Azure License Manager leverages EmpowerID’s Azure AD SCIM Microservice Connector. This microservice is a fully compliant SCIM 2.0 Server to which EmpowerID communicates to inventory and manage your Azure tenant licenses and security. In order to use Azure License Manager, you need to configure Azure for the SCIM microservice. Part of this configuration involves creating an App Service in Azure that has App service authentication turned on, Login with Azure Active Directory enabled for unauthenticated requests to the App service, and Azure Active Directory selected as the identity provider. This deployment model enables secure fine-grained Graph API access, requiring read access to user, group and license data in Azure AD as well as access to add and remove users from license groups. The microservice leverages an Azure system-assigned Managed Identity , which keeps credentials securely stored in Azure Key Vaultto keep credentials secure.
Required Permissions for the Managed Identity
...
Graph API / Permissions name | Access Granted by Permissions | Used By |
AuditLog.Read.All | Read all audit log data | SCIM App Service Managed Identity |
Group.Read | Read all group data | SCIM App Service Managed Identity |
GroupMember.ReadWrite.All | Read and write group memberships | SCIM App Service Managed Identity |
User.Read | Read user profile | SCIM App Service Managed Identity |
Reports.Read.All | Read all report data | SCIM App Service Managed Identity |
| Excerpt | ||||
|---|---|---|---|---|
| ||||
Required Permissions for the Service PrincipalIn addition to above required permissions for the managed identity, Azure License Manager requires the service principal (the application registered in Azure AD to represent Azure License Manager) to have an additional permission:
|