DEV Community

Kinga
Kinga

Posted on • Updated on

Grant API Permissions with Microsoft.Graph

#powershell #azure #microsoftgraph

Granting API Permissions to Managed Identity can only be done using PowerShell.
In the past, we did it using AzureRM PowerShell modules, but since it will be retired in 29 February 2024, it's time to update the scripts to Az.

The Az.Resources PowerShell module 5.1.0+ introduces changes to the identity-related cmdlets, with the cmdlets relying on Azure AD Graph transitioning to Microsoft Graph.

PowerShell Modules

If you haven't done it yet, install the Az.Resources module

Install-Module -Name Az.Resources -Repository PSGallery -Scope CurrentUser
Enter fullscreen mode Exit fullscreen mode

Sign in

In order to change app role assignments, you need to have at least AppRoleAssignment.ReadWrite.All and Application.Read.All permissions.
Specify these scopes when signing in, to make sure you can execute the script

$tenantID = "{tenant-id}"
Connect-MgGraph -TenantId $tenantID `
-Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All"
Enter fullscreen mode Exit fullscreen mode

Grant API Permissions to Managed Identity 

$spObjId = "{service-principal-object-id}"
$siteUrl = "{site-url}"

# Get Service Principal
$sp = Get-MgServicePrincipal -ServicePrincipalId  $spObjId

### STEP 1: GRANT API PERMISSIONS TO MANAGED IDENTITY

#Retrieve the Azure AD Service Principal instance for the Microsoft Graph (00000003-0000-0000-c000-000000000000) or SharePoint Online (00000003-0000-0ff1-ce00-000000000000).
$servicePrincipal_Graph = Get-MgServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
$servicePrincipal_SPO = Get-MgServicePrincipal -Filter "DisplayName eq 'Office 365 SharePoint Online'"

#Get AppRole Id for Sites.Selected
$appRole_GraphId = ($servicePrincipal_Graph.AppRoles | Where-Object { $_.AllowedMemberTypes -eq "Application" -and $_.Value -eq "Sites.Selected" }).Id
$appRole_SPOId = ($servicePrincipal_SPO.AppRoles | Where-Object { $_.AllowedMemberTypes -eq "Application" -and $_.Value -eq "Sites.Selected" }).Id

# Grant API Permissions
$graphParams = @{
    principalId = $sp.Id
    resourceId  = $servicePrincipal_Graph.Id
    appRoleId   = $appRole_GraphId
}
$spoParams=@{
    principalId = $sp.Id
    resourceId  = $servicePrincipal_SPO.Id
    appRoleId   = $appRole_SPOId
}
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -BodyParameter $graphParams
New-MgServicePrincipalAppRoleAssignment  -ServicePrincipalId $sp.Id -BodyParameter $spoParams
Enter fullscreen mode Exit fullscreen mode

Quick check if everything went well 

Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id
Enter fullscreen mode Exit fullscreen mode

You may find the script here

Top comments (0)

Read next

mahzeb profile image

Accessibility exercise #2: Labour Day Poster

Mahzeb -

windui profile image

WindUI + Figma

Wind UI -

acloudguy profile image

Deploy Rancher on Azure AKS using Azure Cli & Helm Charts

Kunal Shah -

ashok6266 profile image

Unveiling the Mystery: Decoding the Dilemma of Lambda Deployment in Private Subnets

Ak -