I have a user assigned managed managed identity in Azure called ‘TestMI‘. I want to give this managed identity permissions to run Microsoft Graph PowerShell cmdlets.

As a managed identity in Azure, this appears under enterprise applications in Entra. Normally with the old service principals, as these appeared under app registrations, you’d simply go into the Azure portal and navigate to API permissions, where you can assign the necessary Microsoft Graph permissions. But, managed identities in Azure are slightly different and fall under enterprise applications.

As such, we don’t have the option in the Azure portal to assign API permissions e.g. Microsoft Graph permissions.

Overview

• App Registrations: Think of this as the blueprint or plan for your application. This is where you tell Azure AD about your application, what it’s called, what it does, and what kind of permissions it needs. It’s like a recipe for a cake, where you list all the ingredients and steps needed to make the cake.
• Enterprise Applications: Now, think of this as the actual cake that you’ve baked following the recipe. This is an instance of your application that has been registered and is ready to be used. It’s like the actual cake that you can eat.

Now, coming to Managed Identities, these are a special type of service principal, which are essentially identities for applications. A managed identity is automatically managed by Entra – you don’t need to worry about managing credentials or rotating secrets.

As for assigning Microsoft Graph API permissions to a managed identity, it’s important to note that managed identities are designed to be used with Azure resources. The Microsoft Graph API is not an Azure resource, so you can’t directly assign permissions from the Graph API to a managed identity.

However, you can use the managed identity to acquire an access token, and then use that token to call the Microsoft Graph API. The permissions or roles would need to be assigned to the service principal of the managed identity.

For running cmdlets like Get-MgGroup, Remove-MgGroup and Get-MgUser, you would need to have the necessary permissions assigned to your managed identity. These cmdlets require Group.Read.All, Group.ReadWrite.All, and User.Read.All permissions respectively.

When executing this script below, it is important to ensure that at least the Cloud Application Administrator directory role has been assigned. This role grants necessary permissions for managing all aspects of app registrations and enterprise apps within Microsoft Graph, excluding App Proxy functionalities. By following these steps in sequence, you can effectively assign the required Microsoft Graph permissions to the user’s managed identity.

	$UserAssignedManagedID_DisplayName = "TestMI"
	#——————————————————————————
	# Install required modules
	#——————————————————————————
	if (-not(Get-Module -ListAvailable -Name Az)) {
	Install-Module -Name Az -Scope CurrentUser -AllowClobber -Force
	Import-Module Az
	}
	if (-not(Get-Module -ListAvailable -Name Microsoft.Graph)) {
	Install-Module -Name Microsoft.Graph -Scope CurrentUser -AllowClobber -Force
	Import-Module Microsoft.Graph
	}
	#——————————————————————————
	# Connect to Azure & Entra
	#——————————————————————————
	# Connect to Azure & MgGraph
	Connect-AzAccount -UseDeviceAuthentication
	Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All" -UseDeviceCode
	# Get the managed identity's ObjectId
	$managedIdentity = Get-AzADServicePrincipal -DisplayName $UserAssignedManagedID_DisplayName
	# Define the required Microsoft Graph API permissions
	$graphSPN = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
	#——————————————————————–
	# Set permissions – "User.Read.All", "Group.Read.All", "Group.ReadWrite.All", "Directory.Read.All"
	#——————————————————————–
	$permissions = @()
	# Set permission scope
	$permissions = @("User.Read.All", "Group.Read.All", "Group.ReadWrite.All", "Directory.Read.All")
	foreach ($permission in $permissions) {
	# Find app role with those permissions
	$appRole = $graphSPN.AppRoles |
	Where-Object Value -eq $permission |
	Where-Object AllowedMemberTypes -contains "Application"
	$bodyParam = @{
	PrincipalId = $managedIdentity.Id
	ResourceId = $graphSPN.Id
	AppRoleId = $appRole.Id
	}
	New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentity.Id -BodyParameter $bodyParam
	}

view raw AssignMG_ToMIs.ps1 hosted with ❤ by GitHub