How to add Microsoft Graph permissions to managed identity service principal using Az PowerShell?
I'm working on connecting to Microsoft Graph using a User Managed Identity (UMI). I've already created the managed identity in the Azure portal, but now I need to assign permissions like User.Read.All and Group.Read.All to this identity using PowerShell to retrieve user and group information.
I previously asked a similar question and got solution using the Microsoft Graph PowerShell module here Grant access to managed identity service principal - Microsoft Graph PowerShell. However, now I need to achieve the same result using the Az PowerShell module.
Here’s the old script using the AzureAD module:
Connect-AzureAD
$TenantID = "TenantID"
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$NameOfMSI = "my-managed-identity"
$Permissions = @("Group.Read.All", "User.Read.All")
$MSI = Get-AzureADServicePrincipal -Filter "displayName eq '$NameOfMSI'"
Start-Sleep -Seconds 10
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq
'$GraphAppId'"
foreach ($PermissionName in $Permissions) {
$AppRole = $GraphServicePrincipal.AppRoles | Where-Object {
$_.Value -eq $PermissionName -and $_.AllowedMemberTypes
-contains "Application"
}
New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId
-PrincipalId $MSI.ObjectId -ResourceId $GraphServicePrincipal.ObjectId
-Id $AppRole.Id
}
Can anyone guide me on how to do this with the Az PowerShell module or is it possible at first?
Solution
To add Microsoft Graph permissions to managed identity service principal using Az PowerShell, make use of below sample script:
Connect-AzAccount
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$NameOfMSI = "testusermsi"
$Permissions = @("Group.Read.All", "User.Read.All")
$GraphServicePrincipal = Get-AzADServicePrincipal -AppId $GraphAppId
foreach ($name in $Permissions) {
$AppRole = $GraphServicePrincipal.AppRole | Where-Object {
$_.Value -eq $name -and $_.Origin -contains "Application"
}
if ($AppRole) {
try {
New-AzADServicePrincipalAppRoleAssignment `
-ServicePrincipalDisplayName $NameOfMSI `
-ResourceDisplayName $GraphServicePrincipal.DisplayName `
-AppRoleId $AppRole.Id
} catch {
Write-Error "Failed to assign ${name}: $_"
}
}
}
Response:
To confirm that, I checked the same in Portal where permissions added successfully to service principal as below:
- Error: Code=InvalidTemplateDeployment; Message=The template deployment 'StAccDeployment' is not valid according to the validation procedure
- New-AzResourceGroupDeployment: Cannot retrieve the dynamic parameters for the cmdlet when trying to execute the bicep script
- Unable to acquire token for tenant 'organizations' with error 'InteractiveBrowserCredential authentication failed: User canceled authentication. '
- Get the Operating system details of the in-place upgraded Azure VM using Azure PowerShell
- Powershell module can't find subscription when a bicep kicks it off
- Powershell 5 vs 7 different output
- How to get Drive Item ID of a file from a user OneDrive using PowerShell Microsoft Graph
- Create Alert rule using New-AzScheduledQueryRuleConditionObject returns bad term
- How to check if a blob already exists in Azure blob container using PowerShell
- Is there a way to show displayName with Get-AzRoleAssignment
- Terraform script to disable multiple functions in Azure Function app
- Create Azure Purview collection using API and Powershell
- How to get the azure subscription current cost using PowerShell
- How can I toggle public network access for azure redis cache using powershell?
- Unable to connect to the server: getting credentials: exec: executable kubelogin not found
- How to add a property to Azure table storage row with Azure Powershell module
- Invoke-AzAksRunCommand how to run aks-command pod with toleration
- Assigning data-plane RBAC to Cosmos DB?
- Get-MgUserCalendar fails with "The specified object was not found in the store." for my own calendar
- How to create a VM using Azure Powershell
- How can I change IIS application pool property setProfileEnvironment from Powershell?
- Search-AzQuery querying authorizationresources returns 0 records
- Rename Virtual Machine Managed Disks on Microsoft Azure through PowerShell
- Is there an API to list all Azure Regions?
- Connect-AzAccount : The term 'Connect-AzAccount' is not recognized as the name of a cmdlet, function, script file, or operable program
- Addition of subnets to existing Vnet through ARM templates
- Powershell if function calling another function
- How to Combining PowerShell Output from multiple server to Single csv
- Microsoft exchange online powershell connection Authentication issue
- How to add Microsoft Graph permissions to managed identity service principal using Az PowerShell?