
Grant Graph API Permission to Azure Automation System assigned Managed Identity

by info.odysseyx@gmail.com


Azure managed identities are identities that Azure manages automatically for applications to use when connecting to resources that support Microsoft Entra (formerly Azure Active Directory) authentication. Azure creates and maintains the identity, so you never have to store or rotate credentials and secrets yourself.

Use cases

Manage Microsoft Entra ID users and groups from Azure Automation runbooks, using PowerShell scripts that make specific Microsoft Graph API calls.

Problem

When you enable a system-assigned managed identity on the Automation account, it has no permissions on the Microsoft Graph API.

[Image: 1_MI Activation.png]

So when the runbook calls the Microsoft Graph API, it fails: the script signs in successfully with Connect-MgGraph -Identity, but the call itself is rejected because the identity lacks the required permissions.

[Image: 2_error.png]
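To make the failure mode concrete, here is a minimal runbook body of the kind the post describes. This is an added example, not code from the original post; it assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Users modules are imported into the Automation account and that the system-assigned identity is enabled. Until app roles are granted to the identity, the Get-MgUser call below is what returns the insufficient-privileges error.

```powershell
# Added example runbook (not from the original post).
# Assumes: Microsoft.Graph.Authentication and Microsoft.Graph.Users are imported
# into the Automation account, and the system-assigned identity is turned on.
try {
    # Sign in as the Automation account's system-assigned managed identity.
    # No secret is involved; the token comes from the platform.
    Connect-MgGraph -Identity -NoWelcome

    # Show what we authenticated as (AuthType is AppOnly for a managed identity).
    $ctx = Get-MgContext
    Write-Output "Tenant: $($ctx.TenantId)  ClientId: $($ctx.ClientId)  AuthType: $($ctx.AuthType)"

    # A Graph call that requires the User.Read.All application permission.
    # Without an app role assignment this is where Graph answers 403 / Insufficient privileges.
    $users = Get-MgUser -Top 5 -Property DisplayName,UserPrincipalName
    $users | Select-Object DisplayName, UserPrincipalName | Format-Table -AutoSize
}
catch {
    # Surface the Graph error in the job output and fail the job.
    Write-Error "Graph call failed: $($_.Exception.Message)"
    throw
}
```

The job output before the fix shows a successful Get-MgContext followed by the failed Get-MgUser; after running the assignment script below, the same runbook succeeds without any change to the runbook itself.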

For system-assigned managed identities you cannot grant Microsoft Graph permissions through the Azure portal: the Grant admin consent button is disabled.

[Image: 2_Disabled button.png]

Solution

Fortunately, scripting makes this easy.

Below are two PowerShell scripts: the first assigns three Microsoft Graph application permissions (app roles) to a system-assigned managed identity, the second removes the identity's app role assignments again (note that it clears every app role assignment the identity holds, not only the three added). You can run them locally or from Cloud Shell. You must be a Global Administrator for your tenant.

Assign-MgGraphPermissions.ps1

#Requires -Modules "Az.Accounts", "Az.Resources", "Microsoft.Graph.Applications"
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [string]$AutomationAccountName,
    [Parameter(Mandatory=$true)]
    [string]$Tenant,
    [Parameter(Mandatory=$true)]
    [string]$Subscription
)

# Well-known application (client) ID of the Microsoft Graph API; it is the same in every tenant.
$GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Sign in with Az (to look up service principals) and with the Graph SDK (to write app role assignments).
Connect-AzAccount -TenantId $Tenant -Subscription $Subscription | Out-Null
Connect-MgGraph -TenantId $Tenant -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All" -NoWelcome

Write-Host "AZ context"
Get-AzContext | Format-List
Write-Host "MG context"
Get-MgContext | Format-List

# Application permissions (app roles) to grant. Directory.ReadWrite.All is tenant-wide write access,
# so keep this list to what the runbooks actually need.
$GraphPermissions = "User.Read.All", "Group.ReadWrite.All", "Directory.ReadWrite.All"

# The system-assigned managed identity is a service principal whose display name equals the Automation account name.
# Wrap in @() so .Count is reliable, and fail clearly if the name is ambiguous or missing.
$AutomationMSI = @(Get-AzADServicePrincipal -Filter "displayName eq '$AutomationAccountName'")
if ($AutomationMSI.Count -ne 1)
{
    throw "Expected exactly one service principal named '$AutomationAccountName', found $($AutomationMSI.Count)"
}
$AutomationMSI = $AutomationMSI[0]
Write-Host "Assigning permissions to $AutomationAccountName ($($AutomationMSI.Id))"

# Resolve the Graph service principal and select the requested app roles by name.
# Only roles that allow the "Application" member type are application permissions (not delegated scopes).
$GraphServicePrincipal = Get-AzADServicePrincipal -Filter "appId eq '$GRAPH_APP_ID'"
$GraphAppRoles = @($GraphServicePrincipal.AppRole | Where-Object {$_.Value -in $GraphPermissions -and $_.AllowedMemberType -contains "Application"})

if($GraphAppRoles.Count -ne $GraphPermissions.Count)
{
    Write-Warning "App roles found: $($GraphAppRoles.Value -join ', ')"
    throw "Some App Roles are not found on Graph API service principal"
}

# One app role assignment per permission: the principal is the managed identity, the resource is Microsoft Graph.
foreach ($AppRole in $GraphAppRoles) {
    Write-Host "Assigning $($AppRole.Value) to $($AutomationMSI.DisplayName)"
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AutomationMSI.Id -PrincipalId $AutomationMSI.Id -ResourceId $GraphServicePrincipal.Id -AppRoleId $AppRole.Id | Out-Null
}

Remove-MgGraphPermissions.ps1

#Requires -Modules "Az.Accounts", "Az.Resources", "Microsoft.Graph.Applications"
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [string]$AutomationAccountName,
    [Parameter(Mandatory=$true)]
    [string]$Tenant,
    [Parameter(Mandatory=$true)]
    [string]$Subscription
)

# Same two sign-ins as the assignment script: Az for lookups, Graph SDK for the assignment writes.
Connect-AzAccount -TenantId $Tenant -Subscription $Subscription | Out-Null
Connect-MgGraph -TenantId $Tenant -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All" -NoWelcome

Write-Host "AZ context"
Get-AzContext | Format-List
Write-Host "MG context"
Get-MgContext | Format-List

# Resolve the managed identity's service principal; fail clearly on zero or multiple matches.
$AutomationMSI = @(Get-AzADServicePrincipal -Filter "displayName eq '$AutomationAccountName'")
if ($AutomationMSI.Count -ne 1)
{
    throw "Expected exactly one service principal named '$AutomationAccountName', found $($AutomationMSI.Count)"
}
$AutomationMSI = $AutomationMSI[0]
Write-Host "Removing permissions from $AutomationAccountName ($($AutomationMSI.Id))"

# This removes EVERY app role assignment the identity holds (on Graph and on any other resource API),
# not only the three granted by the assignment script. -All pages through results beyond the first page.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AutomationMSI.Id -All |
ForEach-Object {
    Write-Host "Removing $($_.ResourceDisplayName) app role $($_.AppRoleId) (assignment $($_.Id))"
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AutomationMSI.Id -AppRoleAssignmentId $_.Id
}

As a result, the Microsoft Graph permissions are granted (even though the Grant admin consent button remains disabled in the portal), and your Automation account keeps the convenience and security of a system-assigned managed identity.

[Image: 4_Permission.png]
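Because the portal button stays greyed out, the portal screenshot is the only visual confirmation the post offers. The following audit script is an added example, not part of the original post, that confirms the result from the command line: it lists every app role assignment the managed identity holds and maps each Graph AppRoleId GUID back to its readable permission name (User.Read.All and so on). It assumes only the Microsoft.Graph.Applications module and an account with Application.Read.All; the parameter names are the same as in the two scripts above.

```powershell
#Requires -Modules "Microsoft.Graph.Applications"
# Added audit example (not from the original post): list the app roles granted to the
# Automation account's system-assigned managed identity, with human-readable Graph permission names.
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [string]$AutomationAccountName,
    [Parameter(Mandatory=$true)]
    [string]$Tenant
)

# Well-known application ID of Microsoft Graph (same in every tenant).
$GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Read-only sign-in: listing assignments needs no write scope.
Connect-MgGraph -TenantId $Tenant -Scopes "Application.Read.All" -NoWelcome

# The managed identity's service principal carries the Automation account's display name.
$msi = @(Get-MgServicePrincipal -Filter "displayName eq '$AutomationAccountName'")
if ($msi.Count -ne 1) {
    throw "Expected exactly one service principal named '$AutomationAccountName', found $($msi.Count)"
}
$msi = $msi[0]

# Build a lookup from Graph app role GUID to permission name (e.g. User.Read.All),
# so the assignment list is readable instead of a column of GUIDs.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GRAPH_APP_ID'"
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) {
    $roleNames[$role.Id] = $role.Value
}

# Enumerate all assignments (-All pages past the first page) and resolve each one.
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id -All |
    ForEach-Object {
        [pscustomobject]@{
            Resource     = $_.ResourceDisplayName
            Permission   = $(if ($roleNames.ContainsKey($_.AppRoleId)) { $roleNames[$_.AppRoleId] } else { $_.AppRoleId })
            AssignedOn   = $_.CreatedDateTime
            AssignmentId = $_.Id
        }
    }

if (-not $assignments) {
    Write-Host "No app role assignments found for $AutomationAccountName ($($msi.Id))"
}
else {
    $assignments | Sort-Object Resource, Permission | Format-Table -AutoSize
}
```

Run it once after Assign-MgGraphPermissions.ps1 and you should see three rows with Resource set to Microsoft Graph; run it after Remove-MgGraphPermissions.ps1 and the list should be empty. Assignments on resources other than Graph (any other API the identity has been granted roles on) show up as well, with the raw GUID in the Permission column because the name lookup only covers Graph's roles.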

PS: This post was inspired by: Grant Graph API permissions to managed identity objects – Microsoft Community Hub.
