This article will guide you through the process to add your AzOps service principal to the Azure Active Directory Directory Readers role.
Note: The steps below requires you to use an identity that is local to the Azure AD, and not Guest user account due to known restrictions.
The service principal used by the Enterprise-Scale reference implementation requires Azure AD directory reader permissions to be able to discover Azure role assignments. These permissions are used to enrich data around the role assignments with additional Azure AD context such as ObjectType and Azure AD Object DisplayName.
1.1 Sign in to the Azure portal or the Azure Active Directory admin center as a Global Administrator. If you are using Azure AD Privileged Identity Management, activate your Global Administrator role assignment.
1.2 Open Azure Active Directory.
1.3 Under Manage > Roles and administrators, select Directory readers.
1.4 Under Manage > Assignments > Add assignments, find for and select your AzOps service principal and finally add it to the directory role.
Note: In case you are using Azure AD Privileged Identity management, ensure you add the service principal to the role with a permanent assignment.
Ensure that you have the AzureAD PowerShell module installed on your machine and that you have connected to Azure AD with the Connect-AzureAD cmdlet.
#Get AzOps Service Principal from Azure AD
$ServicePrincipal = Get-AzureADServicePrincipal -Filter "DisplayName eq '<Replace-Me>'"
#Get Azure AD Directory Role
$DirectoryRole = Get-AzureADDirectoryRole -Filter "DisplayName eq 'Directory Readers'"
#Add service principal to Directory Role
Add-AzureADDirectoryRoleMember -ObjectId $DirectoryRole.ObjectId -RefObjectId $ServicePrincipal.ObjectIdPlease note, it may take up to 15-30 minutes for permission to propagate in Azure AD.
Please proceed with deploying reference implementation.