Tags: azure, sharepoint-online, azure-managed-identity

Managed identity and Sites.Selected permission for SharePoint


I am trying to understand how to use managed identity to connect to SharePoint. Everywhere I read that I should create a new managed identity in the portal (I did that) and then somehow assign the Sites.Selected permission... But I can assign such a permission only to App registrations. And I do not have an app registration - I have this managed identity. In the portal I can see only something like that:

So I cannot add any permissions there??? Then how am I supposed to use this managed identity and assign it the correct permission? I have tried with the script:

Grant-PnPAzureADAppSitePermission -AppId <my managed identity principal id> -DisplayName 'Test' -Site <my site url> -Permissions Write

But then after executing

Get-PnPAzureADAppSitePermission -AppId <my managed identity principal id> -Site <my site url>

I get in response:

Id    : aTowaS50fG1zLnNwLnV4dHwzYmVhYTUyYS1iNzgxLTRjNDQtYTNkYy0wMmJhNWYzMjVhZWNAZjI1NDkzYWUtMWM5OC00MWQ3LThhMzMtMGJlNzVmNWZlNjAz
Roles :
Apps  : {Test, 3beca52a-b781-4c44-a3dc-02ba5f325aec}

So it looks like the roles are not set, or what? Still, I have tried to get the access token (running in an Azure Function deployed to Azure, with this managed identity I am trying to set up assigned to it):

using Azure.Identity;

// Token request for the managed identity assigned to the Function App.
// TokenRequestContext takes an array of scopes, not a single string.
var credential = new ManagedIdentityCredential();
await credential.GetTokenAsync(new Azure.Core.TokenRequestContext(new[] { "<url to site>/.default" }));

But I receive only 400 bad request...

Or maybe it is not possible to use managed identities in this way and I am actually trying to do something completely wrong?


Solution

  • I tried to reproduce the same in my environment and got the results below:

    I created one managed identity named MI-TEST, same as you.

    When I checked the permissions of this identity in Enterprise applications, I got the same screen as you.

    To add the Sites.Selected SharePoint permission to the above enterprise application, you can make use of the Azure AD PowerShell module.

    Make sure to have the proper role while connecting to Azure AD. In my case, I connected with Global Administrator credentials like below:

    Connect-AzureAD
    

    Now I ran the PowerShell script below to add the Sites.Selected SharePoint permission for the managed identity:

    # Service principal of the managed identity
    $msi = Get-AzureADServicePrincipal -SearchString "MI-TEST"
    # Service principal of SharePoint Online (well-known application ID)
    $sharepoint = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0ff1-ce00-000000000000'"
    # The Sites.Selected application role exposed by SharePoint Online
    $role = $sharepoint.AppRoles | where Value -Like "Sites.Selected" | Select-Object -First 1
    
    # Assign that app role to the managed identity's service principal
    New-AzureADServiceAppRoleAssignment `
                 -Id $role.Id `
                 -ObjectId $msi.ObjectId `
                 -PrincipalId $msi.ObjectId `
                 -ResourceId $sharepoint.ObjectId
    

    When I checked the same in the Portal under Enterprise applications, the Sites.Selected permission had been added successfully.
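The two halves of the setup the answer and the question describe, joined into one script as an added example (not the answer's or the PnP project's own code): the tenant-level Sites.Selected app-role assignment from the answer, followed by the per-site grant that Sites.Selected requires before the identity can touch any site, granted at the minimum permission needed and then verified. It assumes the AzureAD and PnP.PowerShell modules, an admin session, and the placeholder site URL; `MI-TEST` is the name used in the answer.

```powershell
# Added example: tenant app-role assignment + per-site least-privilege grant + verification.
# Assumptions: AzureAD and PnP.PowerShell modules installed; the caller can consent to
# application permissions and administer the target site; placeholder values below.
param(
    [string]$ManagedIdentityName = 'MI-TEST',                                       # name from the answer
    [string]$SiteUrl             = 'https://contoso.sharepoint.com/sites/Finance',  # placeholder
    [ValidateSet('Read','Write')][string]$Permission = 'Read'                       # grant the minimum needed
)

Connect-AzureAD | Out-Null

# SharePoint Online's well-known application ID (same value as in the answer)
$sharepoint = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0ff1-ce00-000000000000'"
$msi        = Get-AzureADServicePrincipal -SearchString $ManagedIdentityName | Select-Object -First 1
$role       = $sharepoint.AppRoles | Where-Object Value -eq 'Sites.Selected' | Select-Object -First 1
if (-not $msi -or -not $role) { throw "Managed identity '$ManagedIdentityName' or the Sites.Selected role was not found" }

# Step 1 (tenant level): give the managed identity's service principal the Sites.Selected app role.
New-AzureADServiceAppRoleAssignment -Id $role.Id -ObjectId $msi.ObjectId `
    -PrincipalId $msi.ObjectId -ResourceId $sharepoint.ObjectId | Out-Null

# Step 2 (site level): Sites.Selected alone grants access to no site. The per-site grant is
# keyed on the identity's application (client) ID ($msi.AppId), not its object ID.
Connect-PnPOnline -Url $SiteUrl -Interactive
Grant-PnPAzureADAppSitePermission -AppId $msi.AppId -DisplayName $ManagedIdentityName `
    -Site $SiteUrl -Permissions $Permission | Out-Null

# Step 3: verify what this identity can now do on the site (expect Roles = the value granted above)
Get-PnPAzureADAppSitePermission -Site $SiteUrl |
    Where-Object { "$($_.Apps)" -like "*$($msi.AppId)*" } |
    Format-List Id, Roles, Apps
```

Re-running the script against an identity that already holds the app role makes the assignment cmdlet fail on the duplicate; remove the existing assignment first or skip step 1 on subsequent runs.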