Using System Managed Identity for Azure Functions Without Creating App Registrations?

Asked By CuriousCoder123 On

I'm starting to explore using System Managed Identity with Azure Functions to access Microsoft Graph resources. I'm apprehensive about the security risks of creating App Registrations, especially since they can grant "Service Account" level permissions to MS Graph. I've successfully created a service principal and granted the necessary permissions, but I'm stuck when it comes to local development. I'm working with .NET 8 and using the DefaultAzureCredential() method to obtain credentials from my Visual Studio account.

The real challenge is how to grant my user permissions similar to those of the Azure Functions service principal without having to create an App Registration, which I'm trying to avoid. I've read that according to Microsoft's documentation, I need to create an App Registration for local development and debugging, which contradicts my intention to use System Managed Identity for enhanced security. Is there a workaround for local development with MSI that avoids the creation of App Registrations?

2 Answers

Answered By TechWhiz99 On

Have you considered using your Visual Studio credentials and ensuring your user account has the necessary permissions to access MS Graph? When fetching your access token, just make sure to include the correct scope. Default Azure Credential should work for both your local setup and your Azure-hosted function.

InquisitiveDev -

That's what I'm trying to figure out. I thought the only way to give my user access to MS Graph was through an App Registration, which I'm trying to avoid because it seems against the principles of Managed Service Identity. Is there really no other way?

Answered By DevGuru42 On

Unfortunately, you will have to create an App Registration and include it in your local.settings.json file. This is evaluated with a higher priority when using DefaultAzureCredential. I know it’s frustrating—I had to ask my sys admin for a Local Development App Registration recently, and it felt counterintuitive to say the least.
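
To check which identity `DefaultAzureCredential` actually resolves to, and what kind of Microsoft Graph permissions its token carries, the following is an added example that is not part of the original thread. It assumes a .NET 8 console app with the `Azure.Identity` package, and that the Graph access token is a JWT whose payload can be decoded for debugging.

```csharp
// Added example; assumes a .NET 8 console app with the Azure.Identity package.
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;
using Azure.Core;
using Azure.Identity;

var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
{
    // Example's choice: ignore AZURE_CLIENT_ID / AZURE_TENANT_ID /
    // AZURE_CLIENT_SECRET, which are otherwise tried first in the chain.
    ExcludeEnvironmentCredential = true
});

// ".default" requests whatever Graph permissions the identity already holds.
var request = new TokenRequestContext(new[] { "https://graph.microsoft.com/.default" });
AccessToken token = await credential.GetTokenAsync(request, default);

foreach (var (claim, value) in DescribeToken(token.Token))
    Console.WriteLine($"{claim,-6} {value}");

// Decodes the JWT payload without validating the signature: a debugging aid
// for seeing who you are, never an authorization check.
static Dictionary<string, string> DescribeToken(string jwt)
{
    string[] parts = jwt.Split('.');
    if (parts.Length != 3)
        throw new FormatException("Expected a three-part JWT.");

    // base64url -> base64, restoring the padding that JWTs strip.
    string b64 = parts[1].Replace('-', '+').Replace('_', '/');
    b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
    string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));

    using JsonDocument doc = JsonDocument.Parse(json);
    var found = new Dictionary<string, string>();
    // idtyp (if present): "app" or "user"; roles: application permissions
    // (app-only token); scp: delegated permissions (user sign-in).
    foreach (string name in new[] { "idtyp", "appid", "oid", "upn", "roles", "scp" })
    {
        if (doc.RootElement.TryGetProperty(name, out JsonElement element))
            found[name] = element.ToString();
    }
    return found;
}
```

A token issued to the Function's managed identity carries application permissions in `roles`, while a token from a developer sign-in carries delegated permissions in `scp`, so comparing the two outputs shows whether local runs exercise the same permission model as the deployed Function.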
