The Service Principal needs to have at least ‘Contributor’ access assigned either on the resource group(s) of the CMS instance(s) or at the subscription level.
A secret needs to be created and provided for use in Service Delivery Hub.
Under the ‘API permissions’ tab the following permissions need to be added:
| Permission | Type | Description | Needs admin consent |
|---|---|---|---|
| user_impersonation | Delegated | Access Azure Service Management as organization users | No |
| User.Read | Delegated | Sign in and read user profile | No |
| Directory.Read.All | Application | Read directory data | Yes |
For fully automated CMS instance deployment, the following permissions are required as well. If they are not granted, some manual steps will be required during CMS instance deployment.
| Permission | Type | Description | Needs admin consent |
|---|---|---|---|
| Application.ReadWrite.All | Application | Read and write all applications | Yes |
| Group.ReadWrite.All | Application | Read and write all groups | Yes |
| User.Read.All | Application | Read all users' full profiles | Yes |
Under the ‘Expose an API’ tab a scope needs to be created in the following format and then used during Service Delivery Hub instance creation:
{Audience URL/Application ID URI}/user_impersonation
Using the default Azure format for the ‘Application ID URI’, your scope would look like this:
api://00000000-0000-0000-0000-000000000000/user_impersonation
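As an added check covering both the permission tables and the scope format above (example code written for this page, not part of Service Delivery Hub or Azure tooling), the script below compares the permissions granted to an app registration against the two tables, flags any that still need admin consent, and builds the expected scope from the registration’s Application ID URI. It assumes the registration is described by the Microsoft Graph application object fields `identifierUris` and `api.oauth2PermissionScopes`, and that the granted permissions have already been collected as (permission, type, consent granted) tuples; the sample data at the bottom is constructed.

```python
import re

# Permission tables from this page: (permission, type, needs admin consent)
BASE_PERMISSIONS = [
    ("user_impersonation", "Delegated", False),
    ("User.Read", "Delegated", False),
    ("Directory.Read.All", "Application", True),
]
AUTOMATION_PERMISSIONS = [
    ("Application.ReadWrite.All", "Application", True),
    ("Group.ReadWrite.All", "Application", True),
    ("User.Read.All", "Application", True),
]
# Default Azure Application ID URI form is api://<application (client) id>
DEFAULT_SCOPE_RE = re.compile(r"^api://[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/user_impersonation$")

def check_permissions(granted):
    """granted: list of (permission, type, admin consent granted). Returns gaps per table."""
    have = {(name, typ): consented for name, typ, consented in granted}
    gaps = {"missing_required": [], "missing_for_automation": [], "consent_pending": []}
    for bucket, table in (("missing_required", BASE_PERMISSIONS),
                          ("missing_for_automation", AUTOMATION_PERMISSIONS)):
        for name, typ, needs_consent in table:
            if (name, typ) not in have:
                gaps[bucket].append(f"{name} ({typ})")
            elif needs_consent and not have[(name, typ)]:
                gaps["consent_pending"].append(f"{name} ({typ})")
    return gaps

def expected_scope(app):
    """Build '{Application ID URI}/user_impersonation' from a registration and validate it."""
    uris = app.get("identifierUris") or []
    if len(uris) != 1:
        raise ValueError("expected exactly one Application ID URI on the registration")
    exposed = {s["value"] for s in app.get("api", {}).get("oauth2PermissionScopes", [])}
    if "user_impersonation" not in exposed:
        raise ValueError("'user_impersonation' is not exposed under 'Expose an API'")
    scope = f"{uris[0]}/user_impersonation"
    if not DEFAULT_SCOPE_RE.match(scope):  # a custom verified-domain URI needs a looser check
        raise ValueError(f"{scope!r} is not in the form api://<app id>/user_impersonation")
    return scope

# Constructed sample registration and granted permissions (not real data)
SAMPLE_APP = {"identifierUris": ["api://00000000-0000-0000-0000-000000000000"],
              "api": {"oauth2PermissionScopes": [{"value": "user_impersonation"}]}}
SAMPLE_GRANTED = [("user_impersonation", "Delegated", True), ("User.Read", "Delegated", True),
                  ("Directory.Read.All", "Application", False),  # admin consent still pending
                  ("Application.ReadWrite.All", "Application", True)]
```

With the sample data, `check_permissions` reports nothing missing from the first table, `Directory.Read.All` waiting for admin consent, and `Group.ReadWrite.All` plus `User.Read.All` missing for fully automated deployment.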