Microsoft-Graph

How to Assign permissions to a Managed Identity

Assigning permissions to a Managed Identity is more complex than for an app registration; the only way is through PowerShell or Microsoft Graph. So this time, I created a simple script to add permissions to a Managed Identity using the Graph PowerShell modules.

Prerequisites

You need two modules for this:

  • Microsoft.Graph.Applications
  • Microsoft.Graph.Authentication

Rights

The permissions needed to assign the app roles and to look up the correct IDs are:

  • Directory.Read.All
  • AppRoleAssignment.ReadWrite.All

The script

# Connect with the two permissions listed above
Connect-MgGraph -Scopes "Directory.Read.All","AppRoleAssignment.ReadWrite.All"
$objectID = "<ObjectID of the Managed Identity>"
# Service principal of Microsoft Graph in this tenant (well-known AppId; the object Id differs per tenant)
$servicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
# Pick the application (not delegated) app role "Sites.Selected"
$appRole = $servicePrincipal.AppRoles | Where-Object { $_.Value -eq "Sites.Selected" -and $_.AllowedMemberTypes -contains "Application" }
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $objectID -PrincipalId $objectID -ResourceId $servicePrincipal.Id -AppRoleId $appRole.Id

You need to find some identifiers before assigning a permission to the Managed Identity. In the above script, the Microsoft Graph application permission 'Sites.Selected' is given to the Managed Identity. The ResourceId is the object Id of the Microsoft Graph service principal in your tenant, and the AppRoleId is the Id of the app role with that name.
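As an added example, not the post's own script, the same assignment written to grant several Microsoft Graph application permissions at once and to be safe to re-run: roles already assigned are skipped and names that are not application roles are reported. The managed identity object id and the permission list are placeholders.

```powershell
# Added example (not the post's script): assign several Graph application
# permissions to a managed identity, skipping ones it already holds.
param(
    [Parameter(Mandatory)][string]$ManagedIdentityObjectId,   # placeholder: object id of the managed identity
    [string[]]$Permissions = @("Sites.Selected", "User.Read.All")  # placeholder list
)

Connect-MgGraph -Scopes "Directory.Read.All", "AppRoleAssignment.ReadWrite.All"

# Well-known AppId of Microsoft Graph; the service principal object id differs per tenant
$graphSp = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

# Assignments the identity already holds on the Graph resource
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentityObjectId |
    Where-Object { $_.ResourceId -eq $graphSp.Id }

foreach ($name in $Permissions) {
    # Only application roles apply to a managed identity; delegated scopes do not
    $role = $graphSp.AppRoles | Where-Object {
        $_.Value -eq $name -and $_.AllowedMemberTypes -contains "Application"
    }
    if (-not $role) {
        Write-Warning "No application role named '$name' on Microsoft Graph; skipping."
        continue
    }
    if ($existing.AppRoleId -contains $role.Id) {
        Write-Host "Already assigned: $name"
        continue
    }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentityObjectId `
        -PrincipalId $ManagedIdentityObjectId -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned: $name"
}

# List the resulting Graph permissions so the grant can be reviewed for least privilege
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentityObjectId |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $id = $_.AppRoleId
        ($graphSp.AppRoles | Where-Object { $_.Id -eq $id }).Value
    }
```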

Move scripts from Azure AD modules to Microsoft Graph Modules

In the last few weeks, I took some time to refactor most of my scripts and Azure Automation runbooks to use the Microsoft Graph modules instead of the Azure AD module. As I explained in my previous blog, the Azure AD module has been declared deprecated.

How to start updating

The first thing to do, of course, is to install the latest Microsoft Graph modules with:

Install-Module Microsoft.Graph

Connecting to the Graph

Connecting to the Microsoft Graph is almost the same as with the Azure AD module, except that there are a few extra options