Grant Graph API Permission to Azure Automation System-assigned Managed Identity
by info.odysseyx@gmail.com, October 25, 2024

Azure managed identities are identities that Azure manages automatically for applications to use when connecting to resources that support Microsoft Entra (formerly Azure Active Directory) authentication. Azure creates and manages the identity, so you do not have to manage credentials or secrets yourself.

Use case
Manage Entra ID users and groups from Azure Automation runbooks, using PowerShell scripts that make specific Microsoft Graph API calls.

Problem
When you enable a system-assigned managed identity on an Automation account, it starts with no Microsoft Graph permissions at all. A runbook can sign in successfully with Connect-MgGraph -Identity, but any subsequent Graph call fails with an insufficient-privileges error, because the identity holds no Graph application permissions (app roles). For system-assigned managed identities you cannot grant Microsoft Graph permissions through the Azure portal: the managed identity exists only as an enterprise application (service principal) without an app registration, so the Grant admin consent button on its Permissions page is disabled.

Solution
Fortunately, scripting makes this easy. Below are two PowerShell scripts: one assigns three Microsoft Graph application permissions (User.Read.All, Group.ReadWrite.All and Directory.ReadWrite.All) to a system-assigned managed identity, and the other removes the identity's app role assignments again. You can run them locally or from Cloud Shell. You must be a Global Administrator of the tenant, since granting Graph application permissions is tenant-wide consent. Directory.ReadWrite.All in particular is a broad permission; if the runbooks only need to manage users and groups, trim $GraphPermissions to the smallest set that still works, because anyone who can edit the runbooks can act with whatever the identity holds.
Assign-MgGraphPermissions.ps1

```powershell
#Requires -Modules "Az.Accounts", "Az.Resources", "Microsoft.Graph.Applications"
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)] [string]$AutomationAccountName,
    [Parameter(Mandatory = $true)] [string]$Tenant,
    [Parameter(Mandatory = $true)] [string]$Subscription
)

# Well-known application ID of the Microsoft Graph service principal (identical in every tenant)
$GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

Connect-AzAccount -TenantId $Tenant -Subscription $Subscription | Out-Null
# Delegated scopes needed to read Graph's app roles and to write app role assignments
Connect-MgGraph -TenantId $Tenant -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All" -NoWelcome

Write-Host "AZ context"
Get-AzContext | Format-List
Write-Host "MG context"
Get-MgContext | Format-List

# Application permissions (app roles) to grant to the managed identity
$GraphPermissions = "User.Read.All", "Group.ReadWrite.All", "Directory.ReadWrite.All"

# The system-assigned identity's service principal carries the Automation account's display name
$AutomationMSI = Get-AzADServicePrincipal -Filter "displayName eq '$AutomationAccountName'"
if (-not $AutomationMSI) { throw "No service principal found with display name '$AutomationAccountName'" }
Write-Host "Assigning permissions to $AutomationAccountName ($($AutomationMSI.Id))"

$GraphServicePrincipal = Get-AzADServicePrincipal -Filter "appId eq '$GRAPH_APP_ID'"
# Keep only the requested roles, and only those that applications (not users) may hold
$GraphAppRoles = $GraphServicePrincipal.AppRole |
    Where-Object { $_.Value -in $GraphPermissions -and $_.AllowedMemberType -contains "Application" }

if (@($GraphAppRoles).Count -ne $GraphPermissions.Count) {
    Write-Warning "App roles found: $($GraphAppRoles.Value -join ', ')"
    throw "Some App Roles are not found on Graph API service principal"
}

foreach ($AppRole in $GraphAppRoles) {
    Write-Host "Assigning $($AppRole.Value) to $($AutomationMSI.DisplayName)"
    # The managed identity is both the principal receiving the role and the object the assignment hangs off
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AutomationMSI.Id `
        -PrincipalId $AutomationMSI.Id -ResourceId $GraphServicePrincipal.Id -AppRoleId $AppRole.Id | Out-Null
}
```

Remove-MgGraphPermissions.ps1

```powershell
#Requires -Modules "Az.Accounts", "Az.Resources", "Microsoft.Graph.Applications"
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)] [string]$AutomationAccountName,
    [Parameter(Mandatory = $true)] [string]$Tenant,
    [Parameter(Mandatory = $true)] [string]$Subscription
)

Connect-AzAccount -TenantId $Tenant -Subscription $Subscription | Out-Null
Connect-MgGraph -TenantId $Tenant -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All" -NoWelcome

Write-Host "AZ context"
Get-AzContext | Format-List
Write-Host "MG context"
Get-MgContext | Format-List

$AutomationMSI = Get-AzADServicePrincipal -Filter "displayName eq '$AutomationAccountName'"
if (-not $AutomationMSI) { throw "No service principal found with display name '$AutomationAccountName'" }
Write-Host "Removing permissions from $AutomationAccountName ($($AutomationMSI.Id))"

# Note: this removes every app role assignment held by the identity, not only the three
# Graph roles granted by the assign script. Filter on ResourceId if other APIs are in use.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AutomationMSI.Id | ForEach-Object {
    Write-Host "Removing $($_.Id)"
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AutomationMSI.Id -AppRoleAssignmentId $_.Id
}
```

As a result, the Microsoft Graph application permissions are assigned to the identity (the Grant admin consent button in the portal stays disabled, but the assignments show up on the enterprise application's Permissions page), and your Automation account keeps the convenience and security of a system-assigned managed identity: no client secret to store or rotate. Keep in mind that the removal script drops every app role assignment on the identity, not just the three Graph roles, so check what else the identity holds before running it.

PS: This post was inspired by: Grant Graph API permissions to managed identity objects – Microsoft Community Hub.
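Before trusting a runbook with these permissions, it is worth confirming exactly which Graph roles the identity ended up with. The following audit script is an added example, not code from the original post or from the linked Community Hub article: it resolves each of the identity's app role assignments back to the Graph permission name by joining the assignment's AppRoleId to the Graph service principal's app role list. It assumes an interactive sign-in with only Application.Read.All (the audit never writes) and that the managed identity's display name equals the Automation account name, as in the scripts above.

```powershell
#Requires -Modules "Microsoft.Graph.Applications"
# Added example: list the Graph application permissions currently held by a
# system-assigned managed identity, by permission name rather than raw role GUID.
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)] [string]$AutomationAccountName,  # assumption: equals the MSI display name
    [Parameter(Mandatory = $true)] [string]$Tenant
)

# Well-known application ID of the Microsoft Graph service principal
$GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Read-only scope is enough to audit; nothing here modifies the directory
Connect-MgGraph -TenantId $Tenant -Scopes "Application.Read.All" -NoWelcome

$msi = Get-MgServicePrincipal -Filter "displayName eq '$AutomationAccountName'"
if (-not $msi) { throw "No service principal named '$AutomationAccountName'" }
if (@($msi).Count -gt 1) { throw "Display name '$AutomationAccountName' is ambiguous; look the identity up by object ID instead" }

$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GRAPH_APP_ID'"

# Build an AppRoleId -> permission value lookup from the Graph service principal's app roles
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[[string]$role.Id] = $role.Value }

# Assignments where this identity is the principal; keep only those targeting Microsoft Graph
$report = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        [pscustomobject]@{
            Permission   = $roleNames[[string]$_.AppRoleId]
            AppRoleId    = $_.AppRoleId
            AssignmentId = $_.Id
            CreatedOn    = $_.CreatedDateTime
        }
    }

if (-not $report) {
    Write-Warning "$AutomationAccountName holds no Microsoft Graph application permissions"
} else {
    $report | Sort-Object Permission | Format-Table -AutoSize
}
```

Run it once after the assign script to see the three expected names, and again after any change to the runbooks: a permission such as Directory.ReadWrite.All that no runbook actually exercises is a candidate for removal.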