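#Requires -Modules Microsoft.Graph.Authentication
#Requires -Modules Microsoft.Graph.Applications

# Grants Microsoft Graph application permissions (app roles) to the managed
# identity of an Azure Automation account, skipping roles already assigned.

# Install the module. (You need admin on the machine.)
# Install-Module Microsoft.Graph

# Set Static Variables
$TenantID = "enter here"
$AutomationAccountDisplayname = "enter here"

# Define dynamic variables
$ServicePrincipalFilter = "displayName eq '$($AutomationAccountDisplayname)'"
# The Microsoft Graph service principal carries the same well-known AppId in
# every tenant; looking it up by AppId instead of display name avoids matching
# an unrelated app that merely happens to be named "Microsoft Graph".
$GraphAPIAppId = "00000003-0000-0000-c000-000000000000"
$ApiServicePrincipalFilter = "appId eq '$($GraphAPIAppId)'"

# Scopes needed for the managed identity (Add other scopes if needed)
$Scopes = @(
    "User.Read.All", "Calendars.ReadWrite"
)

# Connect to MG Graph - scopes must be consented the first time you run this.
# Connect with Global Administrator
Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All" -TenantId $TenantID -UseDeviceAuthentication

# Get the service principal for your managed identity.
# Display names are not guaranteed unique, so require exactly one match before
# granting anything - otherwise a same-named principal could receive the roles,
# and a zero-match lookup would otherwise surface only as a null Id later on.
$ServicePrincipal = @(Get-MgServicePrincipal -Filter $ServicePrincipalFilter)
if ($ServicePrincipal.Count -eq 0) {
    throw "No service principal found with displayName '$AutomationAccountDisplayname'"
}
if ($ServicePrincipal.Count -gt 1) {
    throw "Multiple service principals ($($ServicePrincipal.Count)) match displayName '$AutomationAccountDisplayname'; refine the lookup (e.g. by AppId) before granting roles"
}
$ServicePrincipal = $ServicePrincipal[0]

# Get the service principal for Microsoft Graph.
# Result should be AppId 00000003-0000-0000-c000-000000000000
$ApiServicePrincipal = Get-MgServicePrincipal -Filter "$ApiServicePrincipalFilter"
if ($null -eq $ApiServicePrincipal) {
    throw "Could not find the Microsoft Graph service principal (AppId $GraphAPIAppId)"
}

# Apply permissions
Foreach ($Scope in $Scopes) {
    Write-Host "`nGetting App Role '$Scope'"
    # Only roles that allow the "Application" member type can be granted to a
    # service principal; delegated-only scopes are filtered out here.
    $AppRole = $ApiServicePrincipal.AppRoles | Where-Object { $_.Value -eq $Scope -and $_.AllowedMemberTypes -contains "Application" }
    if ($null -eq $AppRole) { Write-Error "Could not find the specified App Role on the Api Service Principal"; continue; }
    if ($AppRole -is [array]) { Write-Error "Multiple App Roles found that match the request"; continue; }
    Write-Host "Found App Role, Id '$($AppRole.Id)'"

    # Skip roles that are already assigned so re-running the script is safe.
    $ExistingRoleAssignment = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipal.Id | Where-Object { $_.AppRoleId -eq $AppRole.Id }
    if ($null -eq $ExistingRoleAssignment) {
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipal.Id -PrincipalId $ServicePrincipal.Id -ResourceId $ApiServicePrincipal.Id -AppRoleId $AppRole.Id
    } else {
        Write-Host "App Role has already been assigned, skipping"
    }
}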