You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.


Set Permissions for the Azure AD SCIM Managed Identity


Page history: version 13.

After you have published the SCIM microservice app to Azure, run the following PowerShell script to assign the Microsoft Graph application permissions (app roles) listed below to the app service's system-assigned managed identity. Application permissions cannot be granted to a managed identity from the Azure portal's API permissions blade, which is why a script is used.

Set Graph API Permissions

Permissions follow the least-privilege principle: every permission except GroupMember.ReadWrite.All is read-only, and all of them are application permissions (app roles) granted to the managed identity, so they apply tenant-wide with no signed-in user. They include the following:

| Graph API / Permissions name | Access Granted by Permissions | Used By |
|---|---|---|
| AuditLog.Read.All | Read all audit log data | App Service Managed Identity |
| Group.Read.All | Read all groups | App Service Managed Identity |
| GroupMember.ReadWrite.All | Read and write all group memberships (the only write permission in the set) | App Service Managed Identity |
| User.Read.All | Read all users' full profiles | App Service Managed Identity |
| Reports.Read.All | Read all usage reports | App Service Managed Identity |
| Organization.Read.All | Read organization information | App Service Managed Identity |

The above permissions are already listed in the script's PermissionsToAdd parameter, shown below. Before running it, enter values for these two parameters:

  • tenantID — Your Azure AD Tenant ID (a GUID)

  • appServiceObjectID — The Object ID of the app service's system-assigned managed identity, shown under Identity on the App Service blade in Azure. This is the object ID of the managed identity's service principal, not the resource ID of the App Service itself.

When running the script, authenticate to Azure AD as a user who holds a directory role that can grant application permissions, such as Privileged Role Administrator or Global Administrator. An Azure RBAC Owner on the subscription is not sufficient: app role assignments are directory (Azure AD) operations, not resource operations. The script checks that the session is connected to the tenant you specified before it assigns anything, so a mistyped tenantId does not grant permissions in the wrong directory.

###############
## GRAPH API ##
###############
# NOTE: this script uses the AzureAD PowerShell module, which Microsoft has deprecated
# in favour of the Microsoft.Graph module. It is kept here as originally published.
Param(
    $tenantId = "",
    # Object ID of the managed identity service principal (App Service -> Identity -> Object ID)
    $appServiceObjectID = "",
    $PermissionsToAdd = @("Organization.Read.All", "User.Read.All", "Group.Read.All", "GroupMember.ReadWrite.All", "Reports.Read.All", "AuditLog.Read.All")
)

if ([string]::IsNullOrWhiteSpace($tenantId) -or [string]::IsNullOrWhiteSpace($appServiceObjectID)) {
    throw "Set both tenantId and appServiceObjectID before running this script."
}

# Install AzureAD module if not installed
if (-Not (Get-Module -ListAvailable -Name AzureAD)) {
    try {
        Install-Module AzureAD -Force
    }
    catch {
        if ($_.Exception.Message.Contains("Administrator rights")) {
            Write-Host "You must run the script with administrator rights"
        }
        else {
            Write-Error $_.Exception.Message
        }
    }
}

if (Get-Module -ListAvailable -Name AzureAD) {
    # Check if connected to the target Azure AD tenant; connect if not
    try {
        $tenantDetail = Get-AzureADTenantDetail
    }
    catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] {
        Write-Host "You're not connected."
        Connect-AzureAD -TenantId $tenantId | Out-Null
        $tenantDetail = Get-AzureADTenantDetail
    }

    # Never assign permissions in a tenant other than the one requested
    if ($tenantDetail.ObjectId -ne $tenantId) {
        Write-Host "You're not connected to the tenant: $tenantId"
        Connect-AzureAD -TenantId $tenantId | Out-Null
        $tenantDetail = Get-AzureADTenantDetail
        if ($tenantDetail.ObjectId -ne $tenantId) {
            throw "Connected to tenant $($tenantDetail.ObjectId) but expected $tenantId. Aborting."
        }
    }

    # Managed identity service principal for the SCIM App Service | Found in App Service -> Identity
    $ManagedIdentitiesServicePrincipal = Get-AzureADServicePrincipal -Filter "ObjectId eq '$appServiceObjectID'"
    if ($null -eq $ManagedIdentitiesServicePrincipal) {
        throw "Managed Identity for the app service is not found. `nApp Service Object ID: $appServiceObjectID "
    }

    # Resource Name : Microsoft Graph | Resource URI : https://graph.microsoft.com | Application ID : 00000003-0000-0000-c000-000000000000
    # (this appId is the same well-known value in every tenant; the service principal's ObjectId is tenant-specific)
    $GraphAppId = "00000003-0000-0000-c000-000000000000"
    $GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

    # Assign each requested Graph application permission (app role) to the managed identity
    foreach ($PermissionToAdd in $PermissionsToAdd) {
        # Only app roles whose AllowedMemberTypes include "Application" can be granted to a service principal;
        # delegated scopes of the same name are not app roles and will not match here
        $AppRole = $GraphServicePrincipal.AppRoles | Where-Object { $_.Value -eq $PermissionToAdd.Trim() -and $_.AllowedMemberTypes -contains "Application" }
        if ($null -eq $AppRole) {
            Write-Error "Invalid Permission `nPermission name: $PermissionToAdd"
        }
        else {
            # Assigns the Graph app role to the managed identity's service principal
            try {
                New-AzureADServiceAppRoleAssignment -ObjectId $ManagedIdentitiesServicePrincipal.ObjectId -PrincipalId $ManagedIdentitiesServicePrincipal.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id -ErrorAction Stop | Out-Null
                Write-Host "Assigned `"$($AppRole.Value)`" to the app service managed identity"
            }
            catch {
                # The service reports an already-existing assignment as an error; treat it as a no-op
                $detail = "$($_.Exception.ErrorContent.Message.Value) $($_.Exception.Message)"
                if ($detail -match "Permission being assigned already") {
                    Write-Host "`"$($AppRole.Value)`" permission is already assigned on the app service"
                }
                else {
                    Write-Error $_
                }
            }
        }
    }
}
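As an added example, not part of the original EmpowerID script, here is the same assignment written against the Microsoft.Graph PowerShell SDK, which replaces the deprecated AzureAD module that the script above depends on. It takes the same two inputs (tenantId and the managed identity's object ID), skips app roles that are already assigned so it can be re-run safely, and finishes by listing every Graph application permission the managed identity holds and warning about any that are not in the approved list. The cmdlets are the real Microsoft.Graph ones; the mandatory-parameter declarations and the drift warning at the end are this example's own additions.

```powershell
###########################################
## GRAPH API (Microsoft.Graph SDK variant) ##
###########################################
Param(
    [Parameter(Mandatory)] [string] $tenantId,
    # Object ID of the managed identity service principal (App Service -> Identity -> Object ID)
    [Parameter(Mandatory)] [string] $appServiceObjectID,
    [string[]] $PermissionsToAdd = @("Organization.Read.All", "User.Read.All", "Group.Read.All",
                                     "GroupMember.ReadWrite.All", "Reports.Read.All", "AuditLog.Read.All")
)

# Requires the Microsoft.Graph.Applications module (Install-Module Microsoft.Graph -Scope CurrentUser)
Import-Module Microsoft.Graph.Applications -ErrorAction Stop

# Request only the delegated scopes this task needs. The signed-in user must still hold a directory
# role that may grant application permissions (e.g. Privileged Role Administrator).
Connect-MgGraph -TenantId $tenantId -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All" -NoWelcome
$ctx = Get-MgContext
if ($ctx.TenantId -ne $tenantId) {
    throw "Connected to tenant $($ctx.TenantId) but expected $tenantId. Aborting."
}

# Microsoft Graph's service principal has the same well-known appId in every tenant
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
# Fails with an error if the object ID is not a service principal in this tenant
$msiSp   = Get-MgServicePrincipal -ServicePrincipalId $appServiceObjectID -ErrorAction Stop

# Assignments already present against Graph, keyed by app role ID, so re-runs are no-ops
$existingRoleIds = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msiSp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { "$($_.AppRoleId)" })

foreach ($perm in $PermissionsToAdd) {
    # Application permissions are app roles with AllowedMemberTypes = Application (not delegated scopes)
    $role = $graphSp.AppRoles | Where-Object { $_.Value -eq $perm.Trim() -and $_.AllowedMemberTypes -contains "Application" }
    if (-not $role) {
        Write-Error "Unknown Graph application permission: $perm"
        continue
    }
    if ($existingRoleIds -contains "$($role.Id)") {
        Write-Host "Already assigned: $perm"
        continue
    }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msiSp.Id `
        -PrincipalId $msiSp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned: $perm"
}

# Verification: list what the managed identity can now do against Graph and flag anything outside
# the approved list (for example a permission someone added by hand that least privilege says to remove)
$roleById = @{}
foreach ($r in $graphSp.AppRoles) { $roleById["$($r.Id)"] = $r.Value }
$granted = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msiSp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $roleById["$($_.AppRoleId)"] })
$granted | Sort-Object | ForEach-Object { Write-Host "  granted: $_" }
$extra = $granted | Where-Object { $PermissionsToAdd -notcontains $_ }
if ($extra) { Write-Warning "Unexpected Graph permissions on the managed identity: $($extra -join ', ')" }
```

Run it as `.\Set-ScimGraphPermissions.ps1 -tenantId <guid> -appServiceObjectID <guid>`. The final listing is worth keeping in your change record: it is the evidence that the identity holds exactly the six permissions in the table and nothing more.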

Set Azure REST API Permissions

If you are managing Azure roles in EmpowerID, then in addition to setting the above permissions via PowerShell, you need to create a custom role in Azure with the permissions below and assign it to the SCIM app service managed identity, scoped to the Azure subscription(s) you want to manage in EmpowerID. These permissions allow EmpowerID to call the Azure REST API endpoints needed to manage Azure roles and user-assigned identities. Note that Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleDefinitions/write are highly privileged: a principal holding them at subscription scope can grant any role, including Owner, within that scope. Keep the custom role's assignable scopes limited to the subscriptions EmpowerID actually manages, and protect the SCIM app service, and anything that can deploy code to it, accordingly.

Table 1: Permissions needed to manage Azure roles in EmpowerID

Provider operation names must be spelled exactly as shown (note userAssignedIdentities); the portal labels used in the steps below map onto these operations.

| Azure REST API / Permissions name | Access Granted by Permissions | Used By |
|---|---|---|
| Microsoft.ManagedIdentity/userAssignedIdentities/read | Gets an existing user assigned identity | App Service Managed Identity |
| Microsoft.ManagedIdentity/userAssignedIdentities/write | Create a new user assigned identity or update the tags associated with an existing user assigned identity | App Service Managed Identity |
| Microsoft.ManagedIdentity/userAssignedIdentities/delete | Delete an existing user assigned identity | App Service Managed Identity |
| Microsoft.Authorization/roleAssignments/read | Get information about a role assignment | App Service Managed Identity |
| Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope | App Service Managed Identity |
| Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope | App Service Managed Identity |
| Microsoft.Authorization/roleDefinitions/read | Get information about a role definition | App Service Managed Identity |
| Microsoft.Authorization/roleDefinitions/write | Create or update a custom role definition with specified permissions and assignable scopes | App Service Managed Identity |
| Microsoft.Authorization/roleDefinitions/delete | Delete the specified custom role definition | App Service Managed Identity |
| Microsoft.Management/managementGroups/read | View management groups | App Service Managed Identity |
| Microsoft.Resources/subscriptions/resourceGroups/read | Get resource groups | App Service Managed Identity |
| Microsoft.Resources/subscriptions/resources/read | Gets resources of a subscription | App Service Managed Identity |


To set the Azure REST API Permissions for the target subscription, do the following:

  1. In Azure, navigate to the target subscription and select Access control (IAM) from the Azure navbar.

  2. On the Access Control (IAM) page, click Add and select Add custom role.

  3. Under Basics, enter a Custom role name.

  4. Select the Permissions tab and click Add permissions.

  5. Search for Microsoft.ManagedIdentity and click the Microsoft Managed Identity tile.

  6. For Actions, under Microsoft.ManagedIdentity/userAssignedIdentities, select the following:

    • Read : Get User Assigned Identity

    • Write : Create/Update User Assigned Identity

    • Delete : Delete User Assigned Identity

  7. Click Add.

  8. Back on the Create a custom role page, click Add permissions again and then search for Microsoft.Authorization.

  9. Click the Microsoft Authorization tile and then add the below permissions:

    • Microsoft.Authorization/roleAssignments

      • Read : Get role assignment

      • Write : Create role assignment

      • Delete : Delete role assignment

    • Microsoft.Authorization/roleDefinitions

      • Read : Get role definition

      • Write : Create or update custom role definition

      • Delete : Delete custom role definition

  10. Click Add.

  11. Back on the Create a custom role page, click Add permissions again and then search for Microsoft.Management.

  12. Click the Microsoft Management tile and select Read : List Groups under Microsoft.Management/managementGroups.

  13. Click Add.

  14. Back on the Create a custom role page, click Add permissions again and then search for Microsoft.Resources.

  15. Click the Microsoft Resources tile and then select the following permissions:

    • Microsoft.Resources/subscriptions/resourcegroups

      • Read : Get Resource Group

    • Microsoft.Resources/subscriptions/resources

      • Read : Get Subscription Resources

  16. Click Add.

  17. Back on the Create a custom role page, select the Assignable scopes tab and verify the scope.

  18. Click Review + Create.

  19. Review the permissions and then click Create.

  20. Click OK to close the “created custom role” message.


    Now that you have created the custom role with the needed permissions, you need to assign the Azure AD SCIM microservice to the role.

  21. On the Access control (IAM) page, click Add > Add role assignment.

  22. In the Add role assignment pane that appears, enter the following:

    • Role – Select the custom role you just created

    • Assign access to – Managed identity, then App Service

    • Subscription – Target subscription

    • Select – The SCIM app service you created earlier.

  23. Click Save to add the role assignment.

  24. On the Access control (IAM) page, select the Role assignments tab. You should see the SCIM app service you created assigned to the custom role.
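The same result via Az PowerShell, as an added example that is not from the EmpowerID guide. It creates the custom role from the Table 1 operations with its assignable scope limited to one subscription, resolves the SCIM app service's system-assigned managed identity, assigns the role idempotently, and then lists what the identity holds so step 24 can be checked from the shell. The role name "EmpowerID SCIM Azure Role Manager", the resource group and app service name parameters, and the drift warnings on an existing role are assumptions of this example; the cmdlets are the real Az.Resources and Az.Websites ones.

```powershell
# Requires the Az.Resources and Az.Websites modules (Install-Module Az -Scope CurrentUser)
Param(
    [Parameter(Mandatory)] [string] $subscriptionId,
    [Parameter(Mandatory)] [string] $resourceGroupName,   # resource group of the SCIM app service (assumed input)
    [Parameter(Mandatory)] [string] $appServiceName,      # name of the SCIM app service (assumed input)
    [string] $roleName = "EmpowerID SCIM Azure Role Manager"  # example role name, not from the guide
)

Connect-AzAccount -Subscription $subscriptionId | Out-Null
Set-AzContext -Subscription $subscriptionId | Out-Null
$scope = "/subscriptions/$subscriptionId"

# The provider operations from Table 1, verbatim
$actions = @(
    "Microsoft.ManagedIdentity/userAssignedIdentities/read",
    "Microsoft.ManagedIdentity/userAssignedIdentities/write",
    "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Authorization/roleDefinitions/read",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/roleDefinitions/delete",
    "Microsoft.Management/managementGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resources/read"
)

# Create the custom role if it does not exist, assignable only within this subscription
$role = Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    # Clone a built-in role as a template, then replace its contents (documented Az pattern)
    $role = Get-AzRoleDefinition -Name "Reader"
    $role.Id = $null
    $role.IsCustom = $true
    $role.Name = $roleName
    $role.Description = "Lets the EmpowerID SCIM microservice manage Azure roles and user-assigned identities"
    $role.Actions.Clear()
    foreach ($a in $actions) { $role.Actions.Add($a) }
    $role.NotActions.Clear()
    $role.DataActions.Clear()
    $role.NotDataActions.Clear()
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add($scope)
    $role = New-AzRoleDefinition -Role $role
    Write-Host "Created custom role '$roleName'"
}
else {
    # Guard against drift: extra actions or a widened assignable scope silently grant more than Table 1
    $unexpected = $role.Actions | Where-Object { $actions -notcontains $_ }
    if ($unexpected) { Write-Warning "Role '$roleName' has actions beyond Table 1: $($unexpected -join ', ')" }
    if ($role.AssignableScopes -notcontains $scope) { Write-Warning "Role '$roleName' is not assignable at $scope" }
}

# Resolve the app service's system-assigned managed identity (App Service -> Identity -> Object ID)
$webApp = Get-AzWebApp -ResourceGroupName $resourceGroupName -Name $appServiceName
$principalId = $webApp.Identity.PrincipalId
if (-not $principalId) { throw "App service '$appServiceName' has no system-assigned managed identity enabled" }

# Assign the role at subscription scope; skip if the assignment already exists
$existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName -Scope $scope
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName -Scope $scope | Out-Null
    Write-Host "Assigned '$roleName' to $appServiceName ($principalId) at $scope"
}
else {
    Write-Host "'$roleName' is already assigned to $appServiceName at $scope"
}

# Verification (equivalent of step 24): every role the managed identity holds in this subscription
Get-AzRoleAssignment -ObjectId $principalId -Scope $scope |
    Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
```

The final listing should show only the custom role at the subscription scope. If the identity also appears with Owner, Contributor or User Access Administrator, it has more than it needs for EmpowerID and those assignments should be removed before going live.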


Next Steps

Connect EmpowerID to Azure Active Directory
