How to use Managed Identities with Microsoft Graph PowerShell

Managed identities provide a secure way for applications to access resources in Azure without administrators having to manage additional passwords or secrets. Authentication happens automatically, with no need for a human to step in.

Fortunately for those who code in PowerShell for the administration of their tenant or reporting of their tenant, Microsoft Graph PowerShell v2 supports the use of Managed Identities with Azure Automation. 

In this tutorial, I am going to show you how you can create and assign permissions to a Managed Identity in Azure and then use that Managed Identity in your Microsoft Graph PowerShell scripts.

What are Managed Identities?

Managed Identities are resources in Azure that can automatically request and receive Azure AD access tokens to authenticate to other resources. For programmatic/automated scenarios, this eliminates the need for tenant administrators to manage passwords, keys or secrets, as authentication is handled entirely by Azure and stays inside Azure, making it simpler and more secure.

In practical terms, Managed Identities are Service Principals (or applications) in Azure AD, to which you can assign specific permissions or roles to complete the tasks they are created to perform. 

You can view Managed Identities in Azure Active Directory by selecting: 

Applications > All applications, then change the application type filter to Managed Identities.

View all Managed Identities

System-assigned vs User-assigned Managed Identities

There are two types of Managed Identities in Azure that enable you to get an Azure AD token for access to resources. These are System-assigned and User-assigned Managed Identities.

Although they both serve the same purpose, they work a little differently. A System-assigned Managed Identity is tied to a specific resource and provides access only for that resource, whereas a User-assigned Managed Identity is independent and can be assigned to one or many different resources.

System assigned vs User assigned Managed Identity

Choosing between the two types of Managed Identity depends on both the scenario in which it is being deployed and how you manage your infrastructure.

System-assigned Managed Identities generally mean more administration if you need to apply Graph API permissions to multiple identities; this could be simplified with a single User-assigned Managed Identity if the permission requirements are the same. Furthermore, if you assign roles instead of Graph API permissions, each System-assigned Managed Identity could be added to a Security Group that holds the role assignment, again reducing administration.

The lifecycle of a System-assigned Managed Identity is also tied to the resource, so it is created when the resource is created and deleted when the resource is deleted. While in some cases this may help maintain security and keep your environment tidy, it may become troublesome while creating multiple resources, especially if permissions need to be managed or approved by a different department.

The diagram below shows the permission assignment flow when using System-assigned or User-assigned Managed Identities. Generally speaking, if you have a single job with a specific permission that needs to run, a System-assigned Managed Identity is the better option; any other scenario requires additional thought.

Managed Identity Azure Automation Diagram

How to create a User-assigned Managed Identity

As User-assigned Managed Identities are independent of the resources they serve, they must first be created manually, either in the Azure Portal or with PowerShell, and then the required permissions must be assigned. Follow the steps below to create and configure a User-assigned Managed Identity.

Using the Azure Portal

2. Search for Managed Identities and open the service

Select Managed Identities

3. Click Create to start the Managed Identity creation wizard

Click Create

4. Complete the information areas on the screen then click Review & Create > Create

Create your Managed Identity

Using PowerShell

While I like to do everything with Microsoft Graph, Managed Identities are Azure Resources and cannot be created directly in Azure AD, which is what Microsoft Graph enables you to manage. To create a Managed Identity with PowerShell, you must use the Azure (Az) PowerShell module as follows:

1. Install the Az PowerShell module.

Install-Module Az -Scope CurrentUser -AllowPrerelease -Force

2. Connect to Azure using Connect-AzAccount.

Connect-AzAccount

3. Before you create a managed identity, you must first create a resource group which will contain it.

New-AzResourceGroup -Name RG-UKSAA-MgPowerShell -Location "UK South"

4. Now create a new Managed Identity and define the name of your new resource group.

New-AzUserAssignedIdentity -ResourceGroupName RG-UKSAA-MgPowerShell -Name MI-AA-MgPowerShell1 -Location UKSouth

Assign Graph API permissions to Managed Identities

To grant our Managed Identity the least privilege it needs to perform the tasks set out in our final script, we need to assign Graph API permissions through PowerShell.

Unfortunately, Graph API permissions are not yet supported to be assigned to Managed Identities via the Microsoft Entra portal, so I will show you how to do it with Microsoft Graph PowerShell.

The following script will connect to Microsoft Graph and assign the defined permissions to your Managed Identity. Make sure you modify the variables as advised in the script below.

# Connect to Microsoft Graph with the least permission scope needed for this task
Connect-MgGraph -Scopes Application.Read.All, AppRoleAssignment.ReadWrite.All

### Define these variables first ###
$ManagedIdentityName = "OCN-AA-MgPowerShell"
$permissions = "Mail.Send", "AuditLog.Read.All", "Application.Read.All"

# Microsoft Graph's own service principal (this AppId is the same in every tenant)
# publishes the list of application roles; pick those whose name is in $permissions
$GraphSP = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
$getPerms = $GraphSP.AppRoles | Where-Object { $_.Value -in $permissions }

# Service principal of the Managed Identity that will receive the roles
$ManagedIdentity = Get-MgServicePrincipal -Filter "DisplayName eq '$ManagedIdentityName'"
if (-not $ManagedIdentity) { throw "Managed Identity '$ManagedIdentityName' was not found" }

# Assign each matching application role to the Managed Identity
foreach ($perm in $getPerms) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentity.Id `
        -PrincipalId $ManagedIdentity.Id -ResourceId $GraphSP.Id -AppRoleId $perm.Id
}
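Once roles are assigned, you will want to check that the identity holds exactly the permissions you intended and nothing more. The following audit script is an added example, not code from the original post: it resolves every app role assignment on the Managed Identity back to its permission name, flags anything missing or unexpected, and shows (with -WhatIf, so nothing is changed) how an unexpected assignment would be removed. The identity name and intended permission list are assumptions to adapt.

```powershell
# Added example: audit the Graph application permissions held by a Managed Identity.
Connect-MgGraph -Scopes Application.Read.All, AppRoleAssignment.ReadWrite.All -NoWelcome

$ManagedIdentityName = "OCN-AA-MgPowerShell"                       # assumed name
$intended = "Mail.Send", "AuditLog.Read.All", "Application.Read.All"  # assumed list

# Microsoft Graph's service principal; its AppRoles map role GUIDs to permission names
$graphSp  = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($role in $graphSp.AppRoles) { $roleName[$role.Id] = $role.Value }

$mi = Get-MgServicePrincipal -Filter "DisplayName eq '$ManagedIdentityName'"
if (-not $mi) { throw "Managed Identity '$ManagedIdentityName' was not found" }

# Every app role assignment the identity holds, resolved to a readable name.
# Roles granted on resources other than Graph are reported but not resolved.
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -All
$report = foreach ($a in $assignments) {
    $isGraph = $a.ResourceId -eq $graphSp.Id
    $name    = if ($isGraph) { $roleName[$a.AppRoleId] } else { "<non-Graph role $($a.AppRoleId)>" }
    [pscustomobject]@{
        Permission   = $name
        Resource     = $a.ResourceDisplayName
        AssignmentId = $a.Id
        Intended     = $isGraph -and ($name -in $intended)
    }
}
$report | Format-Table Permission, Resource, Intended -AutoSize

# Intended permissions that were never granted
$granted = $report | Where-Object Intended | Select-Object -ExpandProperty Permission
$intended | Where-Object { $_ -notin $granted } | ForEach-Object { Write-Warning "Missing: $_" }

# Granted permissions that are not on the intended list: review them, then drop
# -WhatIf to actually remove the assignment.
foreach ($extra in ($report | Where-Object { -not $_.Intended })) {
    Write-Warning "Unexpected: $($extra.Permission) on $($extra.Resource)"
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id `
        -AppRoleAssignmentId $extra.AssignmentId -WhatIf
}
```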

Once your permissions are assigned, the Permissions tab for your Managed Identity in the Microsoft Entra portal will look like the following:

Assigned Permissions (Managed Identity)

Use a system-assigned managed identity with Azure Automation Account

System-assigned managed identities can be created directly from the Azure Automation Account or the resource that they apply to. Follow the below steps to create the Managed Identity.

1. Start by opening your Automation Account and then select Identity from the account settings area.

Select Identity

2. Set the System assigned Managed Identity to On then click Save.

Enable the system-assigned managed identity

3. You will now see the Managed Identity listed in the applications list as seen at the top of this tutorial.

Use a User-assigned managed identity with Azure Automation Account

User-assigned Managed Identities must be assigned manually to the resource they will be authenticating. Follow the below steps to assign the Managed Identity to your Automation Account.

1. Start by opening your Automation Account and selecting Identity from the account settings area.

Select Identity

2. Select the User assigned tab, then click Add.

Select Add

3. Select your subscription and Managed Identity from the list and click Add.

Select a Managed Identity

How to use Connect-MgGraph -Identity with Microsoft Graph PowerShell

Now that you have an Automation Account with a Managed Identity assigned and the correct permissions in place, you must include the -Identity parameter in your Microsoft Graph authentication command to use it.

Use Connect-MgGraph with a System-assigned Managed Identity

When connecting with a System-assigned Managed Identity, simply specify the -Identity parameter on its own; no further authentication parameters are required.

Connect-MgGraph -Identity

Use Connect-MgGraph with a User-assigned Managed Identity

To use a User-assigned Managed Identity, both the -Identity and -ClientId parameters need to be specified. The -ClientId value identifies the User-assigned Managed Identity (service principal) so the authentication command knows which Managed Identity to use; the author gives this as the identity's object ID.

Connect-MgGraph -Identity -ClientId %Object ID of Managed Identity%
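As an added example that is not part of the original post, here is the body of an Azure Automation runbook that signs in with the Automation Account's System-assigned Managed Identity, confirms it really is running as an application identity rather than a user or secret-based context, and fails with a clear message if the identity lacks a permission the job needs. The sign-in report task and the 24-hour window are assumptions; the script assumes AuditLog.Read.All was assigned as shown earlier.

```powershell
# Added example: Azure Automation runbook body using Connect-MgGraph -Identity.
$ErrorActionPreference = "Stop"

try {
    Connect-MgGraph -Identity -NoWelcome
} catch {
    throw "Managed Identity sign-in failed. Is the identity enabled on this Automation Account? $_"
}

# Refuse to run under anything but an app-only context: a runbook should never be
# silently executing with a cached user or client-secret session.
$ctx = Get-MgContext
if ($ctx.AuthType -ne "AppOnly") {
    throw "Unexpected auth type '$($ctx.AuthType)'; expected an app-only Managed Identity context."
}
Write-Output "Connected as app $($ctx.ClientId) in tenant $($ctx.TenantId)"

try {
    # Do not rely on (Get-MgContext).Scopes to prove permissions; a missing application
    # permission shows up as a 403 on the call itself, so test the real call.
    # Assumed task: sign-ins from the last 24 hours (requires AuditLog.Read.All).
    $since   = (Get-Date).ToUniversalTime().AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ssZ")
    $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
    Write-Output "Retrieved $($signIns.Count) sign-in events since $since"
} catch {
    # Surface the failure with a pointer to the fix instead of a bare stack trace
    Write-Error ("Graph call failed for identity $($ctx.ClientId). If this is a 403, " +
                 "assign the required application permission to the Managed Identity. $_")
    throw
} finally {
    Disconnect-MgGraph | Out-Null
}
```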

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

This Post Has 6 Comments

  1. Hanif

    Nice post, thanks

  2. Yustin

    In your case (system-managed identity using Connect-MgGraph -Identity), are the scopes properly set when you run (Get-MgContext).Scopes?

    In my case, the scopes are blank even though I have added the permission/role properly to the managed identity (as shown in the Azure Portal also)

    1. Daniel Bradley

      Are you using the command as defined in the post? Connect-MgGraph -Identity -ClientID *ID*

  3. Jakke

    Very clear and useful post. Thanks Daniel!!!

  4. John Eckert

    Is it possible to create managed-identity with delegated permissions? I need to access the excel file with Graph workbook api, but endpoints for workbook do not support application permissions.

    1. Daniel Bradley

      I do not believe they support delegated permissions. You may be able to use a normal app registration instead, although this would be less secure of course.
