...
In Azure, select Cloud Shell.
Select PowerShell as the script language.
From the shell, open the editor.
Copy the below script and paste it into the editor.
```powershell
# Name of the app service hosting the Azure AD SCIM microservice (set this before running)
$webApp="<Web-App-Name>"
# Object id of the app service's system-assigned managed identity
$sprincipal_id=$(az resource list -n $webApp --query "[*].identity.principalId" --out tsv)
# Object id of the Microsoft Graph service principal in this tenant
# (Azure CLI versions before 2.37 return this field as objectId rather than id)
$graphResourceId=$(az ad sp list --display-name "Microsoft Graph" --query "[0].id" --out tsv)
$uri="https://graph.microsoft.com/v1.0/servicePrincipals/$sprincipal_id/appRoleAssignments"
# Microsoft Graph application permissions (app roles) to grant to the managed identity
$PermissionsToAdd = @("Directory.Read.All","Organization.Read.All", "User.Read.All", "Group.Read.All", "GroupMember.Read.All", "Reports.Read.All", "AuditLog.Read.All","Policy.Read.All","Policy.ReadWrite.ConditionalAccess","Application.Read.All","Domain.Read.All" )
$PermissionsToAdd | foreach {
    # Look up the app role id for this permission; only roles that allow the
    # "Application" member type can be assigned to a managed identity
    $appRoleId=$(az ad sp list --display-name "Microsoft Graph" --query "[0].appRoles[?value=='$($_)' && contains(allowedMemberTypes, 'Application')].id" --output tsv)
    $body="{'principalId':'$sprincipal_id','resourceId':'$graphResourceId','appRoleId':'$appRoleId'}"
    # Create the app role assignment through the Microsoft Graph API
    az rest --method post --uri $uri --body $body --headers "Content-Type=application/json"
}
```
The editor should look similar to that shown below. The value of $PermissionsToAdd will differ according to your permissions. Set the value of $webApp to the name of the app service you created to host the Azure AD SCIM microservice, enclosed in quotes:

```powershell
$webApp="The name of your app service"
```
Click the ellipsis button (…) and then click Save.
Save the script as apply-perms.ps1.
Back in the shell, return the name of the subscription with the app service.
```powershell
az account show
```
Copy the name.
Run the below command to set the subscription name to the value you just copied.
```powershell
az account set -s "Your Subscription Name"
```
Run the permissions script.
```powershell
.\apply-perms.ps1
```
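After the script has run, it is worth confirming that the managed identity holds exactly the Graph permissions you intended and nothing more. The following verification script is an added example, not part of the original page; it assumes the same $webApp placeholder and the same permission list as apply-perms.ps1, and narrows the resource lookup to Microsoft.Web/sites so an app service plan with the same name is not matched.

```powershell
# Added verification script (not from the original page): compares the app role
# assignments actually held by the app service's managed identity with the list
# that apply-perms.ps1 was meant to grant, and flags any write permissions.
$webApp = "<Web-App-Name>"   # placeholder: the app service hosting the SCIM microservice
$expected = @("Directory.Read.All","Organization.Read.All","User.Read.All","Group.Read.All",
              "GroupMember.Read.All","Reports.Read.All","AuditLog.Read.All","Policy.Read.All",
              "Policy.ReadWrite.ConditionalAccess","Application.Read.All","Domain.Read.All")

# Managed identity object id; restrict to the web app resource type to avoid name collisions
$sprincipal_id = $(az resource list -n $webApp --resource-type "Microsoft.Web/sites" `
                   --query "[0].identity.principalId" --out tsv)

# Microsoft Graph service principal, including its appRoles catalogue
$graphSp = ($(az ad sp list --display-name "Microsoft Graph" --query "[0]" --output json) -join "`n") |
           ConvertFrom-Json
# Older Azure CLI versions expose the object id as objectId instead of id
$graphId = if ($graphSp.id) { $graphSp.id } else { $graphSp.objectId }

# Map each app role GUID to its readable value (e.g. User.Read.All)
$roleNames = @{}
foreach ($role in $graphSp.appRoles) { $roleNames[$role.id] = $role.value }

# Read back the assignments the identity currently holds
$uri = "https://graph.microsoft.com/v1.0/servicePrincipals/$sprincipal_id/appRoleAssignments"
$assignments = ($(az rest --method get --uri $uri --output json) -join "`n") | ConvertFrom-Json
$granted = @($assignments.value |
             Where-Object { $_.resourceId -eq $graphId } |
             ForEach-Object { $roleNames[$_.appRoleId] })

$missing = @($expected | Where-Object { $granted -notcontains $_ })
$extra   = @($granted  | Where-Object { $expected -notcontains $_ })
$writes  = @($granted  | Where-Object { $_ -like "*.ReadWrite*" })

Write-Host "Granted ($($granted.Count)): $($granted -join ', ')"
if ($missing.Count) { Write-Warning "Not granted: $($missing -join ', ')" }
if ($extra.Count)   { Write-Warning "Unexpected extra permissions: $($extra -join ', ')" }
if ($writes.Count)  { Write-Warning "Write permissions held (review these): $($writes -join ', ')" }
if (-not $missing.Count -and -not $extra.Count) { Write-Host "Permissions match the expected list." }
```

Unexpected extra permissions usually mean an earlier run used a longer list; remove them with a DELETE against the same appRoleAssignments endpoint rather than leaving the identity over-privileged.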
...