...
In addition to adding the permissions, you need to enter values for the below parameters:
webApp – Name of the app service you created for the Azure AD SCIM microservice
...
Code Block

```powershell
az login
$webApp = "<Web-App-Name>"   # name of the app service created for the Azure AD SCIM microservice

# Object ID of the app service's system-assigned managed identity
$sprincipal_id = $(az resource list -n $webApp --query "[*].identity.principalId" --out tsv)

# Object ID of the Microsoft Graph service principal in the tenant
# (on Azure CLI 2.37 and later this property is named 'id' instead of 'objectId')
$graphResourceId = $(az ad sp list --display-name "Microsoft Graph" --query "[0].objectId" --out tsv)

$uri = "https://graph.microsoft.com/v1.0/servicePrincipals/$sprincipal_id/appRoleAssignments"

# Microsoft Graph application permissions to grant to the managed identity
$PermissionsToAdd = @(
  "Directory.Read.All", "Organization.Read.All", "User.Read.All", "Group.Read.All",
  "GroupMember.Read.All", "Reports.Read.All", "AuditLog.Read.All", "Policy.Read.All",
  "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "Domain.Read.All"
)

$PermissionsToAdd | ForEach-Object {
  # Look up the app role ID for this permission name (application-type roles only)
  $appRoleId = $(az ad sp list --display-name "Microsoft Graph" --query "[0].appRoles[?value=='$($_)' && contains(allowedMemberTypes, 'Application')].id" --output tsv)
  # Assign the app role to the managed identity
  $body = "{'principalId':'$sprincipal_id','resourceId':'$graphResourceId','appRoleId':'$appRoleId'}"
  az rest --method post --uri $uri --body $body --headers "Content-Type=application/json"
}
```
Verify Permissions
After setting permissions for the app service, you can verify them by doing the following:
In Azure, navigate to your Azure Active Directory.
On the Azure Active Directory navbar, click Enterprise applications.
For Application type, select Managed Identities to filter the applications.
Click Apply.
Click the Name link for your application.
Under Security on the navbar, click Permissions.
You should see the permissions you set in the script granted to the application. Note that Admin consent has been granted for each permission.
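The portal check above can also be done from the command line. The following script is an added example and is not part of the original page or of EmpowerID's own tooling: it reads the managed identity's appRoleAssignments through Microsoft Graph, maps each assignment back to a permission name, and reports anything missing from, or granted beyond, the list the script above assigns. The `$webApp` value is a placeholder you fill in; the expected-permission list is copied from the script above (note that Policy.ReadWrite.ConditionalAccess is the only write permission in it, so an unexpected extra write grant is worth catching). It assumes Azure CLI is installed and `az login` has already been run.

```powershell
# Added verification example (not from the original page).
$webApp = "<Web-App-Name>"   # placeholder: name of the app service for the Azure AD SCIM microservice

# Permissions the provisioning script is expected to have granted
$ExpectedPermissions = @(
  "Directory.Read.All", "Organization.Read.All", "User.Read.All", "Group.Read.All",
  "GroupMember.Read.All", "Reports.Read.All", "AuditLog.Read.All", "Policy.Read.All",
  "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "Domain.Read.All"
)

# Object ID of the app service's system-assigned managed identity
$sprincipal_id = $(az resource list -n $webApp --query "[*].identity.principalId" --out tsv)

# Microsoft Graph service principal, so app role IDs can be mapped back to permission names
# (Out-String joins the CLI's multi-line JSON output before it is parsed)
$graphSp = az ad sp list --display-name "Microsoft Graph" --query "[0]" | Out-String | ConvertFrom-Json
$roleNames = @{}
foreach ($role in $graphSp.appRoles) { $roleNames[$role.id] = $role.value }

# App role assignments currently held by the managed identity
$uri = "https://graph.microsoft.com/v1.0/servicePrincipals/$sprincipal_id/appRoleAssignments"
$assignments = (az rest --method get --uri $uri | Out-String | ConvertFrom-Json).value

# Keep only assignments on the Microsoft Graph resource and translate them to permission names
# (filtering on resourceDisplayName avoids depending on the objectId/id naming of the CLI version)
$granted = $assignments |
  Where-Object { $_.resourceDisplayName -eq "Microsoft Graph" } |
  ForEach-Object { $roleNames[$_.appRoleId] }

$missing = $ExpectedPermissions | Where-Object { $granted -notcontains $_ }
$extra   = $granted | Where-Object { $ExpectedPermissions -notcontains $_ }

if ($missing) { Write-Warning "Missing permissions: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Permissions granted beyond the expected list: $($extra -join ', ')" }
if (-not $missing -and -not $extra) {
  Write-Host "All expected permissions, and no others, are granted to $webApp."
}
```

Because the check compares in both directions, it serves as a quick drift check as well: re-running it later flags any Graph permission that was added to or removed from the managed identity outside the provisioning script.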
Set Azure REST API Permissions

If you are managing Azure roles and management groups in EmpowerID, then in addition to setting the above permissions for license management via PowerShell, you need to add the below permissions, scoped to the appropriate Azure subscription(s) you want to manage in EmpowerID. These permissions allow EmpowerID to call the Azure REST API endpoints needed to manage Azure roles and management groups.

Table 2: Permissions needed to manage Azure roles in EmpowerID
The permissions needed to manage Azure licenses have already been added to the script's PermissionsToAdd parameter, shown below. To add permissions for role management, add the permission name from the "Azure REST API / Permissions name" column of Table 2 (Permissions needed to manage Azure roles in EmpowerID) to that parameter. In addition to adding the permissions, you need to enter values for the below parameters:
To set the Azure REST API Permissions for the target subscription, do the following:
...