Last active
October 28, 2021 14:31
Adding (Microsoft Graph) API permissions to a Managed Identity (such as for Logic Apps).
# From https://aztoso.com/security/microsoft-graph-permissions-managed-identity/
# Uses the legacy AzureAD module (deprecated in favour of the Microsoft Graph PowerShell SDK).
# The signed-in account must hold a directory role allowed to grant application permissions
# on Microsoft Graph (Global Administrator or Privileged Role Administrator).

# Your tenant id (in Azure Portal, under Azure Active Directory -> Overview)
$TenantID = ""
# Microsoft Graph App ID (DON'T CHANGE): the well-known, tenant-independent app id of Microsoft Graph
$GraphAppId = "00000003-0000-0000-c000-000000000000"
# Name of the system-assigned managed identity (same as the Logic App name)
$DisplayNameOfMSI = "demoLogicApp"
# Check the Microsoft Graph documentation for the least-privileged permission the operation needs
$PermissionName = "Domain.Read.All"

# Install the module for the current user (no local admin rights needed with -Scope CurrentUser)
Install-Module AzureAD -Scope CurrentUser
Connect-AzureAD -TenantId $TenantID

# Get the MSI. A system-assigned identity enabled seconds ago may not be visible yet, so
# retry briefly. Display names are not unique, so require exactly one match: otherwise an
# unrelated service principal with the same name could receive the permission.
$MSI = @()
for ($i = 0; $i -lt 6 -and $MSI.Count -eq 0; $i++) {
    if ($i -gt 0) { Start-Sleep -Seconds 10 }
    $MSI = @(Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'")
}
if ($MSI.Count -ne 1) {
    throw "Expected exactly one service principal named '$DisplayNameOfMSI', found $($MSI.Count)"
}
$MSI = $MSI[0]

# Get the Graph API app principal (the Microsoft Graph service principal in this tenant)
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

# Get the permission object from the Graph API for Application.
# Only app roles whose AllowedMemberTypes include "Application" can be granted to a service
# principal; delegated scopes (OAuth2 permissions) do not apply to a managed identity.
$AppRole = $GraphServicePrincipal.AppRoles |
    Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application" }
if (-not $AppRole) { throw "Application permission '$PermissionName' not found on Microsoft Graph" }

# Add the required permission on the Graph API to the MSI.
# This also provides "admin consent": no consent prompt is ever shown and the grant is
# effective immediately, so treat this as a standing privilege to be reviewed and revoked
# when the workflow no longer needs it.
New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId `
    -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
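The same grant done with the Microsoft Graph PowerShell SDK, the supported replacement for the AzureAD module, as an added example that is not part of the gist or the linked article. It audits which Graph application permissions the identity already holds before and after, refuses to create a duplicate assignment, and shows how to revoke one. The tenant id and display name are placeholders; the scopes passed to Connect-MgGraph are what the read and assignment calls need, and the signed-in account must additionally hold a directory role that may grant application permissions on Microsoft Graph.

```powershell
# Added example (not from the gist): grant a Microsoft Graph application permission to a
# managed identity with the Microsoft Graph PowerShell SDK, auditing before and after.
# Placeholders: $TenantId, $MsiDisplayName. $GraphAppId is the well-known Microsoft Graph app id.
$TenantId       = "00000000-0000-0000-0000-000000000000"   # replace with your tenant id
$MsiDisplayName = "demoLogicApp"                          # name of the system-assigned identity
$GraphAppId     = "00000003-0000-0000-c000-000000000000"
$PermissionName = "Domain.Read.All"                       # pick the least-privileged role that works

# Delegated scopes for this session; the signed-in user must also hold a role that may grant
# Graph application permissions (Privileged Role Administrator or Global Administrator).
Connect-MgGraph -TenantId $TenantId -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All"

function Get-SingleServicePrincipal {
    param([string]$Filter)
    $sps = @(Get-MgServicePrincipal -Filter $Filter)
    if ($sps.Count -ne 1) { throw "Filter '$Filter' matched $($sps.Count) service principals, expected 1" }
    return $sps[0]
}

# Display names are not unique; a stray app registration with the same name would be granted instead.
$msi   = Get-SingleServicePrincipal -Filter "displayName eq '$MsiDisplayName'"
$graph = Get-SingleServicePrincipal -Filter "appId eq '$GraphAppId'"

# Resolve the app role and make sure it is an application permission, not a delegated scope.
$appRole = $graph.AppRoles | Where-Object {
    $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"
}
if (-not $appRole) { throw "No application permission '$PermissionName' exposed by Microsoft Graph" }

# Audit: which Graph application permissions does this identity already hold? Grants on a
# managed identity carry admin consent implicitly, so each row is a standing, prompt-free permission.
function Get-GraphAppRoleNames {
    param([string]$ServicePrincipalId, $GraphSp)
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId |
        Where-Object { $_.ResourceId -eq $GraphSp.Id } |
        ForEach-Object {
            $id = $_.AppRoleId
            ($GraphSp.AppRoles | Where-Object { $_.Id -eq $id }).Value
        }
}

$before = @(Get-GraphAppRoleNames -ServicePrincipalId $msi.Id -GraphSp $graph)
Write-Host "Before: $($before -join ', ')"

if ($before -contains $PermissionName) {
    Write-Host "'$PermissionName' is already assigned; nothing to do"
} else {
    # Creating the assignment is the grant and the admin consent in one step.
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id `
        -PrincipalId $msi.Id -ResourceId $graph.Id -AppRoleId $appRole.Id | Out-Null
}

$after = @(Get-GraphAppRoleNames -ServicePrincipalId $msi.Id -GraphSp $graph)
Write-Host "After:  $($after -join ', ')"

# To revoke later (remove what the workflow no longer needs):
#   $a = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id |
#        Where-Object { $_.ResourceId -eq $graph.Id -and $_.AppRoleId -eq $appRole.Id }
#   Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id -AppRoleAssignmentId $a.Id
```

The before/after listing is the part worth keeping in a runbook: because a managed identity cannot be prompted for consent, nothing in the portal's user-facing flow will ever surface these grants, and an identity that accumulates roles such as Directory.ReadWrite.All over time is a quiet privilege-escalation path for anyone who can edit the Logic App's workflow definition.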