If Azure CLI is not installed on your machine, please see Microsoft’s instructions for doing so here: Install the Azure CLI for Windows | Microsoft Docs.
Set Graph API Permissions
To set Graph API permissions, execute the below script in either an administrative command prompt or PowerShell session. When executing the script, Azure prompts you to log in to your tenant. Be sure to authenticate with the credentials of a user who can add Microsoft Graph permissions to the App Service managed identity (owner at the tenant level).
The default script assigns the permissions listed in Table 1 to the managed identity. Before executing the script, change the permissions as needed for your scenario. For example, one of the permissions being assigned is

Table 1:

Graph API / Permissions name | Access Granted by Permissions | Used By
---|---|---
AuditLog.Read.All | Read audit log data | App Service Managed Identity
Group.Read.All | |
Before running the script, be sure to enter values for the following parameters:

- SubscriptionID – Subscription ID of the subscription with the app service
- webApp – Name of the app service you created for the Azure AD SCIM microservice
Tip: When running the script, Azure will open your default browser and prompt you for credentials. Be sure to authenticate to Azure as a user with adequate permissions to execute it in Azure AD (owner at the tenant level). Once you have authenticated, the rest of the script will execute. Additionally, change the permissions from
Note: The permissions in the script are for read/inventory only. If your use case requires additional permissions like create, update, delete, etc., you must update the script with those permissions.
```powershell
az login
az account set -s "<SubscriptionID>"
$webApp = "<Web-App-Name>"

# Object id of the app service's system-assigned managed identity
$sprincipal_id = $(az resource list -n $webApp --query "[*].identity.principalId" --out tsv)

# Object id of the Microsoft Graph service principal in this tenant.
# On Azure CLI 2.37 and later the property is named "id" rather than "objectId".
$graphResourceId = $(az ad sp list --display-name "Microsoft Graph" --query "[0].objectId" --out tsv)

$uri = "https://graph.microsoft.com/v1.0/servicePrincipals/$sprincipal_id/appRoleAssignments"

# Application permissions to grant; edit this list for your scenario
$PermissionsToAdd = @(
    "Directory.Read.All", "Organization.Read.All", "User.Read.All", "Group.Read.All",
    "GroupMember.Read.All", "Reports.Read.All", "AuditLog.Read.All", "Policy.Read.All",
    "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "Domain.Read.All"
)

$PermissionsToAdd | foreach {
    # Resolve the permission name to the id of the matching application-type app role
    $appRoleId = $(az ad sp list --display-name "Microsoft Graph" --query "[0].appRoles[?value=='$($_)' && contains(allowedMemberTypes, 'Application')].id" --output tsv)
    $body = "{'principalId':'$sprincipal_id','resourceId':'$graphResourceId','appRoleId':'$appRoleId'}"
    az rest --method post --uri $uri --body $body --headers "Content-Type=application/json"
}
```
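The following script is an added example, not the script shipped with EmpowerID or the Microsoft sample it resembles. It performs the same app-role assignments as the script above but adds the checks an operator usually wants before granting a managed identity tenant-wide read access: Microsoft Graph is resolved by its well-known application id rather than by display name, a permission name that does not resolve to an application-type app role (a typo, or a delegated-only scope) stops the script instead of being silently skipped, roles already assigned are left alone so the script can be re-run, and the identity's resulting Graph permissions are listed at the end. It assumes Azure CLI 2.37 or later (where service principal objects expose `id` rather than `objectId`) and a caller who can grant app roles on Microsoft Graph. The parameter names and the default `$PermissionsToAdd` list come from the page's script; everything else is this example's own.

```powershell
# Added example: grant Microsoft Graph application permissions to an App Service
# managed identity, with name validation, idempotent re-runs and a final report.
# Assumes Azure CLI >= 2.37 and an already logged-in session (az login).
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $WebApp,
    [string[]] $PermissionsToAdd = @(
        "Directory.Read.All", "Organization.Read.All", "User.Read.All", "Group.Read.All",
        "GroupMember.Read.All", "Reports.Read.All", "AuditLog.Read.All", "Policy.Read.All",
        "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "Domain.Read.All"
    )
)
$ErrorActionPreference = "Stop"
az account set -s $SubscriptionId

# Object id of the app service's system-assigned managed identity
$principalId = az resource list -n $WebApp --resource-type "Microsoft.Web/sites" `
    --query "[0].identity.principalId" --output tsv
if (-not $principalId) { throw "App service '$WebApp' has no system-assigned managed identity." }

# Microsoft Graph has the same application (client) id in every tenant; resolving it by id
# cannot pick up a differently named or look-alike service principal.
$graphAppId = "00000003-0000-0000-c000-000000000000"
$graph = az ad sp show --id $graphAppId --output json | ConvertFrom-Json
$graphSpId = $graph.id

# App roles the identity already holds on Graph, so re-runs do not create duplicates
$assignUri = "https://graph.microsoft.com/v1.0/servicePrincipals/$principalId/appRoleAssignments"
$existing = (az rest --method get --uri $assignUri --output json | ConvertFrom-Json).value |
    Where-Object { $_.resourceId -eq $graphSpId } | ForEach-Object { $_.appRoleId }

foreach ($name in $PermissionsToAdd) {
    # Only roles whose allowedMemberTypes include "Application" can be granted to an identity;
    # a delegated-only scope or a misspelt name yields no match and must not be ignored.
    $role = $graph.appRoles | Where-Object { $_.value -eq $name -and $_.allowedMemberTypes -contains "Application" }
    if (-not $role) { throw "'$name' is not an application permission on Microsoft Graph; check the spelling." }
    if ($existing -contains $role.id) { Write-Host "Already granted: $name"; continue }

    # The JSON body goes through a temp file so PowerShell cannot mangle its quotes
    # on the way into the native az process.
    $tmp = New-TemporaryFile
    @{ principalId = $principalId; resourceId = $graphSpId; appRoleId = $role.id } |
        ConvertTo-Json -Compress | Set-Content -Path $tmp.FullName -Encoding ascii
    az rest --method post --uri $assignUri --headers "Content-Type=application/json" `
        --body "@$($tmp.FullName)" | Out-Null
    Remove-Item $tmp.FullName
    Write-Host "Granted: $name"
}

# Report what the identity now holds on Microsoft Graph, resolved back to permission names
$granted = (az rest --method get --uri $assignUri --output json | ConvertFrom-Json).value |
    Where-Object { $_.resourceId -eq $graphSpId } |
    ForEach-Object { $id = $_.appRoleId; ($graph.appRoles | Where-Object { $_.id -eq $id }).value }
Write-Host "Application permissions on Microsoft Graph for ${WebApp}: $($granted -join ', ')"
```

Run it as `.\Grant-GraphPermissions.ps1 -SubscriptionId <SubscriptionID> -WebApp <Web-App-Name>` (the file name is arbitrary); pass `-PermissionsToAdd` to override the default list. The closing report is the command-line counterpart of the Enterprise applications > Permissions view used in the verification steps below, and is worth keeping in the change record for the identity.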
Verify Permissions
After setting permissions for the app service, you can verify them by doing the following:

1. In Azure, navigate to your Azure Active Directory.
2. On the Azure Active Directory navbar, click Enterprise applications.
3. For Application type, select Managed Identities to filter the applications.
4. Click Apply.
5. Click the Name link for your application.
6. Under Security on the navbar, click Permissions.

You should see the permissions you set in the script granted to the application. Note that Admin consent has been granted for each permission.
Set Azure REST API Permissions
If you are managing Azure roles and management groups in EmpowerID, in addition to setting the above permissions for user, group, and license management, you need to add the below permissions scoped to the appropriate Azure subscription(s) you want to manage in EmpowerID. These permissions allow EmpowerID to call the relevant Azure REST API endpoints needed to manage Azure roles and management groups.
Table 2: Permissions needed to manage Azure roles in EmpowerID

Azure REST API / Permissions name | Access Granted by Permissions | Used By
---|---|---
Microsoft.ManagedIdentity/userAssignedIdentities/write | User Assigned Identities - Create | App service managed identity
Microsoft.Authorization/roleAssignments/write | Role Assignments - Create | App service managed identity
Microsoft.Authorization/roleAssignments/read | Role Assignments - Delete | App service managed identity
Microsoft.Authorization/classicAdministrators/read | Classic Administrators - List | App service managed identity
Microsoft.ManagedIdentity/userAssignedIdentities/read | User Assigned Identities - List By Resource Group / Subscription | App service managed identity
Microsoft.ManagedIdentity/userAssignedIdentities/delete | User Assigned Identities - Delete | App service managed identity
Microsoft.ManagedIdentity/userAssignedIdentities/write | User Assigned Identities - Create Or Update (UPDATE) | App service managed identity
Microsoft.Authorization/roleAssignments/read | Role Assignments - Get | App service managed identity
Microsoft.Authorization/roleAssignments/delete | Role Assignments - Delete | App service managed identity
Microsoft.Authorization/roleAssignments/write | Role Assignments - Create | App service managed identity
Microsoft.Authorization/roleDefinitions/read | Role Definitions - Get | App service managed identity
Microsoft.Authorization/roleDefinitions/write | Role Definitions - Create | App service managed identity
Microsoft.Authorization/roleDefinitions/delete | Role Definitions - Delete | App service managed identity
Microsoft.Authorization/roleDefinitions/write | Role Definitions - Update | App service managed identity
Microsoft.ManagedIdentity/userAssignedIdentities/read | User Assigned Identities - List By Resource Group / Subscription | App service managed identity
Microsoft.Management/managementGroups/read | Management Groups - Get | App service managed identity
Microsoft.Resources/subscriptions/resourceGroups/read | Resource Groups - List | App service managed identity
Microsoft.Resources/subscriptions/resources | Resources - List | App service managed identity
Microsoft.Authorization/roleAssignments/read | Role Assignments - List | App service managed identity
Microsoft.Authorization/roleDefinitions/read | Role Definitions - List | App service managed identity
Microsoft.Resources/tenant/read | Tenants - List | App service managed identity
Microsoft.Resources/subscriptions/read | Subscriptions | App service managed identity
Microsoft.Consumption/usageDetails/read | Usage Details - List | App service managed identity

Table 1: Graph API least privileged permissions

Graph API Least Privileged Permission | Access Granted by Permissions
---|---
Group.Read.All | Get group
User.Read.All | List users
Group.Create | Create group
User.ReadWrite.All | Create User
User.Read.All | Get delta (group)
User.Read.All | Get delta (user)
Contacts.Read | Get contact
Application.ReadWrite.OwnedBy | Get application
Directory.Read.All | Get appRoleAssignment
RoleManagement.Read.Directory | List members
RoleManagement.ReadWrite.Directory | Add or Remove directory role member
Group.Read.All | Get group
Group.ReadWrite.All | Delete group
Group.ReadWrite.All | Update group
Application.ReadWrite.OwnedBy | Get servicePrincipal
Application.ReadWrite.OwnedBy | Delete servicePrincipal
Application.ReadWrite.OwnedBy | Update servicePrincipal
User.ReadWrite.All | Create a User
User.Read.All | Get a User
User.ReadWrite.All | Delete a user
User.ReadWrite.All | Update a user
RoleManagement.Read.Directory | List members
RoleManagement.Read.Directory | List unifiedRoleDefinitions
RoleManagement.Read.Directory | Get directoryRole
RoleManagement.ReadWrite.Directory | Activate directoryRole
RoleManagement.ReadWrite.Directory | Add or Remove member
Directory.Read.All | List domains
User.Read.All | List members
GroupMember.ReadWrite.All | Add members
Group.Read.All | Get delta (group)
User.Read.All | Get delta (user)
Organization.Read.All | Get subscribedSku
Application.ReadWrite.OwnedBy | Get service principal
RoleManagement.Read.Directory | Get unifiedRoleAssignment
AuditLog.Read.All | List sign-ins
Group.Read.All | Get group
Group.ReadWrite.All | Delete group
Group.ReadWrite.All | Update group
User.Read.All | Get a User
User.ReadWrite.All | Update a User
User.ReadWrite.All | Delete a user
Directory.AccessAsUser.All | Update a User
Create a Custom Role in Azure if Managing Azure Roles and Management Groups from EmpowerID
If you are managing Azure roles and management groups in EmpowerID, in addition to adding the needed permissions in the above script, you need to create a custom role and add those permissions to the role as shown in the below procedure.
1. In Azure, navigate to the target subscription and select Access control (IAM) from the Azure navbar.
2. On the Access Control (IAM) page, click Add and select Add custom role.
3. Under Basics, enter a Custom role name.
4. Select the Permissions tab and click Add permissions.
5. Search for Microsoft.ManagedIdentity and click the Microsoft Managed Identity tile.
6. For Actions, under Microsoft.ManagedIdentity/userAssignedIdentities, select the following:
   - Read : Get User Assigned Identity
   - Write : Create/Update User Assigned Identity
   - Delete : Delete User Assigned Identity
7. Click Add.
8. Back on the Create a custom role page, click Add permissions again and then search for Microsoft.Authorization.
9. Click the Microsoft Authorization tile and then add the below permissions:
   - Microsoft.Authorization/roleAssignments
     - Read : Get role assignment
     - Write : Create role assignment
     - Delete : Delete role assignment
   - Microsoft.Authorization/roleDefinitions
     - Read : Get role definition
     - Write : Create or update custom role definition
     - Delete : Delete custom role definition
10. Click Add.
11. Back on the Create a custom role page, click Add permissions again and then search for Microsoft.Management.
12. Click the Microsoft Management tile and select Read : List Groups under Microsoft.Management/managementGroups.
13. Click Add.
14. Back on the Create a custom role page, click Add permissions again, and then search for Microsoft.Resources.
15. Click the Microsoft Resources tile and then select the following permissions:
   - Microsoft.Resources/subscriptions/resourcegroups
     - Read : Get Resource Group
   - Microsoft.Resources/subscriptions/resources
     - Read : Get Subscription Resources
   - Microsoft.Resources/tenant
     - Read : Get Tenants
16. Click Add.
17. Back on the Create a custom role page, select the Assignable scopes tab and verify the scope.
18. Click Review + Create.
19. Review the permissions and then click Create.
20. Click OK to close the “created custom role” message.

Now that you have created the custom role with the needed permissions, you need to assign the Azure AD SCIM microservice to the role.

1. On the Access control (IAM) page, click Add > Add role assignment.
2. In the Add role assignment pane that appears, enter the following:
   - Role – Select the custom role you just created
   - Assign access to – App Service
   - Subscription – Target subscription
   - Select – The SCIM app service you created earlier.
3. Click Save to add the role assignment.
4. On the Access control (IAM) page, select the Role assignments tab. You should see the SCIM app service you created assigned to the custom role.
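As an added example (not EmpowerID's own tooling), the custom role and the role assignment from the two procedures above can be created from PowerShell with Azure CLI, which gives a reviewable record of exactly which actions the SCIM identity received and at which scope. The action names are the ones selected in the procedure; the role name, the description and the `$ResourceGroup` parameter are constructed for this example, and the caller is assumed to hold Owner or User Access Administrator on the target subscription. Table 2 lists a few further actions (classic administrators, subscriptions, usage details) that can be added to `$actions` in the same way.

```powershell
# Added example: create the custom role from the procedure above as a role definition
# scoped to one subscription and assign it to the SCIM app service's managed identity.
# Assumes Azure CLI is installed and logged in (az login).
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ResourceGroup,   # resource group of the SCIM app service
    [Parameter(Mandatory)] [string] $WebApp,          # the app service created for the SCIM microservice
    [string] $RoleName = "EmpowerID SCIM Azure Role Manager"   # constructed name; pick your own
)
$ErrorActionPreference = "Stop"
az account set -s $SubscriptionId
$scope = "/subscriptions/$SubscriptionId"

# Control-plane actions selected in the portal procedure. The portal's "Get Tenants" operation
# is the provider action Microsoft.Resources/tenants/read (the page's table writes it as tenant/read).
$actions = @(
    "Microsoft.ManagedIdentity/userAssignedIdentities/read",
    "Microsoft.ManagedIdentity/userAssignedIdentities/write",
    "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Authorization/roleDefinitions/read",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/roleDefinitions/delete",
    "Microsoft.Management/managementGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resources/read",
    "Microsoft.Resources/tenants/read"
)

# Role definition in the JSON shape expected by "az role definition create"
$definition = @{
    Name             = $RoleName
    IsCustom         = $true
    Description      = "Lets the EmpowerID SCIM microservice manage role assignments, custom roles and user-assigned identities, and read management groups."
    Actions          = $actions
    NotActions       = @()
    DataActions      = @()
    NotDataActions   = @()
    AssignableScopes = @($scope)   # only the subscription EmpowerID is meant to manage
}
$tmp = New-TemporaryFile
$definition | ConvertTo-Json -Depth 5 | Set-Content -Path $tmp.FullName -Encoding ascii

# Create the role once; re-running the script leaves an existing definition untouched
$existingRole = az role definition list --custom-role-only true --name $RoleName `
    --query "[0].roleName" --output tsv
if ($existingRole) {
    Write-Host "Custom role '$RoleName' already exists; leaving its definition unchanged."
} else {
    az role definition create --role-definition "@$($tmp.FullName)" | Out-Null
    Write-Host "Created custom role '$RoleName'."
}
Remove-Item $tmp.FullName

# Object id of the app service's system-assigned managed identity (the principal being granted the role)
$principalId = az webapp identity show --name $WebApp --resource-group $ResourceGroup `
    --query principalId --output tsv
if (-not $principalId) { throw "App service '$WebApp' has no system-assigned managed identity." }

# Stating the principal type lets the assignment succeed even when the identity was created
# moments ago and its directory object has not replicated yet.
az role assignment create --assignee-object-id $principalId --assignee-principal-type ServicePrincipal `
    --role $RoleName --scope $scope | Out-Null

# Command-line counterpart of the Role assignments tab: what this identity holds at the subscription
az role assignment list --assignee $principalId --scope $scope `
    --query "[].{role:roleDefinitionName, scope:scope}" --output table
```

Run it as `.\New-ScimCustomRole.ps1 -SubscriptionId <SubscriptionID> -ResourceGroup <Resource-Group> -WebApp <Web-App-Name>` (the file name is arbitrary). Keeping the role definition in source control, rather than only in the portal, makes later drift in the granted actions visible in review.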
Next Steps
Connect EmpowerID to Azure Active Directory