Grant API permissions
Here we will grant Microsoft Graph API permissions to the managed identity of your Automation account so it can read data from Microsoft Graph. The permissions are assigned as app roles on the Microsoft Graph service principal, using the managed identity's Enterprise Application as the principal.
Managed identity
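# Grants Microsoft Graph application permissions (app roles) to the service principal
# of the Automation account's managed identity, looked up by display name.
# Requires an account allowed to consent to app roles (Application.Read.All and
# AppRoleAssignment.ReadWrite.All are requested at sign-in below).

# Tenant Id
$TenantId = "<MyTenantId>"
# List of permission names. These are tenant-wide application permissions; keep the
# list to what the runbooks actually read.
$RolesToAssign = @(
    "DeviceManagementApps.Read.All"
    "DeviceManagementConfiguration.Read.All"
    "DeviceManagementServiceConfig.Read.All"
    "CloudPC.Read.All"
    "DeviceManagementRBAC.Read.All"
    "GroupMember.Read.All"
    "DeviceManagementScripts.Read.All"
)
# DisplayName of the Enterprise App you are assigning permissions to
$EnterpriseAppName = "<MyAppName>"
# Connect to Graph. Request the scopes explicitly so a previously cached, under-scoped
# session does not make the assignment step fail with an authorization error.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -TenantId $TenantId -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All" -NoWelcome
# Get the service principals
$GraphApp = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'" # Microsoft Graph
if (-not $GraphApp) {
    throw "Microsoft Graph service principal not found in tenant $TenantId"
}
# DisplayName is not unique in Entra ID. Escape the value for the OData filter and require
# exactly one match, so the permissions cannot be granted to a different principal that
# happens to carry the same name.
$EscapedName = $EnterpriseAppName.Replace("'", "''")
$EnterpriseApp = @(Get-MgServicePrincipal -Filter "DisplayName eq '$EscapedName'")
if ($EnterpriseApp.Count -ne 1) {
    throw "Expected exactly one service principal named '$EnterpriseAppName', found $($EnterpriseApp.Count)"
}
$EnterpriseApp = $EnterpriseApp[0]
# Read the current assignments once so a re-run skips roles that are already granted
# instead of failing on the duplicate.
$Existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $EnterpriseApp.Id -All
# Assign the roles
foreach ($RoleName in $RolesToAssign) {
    # Resolve the permission name to the app role Id on the Graph service principal.
    # A misspelled name would otherwise produce a null appRoleId and a confusing API error.
    $AppRole = $GraphApp.AppRoles | Where-Object { $_.Value -eq $RoleName }
    if (-not $AppRole) {
        Write-Warning "App role '$RoleName' does not exist on Microsoft Graph; skipping"
        continue
    }
    if ($Existing | Where-Object { $_.AppRoleId -eq $AppRole.Id -and $_.ResourceId -eq $GraphApp.Id }) {
        Write-Output "Already assigned: $RoleName"
        continue
    }
    $params = @{
        principalId = $EnterpriseApp.Id
        resourceId  = $GraphApp.Id
        appRoleId   = $AppRole.Id
    }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $EnterpriseApp.Id -BodyParameter $params
}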