Grant Graph API Permission to Azure Automation System assigned Managed Identity

Thread starter: Vladimir_Dronov

Azure Managed Identity is an identity automatically managed by Azure for applications to use when connecting to resources that support Microsoft Entra (formerly Azure Active Directory) authentication. It eliminates the need to manage credentials and secrets, as the identity is created and managed by Azure.

Use Case


Use PowerShell scripts that make Microsoft Graph API calls to manage Entra ID users and groups, running them as Azure Automation runbooks.

Problem


After turning on the system assigned Managed Identity, it does not have any permissions to access the Microsoft Graph API.

[Image: 1_enable MI.png]

Any call to the Microsoft Graph API therefore leads to an error.

The script can successfully log in with Connect-MgGraph -Identity but fails with insufficient privileges on any subsequent call.

[Image: 2_error.png]



When it comes to a system assigned Managed Identity, we can't grant Microsoft Graph permissions through the Azure Portal user interface: the Grant admin consent button is disabled.

[Image: 2_disabled button.png]



Solution


Fortunately, we can easily do it with scripting.

Here are two PowerShell scripts that assign three Microsoft Graph application permissions to a system assigned managed identity and remove them again. You can run them locally or in Cloud Shell. You need to be a Global Administrator in your tenant.

Assign-MgGraphPermissions.ps1



```powershell
#Requires -Modules "Az.Accounts", "Az.Resources", "Microsoft.Graph.Applications"
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [string]$AutomationAccountName,
    [Parameter(Mandatory=$true)]
    [string]$Tenant,
    [Parameter(Mandatory=$true)]
    [string]$Subscription
)

# Well-known application id of the Microsoft Graph API in every tenant
$GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

Connect-AzAccount -TenantId $Tenant -Subscription $Subscription | Out-Null
# Delegated scopes needed by the signed-in admin to read app roles and write assignments
Connect-MgGraph -TenantId $Tenant -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All" -NoWelcome

Write-Host "AZ context"
Get-AzContext | Format-List
Write-Host "MG context"
Get-MgContext | Format-List

# Application permissions (app roles) to grant to the managed identity
$GraphPermissions = "User.Read.All", "Group.ReadWrite.All", "Directory.ReadWrite.All"
# The system assigned managed identity's service principal carries the Automation Account's name
$AutomationMSI = (Get-AzADServicePrincipal -Filter "displayName eq '$AutomationAccountName'")
Write-Host "Assigning permissions to $AutomationAccountName ($($AutomationMSI.Id))"

$GraphServicePrincipal = Get-AzADServicePrincipal -Filter "appId eq '$GRAPH_APP_ID'"
# Resolve permission names to app roles that may be held by an application (not a user)
# @() keeps .Count reliable when only one role matches under Windows PowerShell 5.1
$GraphAppRoles = @($GraphServicePrincipal.AppRole | Where-Object {$_.Value -in $GraphPermissions -and $_.AllowedMemberType -contains "Application"})

if($GraphAppRoles.Count -ne $GraphPermissions.Count)
{
    Write-Warning "App roles found: $($GraphAppRoles)"
    throw "Some App Roles are not found on Graph API service principal"
}

foreach ($AppRole in $GraphAppRoles) {
    Write-Host "Assigning $($AppRole.Value) to $($AutomationMSI.DisplayName)"
    # The managed identity is both the principal receiving the role and the service principal the assignment is created on
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AutomationMSI.Id -PrincipalId $AutomationMSI.Id -ResourceId $GraphServicePrincipal.Id -AppRoleId $AppRole.Id | Out-Null
}
```





Remove-MgGraphPermissions.ps1



```powershell
#Requires -Modules "Az.Accounts", "Az.Resources", "Microsoft.Graph.Applications"
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [string]$AutomationAccountName,
    [Parameter(Mandatory=$true)]
    [string]$Tenant,
    [Parameter(Mandatory=$true)]
    [string]$Subscription
)

Connect-AzAccount -TenantId $Tenant -Subscription $Subscription | Out-Null
Connect-MgGraph -TenantId $Tenant -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All" -NoWelcome

Write-Host "AZ context"
Get-AzContext | Format-List
Write-Host "MG context"
Get-MgContext | Format-List

$AutomationMSI = (Get-AzADServicePrincipal -Filter "displayName eq '$AutomationAccountName'")
Write-Host "Removing permissions from $AutomationAccountName ($($AutomationMSI.Id))"

# Note: this removes every app role assignment held by the managed identity,
# not only the three Graph permissions granted by the Assign script
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AutomationMSI.Id |
ForEach-Object {
    Write-Host "Removing $($_.Id)"
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AutomationMSI.Id -AppRoleAssignmentId $_.Id
}
```





As a result, the Microsoft Graph permissions are added even though the Grant admin consent button is still disabled, and we can keep using the convenience and security of a system assigned Managed Identity in the Automation Account.

[Image: 4_permissions.png]
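Because the portal button stays disabled, it is worth auditing what the managed identity actually holds after running the scripts. The following verification script is an added example, not part of the original post; it assumes the same modules and parameters as the two scripts above, and the $ExpectedPermissions default mirrors the Assign script.

```powershell
#Requires -Modules "Az.Accounts", "Az.Resources", "Microsoft.Graph.Applications"
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [string]$AutomationAccountName,
    [Parameter(Mandatory=$true)]
    [string]$Tenant,
    [Parameter(Mandatory=$true)]
    [string]$Subscription,
    # Permissions the runbooks are expected to hold (assumed default, same as the Assign script)
    [string[]]$ExpectedPermissions = @("User.Read.All", "Group.ReadWrite.All", "Directory.ReadWrite.All")
)

$GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

Connect-AzAccount -TenantId $Tenant -Subscription $Subscription | Out-Null
# A read-only scope is enough to audit assignments
Connect-MgGraph -TenantId $Tenant -Scopes "Application.Read.All" -NoWelcome

# Fail if the display name is ambiguous instead of auditing the wrong principal
$AutomationMSI = @(Get-AzADServicePrincipal -Filter "displayName eq '$AutomationAccountName'")
if ($AutomationMSI.Count -ne 1) {
    throw "Expected exactly one service principal named '$AutomationAccountName', found $($AutomationMSI.Count)"
}
$AutomationMSI = $AutomationMSI[0]

$GraphServicePrincipal = Get-AzADServicePrincipal -Filter "appId eq '$GRAPH_APP_ID'"
# Map app role id -> permission name so assignments can be read by humans
$RoleNameById = @{}
foreach ($Role in $GraphServicePrincipal.AppRole) { $RoleNameById[$Role.Id] = $Role.Value }

$Assignments = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AutomationMSI.Id)
$Granted = @()
foreach ($Assignment in $Assignments) {
    if ($Assignment.ResourceId -ne $GraphServicePrincipal.Id) {
        # Assignment on another resource API: not a Graph permission, but the Remove script would delete it too
        Write-Warning "Non-Graph assignment $($Assignment.Id) on resource $($Assignment.ResourceDisplayName)"
        continue
    }
    $Name = $RoleNameById[$Assignment.AppRoleId]
    $Granted += $Name
    Write-Host "Granted: $Name ($($Assignment.Id))"
}

$Missing = $ExpectedPermissions | Where-Object { $_ -notin $Granted }
$Extra   = $Granted | Where-Object { $_ -notin $ExpectedPermissions }
if ($Missing) { Write-Warning "Missing expected permissions: $($Missing -join ', ')" }
if ($Extra)   { Write-Warning "Permissions granted beyond the expected list: $($Extra -join ', ')" }
if (-not $Missing -and -not $Extra) { Write-Host "Managed identity permissions match the expected list" }
```

Run it before and after the Assign or Remove script; a warning on the "beyond the expected list" line is the place to review whether a broad permission such as Directory.ReadWrite.All is really needed by the runbooks.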



PS: This post is inspired by Grant Graph API Permission to Managed Identity Object - Microsoft Community Hub.
