Grant Graph API Permission to Azure Automation System-assigned Managed Identity
by info.odysseyx@gmail.com, October 25, 2024

Azure managed identities are identities that Azure manages automatically for applications to use when connecting to resources that support Microsoft Entra (formerly Azure Active Directory) authentication. Azure creates and manages the identity for you, so you don't have to store, rotate or protect credentials and secrets.

Use cases

Manage Entra ID users and groups from Azure Automation runbooks, using PowerShell scripts that make specific Microsoft Graph API calls.

Problem

When you enable the system-assigned managed identity on an Automation account, it starts with no permissions on the Microsoft Graph API. A runbook can sign in successfully with:

Connect-MgGraph -Identity

However, the Graph calls that follow fail with an insufficient-privileges error, because the identity has not been granted the application permissions those calls require.

For a system-assigned managed identity you cannot grant Microsoft Graph permissions through the Azure portal: on its enterprise application the Grant admin consent button is disabled.

Solution

Fortunately, scripting makes this easy. Below are two PowerShell scripts that assign and remove three Microsoft Graph application permissions for a system-assigned managed identity. You can run them locally or from Cloud Shell. You must be a Global Administrator in the tenant (or hold another role that can consent to application permissions, such as Privileged Role Administrator).

A caveat before granting: these are application permissions, so they apply tenant-wide with no user in the loop, and Directory.ReadWrite.All in particular allows changing almost anything in the directory. Anyone who can edit or run runbooks in the Automation account can exercise whatever the identity holds, so grant only the permissions the runbook actually needs and revoke them with the second script when they are no longer required.
Allocation-MgGraphPermissions.ps1

```powershell
#Requires -Modules "Az.Accounts", "Az.Resources", "Microsoft.Graph.Applications"
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)] [string]$AutomationAccountName,
    [Parameter(Mandatory=$true)] [string]$Tenant,
    [Parameter(Mandatory=$true)] [string]$Subscription
)

# Well-known application ID of the Microsoft Graph resource (identical in every tenant)
$GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

Connect-AzAccount -TenantId $Tenant -Subscription $Subscription | Out-Null
# Delegated scopes the signed-in administrator needs to create app role assignments
Connect-MgGraph -TenantId $Tenant -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All" -NoWelcome

Write-Host "AZ context"
Get-AzContext | Format-List
Write-Host "MG context"
Get-MgContext | Format-List

# Application permissions (Graph app roles) to grant; trim this to what the runbook needs
$GraphPermissions = "User.Read.All", "Group.ReadWrite.All", "Directory.ReadWrite.All"

# The system-assigned managed identity is a service principal whose display name
# equals the Automation account name. Display names are not unique, so insist on one match.
$AutomationMSI = Get-AzADServicePrincipal -Filter "displayName eq '$AutomationAccountName'"
if (@($AutomationMSI).Count -ne 1) {
    throw "Expected exactly one service principal named '$AutomationAccountName', found $(@($AutomationMSI).Count)"
}
Write-Host "Assigning permissions to $AutomationAccountName ($($AutomationMSI.Id))"

$GraphServicePrincipal = Get-AzADServicePrincipal -Filter "appId eq '$GRAPH_APP_ID'"
# Only roles that applications may hold can be assigned to a managed identity
$GraphAppRoles = $GraphServicePrincipal.AppRole |
    Where-Object { $_.Value -in $GraphPermissions -and $_.AllowedMemberType -contains "Application" }
if (@($GraphAppRoles).Count -ne $GraphPermissions.Count) {
    Write-Warning "App roles found: $($GraphAppRoles.Value -join ', ')"
    throw "Some App Roles are not found on Graph API service principal"
}

foreach ($AppRole in $GraphAppRoles) {
    Write-Host "Assigning $($AppRole.Value) to $($AutomationMSI.DisplayName)"
    # Principal and service principal are the same object (the MSI); the resource is Graph
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AutomationMSI.Id `
        -PrincipalId $AutomationMSI.Id -ResourceId $GraphServicePrincipal.Id -AppRoleId $AppRole.Id | Out-Null
}
```

Remove-MgGraphPermissions.ps1

```powershell
#Requires -Modules "Az.Accounts", "Az.Resources", "Microsoft.Graph.Applications"
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)] [string]$AutomationAccountName,
    [Parameter(Mandatory=$true)] [string]$Tenant,
    [Parameter(Mandatory=$true)] [string]$Subscription
)

$GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

Connect-AzAccount -TenantId $Tenant -Subscription $Subscription | Out-Null
Connect-MgGraph -TenantId $Tenant -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All" -NoWelcome

Write-Host "AZ context"
Get-AzContext | Format-List
Write-Host "MG context"
Get-MgContext | Format-List

$AutomationMSI = Get-AzADServicePrincipal -Filter "displayName eq '$AutomationAccountName'"
if (@($AutomationMSI).Count -ne 1) {
    throw "Expected exactly one service principal named '$AutomationAccountName', found $(@($AutomationMSI).Count)"
}
$GraphServicePrincipal = Get-AzADServicePrincipal -Filter "appId eq '$GRAPH_APP_ID'"
Write-Host "Removing permissions from $AutomationAccountName ($($AutomationMSI.Id))"

# Remove only the assignments whose resource is Microsoft Graph; app roles the identity
# holds on other APIs are left untouched
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AutomationMSI.Id -All |
    Where-Object { $_.ResourceId -eq $GraphServicePrincipal.Id } |
    ForEach-Object {
        Write-Host "Removing $($_.Id)"
        Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AutomationMSI.Id -AppRoleAssignmentId $_.Id
    }
```

As a result, the Microsoft Graph permissions are added (even though the Grant admin consent button in the portal is still disabled), and your Automation account keeps the convenience and security of a system-assigned managed identity: there is still no secret to store or rotate.

PS: This post was inspired by: Grant Graph API permissions to managed identity objects – Microsoft Community Hub.
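The runbook side of the problem described above, as an added example that is not part of the original post. Instead of discovering a missing grant through an opaque insufficient-privileges error on the first Graph call, the runbook requests a Graph token for its managed identity, reads the roles claim of that token, and fails fast with a message naming the missing application permissions. It assumes the Automation account has the Az.Accounts and Microsoft.Graph.Authentication modules imported, and the required roles listed in $RequiredRoles are a hypothetical requirement for a group-management runbook.

```powershell
# Added example, not from the original post. Pre-flight permission check for a runbook
# running as the Automation account's system-assigned managed identity.
# Assumes Az.Accounts and Microsoft.Graph.Authentication are imported into the account.
$RequiredRoles = "User.Read.All", "Group.ReadWrite.All"   # hypothetical runbook requirement

function ConvertFrom-JwtPayload {
    # Decodes the payload of a JWT without verifying the signature. The runbook obtained
    # this token itself over TLS from the identity endpoint, so reading its own claims is safe.
    param([Parameter(Mandatory)][string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Test-GraphAppRoles {
    # Returns the required application permissions absent from the token's roles claim;
    # an empty result means everything the runbook needs has been granted.
    param([Parameter(Mandatory)][string]$Jwt, [Parameter(Mandatory)][string[]]$Required)
    $claims  = ConvertFrom-JwtPayload -Jwt $Jwt
    $granted = @($claims.roles)
    $Required | Where-Object { $_ -notin $granted }
}

# Sign in as the system-assigned managed identity and get a token for Microsoft Graph
Connect-AzAccount -Identity | Out-Null
$token = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com").Token
# Newer Az.Accounts versions return the token as a SecureString; normalise to a string
if ($token -is [securestring]) { $token = [System.Net.NetworkCredential]::new("", $token).Password }

$missing = @(Test-GraphAppRoles -Jwt $token -Required $RequiredRoles)
if ($missing.Count -gt 0) {
    $msg = "Managed identity token lacks Graph application permissions: $($missing -join ', '). " +
           "Grant them with New-MgServicePrincipalAppRoleAssignment and re-run."
    throw $msg
}

# Permissions confirmed: do the real work through the Graph SDK with the same identity
Connect-MgGraph -Identity -NoWelcome
$groups = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/groups?`$top=5&`$select=id,displayName"
$groups.value | ForEach-Object { Write-Output "$($_.displayName) ($($_.id))" }
```

The roles claim is populated only from app role assignments on the identity's service principal, which is exactly what the assignment script above creates; a token issued before the grant will not carry the new roles, so re-run the job rather than reusing a cached session after granting.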
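Because the portal shows nothing for these grants, the verification step has to be scripted too. The following audit, added here and not part of the original post, goes beyond the single Automation account: it lists every managed identity in the tenant together with the Microsoft Graph application permissions each one holds, resolving AppRoleId values to permission names and flagging the ones that amount to directory-wide control. It runs under the signed-in administrator with the Microsoft.Graph.Applications module; the list of roles treated as high-privilege is a judgement call chosen for this example.

```powershell
# Added example, not from the original post. Tenant-wide audit of Microsoft Graph
# application permissions held by managed identities. Requires Microsoft.Graph.Applications
# and an administrator who can read service principals and their app role assignments.
$GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# Roles that effectively hand over the directory; any hit deserves a review (example choice)
$HighPrivilege = "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
                 "AppRoleAssignment.ReadWrite.All", "Application.ReadWrite.All"

Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GRAPH_APP_ID'"
# Build an AppRoleId -> permission name lookup from the Graph service principal's app roles,
# since assignments only carry the role GUID
$roleNames = @{}
foreach ($r in $graphSp.AppRoles) { $roleNames[$r.Id] = $r.Value }

function Get-ManagedIdentityGraphRoles {
    # One row per (managed identity, Graph application permission) pair
    param(
        [Parameter(Mandatory)][string]$GraphResourceId,
        [Parameter(Mandatory)][hashtable]$Names,
        [string[]]$Flag = @()
    )
    Get-MgServicePrincipal -Filter "servicePrincipalType eq 'ManagedIdentity'" -All |
        ForEach-Object {
            $mi = $_
            Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -All |
                Where-Object { $_.ResourceId -eq $GraphResourceId } |
                ForEach-Object {
                    $name = $Names[$_.AppRoleId]
                    [pscustomobject]@{
                        Identity      = $mi.DisplayName
                        IdentityId    = $mi.Id
                        Permission    = $name
                        HighPrivilege = ($name -in $Flag)
                        AssignmentId  = $_.Id   # feed this to Remove-MgServicePrincipalAppRoleAssignment
                    }
                }
        }
}

$report = Get-ManagedIdentityGraphRoles -GraphResourceId $graphSp.Id -Names $roleNames -Flag $HighPrivilege
$report | Sort-Object HighPrivilege, Identity -Descending | Format-Table Identity, Permission, HighPrivilege, AssignmentId
```

Run it once after the assignment script to confirm the three roles appear against the Automation account's identity, and periodically thereafter: system-assigned identities that were granted broad Graph roles for a one-off task and never cleaned up are easy to lose track of precisely because the portal does not surface them.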