Skip to end of banner
Go to start of banner

Assign Permissions to the App Service

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

As the app service you created for the Azure AD SCIM microservice calls Microsoft Graph, you need to assign to the service principal permissions required for your use case. You assign these permissions using the Azure Cloud Shell, which is a browser-accessible shell for managing Azure resources.

Please note that Azure Cloud Shell requires an Azure file share to persist files. Using Azure Cloud Shell requires a storage account, which Azure creates for you on first use of the shell. This will incur a small monthly cost.

To assign permissions to the service principal, you need to complete the following tasks:

  1. Start an Azure Cloud Shell session.

  2. Run the permissions script included in this topic.

Set Permissions

  1. In Azure, select Cloud Shell.

  2. Select PowerShell as the script language.

  3. From the shell, open the editor.

  4. Copy the below script and paste it into the editor.

    The permissions in the script are for read/inventory only. If your use case requires additional permissions like create, update, delete, etc., you must update the script with those permissions. Additional permissions are shown in Table 1 below.

    $webApp=<"Web-App-Name">
    $sprincipal_id=$(az resource list -n $webApp --query [*].identity.principalId --out tsv)
    $graphResourceId=$(az ad sp list --display-name "Microsoft Graph" --query [0].id --out tsv)
    $uri="https://graph.microsoft.com/v1.0/servicePrincipals/$sprincipal_id/appRoleAssignments"
    $PermissionsToAdd = @("Directory.Read.All","Organization.Read.All", "User.Read.All", "Group.Read.All", "GroupMember.Read.All", "Reports.Read.All", "AuditLog.Read.All","Policy.Read.All","Policy.ReadWrite.ConditionalAccess","Application.Read.All","Domain.Read.All" )
    
    $PermissionsToAdd | foreach {
    
        $appRoleId=$(az ad sp list --display-name "Microsoft Graph" --query "[0].appRoles[?value=='$($_)' && contains(allowedMemberTypes, 'Application')].id" --output tsv)
        $body="{'principalId':'$sprincipal_id','resourceId':'$graphResourceId','appRoleId':'$appRoleId'}"
        az rest --method post --uri $uri --body $body --headers "Content-Type=application/json"
    }
    


    The editor should look similar to that shown below. The value of $PermissionsToAdd will differ according to your permissions.

  5. Set the value of $webApp to the name of the app service you created to host the Azure AD SCIM microservice.

    Be sure to enclose the name in quotation marks

    $webApp="The name of your app service"
  6. Save the script as apply-perms.ps1

  7. Back in the shell, return the name of the subscription with the app service.

    az account show
  8. Copy the name.

  9. Run the below command to set the subscription name to the value you just copied.

    az account set -s "Your Subscripton Name"
  10. Run the permissions script.

    .\apply-perms.ps1

Table 1: Permissions

 Graph API Least Privileged Permission

Access Granted by Permissions

Group.Read.All

Get group

User.Read.All

List users

Group.Create

Create group

User.ReadWrite.All

Create User

User.Read.All

Get delta (group)

User.Read.All

Get delta (user)

Contacts.Read

Get contact

Application.ReadWrite.OwnedBy

Get application

Directory.Read.All

Get appRoleAssignment

RoleManagement.Read.Directory

List members

RoleManagement.ReadWrite.Directory

Add or Remove directory role member

Group.Read.All

Get group

Group.ReadWrite.All

Delete group

Group.ReadWrite.All

Update group

Application.ReadWrite.OwnedBy

Get servicePrincipal

Application.ReadWrite.OwnedBy

Delete servicePrincipal

Application.ReadWrite.OwnedBy

Update servicePrincipal

User.ReadWrite.All

Create a User

User.Read.All

Get a User

User.ReadWrite.All

Delete a user

User.ReadWrite.All

Update a user

RoleManagement.Read.Directory

List members

RoleManagement.Read.Directory

List unifiedRoleDefinitions

RoleManagement.Read.Directory

Get directoryRole

RoleManagement.ReadWrite.Directory

Activate directoryRole

RoleManagement.ReadWrite.Directory

Add or Remove member

Directory.Read.All

List domains

User.Read.All

List members

GroupMember.ReadWrite.All

Add members

Group.Read.All

Get delta (group)

User.Read.All

Get delta (user)

Organization.Read.All

Get subscribedSku

Application.ReadWrite.OwnedBy

Get service principal

RoleManagment.Read.Directory

Get unifiedRoleAssignment

AuditLog.Read.All

List sign-ins

Group.Read.All

Get group

Group.ReadWrite.All

Delete group

Group.ReadWrite.All

Update group

User.Read.All

Get a User

User.Read.Write.All

Update a User

User.ReadWrite.All

Delete a user

Directory.AccessAsUser.All

Update a User

Microsoft.ManagedIdentity/userAssignedIdentities/write

User Assigned Identities - Create 

Microsoft.Authorization/roleAssignments/write

Role Assignments - Create

Microsoft.Authorization/roleAssignments/read

Role Assignments - Delete

Microsoft.Authorization/classicAdministrators/read

Classic Administrators - List

Microsoft.ManagedIdentity/userAssignedIdentities/read

User Assigned Identities - List By Resource Group / Subscription

Microsoft.ManagedIdentity/userAssignedIdentities/delete

User Assigned Identities - Delete

Microsoft.ManagedIdentity/userAssignedIdentities/write

User Assigned Identities - Create Or Update (UPDATE)

