smsagent.blog
Search…
smsagent.blog
docs.smsagent.blog
Custom Reporting in Microsoft Intune
The Intune Inventory Solution
Automating Data Exports from Microsoft Graph
Azure Automation account
Create / configure an Azure automation account
Grant API permissions
Create an Azure automation runbook
Azure Storage account
Automate Data Export to Azure Storage Account
Automate Data Export to Azure Monitor Logs
Creating / Troubleshooting Runbooks
Power BI
Managed Devices Report
Patch My PC Report
Windows 11 Hardware Readiness Report
Gathering Custom Inventory with Intune
Powered By GitBook
Grant API permissions

Managed identity

We need to grant API permissions to the service principal object in Azure. For a managed identity, this can only be done with PowerShell at the time of writing.
Run the following PowerShell code to grant API permissions. It requires the AzureAD PowerShell module and Global administrator permissions.
Set the following variables in the script:
  • TenantID. This is the tenant ID for your tenant.
  • GraphAppId. You do not need to change this.
  • DisplayNameofMSI. The display name of your managed identity, which is the same as the name of your automation account.
  • Permissions. Here you can list which permissions you want to grant. You can reference the MS Docs to find the permissions you need. In this example, I have granted some Intune device management permissions ('DeviceManagement*') as well as some other Azure AD permissions. The permissions you assign here determine what data you can access in Microsoft Graph and you can run this again later to add additional permissions if required.
Note these are application permissions not delegated permissions
1
$TenantID="a84894e7-1234-5678-abcd-320d0334b399"
2
$GraphAppId = "00000003-0000-0000-c000-000000000000"
3
$DisplayNameOfMSI="<name of managed identity"
4
$Permissions = @(
5
'DeviceManagementManagedDevices.Read.All'
6
'Device.Read.All'
7
'WindowsUpdates.ReadWrite.All'
8
'DeviceManagementServiceConfig.Read.All'
9
'Directory.Read.All'
10
'DeviceManagementConfiguration.Read.All'
11
'Organization.Read.All'
12
'DeviceManagementApps.Read.All'
13
)
14
# Install the module (You need admin on the machine)
15
Install-Module AzureAD
16
​
17
Connect-AzureAD -TenantId $TenantID
18
$MSI = (Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'")
19
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
20
foreach ($Permission in $Permissions)
21
{
22
$AppRole = $GraphServicePrincipal.AppRoles |
23
Where-Object {$_.Value -eq $Permission -and $_.AllowedMemberTypes -contains "Application"}
24
New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
25
}
Copied!
Once granted, you will find these permissions listed against the Enterprise application for your managed identity in the Permissions pane.
Previous
Create / configure an Azure automation account
Next
Create an Azure automation runbook
Last modified 3mo ago
Copy link