Joyce_Dorothy Thank you for sharing.
The cmdlets you're using are out of date. `AzureAD` doesn't work with PowerShell 7 and the new way is using Microsoft Graph.
This is the current way: https://stackoverflow.com/questions/72904838/how-to-set-microsoft-graph-api-permissions-on-azure-managed-service-identity-wit
$DestinationTenantId = "a3186524-d3d5-4820-8cb5-9ad21badb14a"
$MsiName = "myUserMSI" # Name of the system-assigned or user-assigned managed identity (a system-assigned identity uses the same name as its resource).
$oPermissions = @(
    "Directory.ReadWrite.All"
    "Group.ReadWrite.All"
    "GroupMember.ReadWrite.All"
    "User.ReadWrite.All"
    "RoleManagement.ReadWrite.Directory"
)
$GraphAppId = "00000003-0000-0000-c000-000000000000" # Well-known app ID of Microsoft Graph. Don't change this.

# The Az lookups below need an Az session in the target tenant (added step; Get-AzADServicePrincipal fails without one).
Connect-AzAccount -TenantId $DestinationTenantId | Out-Null

$oMsi = Get-AzADServicePrincipal -Filter "displayName eq '$MsiName'"
# displayName is not unique; refuse to continue if the filter matched zero or several principals (added guard).
if (@($oMsi).Count -ne 1) { throw "Expected exactly one service principal named '$MsiName', found $(@($oMsi).Count)" }
$oGraphSpn = Get-AzADServicePrincipal -Filter "appId eq '$GraphAppId'"
# Keep only the Graph app roles that are in the wanted list and can be held by an application (app-only permissions).
$oAppRole = $oGraphSpn.AppRole | Where-Object { ($_.Value -in $oPermissions) -and ($_.AllowedMemberType -contains "Application") }

# Granting app roles needs the AppRoleAssignment.ReadWrite.All delegated scope (added; the original call requested no scopes).
Connect-MgGraph -TenantId $DestinationTenantId -Scopes "AppRoleAssignment.ReadWrite.All"

foreach ($AppRole in $oAppRole)
{
    $oAppRoleAssignment = @{
        "PrincipalId" = $oMsi.Id      # the managed identity that receives the role
        "ResourceId"  = $oGraphSpn.Id # Microsoft Graph's service principal in this tenant
        "AppRoleId"   = $AppRole.Id   # the application permission being granted
    }
    New-MgServicePrincipalAppRoleAssignment `
        -ServicePrincipalId $oAppRoleAssignment.PrincipalId `
        -BodyParameter $oAppRoleAssignment `
        -Verbose
}
There is one major issue with the Microsoft.Graph PowerShell module. Connect-MgGraph doesn't support -Credential or a PSCredential object for authentication, instead requiring the pain of a certificate-based SPN. A bug/feature request has been raised on GitHub: https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/1366
Please give it the thumbs up.
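The script above only adds roles; re-running it with a shorter permission list leaves the old grants in place, and roles such as Directory.ReadWrite.All and RoleManagement.ReadWrite.Directory (which lets the holder manage directory role assignments) are ones you want to be sure are removed once they are no longer needed. The following is an added example, not code from the original post or from the linked answer: it reconciles a managed identity's Microsoft Graph application permissions to a desired list using only Microsoft.Graph cmdlets, and signs in app-only with the certificate-based app registration the post complains about, since that is the supported non-interactive path. The tenant ID, automation app ID, certificate thumbprint, managed-identity name and desired permission list are all assumed placeholder values.

```powershell
# Added example (not from the original post): reconcile a managed identity's Microsoft Graph
# application permissions to a desired list, then print the resulting state.
# All IDs, names and the desired list below are assumed placeholder values.
$TenantId        = "00000000-0000-0000-0000-000000000000"     # assumed
$AutomationAppId = "11111111-1111-1111-1111-111111111111"     # assumed: app registration used for app-only sign-in
$CertThumbprint  = "0123456789ABCDEF0123456789ABCDEF01234567" # assumed: certificate present in Cert:\CurrentUser\My
$MsiName         = "myUserMSI"                                # assumed
$GraphAppId      = "00000003-0000-0000-c000-000000000000"     # well-known Microsoft Graph app ID
$Desired         = @("Group.Read.All", "User.Read.All")       # assumed: read-only, least-privilege target state

# Certificate-based app-only sign-in. The automation app itself must hold Application.Read.All and
# AppRoleAssignment.ReadWrite.All (application permissions, admin-consented) for the calls below.
Connect-MgGraph -TenantId $TenantId -ClientId $AutomationAppId -CertificateThumbprint $CertThumbprint

$graphSpn = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$msi      = Get-MgServicePrincipal -Filter "displayName eq '$MsiName'"
# displayName is not unique; never assign roles to "whatever matched".
if (@($msi).Count -ne 1) { throw "Expected exactly one service principal named '$MsiName', found $(@($msi).Count)" }

# Map permission name -> app role ID, restricted to application roles (the only kind a managed identity can hold).
$roleByValue = @{}
foreach ($r in $graphSpn.AppRoles) {
    if ($r.AllowedMemberTypes -contains "Application") { $roleByValue[$r.Value] = $r.Id }
}
$unknown = $Desired | Where-Object { -not $roleByValue.ContainsKey($_) }
if ($unknown) { throw "Not a Graph application permission: $($unknown -join ', ')" }
$desiredIds = @($Desired | ForEach-Object { $roleByValue[$_] })

# Current grants of this identity against the Graph resource only (other resources are left alone).
$current = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id -All |
    Where-Object { $_.ResourceId -eq $graphSpn.Id }
$currentRoleIds = @($current | ForEach-Object { $_.AppRoleId })

# Grant what is missing; skip roles already present so the script is safe to run repeatedly.
foreach ($value in $Desired) {
    $id = $roleByValue[$value]
    if ($currentRoleIds -contains $id) { Write-Host "Already granted: $value"; continue }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id `
        -PrincipalId $msi.Id -ResourceId $graphSpn.Id -AppRoleId $id | Out-Null
    Write-Host "Granted: $value"
}

# Revoke anything outside the desired list so the identity does not accumulate stale rights.
$idToValue = @{}
foreach ($k in $roleByValue.Keys) { $idToValue[$roleByValue[$k]] = $k }
foreach ($a in $current) {
    if ($desiredIds -contains $a.AppRoleId) { continue }
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id -AppRoleAssignmentId $a.Id
    Write-Host "Revoked: $($idToValue[$a.AppRoleId])"
}

# Final state, by permission name, for the change record.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id -All |
    Where-Object { $_.ResourceId -eq $graphSpn.Id } |
    ForEach-Object { $idToValue[$_.AppRoleId] }
```

Run it once with the full list to grant, and again with a reduced list to prove the revoke path works; the final listing is what you would attach to a change ticket. The revoke loop is scoped to assignments whose ResourceId is Microsoft Graph's service principal, so grants the identity holds on other APIs are not touched.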