Assign Permissions to a Managed Identity with Graph PowerShell

Assigning permissions to Managed Identities in Microsoft Entra can be a little tricky. There is no option to assign application permissions to a Managed Identity in the Entra admin portal; instead, Microsoft Graph PowerShell is the preferred method.

Requirements

To run the scripts in this tutorial, ensure you meet the following requirements:

  • Have the latest version of the Microsoft Graph PowerShell SDK installed.
  • Have the Global Administrator role to consent to permissions.
  • Ensure you can connect to the built-in Microsoft Graph Command Line Tool enterprise app.

Assigning Permissions

To assign permissions to a Managed Identity using Microsoft Graph PowerShell, start by connecting to Microsoft Graph with the following permissions:

  • Application.Read.All
  • AppRoleAssignment.ReadWrite.All

Connect-MgGraph -Scopes Application.Read.All, AppRoleAssignment.ReadWrite.All

You will need to know the object ID of the target Managed Identity. You can get this from the Microsoft Entra admin portal, or you can find it with PowerShell. Use the example below, changing the value of the $MIName variable to match the display name of your Managed Identity:

$MIName = "Managed Identity Name"

# Display names are not unique; confirm this returns exactly one service principal before continuing.
$ManagedIdentity = (Get-MgServicePrincipal -Filter "DisplayName eq '$MIName'")

Now that you have stored your Managed Identity, you need to store the permissions you wish to assign to it. On the first line in the code below, replace each permission entry with the permissions you need. The second line gathers the matching app role objects from the Microsoft Graph service principal, so they can be reused when assigning to the Managed Identity, and the third line stores the object ID of the Microsoft Graph service principal.

# Application permission names exactly as they appear in Microsoft Graph, e.g. "Mail.Send"
$permissions = "permission1", "permission2", "permission3"

# 00000003-0000-0000-c000-000000000000 is the well-known AppId of Microsoft Graph in every tenant
$getPerms = (Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'").AppRoles | Where-Object {$_.Value -in $permissions}

$GraphID = (Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'").Id

Now use a foreach loop with the New-MgServicePrincipalAppRoleAssignment cmdlet to assign each of the gathered app roles to your Managed Identity.

# The Managed Identity is both the service principal being updated and the principal receiving the role
foreach ($perm in $getPerms){
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentity.Id `
    -PrincipalId $ManagedIdentity.Id -ResourceId $GraphID -AppRoleId $perm.Id
}

Full Script Example

Connect-MgGraph -Scopes Application.Read.All, AppRoleAssignment.ReadWrite.All

$ManagedIdentityName = "My Managed Identity"
$permissions = "Mail.send", "AuditLog.Read.All"

$getPerms = (Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'").AppRoles | Where-Object {$_.Value -in $permissions}
$ManagedIdentity = (Get-MgServicePrincipal -Filter "DisplayName eq '$ManagedIdentityName'")
$GraphID = (Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'").Id

foreach ($perm in $getPerms){
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentity.Id `
    -PrincipalId $ManagedIdentity.Id -ResourceId $GraphID -AppRoleId $perm.id
}
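The full script above grants exactly what you ask for, but it trusts two things silently: that the display name matched only one service principal, and that every permission name was spelled correctly (a misspelled entry simply drops out of the Where-Object filter and is never assigned). The following is an added example, not the author's script, that wraps the same cmdlets with those checks, skips roles that are already assigned so it can be re-run safely, and finishes by listing the Graph application permissions the identity now holds for review. The Managed Identity name and permission list are placeholders, and the variable names are my own.

```powershell
# Added example (not from the original post): a re-runnable version of the
# permission assignment with validation and a final review step.
# Placeholders: $ManagedIdentityName and $permissions.

Connect-MgGraph -Scopes Application.Read.All, AppRoleAssignment.ReadWrite.All

$ManagedIdentityName = "My Managed Identity"     # placeholder
$permissions = "Mail.Send", "AuditLog.Read.All"  # placeholder list

# Microsoft Graph's well-known AppId is the same in every tenant.
$GraphAppId = "00000003-0000-0000-c000-000000000000"

# 1. Resolve the Managed Identity and insist on exactly one match. Display
#    names are not unique, so a loose match could grant permissions to the
#    wrong service principal.
$candidates = @(Get-MgServicePrincipal -Filter "DisplayName eq '$ManagedIdentityName'")
if ($candidates.Count -ne 1) {
    throw "Expected exactly one service principal named '$ManagedIdentityName', found $($candidates.Count)."
}
$ManagedIdentity = $candidates[0]

# 2. Resolve the Microsoft Graph service principal once and reuse it.
$GraphSP = Get-MgServicePrincipal -Filter "AppId eq '$GraphAppId'"

# 3. Map each requested permission name to an application app role and fail
#    loudly on a typo instead of silently skipping it.
$rolesToAssign = foreach ($name in $permissions) {
    $role = $GraphSP.AppRoles | Where-Object {
        $_.Value -eq $name -and $_.AllowedMemberTypes -contains "Application"
    }
    if (-not $role) { throw "No Microsoft Graph application permission named '$name'." }
    $role
}

# 4. Skip roles that are already assigned so the script is safe to re-run
#    (New-MgServicePrincipalAppRoleAssignment errors on a duplicate assignment).
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentity.Id -All |
    Where-Object { $_.ResourceId -eq $GraphSP.Id } |
    Select-Object -ExpandProperty AppRoleId

foreach ($role in $rolesToAssign) {
    if ($existing -contains $role.Id) {
        Write-Host "Already assigned: $($role.Value)"
        continue
    }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentity.Id `
        -PrincipalId $ManagedIdentity.Id -ResourceId $GraphSP.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned: $($role.Value)"
}

# 5. Review: list the Graph application permissions the identity now holds,
#    resolving each AppRoleId back to its name so the result is readable.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentity.Id -All |
    Where-Object { $_.ResourceId -eq $GraphSP.Id } |
    ForEach-Object {
        $id = $_.AppRoleId
        ($GraphSP.AppRoles | Where-Object { $_.Id -eq $id }).Value
    } | Sort-Object
```

The review step at the end is worth keeping as a standalone snippet: because the portal does not show these assignments in an obvious place, running it periodically against your Managed Identities is the simplest way to spot application permissions that have accumulated beyond what a workload actually needs.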

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
