> For the complete documentation index, see [llms.txt](https://docs.smsagent.blog/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.smsagent.blog/microsoft-endpoint-manager-reporting/managed-devices-report/grant-api-permissions.md).

# Grant API permissions

## Managed identity

We need to grant API permissions to the service principal object in Azure. For a managed identity, this can only be done with PowerShell at the time of writing.

Run the following PowerShell code to grant API permissions. You need the **AzureAD** module and **Global administrator** permissions.

Set the following variables in the script:

* **TenantID**. This is the tenant ID for your tenant.
* **GraphAppId**. You do not need to change this.
* **DisplayNameofMSI**. The display name of your managed identity, which is the same as the name of your automation account.
* **Permissions**. Here you can list which permissions you want to grant. You can reference the [MS Docs](https://docs.microsoft.com/en-us/graph/permissions-reference) to find the permissions you need. In this example, I have granted some Intune device management permissions ('DeviceManagement\*') as well as some other Azure AD permissions.

{% hint style="info" %}
Note these are **application** permissions not **delegated** permissions
{% endhint %}

```
$TenantID="a84894e7-1234-5678-abcd-320d0334b399"
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$DisplayNameOfMSI="<name of managed identity" 
$Permissions = @(
    'DeviceManagementManagedDevices.Read.All'
    'Device.Read.All'
    'WindowsUpdates.ReadWrite.All'
    'DeviceManagementServiceConfig.Read.All'
    'Directory.Read.All'
    'DeviceManagementConfiguration.Read.All'
    'Organization.Read.All'
    'DeviceManagementApps.Read.All'
)
# Install the module (You need admin on the machine)
Install-Module AzureAD 

Connect-AzureAD -TenantId $TenantID 
$MSI = (Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'")
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
foreach ($Permission in $Permissions)
{
    $AppRole = $GraphServicePrincipal.AppRoles | 
        Where-Object {$_.Value -eq $Permission -and $_.AllowedMemberTypes -contains "Application"}
    New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
}
```

Once granted, you will find these permissions listed against the **Enterprise application** for your managed identity in the **Permissions** pane.

![](/files/-M_RJWPwQAuP3ms-q9uE)

## Run as account

If you are using a Run as account instead, you can grant permissions through the registered app.

{% hint style="info" %}
Note these are **application** permissions not **delegated** permissions
{% endhint %}

* Go to **App registrations** in the Azure portal and locate the app. It will start with the same name as your automation account.&#x20;
* On the **API permissions** pane, click **Add a permission**
* Select **Microsoft APIs > Microsoft Graph > Application permissions**
* Select the permissions you require and click **Add permissions**
  * Reference permissions from the [MS Docs](https://docs.microsoft.com/en-us/graph/permissions-reference)
  * Intune permissions start with **DeviceManagement\***
* Be sure to **Grant admin consent** for those permissions for your tenant

![](/files/-M_RM2YHe9nx-Hs6Asyu)
