Grant Graph API Permission to Azure Automation System-Assigned Managed Identity

by info.odysseyx@gmail.com, October 25, 2024

Azure managed identities are identities that Azure automatically manages for applications to use when connecting to resources that support Microsoft Entra (formerly Azure Active Directory) authentication. Azure creates and manages the identity, so you do not have to manage credentials and secrets.

Use case

Manage Microsoft Entra ID users and groups from Azure Automation runbooks, using PowerShell scripts that make specific Microsoft Graph API calls.

Problem

When you enable a system-assigned managed identity, it has no permissions on the Microsoft Graph API, so calling Microsoft Graph from the runbook fails with an error. The script can sign in successfully using:

Connect-MgGraph -Identity

However, the Graph call fails because the identity lacks the permissions needed to make it. For system-assigned managed identities, you cannot grant Microsoft Graph permissions through the Azure portal user interface: the Grant admin consent button is disabled.

Solution

Fortunately, scripting makes this easy. Below are two PowerShell scripts that assign and remove three Microsoft Graph application permissions on a system-assigned managed identity. You can run them locally or from Cloud Shell. You must be a Global Administrator in your tenant.
Allocation-MgGraphPermissions.ps1

```powershell
#Requires -Modules "Az.Accounts", "Az.Resources", "Microsoft.Graph.Applications"
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)] [string]$AutomationAccountName,
    [Parameter(Mandatory=$true)] [string]$Tenant,
    [Parameter(Mandatory=$true)] [string]$Subscription
)

# Well-known application id of the Microsoft Graph service principal
$GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

Connect-AzAccount -TenantId $Tenant -Subscription $Subscription | Out-Null
Connect-MgGraph -TenantId $Tenant -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All" -NoWelcome

Write-Host "AZ context"
Get-AzContext | Format-List
Write-Host "MG context"
Get-MgContext | Format-List

# Application permissions (app roles) to grant to the managed identity
$GraphPermissions = "User.Read.All", "Group.ReadWrite.All", "Directory.ReadWrite.All"

# The system-assigned identity's service principal carries the automation account's display name
$AutomationMSI = (Get-AzADServicePrincipal -Filter "displayName eq '$AutomationAccountName'")
Write-Host "Assigning permissions to $AutomationAccountName ($($AutomationMSI.Id))"

$GraphServicePrincipal = Get-AzADServicePrincipal -Filter "appId eq '$GRAPH_APP_ID'"
# Keep only app roles that can be assigned to applications (not delegated scopes)
$GraphAppRoles = $GraphServicePrincipal.AppRole |
    Where-Object { $_.Value -in $GraphPermissions -and $_.AllowedMemberType -contains "Application" }

if ($GraphAppRoles.Count -ne $GraphPermissions.Count) {
    Write-Warning "App roles found: $($GraphAppRoles)"
    throw "Some App Roles are not found on Graph API service principal"
}

foreach ($AppRole in $GraphAppRoles) {
    Write-Host "Assigning $($AppRole.Value) to $($AutomationMSI.DisplayName)"
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AutomationMSI.Id `
        -PrincipalId $AutomationMSI.Id -ResourceId $GraphServicePrincipal.Id -AppRoleId $AppRole.Id | Out-Null
}
```

Remove-MgGraphPermissions.ps1

```powershell
#Requires -Modules "Az.Accounts", "Az.Resources", "Microsoft.Graph.Applications"
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)] [string]$AutomationAccountName,
    [Parameter(Mandatory=$true)] [string]$Tenant,
    [Parameter(Mandatory=$true)] [string]$Subscription
)

Connect-AzAccount -TenantId $Tenant -Subscription $Subscription | Out-Null
Connect-MgGraph -TenantId $Tenant -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All" -NoWelcome

Write-Host "AZ context"
Get-AzContext | Format-List
Write-Host "MG context"
Get-MgContext | Format-List

$AutomationMSI = (Get-AzADServicePrincipal -Filter "displayName eq '$AutomationAccountName'")
Write-Host "Removing permissions from $AutomationAccountName ($($AutomationMSI.Id))"

# Removes every app role assignment held by the identity, not only the three Graph permissions
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AutomationMSI.Id | ForEach-Object {
    Write-Host "Removing $($_.Id)"
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AutomationMSI.Id -AppRoleAssignmentId $_.Id
}
```

As a result, the Microsoft Graph permissions are assigned (even though the Grant admin consent button stays disabled) and your Automation account keeps the convenience and security of a system-assigned managed identity. Note that the removal script deletes every app role assignment on the identity, not only the three Graph permissions, so review what is assigned before running it.

PS: This post was inspired by: Grant Graph API permissions to managed identity objects – Microsoft Community Hub.
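Because the removal script deletes every assignment it finds, a practitioner will want to see what the identity actually holds, both after granting and before removing. The following audit script is an added example, not code from the original post: it lists each app role assignment on the managed identity resolved to its permission name, marks tenant-wide write permissions, and warns about any Graph permission beyond the three the assignment script grants. It assumes only the Microsoft.Graph.Applications module and Application.Read.All consent; the parameter names match the scripts above.

```powershell
#Requires -Modules "Microsoft.Graph.Applications"
# Added example (not from the original post): audit the app role assignments
# held by an Automation account's system-assigned managed identity.
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)] [string]$AutomationAccountName,
    [Parameter(Mandatory=$true)] [string]$Tenant
)

# Read-only consent is enough to list assignments and resolve role names.
Connect-MgGraph -TenantId $Tenant -Scopes "Application.Read.All" -NoWelcome

$msi = Get-MgServicePrincipal -Filter "displayName eq '$AutomationAccountName'"
if (-not $msi) { throw "No service principal named '$AutomationAccountName' found" }
if (@($msi).Count -gt 1) { throw "Display name '$AutomationAccountName' matches more than one service principal" }

# Cache the resource service principals (Microsoft Graph and any others) so each
# AppRoleId can be mapped back to a permission value such as "User.Read.All".
$resources = @{}
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id -All

$report = foreach ($assignment in $assignments) {
    if (-not $resources.ContainsKey($assignment.ResourceId)) {
        $resources[$assignment.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
    }
    $resource = $resources[$assignment.ResourceId]
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
    [pscustomobject]@{
        AssignmentId    = $assignment.Id
        Resource        = $resource.DisplayName
        Permission      = $role.Value
        # Tenant-wide write permissions (Directory/Group.ReadWrite.All) deserve a second look
        TenantWideWrite = $role.Value -like "*.ReadWrite.All"
    }
}

$report | Format-Table -AutoSize

# Warn about any Graph permission beyond the three the assignment script grants
$expected = "User.Read.All", "Group.ReadWrite.All", "Directory.ReadWrite.All"
$unexpected = $report | Where-Object { $_.Resource -eq "Microsoft Graph" -and $_.Permission -notin $expected }
$unexpected | ForEach-Object { Write-Warning "Unexpected Graph permission: $($_.Permission) ($($_.AssignmentId))" }
```

The AssignmentId column is the value the removal script passes to -AppRoleAssignmentId, so it can be used to remove a single unwanted assignment instead of all of them.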