Managed identities are a best practice for securing resources in Azure, but they don’t have access to anything by default. While role-based access control (RBAC) works for many scenarios, some services—like Microsoft Graph, SharePoint, and Defender—require API permissions.
The challenge? You can’t assign API permissions to a managed identity through the Azure portal. Instead, you need to use a CLI like PowerShell to configure these permissions.
Using PowerShell to Assign API Permissions
In this post, we’ll use a PowerShell script that I created, inspired by an older Azure blog post.
That script relied on the AzureAD module, which has since been deprecated in favor of the Microsoft Graph module. My updated version uses Microsoft Graph to ensure compatibility with the latest best practices.
📜 You can find my script here: ➡️ GitHub Repository
Prerequisites
Before running the script, ensure you have the following:
- PowerShell 7
  - If you’re not using PowerShell 7, you can run the script in Azure Cloud Shell as an alternative.
- Microsoft Graph PowerShell SDK (Application submodule)
  - The script requires the Microsoft Graph PowerShell SDK, specifically the Application submodule.
  - If it’s not installed, the script will automatically install it for you.
With these prerequisites met, we can proceed with updating the script.
Gathering Required Information
For this example, I have a Logic App with a system-assigned managed identity. I want to use the Microsoft Graph API to create a user.
Identifying the Target API
In Entra ID, the Microsoft Graph API is listed as:
- Name: Microsoft Graph
- App ID: 00000003-0000-0000-c000-000000000000
With my script, you can use either the name or the App ID when assigning permissions, but not both.
Checking Required Permissions
From the Graph API documentation, the required application permissions are:
- User.ReadWrite.All
- Directory.ReadWrite.All
Updating the PowerShell Script
With this information, we can update the script as follows:
$TenantId = "myTenantId"
$TargetApiName = "Microsoft Graph" # Provide either the ID or name, not both.
$TargetApiAppId = "00000003-0000-0000-c000-000000000000" # Provide either the ID or name, not both.
$LogicAppName = "myLogicApp"
# ... (Other necessary script logic here) ...
Set-APIPermissions -MSIName $LogicAppName -TargetApiName $TargetApiName -TargetApiAppId $TargetApiAppId -PermissionName "User.ReadWrite.All" -Action "Grant"
Set-APIPermissions -MSIName $LogicAppName -TargetApiName $TargetApiName -TargetApiAppId $TargetApiAppId -PermissionName "Directory.ReadWrite.All" -Action "Grant"
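To make the grant step concrete, here is an added example (not the author's script and not part of the linked repository) of what a Set-APIPermissions-style function has to do with the Microsoft Graph PowerShell SDK: resolve the managed identity's service principal, resolve the target API's service principal by name or App ID, find the application permission (app role) by its value, and create the app role assignment. The function name Set-ApiPermissionExample, its parameters and the sample values are assumptions; the cmdlets are from the Microsoft.Graph.Applications module.

```powershell
# Added example (not the author's script): a minimal Set-APIPermissions-style
# function built on the Microsoft Graph PowerShell SDK. Assumes the
# Microsoft.Graph.Applications module is installed and Connect-MgGraph has been
# called. Function name, parameters and sample values are hypothetical.
#Requires -Modules Microsoft.Graph.Applications

function Set-ApiPermissionExample {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MSIName,
        [string] $TargetApiName,
        [string] $TargetApiAppId,
        [Parameter(Mandatory)] [string] $PermissionName,
        [ValidateSet('Grant', 'Revoke')] [string] $Action = 'Grant'
    )

    # Exactly one of name / App ID must identify the target API.
    if ([string]::IsNullOrEmpty($TargetApiName) -eq [string]::IsNullOrEmpty($TargetApiAppId)) {
        throw 'Provide either -TargetApiName or -TargetApiAppId, not both.'
    }

    # 1. Resolve the managed identity's service principal by display name.
    #    Single quotes are doubled so the name cannot break out of the OData filter.
    $msi = Get-MgServicePrincipal -Filter "displayName eq '$($MSIName.Replace("'", "''"))'"
    if (@($msi).Count -ne 1) { throw "Expected exactly one service principal named '$MSIName'." }

    # 2. Resolve the target API's service principal (e.g. Microsoft Graph).
    $filter = if ($TargetApiAppId) { "appId eq '$TargetApiAppId'" }
              else { "displayName eq '$($TargetApiName.Replace("'", "''"))'" }
    $api = Get-MgServicePrincipal -Filter $filter
    if (@($api).Count -ne 1) { throw "Expected exactly one service principal for filter: $filter" }

    # 3. Find the application permission (app role) by value, e.g. User.ReadWrite.All.
    #    Only roles that allow 'Application' members can be held by a managed identity.
    $role = $api.AppRoles | Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "Application permission '$PermissionName' is not exposed by '$($api.DisplayName)'." }

    # 4. Look for an existing assignment so Grant/Revoke are idempotent.
    $existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id -All |
        Where-Object { $_.ResourceId -eq $api.Id -and $_.AppRoleId -eq $role.Id }

    switch ($Action) {
        'Grant' {
            if ($existing) { Write-Host "Already granted: $PermissionName on $($api.DisplayName)"; return $existing }
            return New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id `
                -PrincipalId $msi.Id -ResourceId $api.Id -AppRoleId $role.Id
        }
        'Revoke' {
            if (-not $existing) { Write-Host "Not assigned: $PermissionName on $($api.DisplayName)"; return }
            Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id -AppRoleAssignmentId $existing.Id
        }
    }
}

# Usage (constructed values): sign in with only the scopes these calls need, then grant.
Connect-MgGraph -TenantId 'myTenantId' -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All'
Set-ApiPermissionExample -MSIName 'myLogicApp' -TargetApiAppId '00000003-0000-0000-c000-000000000000' `
    -PermissionName 'User.ReadWrite.All' -Action Grant
```

The assignment is made against the managed identity's service principal (the same object is both ServicePrincipalId and PrincipalId), with the target API's service principal as ResourceId. Because app role assignments are visible to anyone with directory read access, a Revoke path that removes the exact assignment by its Id is worth keeping alongside Grant, so the permission can be withdrawn cleanly once the Logic App no longer needs it.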
Running the Script
Now that our script is updated, let’s run it to assign the API permissions to our Logic App’s managed identity.
Step 1: Execute the PowerShell Script
If the script runs successfully, you should see an output similar to this:
This confirms that the permissions have been assigned correctly, but let’s double-check in the Azure Portal.
Step 2: Verify in Azure
To double-check the applied permissions:
- Go to Microsoft Entra ID in the Azure portal.
- In the Overview blade, search for the name of your managed identity and select it.
- Under Permissions, verify that User.ReadWrite.All and Directory.ReadWrite.All are listed.
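The same verification can be done from PowerShell, which is handy when you want to audit several managed identities or check a deployment pipeline rather than click through the portal. The following is an added example (not from the original post) that lists every application permission a managed identity holds, resolving each appRoleId back to its permission value, and then compares the result with the two permissions granted above. The function name Get-MsiApiPermissionExample and the sample values are assumptions; the cmdlets are from the Microsoft.Graph.Applications module.

```powershell
# Added example (not from the original post): audit the application permissions
# held by a managed identity. Assumes Microsoft.Graph.Applications is installed
# and Connect-MgGraph has been called with Application.Read.All.
# Function name and sample values are hypothetical.
#Requires -Modules Microsoft.Graph.Applications

function Get-MsiApiPermissionExample {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $MSIName)

    $msi = Get-MgServicePrincipal -Filter "displayName eq '$($MSIName.Replace("'", "''"))'"
    if (@($msi).Count -ne 1) { throw "Expected exactly one service principal named '$MSIName'." }

    # Cache the resource (API) service principals so each one is fetched once.
    $apiCache = @{}
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id -All | ForEach-Object {
        $assignment = $_
        if (-not $apiCache.ContainsKey($assignment.ResourceId)) {
            $apiCache[$assignment.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
        }
        $api  = $apiCache[$assignment.ResourceId]
        # Map the assignment's AppRoleId back to the human-readable permission value.
        $role = $api.AppRoles | Where-Object Id -eq $assignment.AppRoleId
        [pscustomobject]@{
            ManagedIdentity = $msi.DisplayName
            Api             = $api.DisplayName
            Permission      = $role.Value
            AssignmentId    = $assignment.Id
            CreatedDateTime = $assignment.CreatedDateTime
        }
    }
}

# Usage (constructed values): compare what is granted with what the post intends.
$expected = 'User.ReadWrite.All', 'Directory.ReadWrite.All'
$granted  = Get-MsiApiPermissionExample -MSIName 'myLogicApp' | Where-Object Api -eq 'Microsoft Graph'
$granted | Format-Table Api, Permission, CreatedDateTime

$missing = $expected | Where-Object { $_ -notin $granted.Permission }
if ($missing) { Write-Warning "Missing: $($missing -join ', ')" }

$extra = $granted.Permission | Where-Object { $_ -notin $expected }
if ($extra) { Write-Warning "Unexpected permissions (review for least privilege): $($extra -join ', ')" }
```

Running this periodically against your managed identities gives you a simple drift check: anything in the "unexpected" list is a permission nobody intended to grant, and both User.ReadWrite.All and Directory.ReadWrite.All are broad enough that a stray extra grant on the same identity deserves a second look.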
With this, your Logic App’s managed identity now has the necessary permissions to create users via the Microsoft Graph API! 🚀
Final Thoughts
Thanks for reading! 🙏
Try it out, and if you run into any issues, please feel free to open a GitHub issue. If you have any suggestions or improvements, don’t hesitate to open a pull request (PR).