As the app service you created for the Azure AD SCIM microservice calls Microsoft Graph, you need to assign to the service principal permissions required for your use case. You assign these permissions using the Azure CLICloud Shell, which is a command-line tool that use to connect to Azure and execute administrative commands on Azure resources.
To assign permissions to the service principal, you need to complete the following tasks:
Install Azure CLI on your machine (if not already installed).
Open an administrative command prompt or PowerShell session and run the permissions script included in this topic.
Install Azure CLI
If Azure CLI is not installed on your machine, please see Microsoft’s instructions for doing so here: Install the Azure CLI for Windows | Microsoft Docs.
Set Permissions
To set permissions, execute the below script in either an administrative command prompt or PowerShell session. When executing the script, Azure prompts you to log in to your tenant. Be sure to authenticate with the credentials of a user who can add Microsoft Graph permissions to the App Service managed identity (owner at the tenant level).
Before running the script, be sure to enter the values for the following:
SubscriptionID – Subscription ID of the subscription with the app service
webApp – Name of the app service you created for the Azure AD SCIM microservice
| Info |
|---|
When running the script, Azure will open your default browser and prompt you for credentials. Be sure to authenticate to Azure as a user with adequate permissions to execute it in Azure AD (owner at the tenant level). Once you have authenticated, the rest of the script will execute. |
| Note |
|---|
The permissions in the script are for read/inventory only. If your use case requires additional permissions like create, update, delete, etc., you must update the script with those permissions. |
...
| language | powershell |
|---|
...
browser-accessible shell for managing Azure resources.
| Info |
|---|
Please note that Azure Cloud Shell requires an Azure file share to persist files. Using Azure Cloud Shell requires a storage account, which Azure creates for you on first use of the shell. This will incur a small monthly cost. |
To assign permissions to the service principal, you need to complete the following tasks:
Start an Azure Cloud Shell session.
Run the permissions script included in this topic.
Set Permissions
In Azure, select Cloud Shell.
Select PowerShell as the script language.
From the shell, open the editor.
Copy the below script and paste it into the editor.
Insert excerpt IL:Azure Bits IL:Azure Bits name Permissions Script nopanel true Code Block language powershell $webApp=<"Web-App-Name"> $sprincipal_id=$(az resource list -n $webApp --query [*].identity.principalId --out tsv) $graphResourceId=$(az ad sp list --display-name "Microsoft Graph" --query [0].
...
id --out tsv) $uri="https://graph.microsoft.com/v1.0/servicePrincipals/$sprincipal_id/appRoleAssignments" $PermissionsToAdd = @("Directory.Read.All","Organization.Read.All", "User.Read.All", "Group.Read.All", "GroupMember.Read.All", "Reports.Read.All", "AuditLog.Read.All","Policy.Read.All","Policy.ReadWrite.ConditionalAccess","Application.Read.All","Domain.Read.All" ) $PermissionsToAdd | foreach { $appRoleId=$(az ad sp list --display-name "Microsoft Graph" --query "[0].appRoles[?value=='$($_)' && contains(allowedMemberTypes, 'Application')].id" --output tsv) $body="{'principalId':'$sprincipal_id','resourceId':'$graphResourceId','appRoleId':'$appRoleId'}
...
" az rest --method post --uri $uri --body $body --headers "Content-Type=application/json" }
The editor should look similar to that shown below. The value of $PermissionsToAdd will differ according to your permissions.
Set the value of
$webAppto the name of the app service you created to host the Azure AD SCIM microservice.Insert excerpt IL:Azure Bits IL:Azure Bits name Enclose in quotes nopanel true Code Block language powershell $webApp="The name of your app service"Save the script as
apply-perms.ps1
Back in the shell, return the name of the subscription with the app service.
Code Block az account showCopy the name.
Run the below command to set the subscription name to the value you just copied.
Code Block az account set -s "Your Subscripton Name"Run the permissions script.
