I am trying to understand how to use a managed identity to connect to SharePoint. Everywhere I read that I should create a new managed identity in the portal (I did that) and then somehow assign the Sites.Selected permission... But I can assign such a permission only to App registrations. And I do not have an app registration - I have this managed identity. In the portal I can see only something like this:
So I cannot add any permissions there??? Then how am I supposed to use this managed identity and assign it the correct permission? I have tried with the script:
Grant-PnPAzureADAppSitePermission -AppId <my managed identity principal id> -DisplayName 'Test' -Site <my site url> -Permissions Write
But then after executing
Get-PnPAzureADAppSitePermission -AppId <my managed identity principal id> -Site <my site url>
I get in response:
Id : aTowaS50fG1zLnNwLnV4dHwzYmVhYTUyYS1iNzgxLTRjNDQtYTNkYy0wMmJhNWYzMjVhZWNAZjI1NDkzYWUtMWM5OC00MWQ3LThhMzMtMGJlNzVmNWZlNjAz
Roles :
Apps : {Test, 3beca52a-b781-4c44-a3dc-02ba5f325aec}
So it looks like the roles are not set, or what? Still, I have tried to get the access token (running in an Azure Function deployed to Azure, with the managed identity I am trying to set up assigned to it):
using Azure.Identity;
var credential = new ManagedIdentityCredential();
// TokenRequestContext takes an array of scopes, and GetTokenAsync requires a CancellationToken
await credential.GetTokenAsync(new Azure.Core.TokenRequestContext(new[] { "<url to site>/.default" }), System.Threading.CancellationToken.None);
But I receive only 400 Bad Request...
Or maybe it is not possible to use managed identities in this way and I am actually trying to do something completely wrong?
I tried to reproduce the same in my environment and got the results below:
I created one managed identity named MI-TEST, same as yours, like below:
When I checked the permissions of this in Enterprise applications, I got the same screen as below:
To add the Sites.Selected SharePoint permission to the above enterprise application, you can make use of the Azure AD PowerShell module.
Make sure to have the proper role while connecting to Azure AD. In my case, I connected with Global Administrator credentials like below:
Connect-AzureAD
Response:
Now I ran the PowerShell script below to add the Sites.Selected SharePoint permission for the managed identity and got a response like below:
# Service principal of the managed identity (the "enterprise application")
$msi = Get-AzureADServicePrincipal -SearchString "MI-TEST"
# Service principal of Office 365 SharePoint Online, looked up by its well-known AppId
$sharepoint = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0ff1-ce00-000000000000'"
# Pick the Sites.Selected application role exposed by SharePoint
$role = $sharepoint.AppRoles | where Value -Like "Sites.Selected" | Select-Object -First 1
# Assign that role to the managed identity's service principal
New-AzureADServiceAppRoleAssignment `
-Id $role.Id `
-ObjectId $msi.ObjectId `
-PrincipalId $msi.ObjectId `
-ResourceId $sharepoint.ObjectId
Response:
When I checked the same in the Portal under Enterprise applications, the Sites.Selected permission was added successfully, like below:
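The same app-role assignment as in the answer above, written as an added example (it is not code from the question or the answer) using the Microsoft Graph PowerShell SDK in place of the AzureAD module the answer uses, with an idempotency check and a verification step so that the result can be confirmed without opening the portal. It assumes the managed identity is named MI-TEST as in the answer, that the Microsoft Graph PowerShell SDK is installed, and that the account running it can consent to the listed scopes; the SharePoint Online AppId is the same well-known value the answer uses.

```powershell
# Added example: assign the SharePoint "Sites.Selected" app role to a managed identity's
# service principal with the Microsoft Graph PowerShell SDK, then verify the assignment.
# Assumed names: managed identity "MI-TEST" (as in the answer); SharePoint Online appId
# 00000003-0000-0ff1-ce00-000000000000 (as in the answer).
param(
    [string]$ManagedIdentityName = 'MI-TEST',
    [string]$AppRoleValue        = 'Sites.Selected'
)

$sharePointAppId = '00000003-0000-0ff1-ce00-000000000000'   # Office 365 SharePoint Online

# Granting app roles to a service principal requires an administrator with these scopes.
Connect-MgGraph -Scopes 'Application.Read.All','AppRoleAssignment.ReadWrite.All' | Out-Null

# Resolve the managed identity's service principal (what the portal calls the enterprise application).
$msi = @(Get-MgServicePrincipal -Filter "displayName eq '$ManagedIdentityName'")
if ($msi.Count -eq 0) { throw "Service principal '$ManagedIdentityName' not found." }
if ($msi.Count -gt 1)  { throw "More than one service principal named '$ManagedIdentityName'; filter on its id instead." }
$msi = $msi[0]

# Resolve the SharePoint resource service principal and look the role up by its Value,
# so no role GUID has to be hard-coded.
$sharepoint = Get-MgServicePrincipal -Filter "appId eq '$sharePointAppId'"
$role = $sharepoint.AppRoles |
    Where-Object { $_.Value -eq $AppRoleValue -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $role) { throw "App role '$AppRoleValue' not found on SharePoint Online." }

# Idempotency: creating a duplicate assignment fails, so check for an existing one first.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id |
    Where-Object { $_.ResourceId -eq $sharepoint.Id -and $_.AppRoleId -eq $role.Id }

if ($existing) {
    Write-Host "'$AppRoleValue' is already assigned to $($msi.DisplayName)."
} else {
    $null = New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id `
        -PrincipalId $msi.Id -ResourceId $sharepoint.Id -AppRoleId $role.Id
    Write-Host "Assigned '$AppRoleValue' to $($msi.DisplayName)."
}

# Verification: re-read the assignments and confirm the role is present. This is the
# same information the "Permissions" blade of the enterprise application displays.
$assignedRoleIds = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id |
    Where-Object { $_.ResourceId -eq $sharepoint.Id } |
    ForEach-Object { $_.AppRoleId }
if ($assignedRoleIds -notcontains $role.Id) {
    throw "Verification failed: '$AppRoleValue' is not assigned to $($msi.DisplayName)."
}

# Sites.Selected only permits per-site grants; each site still has to be granted separately
# (for example with Grant-PnPAzureADAppSitePermission, as in the question). That cmdlet's
# -AppId parameter takes the application (client) ID of the identity, which is $msi.AppId,
# not the object ID $msi.Id.
Write-Host "Application (client) ID to use for site-level grants: $($msi.AppId)"
```

Run it once with a Global Administrator or Privileged Role Administrator account; a second run reports the role as already assigned instead of failing. The `-notcontains` check at the end is the verification a practitioner would want before testing token acquisition from the Function, since a missing app role and a missing site-level grant produce very different failures.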