Azure License Manager leverages EmpowerID’s Azure AD SCIM Microservice Connector. This microservice is a fully compliant SCIM 2.0 Server to which EmpowerID communicates to inventory and manage your Azure tenant licenses and security. In order to use Azure License Manager, you need to configure Azure for the SCIM microservice. Part of this configuration involves creating an App Service in Azure that has App service authentication turned on, Login with Azure Active Directory enabled for unauthenticated requests to the App service, and Azure Active Directory selected as the identity provider. This deployment model enables secure fine-grained Graph API access, requiring read access to organization, user, group, and license data in Azure AD, as well as read and write access to add and remove users from license groups. The microservice leverages a system-assigned managed identity and app service authentication.
...
Required permissions for the managed identity (not service principal) follow the least-privilege principle and include the following:
Graph API / Permissions name | Access Granted by Permissions | Used By | Purpose |
AuditLog.Read.All | Read audit log data | App Service Managed Identity | Last sign in inventory for users |
Group.Read.All | Read group data | App Service Managed Identity | Read all groups in Azure AD |
GroupMember.ReadWrite.All | Read and write group memberships | App Service Managed Identity | Read and edit (and / remove) group memberships |
User.Read.All | Read user profile | App Service Managed Identity | Read all users Azure AD |
Reports.Read.All | Read report data | App Service Managed Identity | Read all reports, such as Office 365 Active User Details, etc. |
Organization.Read.All | Read organization information | App Service Managed Identity | Read all subscribed SKUs (license and service plans) |
Code Block | ||
---|---|---|
| ||
##############################################################################################################
###### PowerShell Script to Grant GRAPH API permissions for Azure License Manager Managed Identitity #########
###### Example below grants full permissions needed for both Azure License Manager and RBAC Manager ##########
###### Edit as desired - required permissions for Azure License Manager "Read Access" shown below ############
Param(
$tenantId = "",
$appServiceObjectID = "",
$PermissionsToAdd= @("Directory.ReadWrite.All",
"Directory.AccessAsUser.All",
"Reports.Read.All",
"User.ReadWrite.All",
"Group.ReadWrite.All",
"RoleManagement.ReadWrite.Directory",
"AuditLog.Read.All"
)
)
<#
Read Access
@("Reports.Read.All", "Group.Read.All", "User.Read.All", "Contacts.Read", "Directory.Read.All", "Directory.Read.All", "Group.ReadWrite.All", "AuditLog.Read.All", "GroupMember.ReadWrite.All", "RoleManagement.Read.Directory", "Organization.Read.All", "OrgContact.Read.All")
#>
<#
Full Access
@("Directory.ReadWrite.All",
"Directory.AccessAsUser.All",
"Reports.Read.All",
"User.ReadWrite.All",
"Group.ReadWrite.All",
"RoleManagement.ReadWrite.Directory",
"AuditLog.Read.All"
)
#>
<#
Read Access
#>
# Install AzureAD module if not installed
if (-Not(Get-Module -ListAvailable -Name AzureAD)) {
try {
Install-Module AzureAD -Force
}
catch {
if ($_.Exception.Message.Contains("Administrator rights")) {
Write-Host "You must run the script with administrator rights"
}
else {
Write-Error $_.Exception.Message
}
}
}
if (Get-Module -ListAvailable -Name AzureAD) {
# Check if connected to the target Azure AD Tenant
try {
$tenantDetail = Get-AzureADTenantDetail
}
catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException]
{
Write-Host "You're not connected.";
Connect-AzureAD -TenantId $tenantId;
$tenantDetail = Get-AzureADTenantDetail
}
if ($tenantDetail.ObjectId -ne $tenantId) {
Write-Host "You're not connected to the tenant: " $tenantId;
Connect-AzureAD -TenantId $tenantId;
}
# Managed Identity for the SCIM App Service | Found in App Service -> Identity
$ManagedIdentitiesServicePrincipal = Get-AzureADServicePrincipal -Filter "ObjectId eq `'$appServiceObjectID`'"
if ($ManagedIdentitiesServicePrincipal -eq $null) {
throw "Managed Identity for the app service is not found. `nApp Service Object ID: $appServiceObjectID "
}
# Resource Name : Microsoft Graph | Resource URI : https://graph.microsoft.com | Application ID : 00000003-0000-0000-c000-000000000000
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
# Permissions
foreach ($PermissionToAdd in $PermissionsToAdd) {
$AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionToAdd.Trim() -and $_.AllowedMemberTypes -contains "Application"}
if ($AppRole -eq $null) {
Write-Error "Invalid Permission `nPermission name: $PermissionToAdd"
}
else {
# Assigns a Graph API service principal to an application role
try {
New-AzureAdServiceAppRoleAssignment -ObjectId $ManagedIdentitiesServicePrincipal.ObjectId -PrincipalId $ManagedIdentitiesServicePrincipal.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id -ErrorAction Stop
}
catch {
if ($_.Exception.ErrorContent.Message.Value.Contains("Permission being assigned already")) {
Write-Host "`""$AppRole.DisplayName"`"" " Permission is already assigned on the app service"
}
else {
Write-Error $_
}
}
}
}
} |
Excerpt | ||||
---|---|---|---|---|
| ||||
Required Permissions for the Service PrincipalIn addition to above required permissions for the managed identity, Azure License Manager requires the service principal (the application registered in Azure AD to represent Azure License Manager) to have an additional permission:
|
Insert excerpt | ||||||
---|---|---|---|---|---|---|
|