How to Assign Graph Permissions to a Managed Identity in Azure?

No, you don't need extra roles, but just remember that a managed identity doesn't have an "App registration." You'll need to manually add the managed identity to the Graph application in Azure Entra. Alternatively, you can create an app registration and set up workload federation by federating the managed identity to that registration.

You might want to use the Application.ReadWrite.All permission as well when you connect. Try this command: Connect-MgGraph -Scopes "Application.ReadWrite.All". Just be aware that you might need additional admin consent for the Graph command line tools.

The automation account creates an enterprise application that requires specific API permissions for Microsoft Graph. A global admin will need to handle this for privileged permissions. You should definitely check what permissions are necessary in the Graph API docs; everything runs through the API. Here's a helpful link for the service principal: https://learn.microsoft.com/en-us/graph/api/resources/serviceprincipal?view=graph-rest-1.0.

Thanks for the tips, everyone! I've got the connection to Mg-Graph working with the right scope, so that part's good! I’ll take a look at the Graph Application next. I suspect I might need our Global Admin to run this part since I could add SharePoint permissions but not Graph permissions. Any idea what specific permission they need?

It sounds like you might need to elevate your permissions to global administrator in order to assign Graph permissions. I typically assign app permissions to the Graph service principal with the ID "00000003-0000-0000-c000-000000000000" in PowerShell and it works fine.