...
If you are managing Azure roles and management groups in EmpowerID, in addition to setting the above permissions for user, group, and license management via PowerShell, you need to add the below permissions scoped to the appropriate Azure subscription(s) you want to manage in EmpowerID. These permissions allow EmpowerID to call the relevant Azure REST API endpoints needed to manage Azure roles and management groups.
...
| Azure REST API / Permissions name | Access Granted by Permissions | Used By |
| --- | --- | --- |
| Microsoft.ManagedIdentity/userAssignedIdentities/write | User Assigned Identities - Create | App service managed identity |
| Microsoft.Authorization/roleAssignments/write | Role Assignments - Create | App service managed identity |
| Microsoft.Authorization/roleAssignments/read | Role Assignments - Delete | App service managed identity |
| Microsoft.Authorization/classicAdministrators/read | Classic Administrators - List | App service managed identity |
| Microsoft.ManagedIdentity/userAssignedIdentities/read | User Assigned Identities - List By Resource Group / Subscription | App service managed identity |
| Microsoft.ManagedIdentity/userAssignedIdentities/delete | User Assigned Identities - Delete | App service managed identity |
| Microsoft.ManagedIdentity/userAssignedIdentities/write | User Assigned Identities - Create Or Update (UPDATE) | App service managed identity |
| Microsoft.Authorization/roleAssignments/read | Role Assignments - Get | App service managed identity |
| Microsoft.Authorization/roleAssignments/delete | Role Assignments - Delete | App service managed identity |
| Microsoft.Authorization/roleDefinitions/read | Role Definitions - Get | App service managed identity |
| Microsoft.Authorization/roleDefinitions/write | Role Definitions - Create | App service managed identity |
| Microsoft.Authorization/roleDefinitions/delete | Role Definitions - Delete | App service managed identity |
| Microsoft.Authorization/roleDefinitions/write | Role Definitions - Update | App service managed identity |
| Microsoft.Management/managementGroups/read | Management Groups - Get | App service managed identity |
| Microsoft.Resources/subscriptions/resourceGroups/read | Resource Groups - List | App service managed identity |
| Microsoft.Resources/subscriptions/resources | Resources - List | App service managed identity |
| Microsoft.Authorization/roleAssignments/read | Role Assignments - List | App service managed identity |
| Microsoft.Authorization/roleDefinitions/read | Role Definitions - List | App service managed identity |
| Microsoft.Resources/tenant/read | Tenants - List | App service managed identity |
| Microsoft.Resources/subscriptions/read | Subscriptions | App service managed identity |
| Microsoft.Consumption/usageDetails/read | Usage Details - List | App service managed identity |
The permissions needed to manage Azure licenses have already been added to the script's PermissionsToAdd parameter, shown below. To add permissions for role management, add the permission name from the Azure REST API / Permissions name column of Table 2: Permissions needed to manage Azure roles in EmpowerID.
In addition to adding the permissions, you need to enter values for the below parameters:
webApp — Name of the app service you created for the Azure AD SCIM microservice
appServiceObjectID — Object ID of the Azure AD SCIM app service you created. This can be found on the Identities blade on the app service.
...
To set the Azure REST API Permissions for the target subscription, do the following:
...
1. In Azure, navigate to the target subscription and select Access control (IAM) from the Azure navbar.
2. On the Access control (IAM) page, click Add and select Add custom role.
3. Under Basics, enter a Custom role name.
4. Select the Permissions tab and click Add permissions.
5. Search for Microsoft.ManagedIdentity and click the Microsoft Managed Identity tile.
6. For Actions, under Microsoft.ManagedIdentity/userAssignedIdentities, select the following:
   Read : Get User Assigned Identity
   Write : Create/Update User Assigned Identity
   Delete : Delete User Assigned Identity
7. Click Add.
8. Back on the Create a custom role page, click Add permissions again and then search for Microsoft.Authorization.
9. Click the Microsoft Authorization tile and then add the below permissions:
   Microsoft.Authorization/roleAssignments
     Read : Get role assignment
     Write : Create role assignment
     Delete : Delete role assignment
   Microsoft.Authorization/roleDefinitions
     Read : Get role definition
     Write : Create or update custom role definition
     Delete : Delete custom role definition
10. Click Add.
11. Back on the Create a custom role page, click Add permissions again and then search for Microsoft.Management.
12. Click the Microsoft Management tile and select Read : List Groups under Microsoft.Management/managementGroups.
13. Click Add.
14. Back on the Create a custom role page, click Add permissions again, and then search for Microsoft.Resources.
15. Click the Microsoft Resources tile and then select the following permissions:
   Microsoft.Resources/subscriptions/resourcegroups
     Read : Get Resource Group
   Microsoft.Resources/subscriptions/resources
     Read : Get Subscription Resources
   Microsoft.Resources/tenant
     Read : Get Tenants
16. Click Add.
17. Back on the Create a custom role page, select the Assignable scopes tab and verify the scope.
18. Click Review + Create.
19. Review the permissions and then click Create.
20. Click OK to close the "created custom role" message.
Now that you have created the custom role with the needed permissions, you need to assign the Azure AD SCIM microservice to the role.

1. On the Access control (IAM) page, click Add > Add role assignment.
2. In the Add role assignment pane that appears, enter the following:
   Role – Select the custom role you just created
   Assign access to – App Service
   Subscription – Target subscription
   Select – The SCIM app service you created earlier.
3. Click Save to add the role assignment.
4. On the Access control (IAM) page, select the Role assignments tab. You should see the SCIM app service you created assigned to the custom role.
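The same custom role and assignment can be created with the Az PowerShell module, which also lets you check afterwards that the role grants exactly the actions from the portal steps and nothing broader. This is an added example, not part of the EmpowerID documentation or its script; the subscription ID, role name and app service object ID (the appServiceObjectID value from the Identity blade) are placeholders you must replace.

```powershell
# Replace these three placeholders with values from your tenant (constructed values shown).
$subscriptionId     = '00000000-0000-0000-0000-000000000000'  # placeholder: target subscription
$roleName           = 'EmpowerID Azure Role Management'        # placeholder: custom role name
$appServiceObjectId = '11111111-1111-1111-1111-111111111111'  # placeholder: appServiceObjectID from the Identity blade
$scope = "/subscriptions/$subscriptionId"
# The actions selected in the portal steps. Microsoft.Resources/tenants/read is the published
# operation name for "Get Tenants" (the table above spells it tenant/read).
$requiredActions = @(
    'Microsoft.ManagedIdentity/userAssignedIdentities/read',
    'Microsoft.ManagedIdentity/userAssignedIdentities/write',
    'Microsoft.ManagedIdentity/userAssignedIdentities/delete',
    'Microsoft.Authorization/roleAssignments/read',
    'Microsoft.Authorization/roleAssignments/write',
    'Microsoft.Authorization/roleAssignments/delete',
    'Microsoft.Authorization/roleDefinitions/read',
    'Microsoft.Authorization/roleDefinitions/write',
    'Microsoft.Authorization/roleDefinitions/delete',
    'Microsoft.Management/managementGroups/read',
    'Microsoft.Resources/subscriptions/resourceGroups/read',
    'Microsoft.Resources/subscriptions/resources/read',
    'Microsoft.Resources/tenants/read'
)
# Create the role once; New-AzRoleDefinition reads the definition from a JSON file.
if (-not (Get-AzRoleDefinition -Name $roleName -Scope $scope)) {
    $definition = @{
        Name             = $roleName
        IsCustom         = $true
        Description      = 'Lets the EmpowerID SCIM app service manage Azure roles and management groups'
        Actions          = $requiredActions
        NotActions       = @()
        AssignableScopes = @($scope)   # same check as the Assignable scopes tab in the portal
    }
    $file = Join-Path ([IO.Path]::GetTempPath()) 'empowerid-role.json'
    $definition | ConvertTo-Json -Depth 4 | Set-Content -Path $file -Encoding utf8
    New-AzRoleDefinition -InputFile $file | Out-Null
}
# Assign the role to the app service's managed identity at subscription scope.
New-AzRoleAssignment -ObjectId $appServiceObjectId -RoleDefinitionName $roleName -Scope $scope | Out-Null
# Least-privilege check: every required action present, no wildcard actions, assignment visible.
$granted    = (Get-AzRoleDefinition -Name $roleName -Scope $scope).Actions
$missing    = $requiredActions | Where-Object { $granted -notcontains $_ }
$wildcard   = $granted | Where-Object { $_ -like '*`**' }
$assignment = Get-AzRoleAssignment -ObjectId $appServiceObjectId -RoleDefinitionName $roleName -Scope $scope
if ($missing -or $wildcard -or -not $assignment) {
    Write-Warning "Missing: $($missing -join ', ') | Wildcards: $($wildcard -join ', ') | Assigned: $([bool]$assignment)"
} else {
    Write-Host "Role '$roleName' grants exactly the $($requiredActions.Count) required actions and is assigned"
}
```

The table above also lists Microsoft.Consumption/usageDetails/read, which the portal steps do not add; append it to $requiredActions if EmpowerID needs usage details in your environment.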
...