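# Grants Microsoft Graph application permissions (app roles) to a managed identity by
# creating app role assignments on the tenant's Microsoft Graph service principal.
# Run it with an account allowed to assign app roles in the tenant.
#
# NOTE: the AzureAD module is deprecated by Microsoft in favour of the Microsoft Graph
# PowerShell SDK; this script keeps the AzureAD cmdlets it was written against.

# Your tenant id (Azure Portal -> Azure Active Directory -> Overview)
$TenantID = ""
# Microsoft Graph App ID (DON'T CHANGE - Microsoft Graph ID is the same in all tenants)
$GraphAppId = "00000003-0000-0000-c000-000000000000"
# Specify the Managed Identity object ID (Azure Portal -> Azure resource instance
# (in our example - Automation Account) -> Managed Identity)
$ManagedIdentityID = ""
# Add the permissions you need for the operation (the below permissions are needed in our scenario).
# These are tenant-wide application permissions; the *.ReadWrite.All entries and
# DelegatedPermissionGrant.ReadWrite.All are highly privileged, so trim the list to what
# the workload actually needs before running.
$Permissions = "User.Read.All", "AuditLog.Read.All", "User.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All", "Directory.ReadWrite.All"

# Fail early on the two values the operator must fill in, instead of failing inside the
# cmdlets with a less obvious error.
if ([string]::IsNullOrWhiteSpace($TenantID)) { throw "TenantID must be set." }
if ([string]::IsNullOrWhiteSpace($ManagedIdentityID)) { throw "ManagedIdentityID must be set." }

# Install the module only if it has not already been installed
if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    Install-Module AzureAD
}
Connect-AzureAD -TenantId $TenantID

# Find the Microsoft Graph service principal in this tenant
$GraphApp = Get-AzureADServicePrincipal -Filter "AppId eq '$GraphAppId'"
if (-not $GraphApp) {
    throw "Microsoft Graph service principal (AppId $GraphAppId) not found in tenant $TenantID."
}

# Assign all the permissions to the Managed Identity
foreach ($permission in $Permissions)
{
    $role = $GraphApp.AppRoles | Where-Object { $_.Value -eq $permission }
    # A misspelled permission would otherwise reach New-AzureADServiceAppRoleAssignment
    # with an empty -Id; report it and move on rather than aborting the whole run.
    if (-not $role) {
        Write-Warning "No app role named '$permission' found on Microsoft Graph; skipping."
        continue
    }
    # Keep the whole command on one line: PowerShell does not continue a statement after a
    # bare parameter name such as -Id at the end of a line.
    New-AzureADServiceAppRoleAssignment -ObjectId $ManagedIdentityID -ResourceId $GraphApp.ObjectId -Id $role.Id -PrincipalId $ManagedIdentityID
}
# ObjectId = the Managed Identity object
# ResourceId = the resource the role is defined on - the Microsoft Graph service principal
# Id = the role ID
# PrincipalId = the object that will receive the permission - the Managed Identity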