My question is, do we have any documented method of granting a Manage Service Identity permissions to the Graph API as we would with an Azure App Registration in the portal? I was unable to find any Powershell options or ability to manage permissions for the MSI service principal in the Azure Portal or documentation. I found a similar question on MSDN forums, but wanted to make sure there were not any further updates or workarounds that anybody knew of?
MSDN Forum Post: https://social.msdn.microsoft.com/Forums/azure/en-US/dae34534-f193-4444-b52e-ba9cfa4a1fda/does-azure-msi-support-accessing-graph-api?forum=WindowsAzureAD
Go to the app's API permissions page. Select Add a permission and then choose Microsoft Graph in the flyout. Select Delegated permissions. Use the search box to find and select the required permissions.
Sign in to the Azure portal as a global administrator or application administrator. Search for and select Azure Active Directory. Under Manage, select App registrations. In the App registrations window, under the All applications tab, select the app for which you wish to add Azure AD Graph permissions.
If users are logging in with work or school accounts (Azure AD), you can just look inside the access token to see a list of permissions like User.
You can consent to permissions in Graph Explorer by choosing either the Modify permissions tab or the Consent to permissions option under the profile avatar when you're signed in.
Disclaimer - I'm not overly familiar with MSIs, but as they are modeled as service principals, this should work. Also I'm not able to validate these steps.
These steps require that you use Azure AD PowerShell (v2) to assign application permissions to your MSI (to access Microsoft Graph), and that you are an administrator or app admin in your tenant. For Microsoft Graph, the documented permissions can be found here. The same instructions could be used for other resources secured by Azure AD too. I'll assume that you've already installed the PowerShell module.
Connect-AzureAD
to connect PS to Azure Ad. Enter your admin creds.$graph = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
to find the service principal representing Microsoft Graph and assign it to a variable. The service principal for Microsoft Graph is currently created just in time on first access, so there is a possibility it doesn't exist. It can be created by calling New-AzureADServicePrincipal -AppId "00000003-0000-0000-c000-000000000000"
.$graph.AppRoles
- this will show you all the available application permissions that you can choose from that are exposed by Microsoft Graph. For example if your MSI needs to read group information, find the "Group.Read.All" permission from the list, and make a note of its permission Id (it's a GUID). For example here's one of the records from the AppRoles list:
AllowedMemberTypes : {Application}
Description : Allows the app to read events of all calendars without a signed-in user.
DisplayName : Read calendars in all mailboxes
Id : 798ee544-9d2d-430c-a058-570e29e34338
IsEnabled : True
Value : Calendars.Read
$msi = Get-AzureADServicePrincipal -Filter "AppId eq '{Your_MSI_appId}'"
New-AzureADServiceAppRoleAssignment -Id {permissionId} -PrincipalId $msi.ObjectId -ResourceId $graph.ObjectId
And that should do it. You should now be able to acquire an access token for your MSI to call Microsoft Graph, and the access token should contain a roles
claim that matches the permissions (ids) that you've assigned above. You can then use that access token to call Microsoft Graph. This is similar to steps 6 and 7 in https://docs.microsoft.com/en-us/azure/active-directory/msi-overview.
Hope this helps,
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With