Azure Integration Services Blog

Grant Graph API Permission to Azure Automation System assigned Managed Identity

Vladimir_Dronov
Oct 25, 2024

Azure Managed Identity is an identity automatically managed by Azure for applications to use when connecting to resources that support Microsoft Entra (formerly Azure Active Directory) authentication. It eliminates the need to manage credentials and secrets, as the identity is created and managed by Azure.

Use Case

Run PowerShell scripts that make Microsoft Graph API calls to manage Entra ID users and groups as Azure Automation runbooks.

Problem

After turning on the system assigned Managed Identity, it does not have any permissions to access the Microsoft Graph API, so every call to Microsoft Graph fails with an error.

The script can successfully log in with Connect-MgGraph -Identity but then fails with insufficient privileges on any call it makes.
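To show what the runbook in the use case looks like, here is a minimal example of the pattern (added here, not code from the post): it authenticates as the system assigned managed identity with Connect-MgGraph -Identity and then adds a user to a group. The runbook name, parameter names and the Add-UserToGroup task are assumptions; with no Graph app roles assigned, the Get-MgUser call is where the insufficient privileges error described above surfaces.

```powershell
# Runbook: Add-UserToGroup.ps1 (added example, hypothetical task)
# Requires the Microsoft.Graph.Authentication, Microsoft.Graph.Users and
# Microsoft.Graph.Groups modules to be imported into the Automation Account.
param (
    [Parameter(Mandatory=$true)]
    [string]$UserPrincipalName,
    [Parameter(Mandatory=$true)]
    [string]$GroupDisplayName
)

# Authenticate as the Automation Account's system assigned managed identity.
# No secret is involved; the token comes from the Automation identity endpoint.
Connect-MgGraph -Identity -NoWelcome

$ctx = Get-MgContext
Write-Output "Connected to tenant $($ctx.TenantId) with auth type $($ctx.AuthType)"

try {
    # Needs User.Read.All (application permission) on the managed identity
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,DisplayName -ErrorAction Stop

    # Needs Group.ReadWrite.All (or a broader directory permission)
    $group = Get-MgGroup -Filter "displayName eq '$GroupDisplayName'" -ErrorAction Stop
    if (-not $group) {
        throw "Group '$GroupDisplayName' not found"
    }

    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id -ErrorAction Stop
    Write-Output "Added $($user.DisplayName) to $($group.DisplayName)"
}
catch {
    # Without the app roles assigned by the scripts in the Solution section,
    # the first Graph call above fails here with an insufficient privileges error.
    Write-Error "Microsoft Graph call failed: $($_.Exception.Message)"
    throw
}
```

The try/catch is there so the runbook job fails visibly in Automation rather than silently continuing after a denied Graph call; the job output then shows which call was rejected.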


For a system assigned Managed Identity, we can't grant Microsoft Graph permissions through the Azure Portal user interface: the Grant admin consent button is disabled.


Solution

Fortunately, this is easy to do with scripting.

Here are two PowerShell scripts that assign and remove three Microsoft Graph application permissions (app roles) for the system assigned managed identity. You can run them locally or in Cloud Shell. You need to be a Global Administrator in your tenant.

Assign-MgGraphPermissions.ps1


#Requires -Modules "Az.Accounts", "Az.Resources", "Microsoft.Graph.Applications"
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [string]$AutomationAccountName,
    [Parameter(Mandatory=$true)]
    [string]$Tenant,
    [Parameter(Mandatory=$true)]
    [string]$Subscription
)

# Well-known application ID of the Microsoft Graph service principal (identical in every tenant)
$GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Sign in to Azure (to look up service principals) and to Graph (to write app role assignments)
Connect-AzAccount -TenantId $Tenant -Subscription $Subscription | Out-Null
Connect-MgGraph -TenantId $Tenant -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All" -NoWelcome

Write-Host "AZ context"
Get-AzContext | Format-List
Write-Host "MG context"
Get-MgContext | Format-List

# Graph application permissions (app roles) to assign to the managed identity
$GraphPermissions = "User.Read.All", "Group.ReadWrite.All", "Directory.ReadWrite.All"

# The system assigned managed identity's service principal carries the Automation Account's display name.
# Display names are not unique, so insist on exactly one match before assigning anything.
$AutomationMSI = @(Get-AzADServicePrincipal -Filter "displayName eq '$AutomationAccountName'")
if ($AutomationMSI.Count -ne 1)
{
    throw "Expected exactly one service principal named '$AutomationAccountName', found $($AutomationMSI.Count)"
}
$AutomationMSI = $AutomationMSI[0]
Write-Host "Assigning permissions to $AutomationAccountName ($($AutomationMSI.Id))"

# Resolve the permission names to app role IDs defined on the Graph service principal;
# only roles that allow "Application" members can be assigned to a service principal
$GraphServicePrincipal = Get-AzADServicePrincipal -Filter "appId eq '$GRAPH_APP_ID'"
$GraphAppRoles = @($GraphServicePrincipal.AppRole | Where-Object {$_.Value -in $GraphPermissions -and $_.AllowedMemberType -contains "Application"})

if($GraphAppRoles.Count -ne $GraphPermissions.Count)
{
    Write-Warning "App roles found: $($GraphAppRoles.Value -join ', ')"
    throw "Some App Roles are not found on Graph API service principal"
}

foreach ($AppRole in $GraphAppRoles) {
    Write-Host "Assigning $($AppRole.Value) to $($AutomationMSI.DisplayName)"
    # PrincipalId is the identity receiving the role; ResourceId is the Graph service principal that defines it
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AutomationMSI.Id -PrincipalId $AutomationMSI.Id -ResourceId $GraphServicePrincipal.Id -AppRoleId $AppRole.Id | Out-Null
}

Remove-MgGraphPermissions.ps1


#Requires -Modules "Az.Accounts", "Az.Resources", "Microsoft.Graph.Applications"
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [string]$AutomationAccountName,
    [Parameter(Mandatory=$true)]
    [string]$Tenant,
    [Parameter(Mandatory=$true)]
    [string]$Subscription
)

# Well-known application ID of the Microsoft Graph service principal
$GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

Connect-AzAccount -TenantId $Tenant -Subscription $Subscription | Out-Null
Connect-MgGraph -TenantId $Tenant -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All" -NoWelcome

Write-Host "AZ context"
Get-AzContext | Format-List
Write-Host "MG context"
Get-MgContext | Format-List

# Insist on exactly one service principal with the Automation Account's display name
$AutomationMSI = @(Get-AzADServicePrincipal -Filter "displayName eq '$AutomationAccountName'")
if ($AutomationMSI.Count -ne 1)
{
    throw "Expected exactly one service principal named '$AutomationAccountName', found $($AutomationMSI.Count)"
}
$AutomationMSI = $AutomationMSI[0]
Write-Host "Removing permissions from $AutomationAccountName ($($AutomationMSI.Id))"

# Only remove app roles granted on Microsoft Graph; assignments for other APIs are left untouched
$GraphServicePrincipal = Get-AzADServicePrincipal -Filter "appId eq '$GRAPH_APP_ID'"

Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AutomationMSI.Id -All |
Where-Object { $_.ResourceId -eq $GraphServicePrincipal.Id } |
ForEach-Object {
    Write-Host "Removing $($_.Id)"
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AutomationMSI.Id -AppRoleAssignmentId $_.Id
}

As a result, the Microsoft Graph permissions are added even though the Grant admin consent button is still disabled, and we can keep using the convenience and security of the system assigned Managed Identity in the Automation Account.
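Because the portal gives no consent view for a system assigned identity, it is worth being able to audit exactly which Graph app roles an Automation Account holds, both to confirm the assignment worked and to review broad grants such as Directory.ReadWrite.All later. The script below is an added example, not part of the post; it uses only the Microsoft.Graph.Applications module, and the Audit-MgGraphPermissions.ps1 name and parameter names are assumptions. It resolves each assignment's AppRoleId back to its permission name by building a lookup table from the Graph service principal's app roles.

```powershell
# Audit-MgGraphPermissions.ps1 (added example): list the Graph app roles held by a managed identity
#Requires -Modules "Microsoft.Graph.Applications"
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [string]$AutomationAccountName,
    [Parameter(Mandatory=$true)]
    [string]$Tenant
)

# Well-known application ID of the Microsoft Graph service principal
$GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Read-only scope is enough for an audit
Connect-MgGraph -TenantId $Tenant -Scopes "Application.Read.All" -NoWelcome

$msi = @(Get-MgServicePrincipal -Filter "displayName eq '$AutomationAccountName'")
if ($msi.Count -ne 1) {
    throw "Expected exactly one service principal named '$AutomationAccountName', found $($msi.Count)"
}
$msi = $msi[0]

# Build AppRoleId -> permission name lookup from the Graph service principal's role definitions
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GRAPH_APP_ID'"
$roleById = @{}
foreach ($role in $graphSp.AppRoles) {
    $roleById[$role.Id] = $role.Value
}

# Enumerate the identity's app role assignments and keep only those granted on Microsoft Graph
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        [pscustomobject]@{
            Permission      = $roleById[$_.AppRoleId]
            AppRoleId       = $_.AppRoleId
            AssignmentId    = $_.Id
            CreatedDateTime = $_.CreatedDateTime
        }
    }

if (-not $assignments) {
    Write-Warning "$AutomationAccountName ($($msi.Id)) holds no Microsoft Graph app roles"
}
else {
    Write-Host "Microsoft Graph app roles held by $AutomationAccountName ($($msi.Id)):"
    $assignments | Sort-Object Permission | Format-Table -AutoSize
}
```

Running it right after Assign-MgGraphPermissions.ps1 should list exactly the three permissions the post assigns; anything else in the output is a grant from elsewhere and worth explaining before the identity goes into production.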


PS: This post is inspired by Grant Graph API Permission to Managed Identity Object - Microsoft Community Hub.


Updated Oct 24, 2024
Version 1.0