You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.


Assign Permissions to the App Service



Version 21

As the app service calls Microsoft Graph, you need to assign to its service principal the permissions required for your use case. You assign these permissions using the Azure CLI, a command-line tool that you use to connect to Azure and execute administrative commands on Azure resources.

To assign permissions to the service principal, you need to complete the following tasks:

  1. Install Azure CLI on your machine (if not already installed).

  2. Open an administrative command prompt or PowerShell session and run the permissions script included in this topic.

Install Azure CLI

If Azure CLI is not installed on your machine, please see Microsoft’s instructions for doing so here: Install the Azure CLI for Windows | Microsoft Docs.

Set Graph API Permissions

To set Graph API permissions, execute the below script in either an administrative command prompt or PowerShell session. When executing the script, Azure prompts you to log in to your tenant. Be sure to authenticate with the credentials of a user who can add Microsoft Graph permissions to the App Service managed identity (owner at the tenant level).

The default script assigns the permissions listed in Table 1 to the managed identity. Before executing the script, change the permissions as needed for your scenario. For example, one of the permissions being assigned is Directory.Read.All. This allows the app to read data in your organization's directory, such as users, groups, and apps. If you want both to read and write data in your organization's directory, such as creating and deleting Azure users and groups in EmpowerID, then you would change the permission to Directory.ReadWrite.All.

Table 1: Default Permissions included with the Permissions script. Change the permissions from Read to ReadWrite according to your needs. For example, change GroupMember.Read.All to GroupMember.ReadWrite.All if you want to both read and update group memberships in EmpowerID.

Graph API / Permissions name | Access Granted by Permissions | Used By
---------------------------- | ----------------------------- | -------
AuditLog.Read.All | Read audit log data | App Service Managed Identity
Group.Read.All | Read group data | App Service Managed Identity
GroupMember.Read.All | Read group memberships | App Service Managed Identity
User.Read.All | Read user profile | App Service Managed Identity
Reports.Read.All | Read report data | App Service Managed Identity
Organization.Read.All | Read organization information | App Service Managed Identity
Policy.Read.All | Read your organization’s policies | App Service Managed Identity
Policy.ReadWrite.ConditionalAccess | Read and write your organization’s conditional access policies | App Service Managed Identity
Domain.Read.All | List domains | App Service Managed Identity
Directory.Read.All | Read data in your organization’s directory, such as users, groups and apps | App Service Managed Identity
Application.Read.All | Read applications and service principals | App Service Managed Identity

In addition to adding the permissions, you need to enter values for the below parameters:

  • webApp – Name of the app service you created for the Azure AD SCIM microservice

When running the script, Azure will open your default browser and prompt you for credentials. Be sure to authenticate to Azure as a user with adequate permissions to execute it in Azure AD (owner at the tenant level). Once you have authenticated, the rest of the script will execute. Additionally, change the permissions from Read to ReadWrite as needed for your particular scenario.

az login

# Name of the app service you created for the Azure AD SCIM microservice
$webApp="<Web-App-Name>"
# Object ID of the app service's system-assigned managed identity
$sprincipal_id=$(az resource list -n $webApp --query "[*].identity.principalId" --out tsv)
# Object ID of the Microsoft Graph service principal in your tenant
# (Azure CLI 2.37 and later expose it as id; older releases used objectId)
$graphResourceId=$(az ad sp list --display-name "Microsoft Graph" --query "[0].id || [0].objectId" --out tsv)
$uri="https://graph.microsoft.com/v1.0/servicePrincipals/$sprincipal_id/appRoleAssignments"
# Change Read to ReadWrite below only where your scenario requires write access
$PermissionsToAdd = @("Directory.Read.All","Organization.Read.All", "User.Read.All", "Group.Read.All", "GroupMember.Read.All", "Reports.Read.All", "AuditLog.Read.All","Policy.Read.All","Policy.ReadWrite.ConditionalAccess","Application.Read.All","Domain.Read.All" )

$PermissionsToAdd | foreach {
    # Look up the app role ID for this permission name (application permissions only)
    $appRoleId=$(az ad sp list --display-name "Microsoft Graph" --query "[0].appRoles[?value=='$($_)' && contains(allowedMemberTypes, 'Application')].id" --output tsv)
    if (-not $appRoleId) { Write-Warning "No application permission named $_ found on Microsoft Graph; skipping"; return }
    # Grant the app role to the managed identity
    $body="{'principalId':'$sprincipal_id','resourceId':'$graphResourceId','appRoleId':'$appRoleId'}"
    az rest --method post --uri $uri --body $body --headers "Content-Type=application/json"
}

Verify Permissions

After setting permissions for the app service, you can verify them by doing the following:

  1. In Azure, navigate to your Azure Active Directory.

  2. On the Azure Active Directory navbar, click Enterprise applications.

  3. For Application type, select Managed Identities to filter the applications.

  4. Click Apply.

  5. Click the Name link for your application.

  6. Under Security on the navbar, click Permissions.


    You should see the permissions you set in the script granted to the application. Note that Admin consent has been granted for each permission.
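The portal check above can also be scripted. The following PowerShell block is an added example, not part of the EmpowerID guide: it reads the app role assignments held by the app service's managed identity back from Microsoft Graph and diffs them against the permission list you intended to grant, so a missing role or a role granted beyond the expected list (for example a ReadWrite permission you did not mean to assign) is reported. It assumes you have already run az login, that $webApp is the app service name used in the permissions script, and that $expected is edited to match the permissions you chose; the Microsoft Graph service principal is located by its well-known application ID rather than by display name.

```powershell
# Added example (not from the EmpowerID guide): diff the Microsoft Graph app roles
# actually granted to the app service managed identity against the intended list.
$webApp   = "<Web-App-Name>"   # placeholder: the SCIM app service name
$expected = @("Directory.Read.All","Organization.Read.All","User.Read.All","Group.Read.All",
              "GroupMember.Read.All","Reports.Read.All","AuditLog.Read.All","Policy.Read.All",
              "Policy.ReadWrite.ConditionalAccess","Application.Read.All","Domain.Read.All")

# Object ID of the managed identity, looked up the same way as in the permissions script
$sprincipal_id = $(az resource list -n $webApp --query "[*].identity.principalId" --out tsv)
if (-not $sprincipal_id) { throw "No managed identity found for app service '$webApp'" }

# Microsoft Graph service principal, selected by Graph's well-known application ID;
# its appRoles collection maps app role IDs back to permission names
$graphSp = az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" --query "[0]" |
    ConvertFrom-Json
# Azure CLI 2.37+ exposes the object ID as 'id'; older releases used 'objectId'
$graphResourceId = if ($graphSp.id) { $graphSp.id } else { $graphSp.objectId }
$roleNames = @{}
foreach ($role in $graphSp.appRoles) { $roleNames[$role.id] = $role.value }

# Read back every app role assignment the identity currently holds
$uri = "https://graph.microsoft.com/v1.0/servicePrincipals/$sprincipal_id/appRoleAssignments"
$assignments = az rest --method get --uri $uri | ConvertFrom-Json
$granted = @($assignments.value |
    Where-Object { $_.resourceId -eq $graphResourceId } |
    ForEach-Object { $roleNames[$_.appRoleId] })

$missing = @($expected | Where-Object { $granted -notcontains $_ })
$extra   = @($granted  | Where-Object { $expected -notcontains $_ })

"Granted Microsoft Graph application permissions:"
$granted | Sort-Object | ForEach-Object { "  $_" }
if ($missing) { Write-Warning ("Expected but not granted: " + ($missing -join ", ")) }
if ($extra)   { Write-Warning ("Granted beyond the expected list, review for least privilege: " + ($extra -join ", ")) }
if (-not $missing -and -not $extra) { "Permissions match the expected list." }
```

Run the block from the same PowerShell session you used for the permissions script. Because the assignments are read from Graph rather than from the portal view, the check can be repeated after any later change to the tenant, which makes it a convenient periodic control that the identity has not accumulated permissions it no longer needs.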

Set Azure REST API Permissions

If you are managing Azure roles and management groups in EmpowerID, in addition to setting the above permissions for user, group, and license management, you need to add the below permissions scoped to the appropriate Azure subscription(s) you want to manage in EmpowerID. These permissions allow EmpowerID to call the relevant Azure REST API endpoints needed to manage Azure roles and management groups.

Table 2: Permissions needed to manage Azure roles in EmpowerID

Azure REST API / Permissions name | Access Granted by Permissions | Used By
--------------------------------- | ----------------------------- | -------
Microsoft.ManagedIdentity/userAssignedIdentities/write | User Assigned Identities - Create | App service managed identity
Microsoft.Authorization/roleAssignments/write | Role Assignments - Create | App service managed identity
Microsoft.Authorization/roleAssignments/read | Role Assignments - Delete | App service managed identity
Microsoft.Authorization/classicAdministrators/read | Classic Administrators - List | App service managed identity
Microsoft.ManagedIdentity/userAssignedIdentities/read | User Assigned Identities - List By Resource Group / Subscription | App service managed identity
Microsoft.ManagedIdentity/userAssignedIdentities/delete | User Assigned Identities - Delete | App service managed identity
Microsoft.ManagedIdentity/userAssignedIdentities/write | User Assigned Identities - Create Or Update (UPDATE) | App service managed identity
Microsoft.Authorization/roleAssignments/read | Role Assignments - Get | App service managed identity
Microsoft.Authorization/roleAssignments/delete | Role Assignments - Delete | App service managed identity
Microsoft.Authorization/roleDefinitions/read | Role Definitions - Get | App service managed identity
Microsoft.Authorization/roleDefinitions/write | Role Definitions - Create | App service managed identity
Microsoft.Authorization/roleDefinitions/delete | Role Definitions - Delete | App service managed identity
Microsoft.Authorization/roleDefinitions/write | Role Definitions - Update | App service managed identity
Microsoft.Management/managementGroups/read | Management Groups - Get | App service managed identity
Microsoft.Resources/subscriptions/resourceGroups/read | Resource Groups - List | App service managed identity
Microsoft.Resources/subscriptions/resources | Resources - List | App service managed identity
Microsoft.Authorization/roleAssignments/read | Role Assignments - List | App service managed identity
Microsoft.Authorization/roleDefinitions/read | Role Definitions - List | App service managed identity
Microsoft.Resources/tenant/read | Tenants - List | App service managed identity
Microsoft.Resources/subscriptions/read | Subscriptions | App service managed identity
Microsoft.Consumption/usageDetails/read | Usage Details - List | App service managed identity

To set the Azure REST API Permissions for the target subscription, do the following:

  1. In Azure, navigate to the target subscription and select Access control (IAM) from the Azure navbar.

  2. On the Access Control (IAM) page, click Add and select Add custom role.

  3. Under Basics, enter a Custom role name.

  4. Select the Permissions tab and click Add permissions.

  5. Search for Microsoft.ManagedIdentity and click the Microsoft Managed Identity tile.

  6. For Actions, under Microsoft.ManagedIdentity/userAssignedIdentities, select the following:

    • Read : Get User Assigned Identity

    • Write : Create/Update User Assigned Identity

    • Delete : Delete User Assigned Identity

  7. Click Add.

  8. Back on the Create a custom role page, click Add permissions again and then search for Microsoft.Authorization.

  9. Click the Microsoft Authorization tile and then add the below permissions:

    • Microsoft.Authorization/roleAssignments

      • Read : Get role assignment

      • Write : Create role assignment

      • Delete : Delete role assignment

    • Microsoft.Authorization/roleDefinitions

      • Read : Get role definition

      • Write : Create or update custom role definition

      • Delete : Delete custom role definition

  10. Click Add.

  11. Back on the Create a custom role page, click Add permissions again and then search for Microsoft.Authorization.

  12. Click the Microsoft Management tile and select Read : List Groups under Microsoft.Management/managementGroups.

  13. Click Add.

  14. Back on the Create a custom role page, click Add permissions again, and then search for Microsoft.Resources.

  15. Click the Microsoft Resources tile and then select the following permissions:

    • Microsoft.Resources/subscriptions/resourcegroups

      • Read : Get Resource Group

    • Microsoft.Resources/subscriptions/resources

      • Read : Get Subscription Resources

    • Microsoft.Resources/tenant

      • Read : Get Tenants

  16. Click Add.

  17. Back on the Create a custom role page, select the Assignable scopes tab and verify the scope.

  18. Click Review + Create.

  19. Review the permissions and then click Create.

  20. Click OK to close the “created custom role” message.


    Now that you have created the custom role with the needed permissions, you need to assign the Azure AD SCIM microservice to the role.

  21. On the Access control (IAM) page, click Add > Add role assignment.

  22. In the Add role assignment pane that appears, enter the following:

    • Role – Select the custom role you just created

    • Assign access to – App Service

    • Subscription – Target subscription

    • Select – The SCIM app service you created earlier.

  23. Click Save to add the role assignment.

  24. On the Access control (IAM) page, select the Role assignments tab. You should see the SCIM app service you created assigned to the custom role.
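The same custom role can be created and assigned from the command line, which keeps the action list under version control and makes it easy to reproduce across subscriptions. The following PowerShell block is an added example, not part of the EmpowerID guide: it writes a role definition containing the actions selected in steps 6 through 15, creates the role with Azure CLI, assigns it to the app service's managed identity at the target subscription scope, and lists the resulting assignment. The subscription ID, app service name and the role name "EmpowerID Azure Role Manager" are placeholders you must replace; the action strings are taken from the steps above, so confirm each one against the provider's published operations before creating the role.

```powershell
# Added example (not from the EmpowerID guide): build the custom role from the
# actions listed in the steps above with Azure CLI and assign it to the app
# service's managed identity at subscription scope. Replace the placeholders.
$subscriptionId = "<Subscription-Id>"             # placeholder: target subscription
$webApp         = "<Web-App-Name>"                # placeholder: the SCIM app service
$roleName       = "EmpowerID Azure Role Manager"  # hypothetical custom role name
$scope          = "/subscriptions/$subscriptionId"

# Action strings follow the guide's steps; confirm each against the provider's
# operation list (for example: az provider operation show --namespace Microsoft.Resources)
# before creating the role, since an unknown action string is rejected.
$roleDefinition = [ordered]@{
    Name             = $roleName
    IsCustom         = $true
    Description      = "Actions EmpowerID needs to manage Azure roles and management groups"
    Actions          = @(
        "Microsoft.ManagedIdentity/userAssignedIdentities/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/write",
        "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "Microsoft.Authorization/roleDefinitions/read",
        "Microsoft.Authorization/roleDefinitions/write",
        "Microsoft.Authorization/roleDefinitions/delete",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resources/read",
        "Microsoft.Resources/tenant/read"
    )
    NotActions       = @()
    # Keep the role assignable only at the subscription that needs it
    AssignableScopes = @($scope)
}
$roleFile = Join-Path $env:TEMP "empowerid-custom-role.json"
$roleDefinition | ConvertTo-Json -Depth 5 | Set-Content -Path $roleFile -Encoding ascii

# Create the role definition, then bind the managed identity to it at the subscription
az role definition create --role-definition "@$roleFile"
$sprincipal_id = $(az resource list -n $webApp --query "[*].identity.principalId" --out tsv)
if (-not $sprincipal_id) { throw "No managed identity found for app service '$webApp'" }
az role assignment create --assignee-object-id $sprincipal_id `
    --assignee-principal-type ServicePrincipal --role $roleName --scope $scope

# Verify: the identity should hold the custom role, and only at this scope
az role assignment list --assignee $sprincipal_id --scope $scope `
    --query "[].{role:roleDefinitionName, scope:scope}" --out table
```

The role is written with AssignableScopes limited to the one subscription, matching step 17, so it cannot later be assigned at a broader scope without editing the definition. Because the managed identity receives roleAssignments/write and roleDefinitions/write, treat this role as privileged: review the assignment list produced at the end whenever the app service is redeployed or its identity changes.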


Next Steps

Connect EmpowerID to Azure Active Directory
