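# Grant Microsoft Graph application permissions (app roles) to a managed identity's
# service principal using the AzureAD module. Run with an account that is allowed to
# grant app role assignments in the tenant.
$TenantID = "a84894e7-1234-5678-abcd-320d0334b399"
# Well-known appId of the Microsoft Graph service principal (identical in every tenant).
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$DisplayNameOfMSI = "<name of managed identity>"
# Graph app roles to grant. Keep this list to what the workload actually needs; every
# entry here becomes a tenant-wide, user-less permission on the identity.
$Permissions = @(
    'DeviceManagementManagedDevices.Read.All'
    'WindowsUpdates.ReadWrite.All'
    'DeviceManagementServiceConfig.Read.All'
    'DeviceManagementConfiguration.Read.All'
    'DeviceManagementApps.Read.All'
)

# Install the module (You need admin on the machine)
Connect-AzureAD -TenantId $TenantID

# Resolve the managed identity by display name. Display names are not unique, so require
# exactly one match; otherwise $MSI.ObjectId would be an array (or empty) and the grant
# could land on an unintended principal or fail half-way.
$MSI = @(Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'")
if ($MSI.Count -ne 1) {
    throw "Expected exactly one service principal named '$DisplayNameOfMSI', found $($MSI.Count)."
}
$MSI = $MSI[0]

$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
if (-not $GraphServicePrincipal) {
    throw "Microsoft Graph service principal (appId $GraphAppId) not found in tenant $TenantID."
}

# Resolve every requested app role before assigning anything, so a mistyped permission
# name fails the run up front instead of leaving a partial set of grants behind.
$AppRoles = foreach ($Permission in $Permissions) {
    # Only roles whose AllowedMemberTypes include "Application" can be held by a service principal.
    $AppRole = $GraphServicePrincipal.AppRoles |
        Where-Object { $_.Value -eq $Permission -and $_.AllowedMemberTypes -contains "Application" }
    if (-not $AppRole) {
        throw "App role '$Permission' not found on Microsoft Graph (or not allowed for applications)."
    }
    $AppRole
}

foreach ($AppRole in $AppRoles) {
    # Assign the role to the managed identity; the Graph service principal is the resource.
    New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId `
        -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
}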