Grant API permissions

Here we will grant Graph API permissions to the managed identity or Run as account so it can access data from MS Graph.

Managed identity

We need to grant API permissions to the service principal object in Azure. For a managed identity, this can only be done with PowerShell at the time of writing.

Run the following PowerShell code to grant API permissions. You need the AzureAD module and Global administrator permissions.

Set the following variables in the script:

  • TenantID. This is the tenant ID for your tenant.

  • GraphAppId. You do not need to change this.

  • DisplayNameofMSI. The display name of your managed identity, which is the same as the name of your automation account.

  • Permissions. Here you can list which permissions you want to grant. You can reference the MS Docs to find the permissions you need. In this example, I have granted some Intune device management permissions ('DeviceManagement*') as well as some other Azure AD permissions.

Note these are application permissions not delegated permissions

$TenantID="a84894e7-1234-5678-abcd-320d0334b399"
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$DisplayNameOfMSI="<name of managed identity" 
$Permissions = @(
    'DeviceManagementManagedDevices.Read.All'
    'Device.Read.All'
    'WindowsUpdates.ReadWrite.All'
    'DeviceManagementServiceConfig.Read.All'
    'Directory.Read.All'
    'DeviceManagementConfiguration.Read.All'
    'Organization.Read.All'
    'DeviceManagementApps.Read.All'
)
# Install the module (You need admin on the machine)
Install-Module AzureAD 

Connect-AzureAD -TenantId $TenantID 
$MSI = (Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'")
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
foreach ($Permission in $Permissions)
{
    $AppRole = $GraphServicePrincipal.AppRoles | 
        Where-Object {$_.Value -eq $Permission -and $_.AllowedMemberTypes -contains "Application"}
    New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
}

Once granted, you will find these permissions listed against the Enterprise application for your managed identity in the Permissions pane.

Run as account

If you are using a Run as account instead, you can grant permissions through the registered app.

Note these are application permissions not delegated permissions

  • Go to App registrations in the Azure portal and locate the app. It will start with the same name as your automation account.

  • On the API permissions pane, click Add a permission

  • Select Microsoft APIs > Microsoft Graph > Application permissions

  • Select the permissions you require and click Add permissions

    • Reference permissions from the MS Docs

    • Intune permissions start with DeviceManagement*

  • Be sure to Grant admin consent for those permissions for your tenant

Last updated