How to add Microsoft Graph permissions to managed identity service principal using Az PowerShell?
I'm working on connecting to Microsoft Graph using a User Managed Identity (UMI). I've already created the managed identity in the Azure portal, but now I need to assign permissions like User.Read.All and Group.Read.All to this identity using PowerShell to retrieve user and group information.
I previously asked a similar question and got solution using the Microsoft Graph PowerShell module here Grant access to managed identity service principal - Microsoft Graph PowerShell. However, now I need to achieve the same result using the Az PowerShell module.
Here’s the old script using the AzureAD module:
Connect-AzureAD
$TenantID = "TenantID"
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$NameOfMSI = "my-managed-identity"
$Permissions = @("Group.Read.All", "User.Read.All")
$MSI = Get-AzureADServicePrincipal -Filter "displayName eq '$NameOfMSI'"
Start-Sleep -Seconds 10
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq
'$GraphAppId'"
foreach ($PermissionName in $Permissions) {
$AppRole = $GraphServicePrincipal.AppRoles | Where-Object {
$_.Value -eq $PermissionName -and $_.AllowedMemberTypes
-contains "Application"
}
New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId
-PrincipalId $MSI.ObjectId -ResourceId $GraphServicePrincipal.ObjectId
-Id $AppRole.Id
}
Can anyone guide me on how to do this with the Az PowerShell module or is it possible at first?
Solution
To add Microsoft Graph permissions to managed identity service principal using Az PowerShell, make use of below sample script:
Connect-AzAccount
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$NameOfMSI = "testusermsi"
$Permissions = @("Group.Read.All", "User.Read.All")
$GraphServicePrincipal = Get-AzADServicePrincipal -AppId $GraphAppId
foreach ($name in $Permissions) {
$AppRole = $GraphServicePrincipal.AppRole | Where-Object {
$_.Value -eq $name -and $_.Origin -contains "Application"
}
if ($AppRole) {
try {
New-AzADServicePrincipalAppRoleAssignment `
-ServicePrincipalDisplayName $NameOfMSI `
-ResourceDisplayName $GraphServicePrincipal.DisplayName `
-AppRoleId $AppRole.Id
} catch {
Write-Error "Failed to assign ${name}: $_"
}
}
}
Response:
To confirm that, I checked the same in Portal where permissions added successfully to service principal as below:
- Azure PowerShell command to list all Azure VM SKU Sizes enabled for Confidential Computing Azure ACC
- Get Private FQDNs, IPs, Names of the Private Endpoints for the Azure resources deployed in an Virtual Network using PowerShell Script
- Foreach parallel Missing an argument for parameter 'xxx'. Specify a parameter of type 'System.Object' and try again
- Query resources in resource groups where tags are missing
- Azure Portal PowerShell Read Global Admins Certificate
- Need to set up the e-mail notification for PowerShell runbook to send its output periodically/daily to the mail
- How to get Drive Item ID of a file from a user OneDrive using PowerShell Microsoft Graph
- Unable to connect to the server: getting credentials: exec: executable kubelogin not found
- Error: Code=InvalidTemplateDeployment; Message=The template deployment 'StAccDeployment' is not valid according to the validation procedure
- New-AzResourceGroupDeployment: Cannot retrieve the dynamic parameters for the cmdlet when trying to execute the bicep script
- Unable to acquire token for tenant 'organizations' with error 'InteractiveBrowserCredential authentication failed: User canceled authentication. '
- Get the Operating system details of the in-place upgraded Azure VM using Azure PowerShell
- How to add Mail.Send permission when creating application with secret?
- Powershell module can't find subscription when a bicep kicks it off
- Powershell 5 vs 7 different output
- Create Alert rule using New-AzScheduledQueryRuleConditionObject returns bad term
- How to check if a blob already exists in Azure blob container using PowerShell
- Is there a way to show displayName with Get-AzRoleAssignment
- Terraform script to disable multiple functions in Azure Function app
- Create Azure Purview collection using API and Powershell
- How to get the azure subscription current cost using PowerShell
- How can I toggle public network access for azure redis cache using powershell?
- How to add a property to Azure table storage row with Azure Powershell module
- Invoke-AzAksRunCommand how to run aks-command pod with toleration
- Assigning data-plane RBAC to Cosmos DB?
- Get-MgUserCalendar fails with "The specified object was not found in the store." for my own calendar
- How to create a VM using Azure Powershell
- How can I change IIS application pool property setProfileEnvironment from Powershell?
- Search-AzQuery querying authorizationresources returns 0 records
- Rename Virtual Machine Managed Disks on Microsoft Azure through PowerShell