Azure License Manager uses EmpowerID's Azure AD SCIM Microservice Connector. The microservice is a fully compliant SCIM 2.0 server with which EmpowerID communicates to inventory and manage the licenses and security of your Azure tenant. Before you can use Azure License Manager, you must configure Azure for the SCIM microservice. Part of this configuration is creating an App Service in Azure with App Service authentication turned on, "Log in with Azure Active Directory" selected as the action for unauthenticated requests, and Azure Active Directory selected as the identity provider. This deployment model gives the microservice fine-grained Graph API access: read access to organization, user, group, and license data in Azure AD, plus read and write access to license groups. The microservice authenticates to Graph with the App Service's system-assigned managed identity rather than a stored client secret, and its own endpoints are protected by App Service authentication.
Required Permissions for the Managed Identity
The permissions are granted to the managed identity itself, as Microsoft Graph application permissions (app roles) assigned to the identity's service principal, not as delegated permissions on a separate app registration. They follow the least-privilege principle and include the following. Note that GroupMember.ReadWrite.All is the only write permission in the set and allows membership changes on all groups in the tenant (role-assignable groups excepted), so the identity should be granted nothing beyond this list and its app role assignments should be reviewed periodically.
| Graph API permission name | Access granted by permission | Used by |
| --- | --- | --- |
| AuditLog.Read.All | Read audit log data | App Service Managed Identity |
| Group.Read.All | Read group data | App Service Managed Identity |
| GroupMember.ReadWrite.All | Read and write group memberships | App Service Managed Identity |
| User.Read.All | Read user profile data | App Service Managed Identity |
| Reports.Read.All | Read report data | App Service Managed Identity |
| Organization.Read.All | Read organization information | App Service Managed Identity |
Your EmpowerID consulting team can provide a PowerShell script that automates assignment of these permissions to your managed identity.
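The following is an added example of how such an assignment can be scripted with the Microsoft Graph PowerShell SDK; it is not the EmpowerID consulting script and is not part of this page's original content. It assumes the object ID of the App Service's system-assigned managed identity (from the App Service's Identity blade) is passed as `-ManagedIdentityObjectId`, that the caller can grant app roles (for example `AppRoleAssignment.ReadWrite.All` plus `Application.Read.All`), and that the well-known Microsoft Graph application ID `00000003-0000-0000-c000-000000000000` resolves to the Graph service principal in your tenant. The script is idempotent and also reports any Graph application permission on the identity that is outside the required list, which is the check you want when auditing least privilege.

```powershell
# Added example (not EmpowerID's script): grant the Microsoft Graph application
# permissions required by the SCIM microservice to an App Service managed identity.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
param(
    [Parameter(Mandatory)] [string] $ManagedIdentityObjectId,  # placeholder: object ID of the managed identity
    [Parameter(Mandatory)] [string] $TenantId                  # placeholder: your Azure AD tenant ID
)

Import-Module Microsoft.Graph.Applications

# The exact set from the permissions table; anything else on the identity is flagged below.
$requiredRoles = @(
    'AuditLog.Read.All',
    'Group.Read.All',
    'GroupMember.ReadWrite.All',
    'User.Read.All',
    'Reports.Read.All',
    'Organization.Read.All'
)

Connect-MgGraph -TenantId $TenantId -Scopes 'AppRoleAssignment.ReadWrite.All', 'Application.Read.All'

# Microsoft Graph's service principal has the same well-known appId in every tenant.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
if (-not $graphSp) { throw 'Microsoft Graph service principal not found in this tenant' }

# A managed identity is itself a service principal, so it is looked up the same way.
$mi = Get-MgServicePrincipal -ServicePrincipalId $ManagedIdentityObjectId
if (-not $mi) { throw "Managed identity $ManagedIdentityObjectId not found" }

# Current app role assignments, used both for idempotency and for the least-privilege check.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -All
$graphRoleNameById = @{}
foreach ($r in $graphSp.AppRoles) { $graphRoleNameById[$r.Id] = $r.Value }

foreach ($roleName in $requiredRoles) {
    # Application permissions are the AppRoles that allow 'Application' members
    # (as opposed to delegated scopes, which live under Oauth2PermissionScopes).
    $role = $graphSp.AppRoles | Where-Object {
        $_.Value -eq $roleName -and $_.AllowedMemberTypes -contains 'Application'
    }
    if (-not $role) { throw "Graph application permission $roleName not found" }

    $already = $existing | Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graphSp.Id }
    if ($already) {
        Write-Host "Already assigned: $roleName"
        continue
    }

    # Assign the Graph app role to the managed identity's service principal.
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id `
        -PrincipalId $mi.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned: $roleName"
}

# Least-privilege check: any Graph application permission not in the required list.
$extra = $existing | Where-Object {
    $_.ResourceId -eq $graphSp.Id -and ($graphRoleNameById[$_.AppRoleId] -notin $requiredRoles)
}
foreach ($e in $extra) {
    Write-Warning "Managed identity holds a Graph permission outside the required set: $($graphRoleNameById[$e.AppRoleId])"
}
```

Run it once after enabling the system-assigned identity on the App Service; re-running it is safe because existing assignments are skipped. To verify the end state independently, list the identity's assignments with `Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId <object ID> -All` and confirm that exactly the six roles above appear with the Graph service principal as the resource.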