Microsoft.Authorization/roleAssignments/read

Role Assignments - Get

Microsoft.Authorization/roleAssignments/delete

Role Assignments - Delete

Microsoft.Authorization/roleAssignments/write

Role Assignments - Create

Microsoft.Authorization/roleDefinitions/read

Role Definitions - Get

Microsoft.Authorization/roleDefinitions/write

Role Definitions - Create

Microsoft.Authorization/roleDefinitions/delete

Role Definitions - Delete

Microsoft.Authorization/roleDefinitions/write

Role Definitions - Update

Microsoft.ManagedIdentity/userAssignedIdentities/read

User Assigned Identities - List By Resource Group / Subscription

Microsoft.Management/managementGroups/read

Management Groups - Get

Microsoft.Management/managementGroups/read

Management Groups - Get

Microsoft.Resources/subscriptions/resourceGroups/read

Resource Groups - List

Microsoft.Resources/subscriptions/resources

Resources - List

Microsoft.Authorization/roleAssignments/read

Role Assignments - List

Microsoft.Authorization/roleDefinitions/read

Role Definitions - List

Microsoft.Resources/tenant/read

Tenants - List

Microsoft.Resources/subscriptions/read

Subscriptions

Microsoft.Consumption/usageDetails/read

Usage Details - List

Create Custom Role in Azure if Managing Azures roles and Management Groups from EmpowerID

If you are managing Azure roles and management groups in EmpowerID, in addition to adding the needed permissions in the above script, you need to create a custom role and add those permissions to the role as shown in the below procedure.

  1. In Azure, navigate to the target subscription and select Access control (IAM) from the Azure navbar.

  2. On the Access Control (IAM) page, click Add and select Add custom role.

  3. Under Basics, enter a Custom role name.

  4. Select the Permissions tab and click Add permissions.

  5. Search for Microsoft.ManagedIdentity and click the Microsoft Managed Identity tile.

  6. For Actions, under Microsoft.ManagedIdentity/userAssignedIdentities, select the following:

    • Read : Get User Assigned Identity

    • Write : Create/Update User Assigned Identity

    • Delete : Delete User Assigned Identity

  7. Click Add.

  8. Back on the Create a custom role page, click Add permissions again and then search for Microsoft.Authorization.

  9. Click the Microsoft Authorization tile and then add the below permissions:

    • Microsoft.Authorization/roleAssignments

      • Read : Get role assignment

      • Write : Create role assignment

      • Delete : Delete role assignment

    • Microsoft.Authorization/roleDefinitions

      • Read : Get role definition

      • Write : Create or update custom role definition

      • Delete : Delete custom role definition

  10. Click Add.

  11. Back on the Create a custom role page, click Add permissions again and then search for Microsoft.Authorization.

  12. Click the Microsoft Management tile and select Read : List Groups under Microsoft.Management/managementGroups.

  13. Click Add.

  14. Back on the Create a custom role page, click Add permissions again, and then search for Microsoft.Resources.

  15. Click the Microsoft Resources tile and then select the following permissions:

    • Microsoft.Resources/subscriptions/resourcegroups

      • Read : Get Resource Group

    • Microsoft.Resources/subscriptions/resources

      • Read : Get Subscription Resources

    • Microsoft.Resources/tenant

      • Read : Get Tenants

  16. Click Add.

  17. Back on the Create a custom role page, select the Assignable scopes tab and verify the scope.

  18. Click Review + Create.

  19. Review the permissions and then click Create.

  20. Click OK to close the “created custom role” message.


    Now that you have created the custom role with the needed permissions, you need to assign the Azure AD SCIM microservice to the role.

  21. On the Access control (IAM) page, click Add > Add role assignment.

  22. In the Add role assignment pane that appears, enter the following:

    • Role – Select the custom role you just created

    • Assign access to – App Service

    • Subscription – Target subscription

    • Select – The SCIM app service you created earlier.

  23. Click Save to add the role assignment.

  24. On the Access control (IAM) page, select the Role assignments tab. You should see the SCIM app service you created assigned to the custom role.

Verify Permissions

After setting permissions for the app service, you can verify them by doing the following:

  1. In Azure, navigate to your Azure Active Directory.

  2. On the Azure Active Directory navbar, click Enterprise applications.

  3. For Application type, select Managed Identities to filter the applications.

  4. Click Apply.

  5. Click the Name link for your application.

  6. Under Security on the navbar, click Permissions.


    You should see the permissions you set in the script granted to the application. Note that Admin consent has been granted for each permission.


Next Steps

Connect EmpowerID to Azure Active Directory

  • No labels