Code Block .\apply-perms.ps1
Table 1: Permissions
Graph API Least Privileged Permission | Access Granted by Permissions |
Group.Read.All | Get group |
User.Read.All | List users |
Group.Create | Create group |
User.ReadWrite.All | Create User |
User.Read.All | Get delta (group) |
User.Read.All | Get delta (user) |
Contacts.Read | Get contact |
Application.ReadWrite.OwnedBy | Get application |
Directory.Read.All | Get appRoleAssignment |
RoleManagement.Read.Directory | List members |
RoleManagement.ReadWrite.Directory | Add or Remove directory role member |
Group.Read.All | Get group |
Group.ReadWrite.All | Delete group |
Group.ReadWrite.All | Update group |
Application.ReadWrite.OwnedBy | Get servicePrincipal |
Application.ReadWrite.OwnedBy | Delete servicePrincipal |
Application.ReadWrite.OwnedBy | Update servicePrincipal |
User.ReadWrite.All | Create a User |
User.Read.All | Get a User |
User.ReadWrite.All | Delete a user |
User.ReadWrite.All | Update a user |
RoleManagement.Read.Directory | List members |
RoleManagement.Read.Directory | List unifiedRoleDefinitions |
RoleManagement.Read.Directory | Get directoryRole |
RoleManagement.ReadWrite.Directory | Activate directoryRole |
RoleManagement.ReadWrite.Directory | Add or Remove member |
Directory.Read.All | List domains |
User.Read.All | List members |
GroupMember.ReadWrite.All | Add members |
Group.Read.All | Get delta (group) |
User.Read.All | Get delta (user) |
Organization.Read.All | Get subscribedSku |
Application.ReadWrite.OwnedBy | Get service principal |
RoleManagment.Read.Directory | Get unifiedRoleAssignment |
AuditLog.Read.All | List sign-ins |
Group.Read.All | Get group |
Group.ReadWrite.All | Delete group |
Group.ReadWrite.All | Update group |
User.Read.All | Get a User |
User.Read.Write.All | Update a User |
User.ReadWrite.All | Delete a user |
Directory.AccessAsUser.All | Update a User |
Microsoft.ManagedIdentity/userAssignedIdentities/write | User Assigned Identities - Create |
Microsoft.Authorization/roleAssignments/write | Role Assignments - Create |
Microsoft.Authorization/roleAssignments/read | Role Assignments - Delete |
Microsoft.Authorization/classicAdministrators/read | Classic Administrators - List |
Microsoft.ManagedIdentity/userAssignedIdentities/read | User Assigned Identities - List By Resource Group / Subscription |
Microsoft.ManagedIdentity/userAssignedIdentities/delete | User Assigned Identities - Delete |
Microsoft.ManagedIdentity/userAssignedIdentities/write | User Assigned Identities - Create Or Update (UPDATE) |
Microsoft.Authorization/roleAssignments/read | Role Assignments - Get |
Microsoft.Authorization/roleAssignments/delete | Role Assignments - Delete |
Microsoft.Authorization/roleAssignments/write | Role Assignments - Create |
Microsoft.Authorization/roleDefinitions/read | Role Definitions - Get |
Microsoft.Authorization/roleDefinitions/write | Role Definitions - Create |
Microsoft.Authorization/roleDefinitions/delete | Role Definitions - Delete |
Microsoft.Authorization/roleDefinitions/write | Role Definitions - Update |
Microsoft.ManagedIdentity/userAssignedIdentities/read | User Assigned Identities - List By Resource Group / Subscription |
Microsoft.Management/managementGroups/read | Management Groups - Get |
Microsoft.Management/managementGroups/read | Management Groups - Get |
Microsoft.Resources/subscriptions/resourceGroups/read | Resource Groups - List |
Microsoft.Resources/subscriptions/resources | Resources - List |
Microsoft.Authorization/roleAssignments/read | Role Assignments - List |
Microsoft.Authorization/roleDefinitions/read | Role Definitions - List |
Microsoft.Resources/tenant/read | Tenants - List |
Microsoft.Resources/subscriptions/read | Subscriptions |
Microsoft.Consumption/usageDetails/read | Usage Details - List |
...