# Grant API permissions

## Managed identity

We need to grant API permissions to the service principal object in Azure. A managed identity has an Enterprise application but no App registration, so there is no **API permissions** pane for it in the portal; at the time of writing, this can only be done with PowerShell.

Run the following PowerShell code to grant API permissions. You need the **AzureAD** module and **Global administrator** permissions. (The AzureAD module has since been deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK, but the operation performed here, creating an app role assignment on the service principal, is the same.)

Set the following variables in the script:

* **TenantID**. This is the tenant ID for your tenant.
* **GraphAppId**. You do not need to change this; it is the well-known application ID of Microsoft Graph and is the same in every tenant.
* **DisplayNameOfMSI**. The display name of your managed identity, which is the same as the name of your automation account.
* **Permissions**. The permissions you want to grant. You can reference the [MS Docs](https://docs.microsoft.com/en-us/graph/permissions-reference) to find the permissions you need. In this example, I have granted some Intune device management permissions ('DeviceManagement\*') as well as some other Azure AD permissions. Grant only what your runbooks actually need: these are tenant-wide application permissions that the automation account can use without any user in the loop.

{% hint style="info" %}
Note these are **application** permissions, not **delegated** permissions: the runbooks execute without a signed-in user, so delegated permissions would never apply.
{% endhint %}

```
$TenantID="a84894e7-1234-5678-abcd-320d0334b399"
# Well-known application ID of Microsoft Graph (identical in every tenant)
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$DisplayNameOfMSI="<name of managed identity>"
$Permissions = @(
    'DeviceManagementManagedDevices.Read.All'
    'Device.Read.All'
    'WindowsUpdates.ReadWrite.All'
    'DeviceManagementServiceConfig.Read.All'
    'Directory.Read.All'
    'DeviceManagementConfiguration.Read.All'
    'Organization.Read.All'
    'DeviceManagementApps.Read.All'
)
# Install the module (you need admin on the machine; add -Scope CurrentUser to avoid that)
Install-Module AzureAD

Connect-AzureAD -TenantId $TenantID
# The managed identity is a service principal whose display name matches the automation account
$MSI = Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'"
if (-not $MSI) { throw "No service principal named '$DisplayNameOfMSI' was found in tenant $TenantID" }
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
foreach ($Permission in $Permissions)
{
    # Application permissions are exposed by Graph as app roles; look the role up by its name
    $AppRole = $GraphServicePrincipal.AppRoles |
        Where-Object {$_.Value -eq $Permission -and $_.AllowedMemberTypes -contains "Application"}
    if (-not $AppRole) {
        Write-Warning "Microsoft Graph has no application permission named '$Permission'; skipping"
        continue
    }
    # Assigning the app role to the managed identity is the equivalent of granting admin consent
    New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
}
```

Once granted, you will find these permissions listed against the **Enterprise application** for your managed identity in the **Permissions** pane (look under **Enterprise applications**, not **App registrations**, since a managed identity has no app registration).

![](https://3886807721-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWe9ieepRHnj7T8odXt%2F-M_R8wzbJ8oME9Qt58aB%2F-M_RJWPwQAuP3ms-q9uE%2Fimage.png?alt=media\&token=979edb01-ef09-4b7d-a397-7c369e718d17)

## Run as account

If you are using a Run as account instead, you can grant permissions through the registered app.

{% hint style="info" %}
Note these are **application** permissions, not **delegated** permissions: the runbooks execute without a signed-in user, so delegated permissions would never apply.
{% endhint %}

* Go to **App registrations** in the Azure portal and locate the app. It will start with the same name as your automation account.
* On the **API permissions** pane, click **Add a permission**
* Select **Microsoft APIs > Microsoft Graph > Application permissions**
* Select the permissions you require and click **Add permissions**
  * Reference permissions from the [MS Docs](https://docs.microsoft.com/en-us/graph/permissions-reference)
  * Intune permissions start with **DeviceManagement\***
* Be sure to **Grant admin consent** for those permissions for your tenant. Until consent is granted the permissions are only requested by the app, not effective, and Graph calls from the runbook will fail with an authorization error.

![](https://3886807721-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWe9ieepRHnj7T8odXt%2F-M_R8wzbJ8oME9Qt58aB%2F-M_RM2YHe9nx-Hs6Asyu%2Fimage.png?alt=media\&token=4b7cb80f-2504-4276-ac08-b9d180c3c2f7)
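Whichever route you took, it is worth checking what was actually granted rather than trusting the portal screenshot. The following script is an added example (not code from the original page) that lists the Microsoft Graph application permissions held by a service principal, compares them against an allow-list, and can remove anything outside it. It works for both sections above: an admin-consented application permission is an app role assignment on the service principal in either case, whether that principal is the managed identity (Enterprise application named after the automation account) or the Run as account's app registration. It assumes the AzureAD module and an already-authenticated `Connect-AzureAD` session; `$DisplayNameOfSP` and `$ExpectedPermissions` are placeholders you must set.

```powershell
# Added example: audit Microsoft Graph application permissions granted to a service principal.
# Assumes the AzureAD module and an active Connect-AzureAD session.
$GraphAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph, same in every tenant

# Placeholders (assumptions): the principal to audit and the permissions it should hold
$DisplayNameOfSP = "<name of managed identity or Run as app>"
$ExpectedPermissions = @(
    'DeviceManagementManagedDevices.Read.All'
    'Device.Read.All'
    'Directory.Read.All'
)

function Get-GraphAppRoleGrants {
    # Returns one object per Graph application permission granted to $ServicePrincipal,
    # translating the app role id on each assignment back to its permission name.
    param(
        [Parameter(Mandatory)] $ServicePrincipal,
        [Parameter(Mandatory)] $GraphServicePrincipal
    )
    $roleById = @{}
    foreach ($role in $GraphServicePrincipal.AppRoles) { $roleById[$role.Id] = $role.Value }

    Get-AzureADServiceAppRoleAssignment -ObjectId $ServicePrincipal.ObjectId -All $true |
        Where-Object { $_.ResourceId -eq $GraphServicePrincipal.ObjectId } |
        ForEach-Object {
            [pscustomobject]@{
                Permission   = $roleById[$_.Id]   # e.g. Directory.Read.All
                AssignmentId = $_.ObjectId        # needed if the grant is to be removed
            }
        }
}

# Display names are not unique; refuse to continue unless exactly one principal matches
$sps = @(Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfSP'")
if ($sps.Count -ne 1) {
    throw "Expected exactly one service principal named '$DisplayNameOfSP', found $($sps.Count)"
}
$sp    = $sps[0]
$graph = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

$granted = @(Get-GraphAppRoleGrants -ServicePrincipal $sp -GraphServicePrincipal $graph)
$missing = @($ExpectedPermissions | Where-Object { $_ -notin $granted.Permission })
$extra   = @($granted | Where-Object { $_.Permission -notin $ExpectedPermissions })

"Granted to '$DisplayNameOfSP':"
$granted.Permission | Sort-Object
"Missing (expected but not granted):"
$missing
"Unexpected (granted but not on the allow-list):"
$extra.Permission

# Least-privilege cleanup: uncomment to remove grants that are not on the allow-list.
# foreach ($e in $extra) {
#     Remove-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -AppRoleAssignmentId $e.AssignmentId
# }
```

Run it after granting permissions and again periodically: a non-empty "Unexpected" list means someone has widened what the automation account can do with Graph, and the commented-out loop at the end is the one-line fix. The exact-match check on the display name matters because `Get-AzureADServicePrincipal -Filter` can return several principals with the same name, and auditing (or pruning) the wrong one is easy to miss.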
