1. SDH Service Principal
The service principal needs at least 'Contributor' access, assigned either on the resource group(s) of the CMS instance(s) or at the subscription level. Scoping the assignment to the CMS resource group(s) is the narrower choice; a subscription-level assignment lets the same credential manage every resource group in the subscription.
A client secret needs to be created for the app registration and provided to Service Delivery Hub.
Under the 'API permissions' tab the following permissions need to be added. Delegated permissions act on behalf of the signed-in user; application permissions apply to the service principal itself and require tenant admin consent:
| Permission | Type | Description | Needs admin consent |
|---|---|---|---|
| user_impersonation | Delegated | Access Azure Service Management as organization users | No |
| User.Read | Delegated | Sign in and read user profile | No |
| Directory.Read.All | Application | Read directory data | Yes |
For fully automated CMS instance deployment the following permissions are required as well. Without them, some steps of the CMS instance deployment have to be carried out manually. All three are application permissions, so they apply tenant-wide without a signed-in user and need admin consent:
| Permission | Type | Description | Needs admin consent |
|---|---|---|---|
| Application.ReadWrite.All | Application | Read and write all applications | Yes |
| Group.ReadWrite.All | Application | Read and write all groups | Yes |
| User.Read.All | Application | Read all users' full profiles | Yes |
Under the 'Expose an API' tab a scope needs to be created in the following format and then used during Service Delivery Hub instance creation:
{Audience URL/Application ID URI}/user_impersonation
Using the default Azure format for the Application ID URI (api://<application id>), the scope looks like this:
api://00000000-0000-0000-0000-000000000000/user_impersonation
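The steps above as one Azure CLI script. This is an added example written for this page, not SDH's own tooling: it registers the application, creates the service principal, assigns Contributor, creates the client secret, adds the six permissions by name (looked up on Microsoft Graph and Azure Service Management rather than hard-coded), grants admin consent and exposes the `user_impersonation` scope. By default it only prints the `az` commands (`DRY_RUN=1`) so they can be reviewed; the display name, the role-assignment scope, `uuidgen` for the scope id and the use of the generic `--set` update for the `oauth2PermissionScopes` list are assumptions of the example, not something the page specifies.

```shell
#!/usr/bin/env bash
# Added example, not SDH tooling: registers the SDH service principal with Azure CLI.
# DRY_RUN=1 (the default) only prints each az command; DRY_RUN=0 executes it.
set -eu

# Well-known application IDs of the two resource APIs the permissions belong to.
GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"   # Microsoft Graph
ASM_APP_ID="797f4846-ba00-4fd7-ba43-dac1f8f63013"     # Azure Service Management
DRY_RUN="${DRY_RUN:-1}"

# Run an az command, or echo it when DRY_RUN=1.
az_() {
  if [ "$DRY_RUN" = "1" ]; then echo "az $*"; else az "$@"; fi
}

# The scope SDH asks for, built from the default Application ID URI api://<app id>.
scope_for_app_id() {
  echo "api://$1/user_impersonation"
}

# Classify a role-assignment scope so a wider-than-needed Contributor grant can be flagged.
scope_level() {
  case "$1" in
    /subscriptions/*/resourceGroups/*/*) echo "resource" ;;
    /subscriptions/*/resourceGroups/*)   echo "resourceGroup" ;;
    /subscriptions/*/*)                  echo "other" ;;
    /subscriptions/*)                    echo "subscription" ;;
    *)                                   echo "other" ;;
  esac
}

# Resolve a permission name to its id on the resource app. Delegated permissions are listed
# under oauth2PermissionScopes, application permissions under appRoles.
permission_id() {   # $1 resource app id, $2 permission name, $3 Scope|Role
  if [ "$DRY_RUN" = "1" ]; then echo "<id-of-$2>"; return; fi
  if [ "$3" = "Scope" ]; then list="oauth2PermissionScopes"; else list="appRoles"; fi
  az ad sp show --id "$1" --query "${list}[?value=='$2'].id" -o tsv
}

# $1 resource app id, $2 permission name, $3 Scope (delegated) or Role (application)
add_permission() {
  pid="$(permission_id "$1" "$2" "$3")"
  az_ ad app permission add --id "$APP_ID" --api "$1" --api-permissions "${pid}=$3"
}

# $1 display name, $2 scope for the Contributor assignment (resource group or subscription)
create_sdh_app() {
  if [ "$(scope_level "$2")" = "subscription" ]; then
    echo "warning: Contributor on the whole subscription is wider than the CMS resource group(s) need" >&2
  fi
  if [ "$DRY_RUN" = "1" ]; then
    APP_ID="<new-app-id>"; az_ ad app create --display-name "$1" --query appId -o tsv
  else
    APP_ID="$(az ad app create --display-name "$1" --query appId -o tsv)"
  fi
  az_ ad sp create --id "$APP_ID"
  # Contributor for the service principal on the chosen scope (retry if the new principal
  # has not replicated yet right after creation).
  az_ role assignment create --assignee "$APP_ID" --role Contributor --scope "$2"
  # Client secret for the SDH configuration; one-year lifetime, rotate before it expires.
  az_ ad app credential reset --id "$APP_ID" --years 1 --query password -o tsv
  # Minimum API permissions (first table).
  add_permission "$ASM_APP_ID"   user_impersonation Scope
  add_permission "$GRAPH_APP_ID" User.Read          Scope
  add_permission "$GRAPH_APP_ID" Directory.Read.All Role
  # Additional permissions for fully automated CMS instance deployment (second table).
  add_permission "$GRAPH_APP_ID" Application.ReadWrite.All Role
  add_permission "$GRAPH_APP_ID" Group.ReadWrite.All       Role
  add_permission "$GRAPH_APP_ID" User.Read.All             Role
  # Tenant-wide admin consent for the four permissions that need it; the caller must be a tenant admin.
  az_ ad app permission admin-consent --id "$APP_ID"
  # Expose an API: default Application ID URI plus the user_impersonation scope.
  az_ ad app update --id "$APP_ID" --identifier-uris "api://$APP_ID"
  if [ "$DRY_RUN" = "1" ]; then scope_id="<new-scope-id>"; else scope_id="$(uuidgen)"; fi
  # Assumption: the generic --set update accepts the scope list as JSON on the installed CLI version.
  az_ ad app update --id "$APP_ID" --set api.oauth2PermissionScopes='[{"id":"'"$scope_id"'","type":"Admin","isEnabled":true,"value":"user_impersonation","adminConsentDisplayName":"Access Service Delivery Hub","adminConsentDescription":"Allow Service Delivery Hub to act on behalf of the signed-in user"}]'
  echo "SDH scope: $(scope_for_app_id "$APP_ID")"
}

# Only runs when explicitly requested, e.g.:
#   SDH_CREATE=1 DRY_RUN=1 ./sdh-sp.sh sdh-prod /subscriptions/<sub id>/resourceGroups/<cms rg>
if [ "${SDH_CREATE:-0}" = "1" ]; then
  create_sdh_app "${1:?display name}" "${2:?role assignment scope}"
fi
```

Run it once with `DRY_RUN=1` and read the printed commands before executing with `DRY_RUN=0`; the script warns when the Contributor scope is the whole subscription, and the admin-consent step only succeeds for an identity allowed to grant tenant-wide consent. The printed `SDH scope` line is the value to paste during Service Delivery Hub instance creation.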