# Grant Graph API Permission to Azure Automation System assigned Managed Identity

by info.odysseyx@gmail.com, October 25, 2024

Azure managed identities are identities that Azure manages automatically for applications to use when connecting to resources that support Microsoft Entra (formerly Azure Active Directory) authentication. Azure creates and manages the identity, so you don't have to manage credentials and secrets yourself.

## Use cases

Managing Entra ID users and groups from Azure Automation runbooks, using PowerShell scripts that make specific Microsoft Graph API calls.

## Problem

When you turn on a system-assigned managed identity for the Automation account, it has no permission to access the Microsoft Graph API, so the runbook's Graph calls fail with an error. The script signs in successfully using:

```powershell
Connect-MgGraph -Identity
```

but the subsequent Graph call fails because the identity lacks the permissions that call requires. For system-assigned managed identities you cannot grant Microsoft Graph permissions through the Azure portal: the **Grant admin consent** button is disabled.

## Way out

Fortunately, scripting makes this easy. Below are two PowerShell scripts: one assigns three Microsoft Graph application permissions to the system-assigned managed identity, the other removes them again. You can run them locally or from Cloud Shell. You must be a global administrator for your tenant.
### Assign-MgGraphPermissions.ps1

```powershell
#Requires -Modules "Az.Accounts", "Az.Resources", "Microsoft.Graph.Applications"
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)] [string]$AutomationAccountName,
    [Parameter(Mandatory=$true)] [string]$Tenant,
    [Parameter(Mandatory=$true)] [string]$Subscription
)

# Well-known application ID of the Microsoft Graph service principal (identical in every tenant)
$GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

Connect-AzAccount -TenantId $Tenant -Subscription $Subscription | Out-Null
Connect-MgGraph -TenantId $Tenant -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All" -NoWelcome

Write-Host "AZ context"
Get-AzContext | Format-List
Write-Host "MG context"
Get-MgContext | Format-List

# Graph application permissions (app roles) to grant to the managed identity
$GraphPermissions = "User.Read.All", "Group.ReadWrite.All", "Directory.ReadWrite.All"

# The service principal of a system-assigned managed identity carries the Automation account's name.
# displayName is not unique in a tenant, so insist on exactly one match before assigning anything.
$AutomationMSI = @(Get-AzADServicePrincipal -Filter "displayName eq '$AutomationAccountName'")
if ($AutomationMSI.Count -ne 1) {
    throw "Expected exactly one service principal named '$AutomationAccountName', found $($AutomationMSI.Count)"
}
$AutomationMSI = $AutomationMSI[0]
Write-Host "Assigning permissions to $AutomationAccountName ($($AutomationMSI.Id))"

# Resolve the requested permission names to app role objects on the Graph service principal
$GraphServicePrincipal = Get-AzADServicePrincipal -Filter "appId eq '$GRAPH_APP_ID'"
$GraphAppRoles = $GraphServicePrincipal.AppRole |
    Where-Object { $_.Value -in $GraphPermissions -and $_.AllowedMemberType -contains "Application" }
if ($GraphAppRoles.Count -ne $GraphPermissions.Count) {
    Write-Warning "App roles found: $($GraphAppRoles)"
    throw "Some App Roles are not found on Graph API service principal"
}

# One app role assignment per permission: principal = the MSI, resource = Microsoft Graph
foreach ($AppRole in $GraphAppRoles) {
    Write-Host "Assigning $($AppRole.Value) to $($AutomationMSI.DisplayName)"
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AutomationMSI.Id `
        -PrincipalId $AutomationMSI.Id `
        -ResourceId $GraphServicePrincipal.Id `
        -AppRoleId $AppRole.Id | Out-Null
}
```

### Remove-MgGraphPermissions.ps1

```powershell
#Requires -Modules "Az.Accounts", "Az.Resources", "Microsoft.Graph.Applications"
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)] [string]$AutomationAccountName,
    [Parameter(Mandatory=$true)] [string]$Tenant,
    [Parameter(Mandatory=$true)] [string]$Subscription
)

Connect-AzAccount -TenantId $Tenant -Subscription $Subscription | Out-Null
Connect-MgGraph -TenantId $Tenant -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All" -NoWelcome

Write-Host "AZ context"
Get-AzContext | Format-List
Write-Host "MG context"
Get-MgContext | Format-List

# Same uniqueness check as in the assign script: never strip permissions from an ambiguous match
$AutomationMSI = @(Get-AzADServicePrincipal -Filter "displayName eq '$AutomationAccountName'")
if ($AutomationMSI.Count -ne 1) {
    throw "Expected exactly one service principal named '$AutomationAccountName', found $($AutomationMSI.Count)"
}
$AutomationMSI = $AutomationMSI[0]
Write-Host "Removing permissions from $AutomationAccountName ($($AutomationMSI.Id))"

# Note: this removes every app role assignment the identity holds, not only the three Graph ones
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AutomationMSI.Id | ForEach-Object {
    Write-Host "Removing $($_.Id)"
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AutomationMSI.Id -AppRoleAssignmentId $_.Id
}
```

As a result, the Microsoft Graph permissions are assigned (even though the **Grant admin consent** button in the portal is still disabled) and your Automation account keeps the convenience and security of a system-assigned managed identity.

PS: This post was inspired by: Grant Graph API permissions to managed identity objects – Microsoft Community Hub.
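The remove script above reports assignments only by their opaque GUIDs, so it is hard to confirm which Graph permissions an identity actually holds before or after running either script. The following audit script is an added example, not part of the original post; it resolves each assignment to its permission name and diffs the result against the intended set. The file name `Audit-MgGraphPermissions.ps1` and the `$ExpectedPermissions` parameter are assumptions; it uses only the Microsoft.Graph cmdlets with a read-only scope.

```powershell
#Requires -Modules "Microsoft.Graph.Applications"
# Audit-MgGraphPermissions.ps1 (hypothetical name): list the Microsoft Graph application
# permissions held by a managed identity and compare them with the expected set.
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)] [string]$AutomationAccountName,
    [Parameter(Mandatory=$true)] [string]$Tenant,
    # Assumed parameter; defaults to the three permissions the assign script grants
    [string[]]$ExpectedPermissions = @("User.Read.All", "Group.ReadWrite.All", "Directory.ReadWrite.All")
)

$GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Read-only scope is enough for auditing; no write consent is required
Connect-MgGraph -TenantId $Tenant -Scopes "Application.Read.All" -NoWelcome

# Build a lookup table: app role GUID -> permission name (e.g. User.Read.All)
$GraphSP = Get-MgServicePrincipal -Filter "appId eq '$GRAPH_APP_ID'"
$RoleNameById = @{}
foreach ($Role in $GraphSP.AppRoles) { $RoleNameById[$Role.Id] = $Role.Value }

$MSI = @(Get-MgServicePrincipal -Filter "displayName eq '$AutomationAccountName'")
if ($MSI.Count -ne 1) { throw "Expected exactly one service principal named '$AutomationAccountName', found $($MSI.Count)" }

# Keep only assignments whose resource is Microsoft Graph; roles on other resources are out of scope here
$Assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MSI[0].Id -All |
    Where-Object { $_.ResourceId -eq $GraphSP.Id }

$Granted = foreach ($A in $Assignments) {
    $Name = $RoleNameById[$A.AppRoleId]
    if (-not $Name) { $Name = "<unknown role $($A.AppRoleId)>" }
    [pscustomobject]@{ Permission = $Name; AssignmentId = $A.Id }
}

Write-Host "Graph application permissions held by $AutomationAccountName ($($MSI[0].Id)):"
$Granted | Format-Table -AutoSize

# Diff against the intended set in both directions
$GrantedNames = @($Granted | ForEach-Object { $_.Permission })
$Missing      = @($ExpectedPermissions | Where-Object { $_ -notin $GrantedNames })
$Unexpected   = @($GrantedNames | Where-Object { $_ -notin $ExpectedPermissions })
if ($Missing.Count)    { Write-Warning "Missing: $($Missing -join ', ')" }
if ($Unexpected.Count) { Write-Warning "Not in expected set: $($Unexpected -join ', ')" }
if (-not $Missing.Count -and -not $Unexpected.Count) { Write-Host "Assignments match the expected set." }
```

Running it before the remove script also shows whether the identity holds any non-Graph assignments that a blanket removal would take with it.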