Perms Azure AAD SCIM Resource System Config
- Phillip Hanegan
Inventory data and required permissions include the following:
Inventory Data | Least privileged permission | Higher privileged permissions |
|---|---|---|
Azure Applications | Application.ReadWrite.OwnedBy | Application.ReadWrite.All, Directory.Read.All |
Azure Application Templates | No additional permissions required | No additional permissions required |
Conditional Access Policies | Policy.Read.All | No additional permissions required |
Service Principals | Application.ReadWrite.OwnedBy | Application.ReadWrite.All, Directory.Read.All |
Application Role Assignments for Service Principals | Directory.Read.All | Directory.ReadWrite.All |
Inventory data and required permissions include the following:
Inventory Data | Least privileged permission | Higher privileged permissions |
|---|---|---|
Azure Directory Roles | RoleManagement.Read.Directory | RoleManagement.ReadWrite.Directory, Directory.Read.All, Directory.ReadWrite.All |
Azure Directory Role Templates | Same as above | Same as above |
Azure Directory Role Members | Same as above | Same as above |
Inventory data and required permissions include the following:
Inventory Data | Least privileged permission | Higher privileged permissions |
|---|---|---|
Subscribed SKU | Organization.Read.All | Directory.Read.All, Organization.ReadWrite.All, Directory.ReadWrite.All |
Inventory data and required permissions include the following:
Inventory Data | Permissions |
|---|---|
Management Groups | Microsoft.Management/managementGroups/read |
Subscriptions | Subscriptions |
Resource Groups | Microsoft.Resources/subscriptions/resourceGroups/read |
RBAC Role Definitions | Microsoft.Authorization/roleDefinitions/read |
Resources | Microsoft.Resources/subscriptions/resources |
RBAC Role Assignments | Microsoft.Authorization/roleAssignments/read |
Managed Identities | Microsoft.ManagedIdentity/userAssignedIdentities/read |
Classic Administrators | Microsoft.Authorization/classicAdministrators/read |
Inventory Data | Least privileged permission | Higher privileged permissions |
|---|---|---|
Org Contact | Contacts.Read | Contacts.ReadWrite |
Inventory data and required permissions include the following:
Inventory Data | Least privileged permission | Higher privileged permissions |
|---|---|---|
Directory Role Members Scoped to Directory | RoleManagement.Read.Directory | Directory.Read.All, Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory |
Directory Role Members Scoped to Application | Same as above | Same as above |
Inventory data and required permissions include the following:
Inventory Data | Permissions |
|---|---|
Azure Sign-In Activity | Reports.Read.All |
Â
Â