...
Graph API / Permissions name | Access Granted by Permissions | Used By | Purpose |
---|---|---|---|
AuditLog.Read.All | Read audit log data | App Service Managed Identity | Last sign-in inventory for users |
Group.Read.All | Read group data | App Service Managed Identity | Read all groups in Azure AD |
GroupMember.ReadWrite.All | Read and write group memberships | App Service Managed Identity | Read, edit and remove group memberships |
User.Read.All | Read user profile | App Service Managed Identity | Read all users in Azure AD |
Reports.Read.All | Read report data | App Service Managed Identity | Read all reports, such as Office 365 Active User Details, etc. |
Organization.Read.All | Read organization information | App Service Managed Identity | Read all subscribed SKUs (license and service plans) |
```powershell
##############################################################################################################
###### PowerShell Script to Grant GRAPH API permissions for Azure License Manager Managed Identity ###########
###### Example below grants full permissions needed for both Azure License Manager and RBAC Manager ##########
###### Edit as desired - required permissions for Azure License Manager "Read Access" shown below ############

Param(
    $tenantId = "",
    $appServiceObjectID = "",
    $PermissionsToAdd = @("Directory.ReadWrite.All",
                          "Directory.AccessAsUser.All",
                          "Reports.Read.All",
                          "User.ReadWrite.All",
                          "Group.ReadWrite.All",
                          "RoleManagement.ReadWrite.Directory",
                          "AuditLog.Read.All")
)

<# Read Access
@("Reports.Read.All", "Group.Read.All", "User.Read.All", "Contacts.Read", "Directory.Read.All",
  "Group.ReadWrite.All", "AuditLog.Read.All", "GroupMember.ReadWrite.All",
  "RoleManagement.Read.Directory", "Organization.Read.All", "OrgContact.Read.All")
#>

<# Full Access
@("Directory.ReadWrite.All", "Directory.AccessAsUser.All", "Reports.Read.All", "User.ReadWrite.All",
  "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "AuditLog.Read.All")
#>

# Install AzureAD module if not installed
if (-Not (Get-Module -ListAvailable -Name AzureAD)) {
    try {
        Install-Module AzureAD -Force
    } catch {
        if ($_.Exception.Message.Contains("Administrator rights")) {
            Write-Host "You must run the script with administrator rights"
        } else {
            Write-Error $_.Exception.Message
        }
    }
}

if (Get-Module -ListAvailable -Name AzureAD) {
    # Check if connected to the target Azure AD Tenant
    try {
        $tenantDetail = Get-AzureADTenantDetail
    } catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] {
        Write-Host "You're not connected."
        Connect-AzureAD -TenantId $tenantId
        $tenantDetail = Get-AzureADTenantDetail
    }
    if ($tenantDetail.ObjectId -ne $tenantId) {
        Write-Host "You're not connected to the tenant: " $tenantId
        Connect-AzureAD -TenantId $tenantId
    }

    # Managed Identity for the SCIM App Service | Found in App Service -> Identity
    $ManagedIdentitiesServicePrincipal = Get-AzureADServicePrincipal -Filter "ObjectId eq '$appServiceObjectID'"
    if ($null -eq $ManagedIdentitiesServicePrincipal) {
        throw "Managed Identity for the app service is not found. `nApp Service Object ID: $appServiceObjectID "
    }

    # Resource Name : Microsoft Graph | Resource URI : https://graph.microsoft.com | Application ID : 00000003-0000-0000-c000-000000000000
    $GraphAppId = "00000003-0000-0000-c000-000000000000"
    $GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

    # Permissions
    foreach ($PermissionToAdd in $PermissionsToAdd) {
        # Only application (app-only) roles can be assigned to a managed identity
        $AppRole = $GraphServicePrincipal.AppRoles |
            Where-Object { $_.Value -eq $PermissionToAdd.Trim() -and $_.AllowedMemberTypes -contains "Application" }
        if ($null -eq $AppRole) {
            Write-Error "Invalid Permission `nPermission name: $PermissionToAdd"
        } else {
            # Assigns a Graph API service principal to an application role
            try {
                New-AzureAdServiceAppRoleAssignment -ObjectId $ManagedIdentitiesServicePrincipal.ObjectId `
                    -PrincipalId $ManagedIdentitiesServicePrincipal.ObjectId `
                    -ResourceId $GraphServicePrincipal.ObjectId `
                    -Id $AppRole.Id -ErrorAction Stop
            } catch {
                if ($_.Exception.ErrorContent.Message.Value.Contains("Permission being assigned already")) {
                    Write-Host "`"$($AppRole.DisplayName)`" Permission is already assigned on the app service"
                } else {
                    Write-Error $_
                }
            }
        }
    }
}
```
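As an added example (not part of this page or of Azure License Manager), the script below audits which Graph application roles the managed identity actually holds and flags anything outside the "Read Access" list, since granting the full set (Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory) leaves an inventory tool with far more than it needs. It assumes Connect-AzureAD has already been run against the target tenant; the parameter names, the $Remediate switch and the OK/EXCESS/MISSING labels are my own.

```powershell
# Added example, not part of the original page: audit the Graph app roles held by the
# managed identity against the "Read Access" allow-list and report (optionally remove) excess.
# Assumes Connect-AzureAD has already been run against the target tenant.
Param(
    $appServiceObjectID = "",   # App Service -> Identity -> Object ID
    [switch]$Remediate          # remove assignments that are not on the allow-list
)

# Least-privilege allow-list: the "Read Access" set from the grant script above
$AllowedPermissions = @("Reports.Read.All", "Group.Read.All", "User.Read.All", "Contacts.Read",
    "Directory.Read.All", "Group.ReadWrite.All", "AuditLog.Read.All", "GroupMember.ReadWrite.All",
    "RoleManagement.Read.Directory", "Organization.Read.All", "OrgContact.Read.All")

$GraphAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph application ID
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
$ManagedIdentity = Get-AzureADServicePrincipal -ObjectId $appServiceObjectID

# Roles granted TO the managed identity on the Graph resource, keyed by permission name.
# (In the AzureAD module, *AppRoleAssignedTo lists grants held by this principal.)
$Granted = @{}
Get-AzureADServiceAppRoleAssignedTo -ObjectId $ManagedIdentity.ObjectId -All $true |
    Where-Object { $_.ResourceId -eq $GraphServicePrincipal.ObjectId } |
    ForEach-Object {
        $assignment = $_
        $appRole = $GraphServicePrincipal.AppRoles | Where-Object { $_.Id -eq $assignment.Id }
        if ($appRole) { $Granted[$appRole.Value] = $assignment }
    }

# Anything granted but not on the allow-list is excess privilege for a read-only inventory tool
foreach ($Name in @($Granted.Keys)) {
    if ($AllowedPermissions -contains $Name) {
        Write-Host "OK       $Name"
    } else {
        Write-Warning "EXCESS   $Name is assigned but is not on the Read Access list"
        if ($Remediate) {
            # The assignment's own ObjectId (not the app role Id) identifies the grant to remove
            Remove-AzureADServiceAppRoleAssignment -ObjectId $ManagedIdentity.ObjectId `
                -AppRoleAssignmentId $Granted[$Name].ObjectId
            Write-Host "Removed  $Name"
        }
    }
}

# Anything on the allow-list that is not granted will surface as a Graph 403 at runtime
foreach ($Name in $AllowedPermissions) {
    if (-not $Granted.ContainsKey($Name)) {
        Write-Warning "MISSING  $Name is required for Read Access but is not assigned"
    }
}
```

Run it without -Remediate first to review the report; with -Remediate it removes only the EXCESS grants and leaves the allow-listed ones in place.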
Required Permissions for the Service Principal

In addition to the permissions required for the managed identity listed above, Azure License Manager requires the service principal (the application registered in Azure AD to represent Azure License Manager) to have an additional permission: