# Grant API permissions

## Managed identity <a href="#managed-identity" id="managed-identity"></a>

We need to grant API permissions to the service principal object in Azure. For a managed identity, this can only be done with PowerShell at the time of writing.

Run the following PowerShell code to grant API permissions. You need the **Microsoft Graph PowerShell SDK** and an account with **Global administrator** or **Application administrator** permissions.

Set the following variables in the script:

* **TenantID**. This is the tenant ID for your tenant.
* **EnterpriseAppName**. The display name of your managed identity, which is the same as the name of your automation account.
* **RolesToAssign**. Here you can list which permissions you want to grant. You can reference the [MS Docs](https://docs.microsoft.com/en-us/graph/permissions-reference) to find the permissions you need. As a minimum, the following permissions are needed for this report:
  * DeviceManagementManagedDevices.Read.All
  * DeviceManagementConfiguration.Read.All
  * DeviceManagementApps.Read.All

{% hint style="info" %}
Note that these are **application** permissions, not **delegated** permissions.
{% endhint %}

```powershell
# Tenant Id
$TenantId = "<MyTenantId>"
# List of permission names (application permissions on Microsoft Graph)
$RolesToAssign = @(
    "DeviceManagementManagedDevices.Read.All"
    "DeviceManagementConfiguration.Read.All"
    "DeviceManagementApps.Read.All"
)
# DisplayName of the Managed Identity (Enterprise app, Service principal) you are assigning permissions to
$EnterpriseAppName = "<MyAppName>"
# Connect to Graph. The signed-in admin needs these delegated scopes to read
# service principals and to create app role assignments
Import-Module Microsoft.Graph.Applications
Connect-Graph -TenantId $TenantId -Scopes "Application.Read.All","AppRoleAssignment.ReadWrite.All" -NoWelcome
# Get the service principals
$GraphApp = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'" # Microsoft Graph
$EnterpriseApp = Get-MgServicePrincipal -Filter "DisplayName eq '$EnterpriseAppName'"
if (-not $EnterpriseApp) { throw "Service principal '$EnterpriseAppName' not found" }
# Assign the roles
foreach ($RoleName in $RolesToAssign) {
    # Look up the app role definition on the Graph service principal by its permission name
    $AppRole = $GraphApp.AppRoles | Where-Object { $_.Value -eq $RoleName }
    if (-not $AppRole) {
        Write-Warning "Permission '$RoleName' not found on Microsoft Graph; check the spelling"
        continue
    }
    $params = @{
        principalId = $EnterpriseApp.Id
        resourceId = $GraphApp.Id
        appRoleId = $AppRole.Id
    }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $EnterpriseApp.Id -BodyParameter $params
}
```

Once granted, you will find these permissions listed against the **Enterprise application** for your managed identity in the **Permissions** pane.

![](/files/-Mdax5aEzdXbftErsmQ4)
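To confirm that the assignment did what you intended and nothing more, the following check (added here, not part of the original guide) lists the Graph application permissions actually assigned to the managed identity and flags any required permission that is missing and any extra one that goes beyond the minimum. It assumes the same `$TenantId` and `$EnterpriseAppName` placeholders as the script above.

```powershell
# Added verification step: compare the Graph app roles assigned to the
# managed identity against the minimum set this report needs.
$TenantId          = "<MyTenantId>"   # placeholder, as in the script above
$EnterpriseAppName = "<MyAppName>"    # placeholder, as in the script above
$RequiredRoles = @(
    "DeviceManagementManagedDevices.Read.All"
    "DeviceManagementConfiguration.Read.All"
    "DeviceManagementApps.Read.All"
)

Import-Module Microsoft.Graph.Applications
# A read-only scope is enough for this check
Connect-MgGraph -TenantId $TenantId -Scopes "Application.Read.All" -NoWelcome

$GraphApp      = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
$EnterpriseApp = Get-MgServicePrincipal -Filter "DisplayName eq '$EnterpriseAppName'"
if (-not $EnterpriseApp) { throw "Service principal '$EnterpriseAppName' not found" }

# Map Graph app role GUID -> permission name so assignments are readable
$RoleNameById = @{}
foreach ($AppRole in $GraphApp.AppRoles) { $RoleNameById[$AppRole.Id] = $AppRole.Value }

# Keep only assignments whose resource is Microsoft Graph (the identity may
# also hold roles on other resource apps)
$Assigned = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $EnterpriseApp.Id -All |
    Where-Object { $_.ResourceId -eq $GraphApp.Id } |
    ForEach-Object { $RoleNameById[$_.AppRoleId] }

$Missing = $RequiredRoles | Where-Object { $_ -notin $Assigned }
$Extra   = $Assigned      | Where-Object { $_ -notin $RequiredRoles }

if ($Missing) { Write-Warning ("Missing required permissions: " + ($Missing -join ", ")) }
else          { Write-Host "All required Graph permissions are assigned to '$EnterpriseAppName'." }
if ($Extra)   { Write-Warning ("Assigned beyond the minimum, review for least privilege: " + ($Extra -join ", ")) }
```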
