id/appRoleAssignments"
# Application permissions (app roles) to grant; trim this list to the permissions your use case actually needs (see Table 1)
$PermissionsToAdd = @("RoleManagement.ReadWrite.Directory","Directory.ReadWrite.All","Organization.Read.All", "User.Read.All", "Group.Read.All", "GroupMember.ReadWrite.All", "Reports.Read.All", "AuditLog.Read.All","Policy.Read.All","Policy.ReadWrite.ConditionalAccess","Application.Read.All","Domain.Read.All")
$PermissionsToAdd | foreach {
    # Resolve the app role id for this permission name, restricted to application-type roles
    $appRoleId=$(az ad sp list --display-name "Microsoft Graph" --query "[0].appRoles[?value=='$($_)' && contains(allowedMemberTypes, 'Application')].id" --output tsv)
    # Assign the app role to the managed identity through the Microsoft Graph appRoleAssignments endpoint
    $body="{'principalId':'$sprincipal_id','resourceId':'$graphResourceId','appRoleId':'$appRoleId'}"
    az rest --method post --uri $uri --body $body --headers "Content-Type=application/json"
}
Set Azure REST API Permissions
If you are managing Azure roles and management groups in EmpowerID, in addition to setting the above permissions for license management via PowerShell, you need to add the below permissions scoped to the appropriate Azure subscription(s) you want to manage in EmpowerID. These permissions allow EmpowerID to call the relevant Azure REST API endpoints needed to manage Azure roles and management groups.
Table 2: Permissions needed to manage Azure roles in EmpowerID (only the SCIM Endpoint column of this table is available here; the permission names and descriptions are not)
SCIM Endpoint
/v1/{0}/roleAssignment
/v1/{0}/roleAssignment/{1}
/v1/classicadministrator/{0}
v1/{0}:{1}/managedidentities/{2}
v1/{0}:{1}/managedidentities/{2}
/v1/{0}/roleAssignment/{1}
/v1/ManagementGroup/roleDefinition/{0}
/v1/ManagementGroup/roleDefinition/{0}
/v1/managementgroups/{0}
/v1/{0}/resources
/v1/{0}/roleDefinition
v1/{0}/SubscriptionUsages
The permissions needed to manage Azure licenses have already been added to the script's PermissionsToAdd parameter, shown below. To add permissions for role management, add the permission name from the Azure REST API / Permissions name column of Table 2: Permissions needed to manage Azure roles in EmpowerID. In addition to adding the permissions, you need to enter values for the script's tenantId and appServiceObjectID parameters.
Tip: When running the script, be sure to authenticate to Azure as a user with adequate permissions to execute it in Azure AD (owner at the tenant level).
Code Block
###############
## GRAPH API ##
###############
Param(
    $tenantId = "",
    $appServiceObjectID = "",
    $PermissionsToAdd = @("Organization.Read.All", "User.Read.All", "Group.Read.All", "GroupMember.ReadWrite.All", "Reports.Read.All", "AuditLog.Read.All")
)

# Install the AzureAD module if it is not already installed
if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    try {
        Install-Module AzureAD -Force
    }
    catch {
        if ($_.Exception.Message.Contains("Administrator rights")) {
            Write-Host "You must run the script with administrator rights"
        }
        else {
            Write-Error $_.Exception.Message
        }
    }
}

if (Get-Module -ListAvailable -Name AzureAD) {
    # Check whether this session is connected to the target Azure AD tenant
    try {
        $tenantDetail = Get-AzureADTenantDetail
    }
    catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] {
        Write-Host "You're not connected."
        Connect-AzureAD -TenantId $tenantId
        $tenantDetail = Get-AzureADTenantDetail
    }
    if ($tenantDetail.ObjectId -ne $tenantId) {
        Write-Host "You're not connected to the tenant: $tenantId"
        Connect-AzureAD -TenantId $tenantId
    }

    # Managed Identity for the SCIM App Service | Found in App Service -> Identity
    $ManagedIdentitiesServicePrincipal = Get-AzureADServicePrincipal -Filter "ObjectId eq '$appServiceObjectID'"
    if ($null -eq $ManagedIdentitiesServicePrincipal) {
        throw "Managed Identity for the app service is not found. `nApp Service Object ID: $appServiceObjectID"
    }

    # Resource Name : Microsoft Graph | Resource URI : https://graph.microsoft.com | Application ID : 00000003-0000-0000-c000-000000000000
    $GraphAppId = "00000003-0000-0000-c000-000000000000"
    $GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

    # Assign each requested application permission (app role) to the managed identity
    foreach ($PermissionToAdd in $PermissionsToAdd) {
        $AppRole = $GraphServicePrincipal.AppRoles | Where-Object { $_.Value -eq $PermissionToAdd.Trim() -and $_.AllowedMemberTypes -contains "Application" }
        if ($null -eq $AppRole) {
            Write-Error "Invalid Permission `nPermission name: $PermissionToAdd"
        }
        else {
            # Assigns the Graph API app role to the managed identity's service principal
            try {
                New-AzureADServiceAppRoleAssignment -ObjectId $ManagedIdentitiesServicePrincipal.ObjectId -PrincipalId $ManagedIdentitiesServicePrincipal.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id -ErrorAction Stop
            }
            catch {
                if ($_.Exception.ErrorContent.Message.Value.Contains("Permission being assigned already")) {
                    Write-Host "`"$($AppRole.DisplayName)`" permission is already assigned on the app service"
                }
                else {
                    Write-Error $_
                }
            }
        }
    }
}
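After running either of the scripts above, it is worth confirming what the managed identity actually holds before EmpowerID goes live with it. The following PowerShell snippet is an added example, not part of this article or of EmpowerID's scripts: it reads the Graph app role assignments on the app service identity through Azure CLI and compares them with the least-privilege set in Table 1. It assumes Azure CLI is installed and signed in as described above, and the "<Web-App-Name>" value is a placeholder you replace.

```powershell
# Added example: audit the Microsoft Graph app roles assigned to the SCIM app service
# managed identity against the Table 1 set. Assumes Azure CLI is installed and 'az login'
# has already been run as a tenant owner. <Web-App-Name> is a placeholder.
$webApp = "<Web-App-Name>"

# Least-privilege set documented in Table 1 for license management
$Expected = @("AuditLog.Read.All", "Group.Read.All", "GroupMember.ReadWrite.All", "User.Read.All",
              "Reports.Read.All", "Organization.Read.All", "Policy.Read.All",
              "Policy.ReadWrite.ConditionalAccess", "Domain.Read.All")

# Object ID of the app service's system-assigned managed identity
$principalId = az resource list -n $webApp --resource-type "Microsoft.Web/sites" `
    --query "[*].identity.principalId" --output tsv

# Microsoft Graph service principal, looked up by its well-known appId rather than by display name
$graph = az ad sp show --id 00000003-0000-0000-c000-000000000000 --output json | ConvertFrom-Json
# Azure CLI 2.37+ exposes the object id as 'id'; older versions use 'objectId'
$graphObjectId = if ($graph.id) { $graph.id } else { $graph.objectId }

# Map application-type app role ids to their permission names (e.g. User.Read.All)
$roleName = @{}
foreach ($r in $graph.appRoles) {
    if ($r.allowedMemberTypes -contains "Application") { $roleName[$r.id] = $r.value }
}

# Current app role assignments on the managed identity, restricted to those granted on Microsoft Graph
$uri = "https://graph.microsoft.com/v1.0/servicePrincipals/$principalId/appRoleAssignments"
$assigned = @((az rest --method get --uri $uri --output json | ConvertFrom-Json).value |
    Where-Object { $_.resourceId -eq $graphObjectId } |
    ForEach-Object { $roleName[$_.appRoleId] } |
    Where-Object { $_ })

$missing = @($Expected | Where-Object { $_ -notin $assigned })
$extra   = @($assigned | Where-Object { $_ -notin $Expected })

"Graph application permissions currently assigned to $webApp :"
$assigned | Sort-Object | ForEach-Object { "  $_" }
if ($missing.Count) { Write-Warning ("Listed in Table 1 but not assigned: " + ($missing -join ", ")) }
if ($extra.Count)   { Write-Warning ("Assigned but not listed in Table 1, review before keeping: " + ($extra -join ", ")) }
```

Anything reported as extra (for example permissions that the first script grants beyond Table 1) is a candidate for removal unless your role-management use case requires it.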
To set the Azure REST API Permissions for the target subscription, do the following:
Next Steps
Connect EmpowerID to Azure Active Directory