Azure API Permissions Managed Identity with PowerShell

Overview

In this article, we are going to learn about assigning Azure Graph permissions to Azure Managed Identities.

What is Managed Identity?

A Managed Identity in Azure is a feature that provides an identity for applications (or even Azure resources) to use when connecting to Azure resources that support Azure Active Directory (Azure AD) authentication. Managed identities eliminate the need for developers to manage credentials by letting Azure handle their lifecycle securely. Managed identities come in two forms:

  1. System-Assigned Managed Identity: Automatically created and tied to an Azure resource. Its lifecycle is linked to the resource (e.g., Virtual Machine, Azure Function, etc.).
  2. User-Assigned Managed Identity: Created independently of resources and can be associated with multiple resources.

Create Managed Identity

As explained in the above section, Azure supports two types of Managed Identities. Let’s explore how to create them from the portal.

For a System-Assigned Managed Identity:

  1. Go to the Azure portal.
  2. Navigate to the resource (e.g., SQL server or Azure App Service).
  3. In the resource menu, locate and click Identity.
  4. Enable the System-Assigned Managed Identity toggle.
  5. Save the changes.

For a User-Assigned Managed Identity:

  1. In the Azure portal, search for Managed Identities in the search bar.
  2. Click + Create.
  3. Provide the required information (Subscription, Resource Group, Name, and Region).
  4. Review and create the Managed Identity.
  5. Assign it to a resource as needed by navigating to the resource, finding the Identity section, and attaching the user-assigned identity.
  6. If you attach more than one user-assigned identity to the same resource, you also need to choose one of them as the Primary Identity.

Locate Managed Identity

When you create a Managed Identity, it is also registered in Microsoft Entra in the form of an Enterprise Application.

Navigate to Microsoft Entra and search for the appropriate Managed Identity, as shown below.

(Screenshot: searching for the Managed Identity under Enterprise Applications in Microsoft Entra)

  1. Navigate to Enterprise Applications, where all Managed Identities are stored.
  2. Navigate to All applications.
  3. In the search, filter based on Application Type = Managed Identities.
  4. Search based on your Managed Identity name.

What are API Permissions?

When you create a Managed Identity, it won’t have access to anything unless you grant it explicit permissions.

API Permissions are the access rights granted to an application to interact with APIs securely. These permissions are typically used with Azure AD to control what operations an application can perform against protected resources like Microsoft Graph API or other APIs.

If you are building any application/script in which you want to access Microsoft Entra’s Users/Group information, then you need to provide the below API permissions.

  • User.Read.All
  • GroupMember.Read.All
  • Application.Read.All

Unfortunately, as of this writing the Azure portal doesn’t provide a way to grant API permissions to a Managed Identity’s Enterprise Application. We need to write PowerShell code that grants them with the help of the Microsoft Graph PowerShell modules.

Adding Microsoft Graph permissions to a Managed Identity in Azure is essential for enabling specific capabilities in applications and scripts that need to interact with Microsoft Graph resources.

Now, let’s understand what Microsoft Graph is and how to get started working with it.

What is Microsoft Graph?

Microsoft Graph is the unified API endpoint from Microsoft that provides access to data and intelligence across Microsoft 365 services, Azure AD, and other Microsoft services. It enables developers to interact with resources such as users, groups, files, emails, calendar events, tasks, and more in a consistent way.

Install Microsoft Graph

Open PowerShell with “Run as Administrator” and then run the below command.

Install-Module Microsoft.Graph -Scope AllUsers

(Screenshot: running Install-Module in a PowerShell window opened with “Run as Administrator”)

Once the Microsoft Graph PowerShell modules are installed, we need to write code to assign the API permissions. Let’s learn how to write the PowerShell code that assigns the permissions to the Managed Identity.

Code to assign API Permissions

# Script to assign permissions to an existing user-assigned managed identity (UMI)
# The following required Microsoft Graph application permissions (app roles) will be assigned:
#   User.Read.All
#   GroupMember.Read.All
#   Application.Read.All

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications

$tenantId = "8ef7b61f-88aa-4478-8edb-d8eaad5710e7"        # Your tenant ID
$MSIName = "az-elasticpool-usmi"                            # Name of your managed identity

# Log in as a user with the "Privileged Role Administrator" role
Connect-MgGraph -TenantId $tenantId -Scopes "AppRoleAssignment.ReadWrite.All,Application.Read.All"

# Search for the Microsoft Graph service principal (the resource that exposes the app roles)
$MSGraphSP = Get-MgServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
$MSGraphSP

# Search for the managed identity's service principal by display name
$MSI = Get-MgServicePrincipal -Filter "DisplayName eq '$MSIName'"
if (-not $MSI) {
    Write-Output "No service principal found with the name '$MSIName'. Check the managed identity name and tenant ID."
    Exit
}
if (@($MSI).Count -gt 1) {
    # Single quotes keep the literal $MSI in the message instead of expanding the variable
    Write-Output 'More than 1 principal found with that name. Find your principal, copy its object ID, and replace the lookup above with: $MSI = Get-MgServicePrincipal -ServicePrincipalId <your_object_id>'
    Exit
}

# Get required permissions
$Permissions = @(
    "User.Read.All"
    "GroupMember.Read.All"
    "Application.Read.All"
)

# Find the matching application permissions (app roles) defined on the Microsoft Graph service principal
$MSGraphAppRoles = $MSGraphSP.AppRoles | Where-Object { $_.Value -in $Permissions }

# Assign the managed identity one app role per permission
foreach ($AppRole in $MSGraphAppRoles) {
    $AppRoleAssignment = @{
        principalId = $MSI.Id          # the managed identity receiving the permission
        resourceId  = $MSGraphSP.Id    # the API (Microsoft Graph) that defines the app role
        appRoleId   = $AppRole.Id      # the specific permission being granted
    }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MSI.Id -BodyParameter $AppRoleAssignment -Verbose
}

Before running the code, replace the Managed Identity name and the Tenant ID with your own values, then run the script.

It will prompt you to sign in to Azure. Once the sign-in succeeds, the script runs and the permissions are assigned to the Managed Identity.

Verify the Permissions in Microsoft Entra

Navigate to Microsoft Entra and search for the appropriate Managed Identity in Enterprise Applications, as shown earlier. Click on your Managed Identity and then navigate to the Permissions tab, as shown below.

(Screenshot: the Permissions tab of the Managed Identity in Microsoft Entra, listing the granted Microsoft Graph permissions)

You should be able to view all the Microsoft Graph permissions, as shown above.
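The same verification can be scripted instead of clicking through the portal. The following is an added example, not part of the original article: it locates the Managed Identity the way the Enterprise Applications filter does (by service principal type, which also avoids the duplicate-name problem the assignment script warns about), lists every app role assigned to it with the permission names resolved, and shows how to revoke one that is no longer needed. The tenant ID and identity name are placeholders; reading assignments needs Application.Read.All, and the commented-out removal additionally needs AppRoleAssignment.ReadWrite.All.

```powershell
# Added example (not the article's code): audit the Microsoft Graph app roles held by a managed identity
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications

$tenantId = "<your-tenant-id>"              # placeholder: your tenant ID
$MSIName  = "<your-managed-identity-name>"  # placeholder: display name of the managed identity

Connect-MgGraph -TenantId $tenantId -Scopes "Application.Read.All"

# Filtering on servicePrincipalType mirrors the portal's "Application Type = Managed Identities" filter
# and prevents matching an unrelated app registration that happens to share the display name.
$MSI = Get-MgServicePrincipal -Filter "servicePrincipalType eq 'ManagedIdentity' and displayName eq '$MSIName'"
if (-not $MSI) { throw "No managed identity named '$MSIName' found in tenant $tenantId." }
if (@($MSI).Count -gt 1) { throw "More than one managed identity named '$MSIName'; select one by object ID." }

# Microsoft Graph's application (client) ID is the same well-known value in every tenant
$MSGraphSP = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Map each Graph app role ID back to its permission value (e.g. User.Read.All)
$roleNames = @{}
foreach ($role in $MSGraphSP.AppRoles) { $roleNames[$role.Id] = $role.Value }

# Every app role assignment held by the identity, across all resource APIs
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MSI.Id -All

$assignments | ForEach-Object {
    [pscustomobject]@{
        Resource     = $_.ResourceDisplayName
        # Names resolve only for Microsoft Graph; other APIs show the raw app role ID
        Permission   = if ($_.ResourceId -eq $MSGraphSP.Id) { $roleNames[$_.AppRoleId] } else { $_.AppRoleId }
        AssignmentId = $_.Id
        Created      = $_.CreatedDateTime
    }
} | Format-Table -AutoSize

# Least privilege: revoke an assignment that is no longer required by passing its AssignmentId from the table above.
# Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MSI.Id -AppRoleAssignmentId "<assignment-id>"
```

Compare the Permission column against the three permissions the article grants; anything extra is worth a second look, since app roles on a managed identity apply tenant-wide with no user consent step.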

Summary

In this article, we learned the basics of creating a Managed Identity, the different types of Managed Identity, and how to assign them to Azure resources. We then looked at what Microsoft Graph is, how to install its PowerShell modules, and how to write PowerShell code that grants API permissions to the Managed Identity, since the portal doesn’t support this yet as of this writing.
