The following commands must be run in Windows PowerShell and with the AzureAD Module. Remember to Connect-AzureAD with Global Administrator Privileges first.
# Get SPN based on MSI Display Name
$msiSpn = (Get-AzureADServicePrincipal -Filter "displayName eq '$msiDisplayName'")
# If System Assigned MSI this is the name of the Function App, if User Assigned MSI use DisplayName
$msiDisplayName=".."
# Set well known Graph Application Id
$msGraphAppId = "00000003-0000-0000-c000-000000000000"
# Get SPN for Microsoft Graph
$msGraphSpn = Get-AzureADServicePrincipal -Filter "appId eq '$msGraphAppId'"
# Type Graph App Permissions needed
$msGraphPermission = "User.Read.All", "...", "..."
# Now get all Application Roles matching above Graph Permissions
$appRoles = $msGraphSpn.AppRoles | Where-Object {$_.Value -in $msGraphPermission -and $_.AllowedMemberTypes -contains "Application"}
# Add Application Roles to MSI SPN
$appRoles | % { New-AzureAdServiceAppRoleAssignment -ObjectId $msiSpn.ObjectId -PrincipalId $msiSpn.ObjectId -ResourceId $msGraphSpn.ObjectId -Id $_.Id }