Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

After you have published the EmpowerID SCIM Microservice microservice app to Azure, you need to return to Azure to do the following post-publishing steps:

...

Turn on System-assigned managed identity for the App Service

...

run the following PowerShell script to assign several required permissions to the App Service managed identity

...

Assign the App Service to the Global Administrator role for the tenant

These steps ensure that EmpowerID has the appropriate authentication and access to read and write the user information for your Azure tenant.

To turn on System-assigned managed identity for the App Service

  1. Log in to your Azure portal as an administrator and navigate to your App Service.

  2. Under Settings in the sidebar of the App Service, click Identity.

  3. On the Azure navbar, click App registrations.

    Image Removed

  4. On the Identity page, click the System assigned tab and toggle Status to On.

    Image Removed

  5. Copy the Object ID. The Object ID is the ID of the service principal created when the System assigned managed identity feature is enabled. You need to assign to the service principal root level permissions to the App Service as shown below.

To assign to the identity root level permissions to the App Service

  1. In Azure navigate to Management groups.

  2. Click the details link beside Tenant Root Group.

    Image Removed

  3. On the tenant root page, click Access Control (IAM) in the sidebar.

    Image Removed

  4. On the Access Control (IAM) page, click Add and then select Add role assignment.

    Image Removed

  5. In the Add role assignment pane that appears, click Select a role and then select Owner.

    Image Removed

  6. Search for and select the App Service you deployed to the tenant.

    Image Removed

  7. Save the role assignment.

    Image Removed

Assign the App Service to the Global Administrator role for the tenant

  1. Navigate to Azure Active Directory.

  2. In Azure Active Directory, select Roles and administrators (Preview) from the sidebar.

    Image Removed

  3. Enter Global administrator in the search field and then select the Global administrator role.

    Image Removed

  4. On the Global administrator | Assignments page, click Add assignments.

    Image Removed

  5. In the Add assignments pane that appears, search for the App Service and then click the tile for the service to select it.

    Image Removed

  6. Click Add.

    Image Removed

The SCIM App service now has the global administrator role for the tenant. The next step is to connect EmpowerID to Azure AD.. Required permissions follow the least-privilege principle and include the following:

Graph API / Permissions name

Access Granted by Permissions

Used By

AuditLog.Read.All

Read audit log data

App Service Managed Identity

Group.Read.All

Read group data

App Service Managed Identity

GroupMember.ReadWrite.All

Read and write group memberships

App Service Managed Identity

User.Read.All

Read user profile

App Service Managed Identity

Reports.Read.All

Read report data

App Service Managed Identity

Organization.Read.All

Read organization information

App Service Managed Identity

The above permissions have been added to the script's PermissionsToAdd parameter, shown below. In addition to adding the permissions, you need to enter values for these parameters:

  • tenantID — Your Tenant ID

  • appServiceObjectID — Object ID of the SCIM App Service

Tip

When running the script, be sure to authenticate to Azure as a user with adequate permissions to execute it in Azure AD (owner at the tenant level).

Code Block
languagepowershell
###############
## GRAPH API ##
###############
Param(
    $tenantId = "",
    $appServiceObjectID = "", 
    $PermissionsToAdd = @("Organization.Read.All", "User.Read.All", "Group.Read.All", "GroupMember.ReadWrite.All", "Reports.Read.All", "AuditLog.Read.All")
)

# Install AzureAD module if not installed
if (-Not(Get-Module -ListAvailable -Name AzureAD)) {
    try {
        Install-Module AzureAD -Force
    }
    catch {
        if ($_.Exception.Message.Contains("Administrator rights")) {
            Write-Host "You must run the script with administrator rights"
            
        }
        else {
            Write-Error $_.Exception.Message
        }
        
    }
}


if (Get-Module -ListAvailable -Name AzureAD) {
    # Check if connected to the target Azure AD Tenant
    try { 
        $tenantDetail = Get-AzureADTenantDetail 
    } 
    catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] 
    { 
        Write-Host "You're not connected."; 
        Connect-AzureAD -TenantId $tenantId;
        $tenantDetail = Get-AzureADTenantDetail 
    }

    if ($tenantDetail.ObjectId -ne $tenantId) {
        Write-Host "You're not connected to the tenant: " $tenantId; 
        Connect-AzureAD -TenantId $tenantId;
    }


    # Managed Identity for the SCIM App Service | Found in App Service -> Identity 
    $ManagedIdentitiesServicePrincipal = Get-AzureADServicePrincipal -Filter "ObjectId eq `'$appServiceObjectID`'"
    if ($ManagedIdentitiesServicePrincipal -eq $null) {
        throw "Managed Identity for the app service is not found. `nApp Service Object ID: $appServiceObjectID "
    }

    # Resource Name : Microsoft Graph | Resource URI : https://graph.microsoft.com | Application ID : 00000003-0000-0000-c000-000000000000
    $GraphAppId = "00000003-0000-0000-c000-000000000000"
    $GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

    # Permissions
    foreach ($PermissionToAdd in $PermissionsToAdd) {
        $AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionToAdd.Trim() -and $_.AllowedMemberTypes -contains "Application"}
        if ($AppRole -eq $null) {
            Write-Error "Invalid Permission `nPermission name: $PermissionToAdd"
        }
        else {
            # Assigns a Graph API service principal to an application role
            try {
                New-AzureAdServiceAppRoleAssignment -ObjectId $ManagedIdentitiesServicePrincipal.ObjectId -PrincipalId $ManagedIdentitiesServicePrincipal.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id -ErrorAction Stop
            }
            catch {
                if ($_.Exception.ErrorContent.Message.Value.Contains("Permission being assigned already")) {
                    Write-Host "`""$AppRole.DisplayName"`"" " Permission is already assigned on the app service"
                }
                else {
                    Write-Error $_
                }
            }
        }
    }
}

Insert excerpt
IL:External Stylesheet
IL:External Stylesheet
nopaneltrue