# Grant API permissions

## Managed identity

We need to grant Microsoft Graph API permissions to the service principal object in Azure AD. For a managed identity there is no portal UI for this, so at the time of writing it can only be done with PowerShell.

Run the following PowerShell code to grant API permissions. You need the **AzureAD** module and a role that can grant application permissions for Microsoft Graph: **Global Administrator** as used here, or the less privileged **Privileged Role Administrator**. Note that Microsoft has since deprecated the AzureAD module in favour of the Microsoft Graph PowerShell SDK; the script still shows the objects involved (the identity's service principal, the Microsoft Graph service principal, and an app role assignment linking the two).

Set the following variables in the script:

* **TenantID**. The tenant ID of your Azure AD tenant.
* **GraphAppId**. The well-known application ID of Microsoft Graph. You do not need to change this.
* **DisplayNameOfMSI**. The display name of your managed identity, which is the same as the name of your automation account.
* **Permissions**. The list of permissions you want to grant. Use the [MS Docs permissions reference](https://docs.microsoft.com/en-us/graph/permissions-reference) to find the ones you need. In this example, I have granted some Intune device management permissions ('DeviceManagement\*') as well as some other Azure AD permissions. Application permissions apply tenant-wide with no signed-in user to constrain them, so grant only what the report needs and prefer `.Read.` over `.ReadWrite.` wherever the report only reads data.

{% hint style="info" %}
Note these are **application** permissions, not **delegated** permissions: the identity acts in its own right, with no signed-in user, so the grant is not limited by any user's rights.
{% endhint %}

```powershell
$TenantID="a84894e7-1234-5678-abcd-320d0334b399"
$GraphAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph; do not change
$DisplayNameOfMSI="<name of managed identity>"
$Permissions = @(
    'DeviceManagementManagedDevices.Read.All'
    'Device.Read.All'
    'WindowsUpdates.ReadWrite.All'
    'DeviceManagementServiceConfig.Read.All'
    'Directory.Read.All'
    'DeviceManagementConfiguration.Read.All'
    'Organization.Read.All'
    'DeviceManagementApps.Read.All'
)
# Install the module (without -Scope CurrentUser you need admin on the machine)
Install-Module AzureAD -Scope CurrentUser

Connect-AzureAD -TenantId $TenantID
# Resolve the managed identity's service principal; stop if the name is wrong or ambiguous
$MSI = @(Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'")
if ($MSI.Count -ne 1) { throw "Expected one service principal named '$DisplayNameOfMSI', found $($MSI.Count)" }
$MSI = $MSI[0]
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
foreach ($Permission in $Permissions)
{
    # Application permissions are the Graph service principal's AppRoles (delegated scopes are a separate list)
    $AppRole = $GraphServicePrincipal.AppRoles | 
        Where-Object {$_.Value -eq $Permission -and $_.AllowedMemberTypes -contains "Application"}
    if (-not $AppRole) { Write-Warning "No application permission '$Permission' found on Microsoft Graph; skipping"; continue }
    New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
}
```

Once granted, you will find these permissions listed against the **Enterprise application** for your managed identity in the **Permissions** pane. Check this list after running the script: anything you did not intend to grant should be removed there.

![](/files/-M_RJWPwQAuP3ms-q9uE)

## Run as account

If you are using a Run as account instead, you can grant permissions through its app registration in the Azure portal.

{% hint style="info" %}
Note these are **application** permissions not **delegated** permissions
{% endhint %}

* Go to **App registrations** in the Azure portal and locate the app. It will start with the same name as your automation account.
* On the **API permissions** pane, click **Add a permission**
* Select **Microsoft APIs > Microsoft Graph > Application permissions**
* Select the permissions you require and click **Add permissions**
  * Reference permissions from the [MS Docs](https://docs.microsoft.com/en-us/graph/permissions-reference)
  * Intune permissions start with **DeviceManagement\***
* Be sure to **Grant admin consent** for those permissions for your tenant. Until consent is granted the permissions are only requested on the app registration, not effective for the service principal.

![](/files/-M_RM2YHe9nx-Hs6Asyu)
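Because the AzureAD module is deprecated, here is the same grant written against the Microsoft Graph PowerShell SDK, as an added example that is not part of the original page. It serves both sections above: the target can be the managed identity's service principal or the Run As account's service principal, since admin consent for application permissions is recorded as app role assignments on the service principal either way. It assumes the `Microsoft.Graph.Applications` module is installed and that you sign in with a role able to grant Graph application permissions (Privileged Role Administrator or Global Administrator). The placeholder values and the shortened permission list are assumptions; substitute your own.

```powershell
# Added example, not from the original page: grant and verify Microsoft Graph
# application permissions with the Microsoft Graph PowerShell SDK.
# Assumed inputs; replace with your own values.
$TenantID        = "<your tenant id>"
$GraphAppId      = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph, fixed value
$DisplayNameOfSP = "<display name of the managed identity or Run As app>"
$Permissions     = @(
    'DeviceManagementManagedDevices.Read.All'
    'DeviceManagementConfiguration.Read.All'
    'Directory.Read.All'
)

Import-Module Microsoft.Graph.Applications
# Delegated scopes needed by the signed-in admin to read service principals and write assignments
Connect-MgGraph -TenantId $TenantID -Scopes 'Application.Read.All','AppRoleAssignment.ReadWrite.All'

# Resolve the target service principal; fail on 0 or >1 matches rather than granting to the wrong object
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$DisplayNameOfSP'")
if ($sp.Count -ne 1) { throw "Expected exactly one service principal named '$DisplayNameOfSP', found $($sp.Count)" }
$sp = $sp[0]

# The Microsoft Graph service principal publishes the app roles (application permissions) we assign
$graph = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"

# Assignments already present, so re-running the script is idempotent
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.ResourceId -eq $graph.Id } |
    ForEach-Object { $_.AppRoleId }

foreach ($Permission in $Permissions) {
    # Application permissions are AppRoles; delegated scopes live in Oauth2PermissionScopes and are not used here
    $appRole = $graph.AppRoles | Where-Object { $_.Value -eq $Permission -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $appRole) { Write-Warning "No application permission named '$Permission' on Microsoft Graph; skipping"; continue }
    if ($existing -contains $appRole.Id) { Write-Host "Already granted: $Permission"; continue }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
        -ResourceId $graph.Id -AppRoleId $appRole.Id | Out-Null
    Write-Host "Granted: $Permission"
}

# Verify: map assigned role IDs back to permission names and flag anything outside the intended list
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.ResourceId -eq $graph.Id } |
    ForEach-Object { $id = $_.AppRoleId; ($graph.AppRoles | Where-Object { $_.Id -eq $id }).Value }
Write-Host "Graph application permissions now on '$DisplayNameOfSP':"
$granted | Sort-Object
$unexpected = $granted | Where-Object { $_ -notin $Permissions }
if ($unexpected) { Write-Warning "Permissions not in the intended list: $($unexpected -join ', ')" }
```

The final verification step is the part worth keeping around: run it on its own periodically to confirm the identity still holds only the permissions the report needs, and remove any extra assignment from the Enterprise application's **Permissions** pane.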
