Required Graph API Permissions
The following Microsoft Graph API permissions are required for this web app to operate. All of them are application permissions (app roles) granted to the app's own identity, not delegated scopes. Note that a principal holding RoleManagement.ReadWrite.Directory can assign any Azure AD role, including Global Administrator, so the identity that receives this set must itself be protected as a Tier 0 asset.
To grant these permissions, you will need Global Administrator rights in Azure AD.
- User.Read.All: lists all users so that they can be added to security groups and device configurations.
- Group.ReadWrite.All: creates, deletes and manages the membership of security groups in Azure AD.
- Device.ReadWrite.All: lists all Azure AD devices so that end users can select from a list instead of having to enter a GUID manually. Also used to write the extension attribute that tags the PAW device, so that Conditional Access can pick it up on the hardware-enforcement side.
- DeviceManagementManagedDevices.Read.All: lists the devices managed by Intune (Microsoft Endpoint Manager) so that end users can select from a list instead of having to enter a GUID manually.
- DeviceManagementConfiguration.ReadWrite.All: manages configuration profiles and their assignments in Microsoft Endpoint Manager.
- DeviceManagementServiceConfig.ReadWrite.All: manages Autopilot profiles and reads Autopilot device data.
- DeviceManagementManagedDevices.PrivilegedOperations.All: issues wipe commands to devices.
- DeviceManagementRBAC.ReadWrite.All: manages the scope tag the app uses, and stores the app's configuration in that scope tag to eliminate the need for a database.
- RoleManagement.ReadWrite.Directory: manages role-assignable security groups (security groups that can have Azure AD roles assigned to them).
- Policy.Read.All and Policy.ReadWrite.ConditionalAccess: manage the Conditional Access policies for individual users during lifecycle management, and implement the health checks and identity partitioning when the initial deployment occurs. Policy.Read.All is currently required because of a known issue in the Graph API; once that is fixed, Policy.ReadWrite.ConditionalAccess alone will be sufficient: https://docs.microsoft.com/en-us/graph/known-issues#permissions
The Grant-MIGraphPermission PowerShell script is an easy way to bulk-apply permissions to managed identities, either from the command line or through a graphical picker.
You can find the script here: https://github.com/elliot-huffman/Powershell-Doodads/blob/main/Apps/Azure%20AD/Grant-MIGraphPermission.ps1
To apply the permissions to the managed identity you need Global Administrator rights, or a role whose rights include the following Microsoft Graph API permissions:
- Directory.Read.All
- AppRoleAssignment.ReadWrite.All
- Application.ReadWrite.All
CLI usage for complete permission assignment to a managed identity:

```powershell
.\Grant-MIGraphPermission.ps1 -CLIMode -ObjectID "885c119e-caa1-4148-bc58-20e28ff4f3ce" -PermissionName "User.Read.All","Group.ReadWrite.All","Device.ReadWrite.All","DeviceManagementManagedDevices.Read.All","DeviceManagementConfiguration.ReadWrite.All","DeviceManagementServiceConfig.ReadWrite.All","DeviceManagementManagedDevices.PrivilegedOperations.All","DeviceManagementRBAC.ReadWrite.All","RoleManagement.ReadWrite.Directory","Policy.Read.All","Policy.ReadWrite.ConditionalAccess"
```

The value of the ObjectID parameter is the Object ID GUID of your managed identity (the service principal's object ID, not its application/client ID). "885c119e-caa1-4148-bc58-20e28ff4f3ce" is a placeholder, not a real value; replace it with your own.
For more information about script usage, run:

```powershell
Get-Help .\Grant-MIGraphPermission.ps1
```
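As an added example (it is not the project's Grant-MIGraphPermission.ps1 and not part of the original page), the following Microsoft Graph PowerShell SDK script performs the same assignment for the permission list above, idempotently, and then audits the managed identity for any Graph application permissions outside the required set, which is the check you want before handing a principal this much directory power. The script file name, the parameter names and the -RemoveExtra switch are this example's own; the Microsoft Graph application ID 00000003-0000-0000-c000-000000000000 is the well-known value that is the same in every tenant.

```powershell
# Ensure-MIGraphPermissions.ps1 (added example, not the project's script)
# Usage: .\Ensure-MIGraphPermissions.ps1 -ManagedIdentityObjectId '<object id of the MI>' [-RemoveExtra]
# Requires the Microsoft.Graph.Applications module (Install-Module Microsoft.Graph).
param(
    # Placeholder: the object ID of the managed identity's service principal, not its client ID.
    [Parameter(Mandatory)][string]$ManagedIdentityObjectId,
    [string[]]$RequiredPermissions = @(
        'User.Read.All', 'Group.ReadWrite.All', 'Device.ReadWrite.All',
        'DeviceManagementManagedDevices.Read.All', 'DeviceManagementConfiguration.ReadWrite.All',
        'DeviceManagementServiceConfig.ReadWrite.All',
        'DeviceManagementManagedDevices.PrivilegedOperations.All', 'DeviceManagementRBAC.ReadWrite.All',
        'RoleManagement.ReadWrite.Directory', 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'
    ),
    # Only revoke permissions outside the required list when explicitly asked to.
    [switch]$RemoveExtra
)

# Well-known application ID of the Microsoft Graph service principal (identical in every tenant).
$GraphAppId = '00000003-0000-0000-c000-000000000000'

# The caller needs the rights to read service principals and write app role assignments.
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All' | Out-Null

$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
if (-not $graphSp) { throw 'Microsoft Graph service principal not found in this tenant.' }

$mi = Get-MgServicePrincipal -ServicePrincipalId $ManagedIdentityObjectId
if ($mi.ServicePrincipalType -ne 'ManagedIdentity') {
    Write-Warning "$($mi.DisplayName) is a '$($mi.ServicePrincipalType)' service principal, not a managed identity."
}

# Index Graph's app roles by name. Only roles that allow the 'Application' member type can be
# granted to a service principal; delegated scopes are not app roles and cannot be used here.
$appRolesByValue = @{}
foreach ($role in $graphSp.AppRoles) {
    if ($role.AllowedMemberTypes -contains 'Application') { $appRolesByValue[$role.Value] = $role }
}

# Current Graph app role assignments held by the managed identity.
$existing = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id })
$existingRoleIds = @($existing | ForEach-Object { $_.AppRoleId })

# Grant each required permission that is missing; skip ones already present (idempotent).
foreach ($name in $RequiredPermissions) {
    $role = $appRolesByValue[$name]
    if (-not $role) { Write-Error "No Microsoft Graph application role named '$name'"; continue }
    if ($existingRoleIds -contains $role.Id) {
        Write-Host "already granted: $name"
        continue
    }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -PrincipalId $mi.Id `
        -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "granted: $name"
}

# Least-privilege audit: flag (or revoke) any Graph permission the app does not need.
$requiredIds = @($RequiredPermissions | ForEach-Object { $appRolesByValue[$_].Id } | Where-Object { $_ })
foreach ($assignment in $existing) {
    if ($requiredIds -contains $assignment.AppRoleId) { continue }
    $roleName = ($graphSp.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }).Value
    if ($RemoveExtra) {
        Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id `
            -AppRoleAssignmentId $assignment.Id
        Write-Host "revoked extra permission: $roleName"
    } else {
        Write-Warning "extra Graph permission not in the required list: $roleName"
    }
}
```

Run it once without -RemoveExtra and review the warnings before revoking anything: a permission that looks surplus may have been granted for a reason outside this app, and an assignment can only be removed through its own assignment ID, which is why the audit keeps the full assignment objects rather than just the role IDs.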