After you have published the SCIM microservice app to Azure, run the PowerShell script at the end of this page to assign Microsoft Graph API permissions to the app service's managed identity. The Azure REST API permissions are Azure RBAC actions rather than Graph permissions; they are granted separately through role assignments, as described under Set Azure REST API Permissions.
Set Graph API Permissions
Permissions follow the least-privilege principle. All of the entries below are Microsoft Graph application permissions (app roles), which is the only kind of Graph permission a managed identity can hold; the ones needed to manage Azure licenses are:
Table 1: Permissions needed to manage Azure licenses in EmpowerID
| Graph API / Permissions name | Access Granted by Permissions | Used By |
|---|---|---|
| AuditLog.Read.All | Read all audit log data | App Service Managed Identity |
| Group.Read.All | Read all groups | App Service Managed Identity |
| GroupMember.ReadWrite.All | Read and write all group memberships | App Service Managed Identity |
| User.Read.All | Read all users' full profiles | App Service Managed Identity |
| Reports.Read.All | Read all usage reports | App Service Managed Identity |
| Organization.Read.All | Read organization information | App Service Managed Identity |
Set Azure REST API Permissions
If you are managing Azure roles and management groups in EmpowerID, you need the Azure RBAC actions below in addition to the Graph permissions above. These are not Microsoft Graph permissions and the PowerShell script does not assign them: grant them by assigning the app service managed identity a role (a built-in role, or a custom role definition that contains exactly these actions) at the scope of each Azure subscription you want to manage in EmpowerID. Actions on management groups (Microsoft.Management/managementGroups/read and the role definition operations served by the /v1/ManagementGroup/... endpoints) only take effect when the assignment is made at management group scope, not at a subscription beneath it. With these actions EmpowerID can call the Azure REST API endpoints needed to manage Azure roles and management groups.
Table 2: Permissions needed to manage Azure roles in EmpowerID
| SCIM Endpoint | Azure REST API / Permissions name | Access Granted by Permissions | Used By |
|---|---|---|---|
| /v1/{0}:{1}/managedidentities | Microsoft.ManagedIdentity/userAssignedIdentities/write | User Assigned Identities - Create | App service managed identity |
| /v1/{0}/roleAssignment | Microsoft.Authorization/roleAssignments/write | Role Assignments - Create | App service managed identity |
| /v1/classicadministrator/{0} | Microsoft.Authorization/classicAdministrators/read | Classic Administrators - List | App service managed identity |
| /v1/{0}:{1}/managedidentities/{2} | Microsoft.ManagedIdentity/userAssignedIdentities/read | User Assigned Identities - List By Resource Group / Subscription | App service managed identity |
| /v1/{0}:{1}/managedidentities/{2} | Microsoft.ManagedIdentity/userAssignedIdentities/delete | User Assigned Identities - Delete | App service managed identity |
| /v1/{0}:{1}/managedidentities/{2} | Microsoft.ManagedIdentity/userAssignedIdentities/write | User Assigned Identities - Create Or Update (UPDATE) | App service managed identity |
| /v1/{0}/roleAssignment/{1} | Microsoft.Authorization/roleAssignments/read | Role Assignments - Get | App service managed identity |
| /v1/{0}/roleAssignment/{1} | Microsoft.Authorization/roleAssignments/delete | Role Assignments - Delete | App service managed identity |
| /v1/{0}/roleAssignment/{1} | Microsoft.Authorization/roleAssignments/write | Role Assignments - Create | App service managed identity |
| /v1/ManagementGroup/roleDefinition/{0} | Microsoft.Authorization/roleDefinitions/read | Role Definitions - Get | App service managed identity |
| /v1/ManagementGroup/roleDefinition/{0} | Microsoft.Authorization/roleDefinitions/write | Role Definitions - Create | App service managed identity |
| /v1/ManagementGroup/roleDefinition/{0} | Microsoft.Authorization/roleDefinitions/delete | Role Definitions - Delete | App service managed identity |
| /v1/ManagementGroup/roleDefinition/{0} | Microsoft.Authorization/roleDefinitions/write | Role Definitions - Update | App service managed identity |
| /v1/{0}/managedidentities | Microsoft.ManagedIdentity/userAssignedIdentities/read | User Assigned Identities - List By Resource Group / Subscription | App service managed identity |
| /v1/managementgroups/{0} | Microsoft.Management/managementGroups/read | Management Groups - Get | App service managed identity |
| /v1/managementgroups | Microsoft.Management/managementGroups/read | Management Groups - List | App service managed identity |
| /v1/{0}/resourcegroups | Microsoft.Resources/subscriptions/resourceGroups/read | Resource Groups - List | App service managed identity |
| /v1/{0}/resources | Microsoft.Resources/subscriptions/resources/read | Resources - List | App service managed identity |
| /v1/{0}/roleAssignment | Microsoft.Authorization/roleAssignments/read | Role Assignments - List | App service managed identity |
| /v1/{0}/roleDefinition | Microsoft.Authorization/roleDefinitions/read | Role Definitions - List | App service managed identity |
| /v1/tenants | Microsoft.Resources/tenants/read | Tenants - List | App service managed identity |
| /v1/subscriptions | Microsoft.Resources/subscriptions/read | Subscriptions - List | App service managed identity |
| /v1/{0}/SubscriptionUsages | Microsoft.Consumption/usageDetails/read | Usage Details - List | App service managed identity |
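The following script is an added example and is not part of the EmpowerID documentation or its own scripts. It shows one way to grant the Table 2 actions with least privilege: a custom Azure role containing exactly those actions, assigned to the app service managed identity at the scope of a single subscription, followed by a check that the identity does not also hold a broader built-in role there. It assumes the Az.Accounts and Az.Resources modules are installed, that the signed-in user is Owner or User Access Administrator on the target subscription, and that the parameter values and the role name are placeholders chosen for this example.

```powershell
# Added example, not part of the EmpowerID documentation or its scripts.
# Grants the Azure RBAC actions from Table 2 to the SCIM app service managed identity
# through a custom role assigned at subscription scope, then reports any broader
# built-in roles the identity also holds at that scope.
# Assumptions (placeholders, not values from the page): Az.Accounts and Az.Resources are
# installed; $subscriptionId is the subscription to manage; $appServiceObjectID is the
# managed identity's object ID; $roleName is an arbitrary name chosen here.
Param(
    [Parameter(Mandatory)] [string] $subscriptionId,
    [Parameter(Mandatory)] [string] $appServiceObjectID,
    [string] $roleName = "EmpowerID SCIM Azure Role Management"
)

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $subscriptionId | Out-Null
$scope = "/subscriptions/$subscriptionId"

# Control-plane actions taken from the "Azure REST API / Permissions name" column of Table 2.
$actions = @(
    "Microsoft.ManagedIdentity/userAssignedIdentities/read",
    "Microsoft.ManagedIdentity/userAssignedIdentities/write",
    "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Authorization/roleDefinitions/read",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/roleDefinitions/delete",
    "Microsoft.Authorization/classicAdministrators/read",
    "Microsoft.Management/managementGroups/read",
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resources/read",
    "Microsoft.Consumption/usageDetails/read"
)

# Create the custom role once; later runs reuse the existing definition.
$role = Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $definition = [ordered]@{
        Name             = $roleName
        IsCustom         = $true
        Description      = "Azure REST API actions EmpowerID needs to manage roles and management groups"
        Actions          = $actions
        NotActions       = @()
        DataActions      = @()
        NotDataActions   = @()
        AssignableScopes = @($scope)
    }
    $file = Join-Path ([IO.Path]::GetTempPath()) "empowerid-scim-role.json"
    $definition | ConvertTo-Json -Depth 4 | Set-Content -Path $file -Encoding UTF8
    $role = New-AzRoleDefinition -InputFile $file
    Remove-Item $file
}

# Assign the role to the managed identity at subscription scope (idempotent).
$assigned = Get-AzRoleAssignment -ObjectId $appServiceObjectID -RoleDefinitionName $roleName -Scope $scope -ErrorAction SilentlyContinue
if (-not $assigned) {
    New-AzRoleAssignment -ObjectId $appServiceObjectID -RoleDefinitionName $roleName -Scope $scope | Out-Null
    Write-Host "Assigned '$roleName' to $appServiceObjectID at $scope"
}

# Least-privilege check: roleAssignments/write already lets this identity grant roles, so it
# should not additionally carry a broad built-in role that the custom role was meant to replace.
$broad = Get-AzRoleAssignment -ObjectId $appServiceObjectID -Scope $scope |
    Where-Object { $_.RoleDefinitionName -in @("Owner", "Contributor", "User Access Administrator") }
foreach ($b in $broad) {
    Write-Warning "Over-privileged: $($b.RoleDefinitionName) at $($b.Scope)"
}
```

Run it once per subscription you want EmpowerID to manage. For the management group operations in Table 2, make the assignment at management group scope instead (for example `-Scope "/providers/Microsoft.Management/managementGroups/<id>"`, with that scope also added to AssignableScopes), because Microsoft.Management/managementGroups/read granted on a subscription does not reach the management groups above it. Keep in mind that Microsoft.Authorization/roleAssignments/write at a scope allows the holder to assign any role, including Owner, to any principal at that scope; anyone who can deploy code to the app service therefore effectively holds that power, so protect the app service and its deployment pipeline accordingly.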
The Graph permissions needed to manage Azure licenses are already listed in the script's PermissionsToAdd parameter, shown below. Do not add the entries from Table 2: Permissions needed to manage Azure roles in EmpowerID to that parameter. They are Azure RBAC actions, not Microsoft Graph app roles, so the script's lookup against the Microsoft Graph service principal would report them as invalid permissions. Grant them instead through a role assignment to the managed identity at the subscription or management group scope, as described under Set Azure REST API Permissions.
In addition to reviewing the permissions, enter values for the following parameters:
tenantId: Tenant ID (directory ID) of the tenant being managed.
appServiceObjectID: Object ID of the managed identity of the SCIM app service you created. This is shown on the Identity blade of the app service in the Azure portal; it is the identity's object (principal) ID, not the resource ID of the app service itself.
When running the script, authenticate to Azure AD as a user who can grant application permissions to a service principal, that is, a Global Administrator or Privileged Role Administrator. An Azure subscription Owner is not sufficient, because these are directory permissions rather than Azure RBAC. Note that the script uses the AzureAD PowerShell module, which Microsoft has deprecated in favour of the Microsoft Graph PowerShell SDK; the equivalent cmdlet there is New-MgServicePrincipalAppRoleAssignment.
```powershell
###############
## GRAPH API ##
###############
Param(
    $tenantId = "",
    $appServiceObjectID = "",
    $PermissionsToAdd = @(
        "Organization.Read.All",
        "User.Read.All",
        "Group.Read.All",
        "GroupMember.ReadWrite.All",
        "Reports.Read.All",
        "AuditLog.Read.All"
    )
)

# Install AzureAD module if not installed
if (-Not (Get-Module -ListAvailable -Name AzureAD)) {
    try {
        Install-Module AzureAD -Force
    }
    catch {
        if ($_.Exception.Message.Contains("Administrator rights")) {
            Write-Host "You must run the script with administrator rights"
        }
        else {
            Write-Error $_.Exception.Message
        }
    }
}

if (-Not (Get-Module -ListAvailable -Name AzureAD)) {
    throw "The AzureAD module is not available; install it and run the script again."
}

# Check if connected to the target Azure AD Tenant
try {
    $tenantDetail = Get-AzureADTenantDetail
}
catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] {
    Write-Host "You're not connected."
    Connect-AzureAD -TenantId $tenantId
    $tenantDetail = Get-AzureADTenantDetail
}
if ($tenantDetail.ObjectId -ne $tenantId) {
    Write-Host "You're not connected to the tenant: " $tenantId
    Connect-AzureAD -TenantId $tenantId
    $tenantDetail = Get-AzureADTenantDetail
    if ($tenantDetail.ObjectId -ne $tenantId) {
        throw "Connected to tenant $($tenantDetail.ObjectId), expected $tenantId"
    }
}

# Managed Identity for the SCIM App Service | Found in App Service -> Identity
$ManagedIdentitiesServicePrincipal = Get-AzureADServicePrincipal -Filter "ObjectId eq '$appServiceObjectID'"
if ($null -eq $ManagedIdentitiesServicePrincipal) {
    throw "Managed Identity for the app service is not found. `nApp Service Object ID: $appServiceObjectID"
}

# Resource Name : Microsoft Graph | Resource URI : https://graph.microsoft.com | Application ID : 00000003-0000-0000-c000-000000000000
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

# Permissions
foreach ($PermissionToAdd in $PermissionsToAdd) {
    # Only application permissions (app roles assignable to "Application") can be granted to a managed identity,
    # which is why the Table 2 Azure RBAC actions cannot be passed through this script.
    $AppRole = $GraphServicePrincipal.AppRoles |
        Where-Object { $_.Value -eq $PermissionToAdd.Trim() -and $_.AllowedMemberTypes -contains "Application" }
    if ($null -eq $AppRole) {
        Write-Error "Invalid Permission `nPermission name: $PermissionToAdd"
    }
    else {
        # Assigns the managed identity to the Graph API application role
        try {
            New-AzureAdServiceAppRoleAssignment -ObjectId $ManagedIdentitiesServicePrincipal.ObjectId `
                -PrincipalId $ManagedIdentitiesServicePrincipal.ObjectId `
                -ResourceId $GraphServicePrincipal.ObjectId `
                -Id $AppRole.Id -ErrorAction Stop
        }
        catch {
            if ($_.Exception.ErrorContent.Message.Value.Contains("Permission being assigned already")) {
                Write-Host "`"$($AppRole.DisplayName)`" Permission is already assigned on the app service"
            }
            else {
                Write-Error $_
            }
        }
    }
}
```
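After the grant, it is worth reading back what the managed identity actually holds and comparing it with Table 1, so that a missing permission (which EmpowerID will report as a Graph 403 later) and a surplus one (which violates the least-privilege intent of the table) are both caught. The script below is an added example written for this page, not EmpowerID code; it uses the Microsoft Graph PowerShell SDK rather than the deprecated AzureAD module. It assumes the Microsoft.Graph.Applications module is installed, that the signed-in user holds the delegated Application.Read.All permission, and that the parameter values are placeholders for the same tenant ID and managed identity object ID used by the script above.

```powershell
# Added example, not part of the EmpowerID documentation or its scripts.
# Reads back the Microsoft Graph application permissions actually granted to the SCIM
# app service managed identity and diffs them against Table 1, so that missing and
# surplus permissions are both reported.
# Assumptions: the Microsoft.Graph.Applications module is installed, the signed-in user
# holds the delegated Application.Read.All permission, and $tenantId / $appServiceObjectID
# are placeholders for the same values used by the page's script.
Param(
    [Parameter(Mandatory)] [string] $tenantId,
    [Parameter(Mandatory)] [string] $appServiceObjectID,
    [string[]] $ExpectedPermissions = @(
        "Organization.Read.All", "User.Read.All", "Group.Read.All",
        "GroupMember.ReadWrite.All", "Reports.Read.All", "AuditLog.Read.All"
    )
)

Connect-MgGraph -TenantId $tenantId -Scopes "Application.Read.All" -NoWelcome

# Microsoft Graph's own service principal; its AppRoles map role GUIDs back to permission names.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($r in $graphSp.AppRoles) { $roleName[$r.Id] = $r.Value }

# App role assignments held by the managed identity, restricted to those that target Graph.
$granted = @(
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appServiceObjectID -All |
        Where-Object { $_.ResourceId -eq $graphSp.Id } |
        ForEach-Object { $roleName[$_.AppRoleId] } |
        Sort-Object -Unique
)

$missing = @($ExpectedPermissions | Where-Object { $_ -notin $granted })
$surplus = @($granted | Where-Object { $_ -notin $ExpectedPermissions })

Write-Host "Granted: $($granted -join ', ')"
foreach ($p in $missing) { Write-Warning "Missing expected permission: $p" }
foreach ($p in $surplus) { Write-Warning "Permission not in Table 1 (review and remove if unneeded): $p" }

# A non-zero exit lets a deployment pipeline fail when the grant drifts from the table.
if ($missing.Count -gt 0 -or $surplus.Count -gt 0) { exit 1 }
```

If the script reports a surplus permission that EmpowerID does not need, remove the assignment with Remove-MgServicePrincipalAppRoleAssignment, passing the managed identity's object ID as -ServicePrincipalId and the assignment's Id as -AppRoleAssignmentId; re-running the check afterwards should then exit 0.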