You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
Skip to end of banner
Go to start of banner

Assign Permissions to the App Service

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 16 Next »

As the app service calls Microsoft Graph, you need to assign to the service principal permissions required for your use case. You assign these permissions using the Azure CLI, which is a command-line tool that use to connect to Azure and execute administrative commands on Azure resources.

To assign permissions to the service principal, you need to complete the following tasks:

  1. Install Azure CLI on your machine (if not already installed).

  2. Open an administrative command prompt or PowerShell session and run the permissions script included in this topic.

Install Azure CLI

If Azure CLI is not installed on your machine, please see Microsoft’s instructions for doing so here: Install the Azure CLI for Windows | Microsoft Docs.

Set Graph API Permissions

To set Graph API permissions, execute the below script in either an administrative command prompt or PowerShell session. When executing the script, Azure prompts you to log in to your tenant. Be sure to authenticate with the credentials of a user who can add Microsoft Graph permissions to the App Service managed identity (owner at the tenant level).

The default script assigns the permissions listed in Table 1 to the managed identity. Before executing the script, change the permissions as needed for your scenario. For example, one of the permissions being assigned is Directory.Read.All. This allows the app to read data in your organization's directory, such as users, groups, and apps. If you want both to read and write data in your organization's directory, such as creating and deleting Azure users and groups in EmpowerID, then you would change the permission to Directory.ReadWrite.All.

Table 1: Default Permissions included with the Permissions script. Change the permissions from Read to ReadWrite according to your needs. For example, change GroupMember.Read.All to GroupMember.ReadWrite.All if you want to both read and update group memberships in EmpowerID.

Graph API / Permissions name

Access Granted by Permissions

Used By

AuditLog.Read.All

Read audit log data

App Service Managed Identity

Group.Read.All

Read group data

App Service Managed Identity

GroupMember.Read.All

Read group memberships

App Service Managed Identity

User.Read.All

Read user profile

App Service Managed Identity

Reports.Read.All

Read report data

App Service Managed Identity

Organization.Read.All

Read organization information

App Service Managed Identity

Policy.Read.All

Read your organization’s policies

App Service Managed Identity

Policy.ReadWrite.ConditionalAccess

Read and write your organization’s conditional access policies

App Service Managed Identity

Domain.Read.All

List domains

App Service Managed Identity

Directory.Read.All

Read data in your organization’s directory, such as users, groups and apps

App Service Managed Identity

Application.Read.All

Read applications and service principals

App Service Managed Identity

In addition to adding the permissions, you need to enter values for the below parameters:

  • webApp — Name of the app service you created for the Azure AD SCIM microservice

When running the script, Azure will open your default browser and prompt you for credentials. Be sure to authenticate to Azure as a user with adequate permissions to execute it in Azure AD (owner at the tenant level). Once you have authenticated, the rest of the script will execute.

az login 

$webApp=<"Web-App-Name">
$sprincipal_id=$(az resource list -n $webApp --query [*].identity.principalId --out tsv)
$graphResourceId=$(az ad sp list --display-name "Microsoft Graph" --query [0].objectId --out tsv)
$uri="https://graph.microsoft.com/v1.0/servicePrincipals/$sprincipal_id/appRoleAssignments"
$PermissionsToAdd = @("Directory.Read.All","Organization.Read.All", "User.Read.All", "Group.Read.All", "GroupMember.Read.All", "Reports.Read.All", "AuditLog.Read.All","Policy.Read.All","Policy.ReadWrite.ConditionalAccess","Application.Read.All","Domain.Read.All" )

$PermissionsToAdd | foreach {

    $appRoleId=$(az ad sp list --display-name "Microsoft Graph" --query "[0].appRoles[?value=='$($_)' && contains(allowedMemberTypes, 'Application')].id" --output tsv)
    $body="{'principalId':'$sprincipal_id','resourceId':'$graphResourceId','appRoleId':'$appRoleId'}"
    az rest --method post --uri $uri --body $body --headers "Content-Type=application/json"
}

Next Steps

Connect EmpowerID to Azure Active Directory

  • No labels