...
| Graph API Least Privileged Permission | Access Granted by Permission |
|---|---|
| Group.Read.All | Get group |
| User.Read.All | List users |
| Group.Create | Create group |
| User.ReadWrite.All | Create user |
| Group.Read.All | Get delta (group) |
| User.Read.All | Get delta (user) |
| Contacts.Read | Get contact |
| Application.ReadWrite.OwnedBy | Get application |
| Directory.Read.All | Get appRoleAssignment |
| RoleManagement.Read.Directory | List members |
| RoleManagement.ReadWrite.Directory | Add or remove directory role member |
| Group.Read.All | Get group |
| Group.ReadWrite.All | Delete group |
| Group.ReadWrite.All | Update group |
| Application.ReadWrite.OwnedBy | Get servicePrincipal |
| Application.ReadWrite.OwnedBy | Delete servicePrincipal |
| Application.ReadWrite.OwnedBy | Update servicePrincipal |
| User.ReadWrite.All | Create a user |
| User.Read.All | Get a user |
| User.ReadWrite.All | Delete a user |
| User.ReadWrite.All | Update a user |
| RoleManagement.Read.Directory | List members |
| RoleManagement.Read.Directory | List unifiedRoleDefinitions |
| RoleManagement.Read.Directory | Get directoryRole |
| RoleManagement.ReadWrite.Directory | Activate directoryRole |
| RoleManagement.ReadWrite.Directory | Add or remove member |
| Directory.Read.All | List domains |
| User.Read.All | List members |
| GroupMember.ReadWrite.All | Add members |
| Group.Read.All | Get delta (group) |
| User.Read.All | Get delta (user) |
| Organization.Read.All | Get subscribedSku |
| Application.ReadWrite.OwnedBy | Get service principal |
| RoleManagement.Read.Directory | Get unifiedRoleAssignment |
| AuditLog.Read.All | List sign-ins |
| Group.Read.All | Get group |
| Group.ReadWrite.All | Delete group |
| Group.ReadWrite.All | Update group |
| User.Read.All | Get a user |
| User.ReadWrite.All | Update a user |
| User.ReadWrite.All | Delete a user |
| Directory.AccessAsUser.All | Update a user |
The following are Azure RBAC actions (resource provider operations), not Graph API permissions. They are granted through an Azure role assignment, not through an app registration's API permissions.

| Azure RBAC Action | Access Granted by Action |
|---|---|
| Microsoft.ManagedIdentity/userAssignedIdentities/write | User Assigned Identities - Create |
| Microsoft.Authorization/roleAssignments/write | Role Assignments - Create |
| Microsoft.Authorization/roleAssignments/delete | Role Assignments - Delete |
| Microsoft.Authorization/classicAdministrators/read | Classic Administrators - List |
| Microsoft.ManagedIdentity/userAssignedIdentities/read | User Assigned Identities - List By Resource Group / Subscription |
| Microsoft.ManagedIdentity/userAssignedIdentities/delete | User Assigned Identities - Delete |
| Microsoft.ManagedIdentity/userAssignedIdentities/write | User Assigned Identities - Create Or Update (Update) |
| Microsoft.Authorization/roleAssignments/read | Role Assignments - Get |
| Microsoft.Authorization/roleAssignments/delete | Role Assignments - Delete |
| Microsoft.Authorization/roleAssignments/write | Role Assignments - Create |
| Microsoft.Authorization/roleDefinitions/read | Role Definitions - Get |
| Microsoft.Authorization/roleDefinitions/write | Role Definitions - Create |
| Microsoft.Authorization/roleDefinitions/delete | Role Definitions - Delete |
| Microsoft.Authorization/roleDefinitions/write | Role Definitions - Update |
| Microsoft.ManagedIdentity/userAssignedIdentities/read | User Assigned Identities - List By Resource Group / Subscription |
| Microsoft.Management/managementGroups/read | Management Groups - Get |
| Microsoft.Resources/subscriptions/resourceGroups/read | Resource Groups - List |
| Microsoft.Resources/subscriptions/resources/read | Resources - List |
| Microsoft.Authorization/roleAssignments/read | Role Assignments - List |
| Microsoft.Authorization/roleDefinitions/read | Role Definitions - List |
| Microsoft.Resources/tenants/read | Tenants - List |
| Microsoft.Resources/subscriptions/read | Subscriptions - Get / List |
| Microsoft.Consumption/usageDetails/read | Usage Details - List |

Note that Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleDefinitions/write let the holder change who has access at every scope where the role is assigned, so a principal holding them is effectively Owner-equivalent there. Assign the role at the narrowest scope that covers what EmpowerID must manage and protect the credentials of the service principal that holds it accordingly.
Create Custom Role in Azure if Managing Azure Roles and Management Groups from EmpowerID

If you are managing Azure roles and management groups in EmpowerID, then in addition to adding the needed Graph permissions in the above script, you need to create an Azure custom role containing the Azure RBAC actions listed above and assign it to the EmpowerID service principal, as shown in the procedure below.
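The custom role described above can be generated as a role-definition JSON file rather than built by hand in the portal. The script below is an added example and is not EmpowerID's own code: it collects the Azure RBAC actions from the table on this page (de-duplicated), refuses wildcard actions and empty assignable scopes, and flags the actions that make the role Owner-equivalent. The role name, description and the all-zero subscription id are placeholders.

```python
"""
Build an Azure custom role definition for EmpowerID's Azure management.

Added example, not part of the EmpowerID documentation. The action list
comes from the table above; role name, description and scope are placeholders.
"""
import json

# Azure RBAC actions from the table above. Duplicated rows are collapsed here.
EMPOWERID_AZURE_ACTIONS = [
    "Microsoft.ManagedIdentity/userAssignedIdentities/read",
    "Microsoft.ManagedIdentity/userAssignedIdentities/write",
    "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Authorization/roleDefinitions/read",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/roleDefinitions/delete",
    "Microsoft.Authorization/classicAdministrators/read",
    "Microsoft.Management/managementGroups/read",
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resources/read",
    "Microsoft.Resources/tenants/read",
    "Microsoft.Consumption/usageDetails/read",
]

# Actions that change who has access at a scope. A principal holding these
# can grant itself Owner there, so the role must be scoped and monitored
# like an Owner assignment.
AUTHORIZATION_WRITE_ACTIONS = {
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/roleDefinitions/delete",
}


def privileged_actions(actions):
    """Return, sorted, the subset of actions that control Azure RBAC itself."""
    return sorted(set(actions) & AUTHORIZATION_WRITE_ACTIONS)


def build_role_definition(name, actions, assignable_scopes, description=""):
    """Return a role definition in the JSON shape accepted by
    `az role definition create --role-definition @role.json`."""
    if not assignable_scopes:
        raise ValueError("AssignableScopes must name at least one scope")
    for scope in assignable_scopes:
        if not scope.startswith("/"):
            raise ValueError(f"scope must be a full resource id path: {scope!r}")
    for action in actions:
        if "*" in action:
            # A wildcard also grants operations the provider adds later.
            raise ValueError(f"wildcard not allowed in a least-privilege role: {action!r}")
    return {
        "Name": name,
        "IsCustom": True,
        "Description": description,
        "Actions": sorted(set(actions)),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": list(assignable_scopes),
    }


if __name__ == "__main__":
    # Placeholder scope (assumption); replace with the subscription or
    # management group id that EmpowerID actually manages.
    scope = "/subscriptions/00000000-0000-0000-0000-000000000000"
    role = build_role_definition(
        "EmpowerID Azure Role Manager",
        EMPOWERID_AZURE_ACTIONS,
        [scope],
        "Actions EmpowerID needs to manage Azure roles and management groups",
    )
    print(json.dumps(role, indent=2))
    print("Owner-equivalent actions in this role:", privileged_actions(role["Actions"]))
```

Save the printed JSON as role.json and create the role with `az role definition create --role-definition @role.json` (or `New-AzRoleDefinition -InputFile role.json`), then assign it to the EmpowerID service principal. Management group actions only take effect when the role is assigned at management group scope, so include the relevant `/providers/Microsoft.Management/managementGroups/<id>` path in AssignableScopes if EmpowerID manages management groups.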
...