In order for the app service to access the Microsoft Graph API on your behalf, you need to add the needed permissions to the service principal application you registered for the SCIM app service in Azure, as well as assign the app service to the Owner role for the Tenant Root group and grant the app service the Global reader role for the tenant.
Assign Graph API Permissions to the Service Principal application
Permissions follow the least-privilege principle and include the following:
Table 1: Graph API Permissions required for the Service Principal application
Graph API / Permissions name | Access Granted by Permissions | Used By |
AuditLog.Read.All | Read audit log data | App Service Managed Identity |
Group.Read.All | Read group data | App Service Managed Identity |
GroupMember.ReadWrite.All | Read and write group memberships | App Service Managed Identity |
User.Read.All | Read user profile | App Service Managed Identity |
User.Read | Sign in and read user profile | App Service Managed Identity |
Reports.Read.All | Read report data | App Service Managed Identity |
Organization.Read.All | Read organization information | App Service Managed Identity |
To assign Graph API permissions to the service principal application, do the following:
In your Azure tenant, navigate to Azure Active Directory and select App registrations from the Azure sidebar.
Search for the service principal application you registered for the SCIM app service and click the Display Name link for it.
Navigate to the API permissions page for the application.
Click Add a permission.
Click Microsoft Graph.
Select Application permissions.
Search for AuditLog and then expand the AuditLog permission and select AuditLog.Read.All.
Search for Group.Read.All and then expand the Group permission and select Group.Read.All.
Search for GroupMember.ReadWrite.All and then expand the GroupMember permission and select GroupMember.ReadWrite.All.
Search for User.Read.All and then expand the User permission and select User.Read.All.
Search for Reports.Read.All and then expand the Reports permission and select Reports.Read.All.
Search for Organization.Read.All and then expand the Organization permission and select Organization.Read.All.
Click Add permissions.
You should see the new permissions add to the application.
Click Grand admin consent for
<Your Tenant Name>.
Click Yes to confirm admin consent.
Assign the App service to the owner role for the Tenant Root Group
In Azure, navigate to Management Groups and select the Tenant Root Group.
Select Access Control (IAM) from the Azure navbar and then click Add role assignment (Preview).
Select Owner and click Next.
For Assign access to select User, group, or service principal.
Click Select members and then search for and select the SCIM app service you created for the Azure AD SCIM microservice.
Click Select.
Review and assign the role assignment.
Assign the App service to the Global Reader role for the tenant
Navigate to Azure Active Directory and select Roles and administrators from the navbar.
Search for and select the Global Reader role and go to Description.
Click Add assignments and then search for and select the SCIM app service you created for the Azure AD SCIM microservice.
Click Add.
Set Azure Rest API Permissions
If you are managing Azure roles in EmpowerID, in addition to setting the above permissions, you need to create a custom role in Azure and add the below permissions scoped to the appropriate Azure subscription(s) you want to manage in EmpowerID. These permissions allow EmpowerID to call the relevant Azure REST API endpoints needed to manage Azure roles.
Table 2: Permissions needed to manage Azure roles in EmpowerID
Azure REST API / Permissions name | Access Granted by Permissions | Used By |
Microsoft.ManagedIdentity/userAssignedIdentites/read | Gets an existing user assigned identity | App Service Managed Identity |
Microsoft.ManagedIdentity/userAssignedIdentites/write | Create a new user assigned identity or updates the tags associated with an existing user assigned identity | App Service Managed Identity |
Microsoft.ManagedIdentity/userAssignedIdentites/delete | Delete an existing user assigned identity | App Service Managed Identity |
Microsoft.Authorization/roleAssignments/read | Get information about a role assignment | App Service Managed Identity |
Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope | App Service Managed Identity |
Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope | |
Microsoft.Authorization/roleDefinitions/read | Get information about a role definition | App Service Managed Identity |
Microsoft.Authorization/roleDefinitions/write | Create or update a custom role definition with specified permissions and assignable scopes | App Service Managed Identity |
Microsoft.Authorization/roleDefinitions/delete | Delete the specified custom role definition | App Service Managed Identity |
Microsoft.Management/managementGroups/read | View management groups | App Service Managed Identity |
Microsoft.Resources/subscriptions/resourceGroups/read | Get resource groups | App Service Managed Identity |
Microsoft.Resources/subscriptions/resources/read | Gets resources of a subscription | App Service Managed Identity |
To set the Azure REST API Permissions for the target subscription, do the following:
In Azure, navigate to the target subscription and select Access control (IAM) from the Azure navbar.
On the Access Control (IAM) page, click Add and select Add custom role.
Under Basics, enter a Custom role name.
Select the Permissions tab and click Add permissions.
Search for Microsoft.ManagedIdentity and click the Microsoft Managed Identity tile.
For Actions, under Microsoft.ManagedIdentity/userAssignedIdentities, select the following:
Read : Get User Assigned Identity
Write : Create/Update User Assigned Identity
Delete : Delete User Assigned Identity
Click Add.
Back on the Create a custom role page, click Add permissions again and then search for Microsoft.Authorization.
Click the Microsoft Authorization tile and then add the below permissions:
Microsoft.Authorization/roleAssignments
Read : Get role assignment
Write : Create role assignment
Delete : Delete role assignment
Microsoft.Authorization/roleDefinitions
Read : Get role definition
Write : Create or update custom role definition
Delete : Delete custom role definition
Click Add.
Back on the Create a custom role page, click Add permissions again and then search for Microsoft.Management.
Click the Microsoft Management tile and select Read : List Groups under Microsoft.Management/managementGroups.
Click Add.
Back on the Create a custom role page, click Add permissions again and then search for Microsoft.Resources.
Click the Microsoft Resources tile and then select the following permissions:
Microsoft.Resources/subscriptions/resourcegroups
Read : Get Resource Group
Microsoft.Resources/subscriptions/resources
Read : Get Subscription Resources
Click Add.
Back on the Create a custom role page, select the Assignable scopes tab and verify the scope.
Click Review + Create.
Review the permissions and then click Create.
Click OK to close the “created custom role” message.
Now that you have created the custom role with the needed permissions, you need to assign the Azure AD SCIM microservice to the role.On the Access control (IAM) page, click Add > Add role assignment.
In the Add role assignment pane that appears, enter the following:
Role – Select the custom role you just created
Assign access to – App Service
Subscription – Target subscription
Select – The SCIM app service you created earlier.
Click Save to add the role assignment.
On the Access control (IAM) page, select the Role assignments tab. You should see the SCIM app service you created assigned to the custom role.
Next Steps
IN THIS ARTICLE