Grant Graph API Permission to Managed Identity Object

Published Sep 28 2021 01:20 PM 1,034 Views
Microsoft

Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. We can access Graph API either using service principal object in Azure or using Managed Identity.   

 

When it comes to service Principal, we can grant API Permissions to the service principal object in Azure but incase of Managed Identity, we do not have option to provide Graph API permission for Managed Identity object via portal.  Hence we need to use the below PowerShell script to grant Graph API Permission (Application Permission) to the managed Identity object.

 

 In this blog, we will see how to grant graph API permission to the Managed Identity object

 

Note: To provide Graph API Permission you need to be Global Administrator in Azure Active Directory

 

Below Parameters needs to be modified as per your resources:

  • TenantID : Provide the tenantID of your subscription
  • GraphAppId : This parameter is optional. We don’t have to change this value. This corresponds to Graph API Guid.
  • DisplayNameofMSI :  Provide your Logic App name. Since managed identity will be created in the same name as the resource on which identity is enabled, we can provide the Logic App name
  • Permissions : Provide the appropriate Graph API Permission. https://docs.microsoft.com/en-us/graph/permissions-reference. Note: These are application permission.

 

Powershell Script:

 

$TenantID="provide the tenant ID"

$GraphAppId = "00000003-0000-0000-c000-000000000000"

$DisplayNameOfMSI="Provide the Logic App name"

$PermissionName = "Directory.Read.All"

 

 

# Install the module

Install-Module AzureAD

 

Connect-AzureAD -TenantId $TenantID

$MSI = (Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'")

Start-Sleep -Seconds 10

$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

$AppRole = $GraphServicePrincipal.AppRoles | `

Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}

New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId `

-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id

 

 

Logic App:

 

Joyce_Dorothy_0-1632842255372.png

 

 Execute the Powershell script to grant appropriate Graph API Permission to the Managed Identity object

 

Joyce_Dorothy_1-1632842255390.png

 

 Once the Powershell is executed, you will be able to see the below Graph API permission added.

 

Joyce_Dorothy_2-1632842255400.png

 

 

