After you have published the SCIM microservice app to Azure, you need to run the following PowerShell script to assign several required permissions to the App Service managed identity. Required permissions follow the least-privilege principle and include the following:
Graph API / Permissions name | Access Granted by Permissions | Used By |
AuditLog.Read.All | Read audit log data | App Service Managed Identity |
Group.Read | Read group data | App Service Managed Identity |
GroupMember.ReadWrite.All | Read and write group memberships | App Service Managed Identity |
User.Read | Read user profile | App Service Managed Identity |
Reports.Read.All | Read report data | App Service Managed Identity |
Organization.Read.All | Read organization information | App Service Managed Identity |
The above permissions have been added to the script's PermissionsToAdd parameter, shown below. In addition to adding the permissions, you need to enter values for these parameters:
tenantID — Your Tenant ID
appServiceObjectID — Object ID of the SCIM App Service
When running the script, be sure to authenticate to Azure as a user with adequate permissions to execute it in Azure AD (owner at the tenant level).
############### ## GRAPH API ## ############### Param( $tenantId = "", $appServiceObjectID = "", $PermissionsToAdd = @("Organization.Read.All", "User.Read.All", "Group.Read.All", "GroupMember.ReadWrite.All", "Reports.Read.All") ) # Install AzureAD module if not installed if (-Not(Get-Module -ListAvailable -Name AzureAD)) { Install-Module AzureAD -Force } # Check if connected to the target Azure AD Tenant try { $tenantDetail = Get-AzureADTenantDetail } catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] { Write-Host "You're not connected."; Connect-AzureAD -TenantId $tenantId; $tenantDetail = Get-AzureADTenantDetail } if ($tenantDetail.ObjectId -ne $tenantId) { Write-Host "You're not connected to the tenant: " $tenantId; Connect-AzureAD -TenantId $tenantId; } # Managed Identity for the SCIM App Service | Found in App Service -> Identity $ManagedIdentitiesServicePrincipal = Get-AzureADServicePrincipal -Filter "ObjectId eq `'$appServiceObjectID`'" if ($ManagedIdentitiesServicePrincipal -eq $null) { throw "Managed Identity for the app service is not found. `nApp Service Object ID: $appServiceObjectID " } # Resource Name : Microsoft Graph | Resource URI : https://graph.microsoft.com | Application ID : 00000003-0000-0000-c000-000000000000 $GraphAppId = "00000003-0000-0000-c000-000000000000" $GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'" # Permissions foreach ($PermissionToAdd in $PermissionsToAdd) { $AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionToAdd.Trim() -and $_.AllowedMemberTypes -contains "Application"} if ($AppRole -eq $null) { Write-Error "Invalid Permission `nPermission name: $PermissionToAdd" } else { # Assigns a Graph API service principal to an application role try { New-AzureAdServiceAppRoleAssignment -ObjectId $ManagedIdentitiesServicePrincipal.ObjectId -PrincipalId $ManagedIdentitiesServicePrincipal.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id -ErrorAction Stop } catch { if ($_.Exception.ErrorContent.Message.Value -eq "Permission being assigned already exists on the object") { Write-Host "`""$AppRole.DisplayName"`"" " Permission is already assigned on the app service" } else { Write-Error $_ } } } }