Grant API permissions

Last updated 3 years ago

Managed identity

We need to grant API permissions to the service principal object in Azure. For a managed identity, this can only be done with PowerShell at the time of writing.

Run the following PowerShell code to grant API permissions. It requires the AzureAD PowerShell module and Global administrator permissions.

Set the following variables in the script:

  • TenantID. This is the tenant ID for your tenant.

  • GraphAppId. You do not need to change this.

  • DisplayNameofMSI. The display name of your managed identity, which is the same as the name of your automation account.

  • Permissions. Here you can list which permissions you want to grant. You can reference the MS Docs to find the permissions you need. In this example, I have granted some Intune device management permissions ('DeviceManagement*') as well as some other Azure AD permissions. The permissions you assign here determine what data you can access in Microsoft Graph, and you can run this again later to add additional permissions if required.

Note these are application permissions, not delegated permissions.

# Tenant ID and the well-known application ID of the Microsoft Graph service principal
$TenantID="a84894e7-1234-5678-abcd-320d0334b399"
$GraphAppId = "00000003-0000-0000-c000-000000000000"
# Display name of the managed identity (same as the name of the automation account)
$DisplayNameOfMSI="<name of managed identity>"
# Application permissions (Microsoft Graph app roles) to grant
$Permissions = @(
    'DeviceManagementManagedDevices.Read.All'
    'Device.Read.All'
    'WindowsUpdates.ReadWrite.All'
    'DeviceManagementServiceConfig.Read.All'
    'Directory.Read.All'
    'DeviceManagementConfiguration.Read.All'
    'Organization.Read.All'
    'DeviceManagementApps.Read.All'
)
# Install the module (You need admin on the machine)
Install-Module AzureAD

Connect-AzureAD -TenantId $TenantID
# Service principal of the managed identity
$MSI = (Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'")
# Service principal of Microsoft Graph in this tenant; it exposes the assignable app roles
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
foreach ($Permission in $Permissions)
{
    # Look up the app role for this permission; only roles assignable to applications are relevant
    $AppRole = $GraphServicePrincipal.AppRoles |
        Where-Object {$_.Value -eq $Permission -and $_.AllowedMemberTypes -contains "Application"}
    if (-not $AppRole) {
        Write-Warning "Permission '$Permission' was not found as an application permission on Microsoft Graph; skipping"
        continue
    }
    # Assign the app role to the managed identity's service principal
    New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
}

Once granted, you will find these permissions listed against the Enterprise application for your managed identity in the Permissions pane.
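Because these are application permissions that the runbook can use without any user present, it is worth verifying after the grant (and periodically afterwards) that the managed identity holds exactly the Graph permissions you intended and nothing more. The script below is an added example, not code from the original page; it uses the Microsoft.Graph PowerShell SDK rather than the AzureAD module used above, the function name Get-MsiGraphPermissionDrift is hypothetical, the tenant ID is a placeholder, and the permission list mirrors the one granted on this page. It reads the app role assignments held by the managed identity, maps each assignment back to its permission name, and reports anything granted but not intended (or intended but missing).

```powershell
# Added example (not from the original page): audit the Microsoft Graph application
# permissions actually held by a managed identity against the intended list.
# Assumes the Microsoft.Graph PowerShell SDK is installed (Install-Module Microsoft.Graph)
# and that the signed-in user can consent to Application.Read.All.
# The tenant ID is a placeholder; $Permissions mirrors the list granted on this page.

$TenantID         = "<your tenant id>"
$GraphAppId       = "00000003-0000-0000-c000-000000000000"   # well-known Microsoft Graph app ID
$DisplayNameOfMSI = "<name of managed identity>"
$Permissions      = @(
    'DeviceManagementManagedDevices.Read.All'
    'Device.Read.All'
    'WindowsUpdates.ReadWrite.All'
    'DeviceManagementServiceConfig.Read.All'
    'Directory.Read.All'
    'DeviceManagementConfiguration.Read.All'
    'Organization.Read.All'
    'DeviceManagementApps.Read.All'
)

# Hypothetical helper: compare the Graph app roles granted to the managed identity
# with the intended permission list and return the drift in both directions.
function Get-MsiGraphPermissionDrift {
    param(
        [Parameter(Mandatory)] [string]   $MsiDisplayName,
        [Parameter(Mandatory)] [string[]] $Intended,
        [string] $GraphAppId = "00000003-0000-0000-c000-000000000000"
    )
    # Service principals for the managed identity and for Microsoft Graph in this tenant
    $msi   = Get-MgServicePrincipal -Filter "displayName eq '$MsiDisplayName'"
    $graph = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
    if (-not $msi)   { throw "Managed identity '$MsiDisplayName' not found" }
    if (-not $graph) { throw "Microsoft Graph service principal not found" }

    # App role assignments the managed identity holds; keep only those issued by Microsoft Graph
    $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id -All |
        Where-Object { $_.ResourceId -eq $graph.Id }

    # Translate each AppRoleId back to its permission name (e.g. Directory.Read.All)
    $granted = foreach ($a in $assignments) {
        [pscustomobject]@{
            Permission   = ($graph.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }).Value
            AssignmentId = $a.Id
        }
    }

    [pscustomobject]@{
        MsiId   = $msi.Id
        Granted = @($granted)
        # Held by the identity but not on the intended list (review these first)
        Extra   = @($granted | Where-Object { $_.Permission -notin $Intended })
        # On the intended list but not yet granted (the runbook will fail on these calls)
        Missing = @($Intended | Where-Object { $_ -notin $granted.Permission })
    }
}

Connect-MgGraph -TenantId $TenantID -Scopes "Application.Read.All"
$drift = Get-MsiGraphPermissionDrift -MsiDisplayName $DisplayNameOfMSI -Intended $Permissions

"Granted Graph application permissions for '$DisplayNameOfMSI':"
$drift.Granted | Format-Table Permission, AssignmentId
$drift.Extra   | ForEach-Object { Write-Warning "Unexpected permission held by the managed identity: $($_.Permission)" }
$drift.Missing | ForEach-Object { Write-Warning "Intended permission not granted: $_" }

# To revoke an unexpected grant, remove its assignment (needs AppRoleAssignment.ReadWrite.All):
# foreach ($x in $drift.Extra) {
#     Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $drift.MsiId -AppRoleAssignmentId $x.AssignmentId
# }
```

Running this right after the grant script should report no Extra and no Missing entries; scheduling it alongside the runbooks gives you a simple check that nobody has widened the identity's permissions (for example, adding further ReadWrite roles) outside the documented process.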
