Creating Azure App registration
Set up the Microsoft Entra ID side (the app registration and its service principal) as described in our Microsoft Entra ID integration guide.
Creating a Custom Role:
Open the Azure portal and navigate to "Management Groups".
Select your desired management group.
Go to the "Access control (IAM)" blade and choose the "Role assignments" tab.
Click "Add" and then "Add custom role".
In "Baseline permissions" choose "Start from JSON" and upload the attached JSON file, axiom-integration-role. Review the "Actions" it lists before continuing: they are the full set of permissions the integration will receive.
Go to the "Assignable scopes" tab and select your Management Group.
Click "Review + Create" to create the custom role.
Adding a New Role Assignment:
Click "Add" and then "Add role assignment".
On the "Role" tab, select the custom role you created above. You can browse roles by category or use the search bar.
On the "Members" tab, under "Assign access to" choose "User, group, or service principal", then click "Select members" and search for the app by its display name. Make sure you pick the service principal of the app (the enterprise application), not a user or group with a similar name.
On the "Review + assign" tab, check the role, member and scope, then click "Review + assign" to create the role assignment.
Verifying the Assignment:
The created role assignment will appear in the "Role assignments" list.
You can click on the assignment to see its details, including the assigned role, app, and scope. Confirm that the scope is the management group you selected and that the role is the custom role rather than a built-in role such as Contributor or Owner.
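The three portal procedures above (custom role, role assignment, verification) as an Azure CLI script. This is an added example, not Axiom's own tooling: the environment variable names MG_ID, APP_ID and ROLE_FILE are assumed, the default values are placeholders, the "placeholder" role it can write is a constructed stand-in for the attached axiom-integration-role file, and it assumes `az login` has been done with Owner or User Access Administrator rights on the management group. Before uploading, it checks the role definition for the properties the steps above rely on: a custom role, assignable only at the one management group, with no full wildcard action.

```shell
#!/usr/bin/env bash
# Added example, not Axiom's own tooling: the Azure CLI equivalent of the portal
# steps above. It sanity-checks the custom role JSON, creates the role, assigns
# it to the integration app's service principal at the management group, and
# lists the resulting assignment. Inputs come from the environment (assumed
# variable names; the defaults are placeholders, not real IDs).
set -eu

MG_ID="${MG_ID:-mg-example}"                              # management group ID (assumed name)
APP_ID="${APP_ID:-00000000-0000-0000-0000-000000000000}"  # application (client) ID of the app (placeholder)
ROLE_FILE="${ROLE_FILE:-axiom-integration-role.json}"      # the attached role definition file

# ARM scope string for a management group.
mg_scope() {
  printf '/providers/Microsoft.Management/managementGroups/%s' "$1"
}

# Role name from the definition file (assumes the "Name" key sits on one line).
role_name() {
  sed -n 's/.*"Name" *: *"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Least-privilege checks run before the definition is uploaded:
#   - IsCustom is true,
#   - AssignableScopes is exactly the one management group scope,
#   - neither Actions nor DataActions grants the full wildcard "*".
check_role_json() {
  local file="$1" scope="$2" flat section
  flat=$(tr -d ' \n\r\t' < "$file")
  case "$flat" in
    *'"IsCustom":true'*) ;;
    *) echo "check: IsCustom must be true" >&2; return 1 ;;
  esac
  case "$flat" in
    *"\"AssignableScopes\":[\"$scope\"]"*) ;;
    *) echo "check: AssignableScopes must be exactly [\"$scope\"]" >&2; return 1 ;;
  esac
  for section in Actions DataActions; do
    if printf '%s' "$flat" | grep -q "\"$section\":\\[[^]]*\"\\*\""; then
      echo "check: $section grants the full wildcard \"*\"" >&2; return 1
    fi
  done
}

# Object ID of the app's service principal; assignments target the service
# principal, not the app registration. (Azure CLI 2.37+ exposes it as "id";
# older releases used "objectId".)
sp_object_id() {
  az ad sp show --id "$APP_ID" --query id -o tsv
}

# "Creating a Custom Role" as a CLI call.
create_role() {
  az role definition create --role-definition "@$ROLE_FILE"
}

# "Adding a New Role Assignment": the custom role, to the service principal, at the MG scope.
assign_role() {
  az role assignment create \
    --assignee-object-id "$(sp_object_id)" \
    --assignee-principal-type ServicePrincipal \
    --role "$(role_name "$ROLE_FILE")" \
    --scope "$(mg_scope "$MG_ID")"
}

# "Verifying the Assignment": list what the principal holds at that scope.
verify_assignment() {
  az role assignment list --assignee "$(sp_object_id)" --scope "$(mg_scope "$MG_ID")" \
    --query '[].{role:roleDefinitionName, principal:principalName, scope:scope}' -o table
}

# Constructed placeholder role so the checks can be exercised offline. The real
# definition is the attached axiom-integration-role file, not this one.
write_placeholder_role() {
  cat > "$1" <<EOF
{
  "Name": "Axiom Integration (placeholder)",
  "IsCustom": true,
  "Description": "Placeholder used only to demonstrate the checks",
  "Actions": [ "Microsoft.Resources/subscriptions/read", "Microsoft.Authorization/roleAssignments/read" ],
  "NotActions": [],
  "DataActions": [],
  "AssignableScopes": [ "$(mg_scope "$2")" ]
}
EOF
}

case "${1:-}" in
  check) check_role_json "$ROLE_FILE" "$(mg_scope "$MG_ID")" \
           && echo "OK: '$(role_name "$ROLE_FILE")' is assignable only at $(mg_scope "$MG_ID")" ;;
  apply) check_role_json "$ROLE_FILE" "$(mg_scope "$MG_ID")" && create_role && assign_role && verify_assignment ;;
  *)     echo "usage: $0 check|apply   (env: MG_ID, APP_ID, ROLE_FILE)" ;;
esac
```

Run `MG_ID=<your-mg> ROLE_FILE=axiom-integration-role.json ./assign.sh check` first; it refuses a definition whose AssignableScopes is broader than the one management group or whose Actions contain "*", which is the same boundary the portal steps set on the "Assignable scopes" tab. `apply` performs the three portal procedures in order and ends with the same list you see under "Role assignments".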
Turn off Microsoft Entra ID alerts (Optional):
These settings are tenant-wide: disabling an alert silences it for every future role assignment made outside PIM, not only for this integration. If you rely on these alerts to detect out-of-band privilege changes, leave them enabled and dismiss the single alert raised by this assignment instead.
"Roles are being assigned outside of Microsoft Entra Privileged Identity Management" alert
Go to Identity Governance > Privileged Identity Management > Microsoft Entra roles > Alerts.
Click on Settings.
Locate the "Roles are being assigned outside of Microsoft Entra Privileged Identity Management" alert and click Edit.
Under Enabled, select No.
Click Save.
"Weekly PIM digest" alert
Go to Microsoft Entra ID > Security > Identity Protection > Weekly digest.
Under Send weekly digest email, select No.
Click Save.