Hey everyone! I'm new to Azure and Entra, and I'm trying to figure out how to assign Graph API permissions to a managed identity for my PowerShell scripts. I've set up an Azure Automation Account with a system-assigned managed identity and successfully gave it some SharePoint Online permissions, but I'm stuck when it comes to the Graph API.
I need to pull some user information from the directory using the Graph API. I've read that as long as my admin account has the Cloud Application Administrator or Application Administrator roles, I should be able to assign Graph API permissions like User.Read.All to my managed identity using PowerShell and MgGraph. However, I'm running into an "Insufficient privileges to complete the operation" error whenever I try to do this. Do I need additional roles beyond Cloud Application Administrator for this task?
5 Answers
No, you don't need extra roles, but just remember that a managed identity doesn't have an "App registration." You'll need to manually add the managed identity to the Graph application in Azure Entra. Alternatively, you can create an app registration and set up workload federation by federating the managed identity to that registration.
You might want to use the Application.ReadWrite.All permission as well when you connect. Try this command: Connect-MgGraph -Scopes "Application.ReadWrite.All". Just be aware that you might need additional admin consent for the Graph command line tools.
The automation account creates an enterprise application that requires specific API permissions for Microsoft Graph. A global admin will need to handle this for privileged permissions. You should definitely check what permissions are necessary in the Graph API docs; everything runs through the API. Here's a helpful link for the service principal: https://learn.microsoft.com/en-us/graph/api/resources/serviceprincipal?view=graph-rest-1.0.
Thanks for the tips, everyone! I've got the connection to MgGraph working with the right scope, so that part's good! I'll take a look at the Graph Application next. I suspect I might need our Global Admin to run this part since I could add SharePoint permissions but not Graph permissions. Any idea what specific permission they need?
It sounds like you might need to elevate your permissions to global administrator in order to assign Graph permissions. I typically assign app permissions to the Graph service principal with the ID "00000003-0000-0000-c000-000000000000" in PowerShell and it works fine.
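The assignment the answer above describes, carried through end to end in PowerShell with the Microsoft.Graph module, as an added example that is not from any of the posters. It assumes the caller can consent to the Application.Read.All and AppRoleAssignment.ReadWrite.All scopes, and the managed identity's display name is a placeholder to replace; the User.Read.All role and the Graph AppId come from the thread.

```powershell
# Added example: grant the Microsoft Graph application permission User.Read.All
# to an Automation Account's system-assigned managed identity.
# Assumptions: caller may consent to the two scopes below; the display name is a placeholder.
Import-Module Microsoft.Graph.Applications

$ManagedIdentityName = 'REPLACE-WITH-AUTOMATION-ACCOUNT-NAME'   # placeholder, not a real name
$GraphAppId          = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph (same in every tenant)
$RoleValue           = 'User.Read.All'                          # least privilege for reading user objects

# Reading service principals and writing app role assignments need these delegated scopes.
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

# The Graph service principal object in this tenant (its Id is tenant-specific, its AppId is not).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
if (-not $graphSp) { throw "Microsoft Graph service principal not found in this tenant." }

# A managed identity has no app registration, but it is a service principal; match it by display name.
$mi = Get-MgServicePrincipal -Filter "displayName eq '$ManagedIdentityName'"
if (-not $mi) { throw "Managed identity '$ManagedIdentityName' not found." }

# Pick the *application* role, not the delegated scope that shares the same Value.
$role = $graphSp.AppRoles |
    Where-Object { $_.Value -eq $RoleValue -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $role) { throw "Application role '$RoleValue' not found on Microsoft Graph." }

# Idempotency check: an identical assignment must not be created twice.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id |
    Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graphSp.Id }
if ($existing) {
    Write-Host "'$RoleValue' is already assigned to '$($mi.DisplayName)'."
} else {
    # PrincipalId = who receives the role, ResourceId = the API that defines it.
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id `
        -PrincipalId $mi.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned '$RoleValue' to '$($mi.DisplayName)'."
}

# Review step: list every Graph application permission the identity now holds,
# so a broader role than intended is noticed before the runbook goes live.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $roleId = $_.AppRoleId
        ($graphSp.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
    }
```

If the New-MgServicePrincipalAppRoleAssignment call is the one that fails with "Insufficient privileges", the missing piece is consent to AppRoleAssignment.ReadWrite.All for the signed-in account, which is what the thread's suggestion to involve a Global Administrator addresses.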