Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
# Your tenant id (Azure Portal 🡪 Azure Active Directory 🡪 Overview)
# Microsoft Graph App ID (DON'T CHANGE - Microsoft Graph ID is the same in all tenants)
$GraphAppId = "00000003-0000-0000-c000-000000000000"
#Specify the Managed Identity ID. (Azure Portal 🡪 Azure resource instance (in our example – Automation Account) 🡪 Managed Identity)
$ManagedIdentityID =""
# Add the permission you need for the operation (the below permissions are needed in our scenario)
$Permissions = "User.Read.All", "AuditLog.Read.All", "User.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All", "Directory.ReadWrite.All"
# Install the module if it’s not already been installed
Install-Module AzureAD
Connect-AzureAD -TenantId $TenantID
#Find the application in AzureAD object
$GraphApp = Get-AzureADServicePrincipal -Filter "AppId eq '$GraphAppId'"
#Assign all the permissions to the Managed Identity
foreach ($permission in $permissions)
$role = $GraphApp.AppRoles | Where-Object {$_.Value -eq $permission}
New-AzureADServiceAppRoleAssignment -ObjectId $ManagedIdentityID -ResourceId $GraphApp.ObjectId -Id
$role.Id -PrincipalId $ManagedIdentityID
#ObjectId = the Managed Identity object
#ResourceId = "define by" - the Microsoft Graph
#Id = the role ID
#PrincipalId = the object that will receive the permission - the Managed Identity
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment