You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Skip to end of banner
Go to start of banner

Azure Permissions Required by Azure License Manager

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

Azure License Manager leverages EmpowerID’s Azure AD SCIM Microservice Connector. This microservice is a fully compliant SCIM 2.0 Server to which EmpowerID communicates to inventory and manage your Azure tenant licenses and security. In order to use Azure License Manager, you need to configure Azure for the SCIM microservice. Part of this configuration involves creating an App Service in Azure that has App service authentication turned on, Login with Azure Active Directory enabled for unauthenticated requests to the App service, and Azure Active Directory selected as the identity provider. This deployment model enables secure fine-grained Graph API access, requiring read access to organization, user, group, and license data in Azure AD, as well as read and write access to license groups. The microservice leverages a system-assigned managed identity and app service authentication.

Required Permissions for the Managed Identity

Required permissions for the managed identity follow the least-privilege principle and include the following:

Graph API / Permissions name

Access Granted by Permissions

Used By

AuditLog.Read.All

Read audit log data

App Service Managed Identity

Group.Read

Read group data

App Service Managed Identity

GroupMember.ReadWrite.All

Read and write group memberships

App Service Managed Identity

User.Read

Read user profile

App Service Managed Identity

Reports.Read.All

Read report data

App Service Managed Identity

Organization.Read.All

Read organization information

App Service Managed Identity

  • No labels