%3CLINGO-SUB%20id%3D%22lingo-sub-2792127%22%20slang%3D%22en-US%22%3EGrant%20Graph%20API%20Permission%20to%20Managed%20Identity%20Object%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2792127%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3EManaged%20identities%20provide%20an%20identity%20for%20applications%20to%20use%20when%20connecting%20to%20resources%20that%20support%20Azure%20Active%20Directory%20(Azure%20AD)%20authentication.%20We%20can%20access%20Graph%20API%20either%20using%20service%20principal%20object%20in%20Azure%20or%20using%20Managed%20Identity.%20%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3EWhen%20it%20comes%20to%20service%20Principal%2C%20we%20can%20grant%20API%20Permissions%20to%20the%20service%20principal%20object%20in%20Azure%20but%20incase%20of%20Managed%20Identity%2C%20we%20do%20not%20have%20option%20to%20provide%20Graph%20API%20permission%20for%20Managed%20Identity%20object%20via%20portal.%26nbsp%3B%20Hence%20we%20need%20to%20use%20the%20below%20PowerShell%20script%20to%20grant%20Graph%20API%20Permission%20(Application%20Permission)%20to%20the%20managed%20Identity%20object.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%26nbsp%3BIn%20this%20blog%2C%20we%20will%20see%20how%20to%20grant%20graph%20API%20permission%20to%20the%20Managed%20Identity%20object%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%3ENote%3C%2FSTRONG%3E%3A%20To%20provide%20Graph%20API%20Permission%20you%20need%20to%20be%20Global%20Administrator%20in%20Azure%20Active%20Directory%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3EBelow%20Parameters%20needs%20to%20be%20modified%20as%20per%20your%20resources%3A%3C%2FFONT%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%3ETenantID%3CSPAN%20data-offset-key%3D%22b709622718a940839112b2a3c4a547a2%3A1%22%3E%20%3A%20%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%3EProvide%20the%20tenantID%20of%20your%20subscription%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FLI%3E%0A%3CLI%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%3EGraphAppId%3C%2FSTRONG%3E%3CSPAN%3E%20%3A%20This%20parameter%20is%20optional.%20We%20don%E2%80%99t%20have%20to%20change%20this%20value.%20This%20corresponds%20to%20Graph%20API%20Guid.%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FLI%3E%0A%3CLI%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%20data-slate-leaf%3D%22true%22%3E%3CSPAN%20data-key%3D%2235c08add42b641469016875c2097f9bf%22%3EDisplayNameofMSI%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%3E%20%3A%20%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3EProvide%20your%20Logic%20App%20name.%20Since%20managed%20identity%20will%20be%20created%20in%20the%20same%20name%20as%20the%20resource%20on%20which%20identity%20is%20enabled%2C%20we%20can%20provide%20the%20Logic%20App%20name%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FLI%3E%0A%3CLI%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%20data-slate-leaf%3D%22true%22%3E%3CSPAN%20data-key%3D%22adab7fc4ebb74288a094813f38b6d236%22%3EPermissions%20%3A%20%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSTRONG%3EProvide%20the%20appropriate%20Graph%20API%20Permission%3C%2FSTRONG%3E%3CSTRONG%3E.%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fgraph%2Fpermissions-reference%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fgraph%2Fpermissions-reference%3C%2FA%3E.%20Note%3A%20%3C%2FSTRONG%3E%3CSTRONG%3EThese%20are%20application%20permission.%20%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%3E%3CU%3EPowershell%20Script%3A%20%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3E%24TenantID%3D%22provide%20the%20tenant%20ID%22%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3E%24GraphAppId%20%3D%20%2200000003-0000-0000-c000-000000000000%22%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3E%24DisplayNameOfMSI%3D%22Provide%20the%20Logic%20App%20name%22%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3E%24PermissionName%20%3D%20%22Directory.Read.All%22%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3E%23%20Install%20the%20module%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3EInstall-Module%20AzureAD%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3EConnect-AzureAD%20-TenantId%20%24TenantID%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3E%24MSI%20%3D%20(Get-AzureADServicePrincipal%20-Filter%20%22displayName%20eq%20'%24DisplayNameOfMSI'%22)%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3EStart-Sleep%20-Seconds%2010%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3E%24GraphServicePrincipal%20%3D%20Get-AzureADServicePrincipal%20-Filter%20%22appId%20eq%20'%24GraphAppId'%22%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3E%24AppRole%20%3D%20%24GraphServicePrincipal.AppRoles%20%7C%20%60%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3EWhere-Object%20%7B%24_.Value%20-eq%20%24PermissionName%20-and%20%24_.AllowedMemberTypes%20-contains%20%22Application%22%7D%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3ENew-AzureAdServiceAppRoleAssignment%20-ObjectId%20%24MSI.ObjectId%20-PrincipalId%20%24MSI.ObjectId%20%60%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3E-ResourceId%20%24GraphServicePrincipal.ObjectId%20-Id%20%24AppRole.Id%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%3ELogic%20App%3A%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Joyce_Dorothy_0-1632842255372.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F313353iC1984FB6226D56FC%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Joyce_Dorothy_0-1632842255372.png%22%20alt%3D%22Joyce_Dorothy_0-1632842255372.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FFONT%3E%3CFONT%20size%3D%222%22%3EExecute%20the%20Powershell%20script%20to%20grant%20appropriate%20Graph%20API%20Permission%20to%20the%20Managed%20Identity%20object%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Joyce_Dorothy_1-1632842255390.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F313355iBCB51B817AC167D9%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Joyce_Dorothy_1-1632842255390.png%22%20alt%3D%22Joyce_Dorothy_1-1632842255390.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FFONT%3E%3CFONT%20size%3D%222%22%3EOnce%20the%20Powershell%20is%20executed%2C%20you%20will%20be%20able%20to%20see%20the%20below%20Graph%20API%20permission%20added.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Joyce_Dorothy_2-1632842255400.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F313354i9859E6DF92253575%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Joyce_Dorothy_2-1632842255400.png%22%20alt%3D%22Joyce_Dorothy_2-1632842255400.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2792127%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ELogic%20Apps%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Co-Authors
Version history
Last update:
‎Sep 28 2021 08:36 AM
Updated by: