As an IT admin, you probably have more scripts than you have coffee mugs. And let’s face it—most of us have a lot of coffee mugs.
Over time, our trusty PowerShell scripts have evolved from simple admin tools to complex automation beasts, running on everything from scheduled tasks to cloud-based services. But many admins are starting to move away from traditional PowerShell modules and are embracing the flexibility of the Microsoft Graph API. Why? Because it allows you to break free from the PowerShell bubble and use any system capable of sending HTTP requests. Talk about platform freedom!
Now here’s where it gets interesting…
The Problem with App Registrations
When it comes to automation—especially with tools like Logic Apps, Power Automate, or even Azure Functions—a common solution is to register an application in Azure AD and grant it API permissions. This works quite well, but like that drawer full of half-dead batteries in your office, it gets messy over time.
Here are a few downsides of relying on traditional app registrations:
- App registrations can be (mis)used for unintended purposes: anyone who gets hold of the client secret or certificate can use the app's permissions from anywhere, not just from your automation.
- Client secrets or certificates expire (usually at the worst possible time), so somebody has to rotate them and keep the new value out of source control, pipeline logs and chat threads.
Enter: Managed Identities – Your New Best Friend
Instead of juggling app registrations, consider using a Managed Identity. It is a feature of Azure resources that gives them an identity (a service principal) in Azure AD, without you having to create or manage credentials. The best part? You can assign Microsoft Graph application permissions to it, just like you would for a registered app.
So yes, your Logic App or Azure Function can talk directly to Microsoft Graph securely, with no secrets and no expiration dates: the platform issues tokens only to code running on that resource. Two caveats worth keeping in mind: the question shifts from "who has the secret?" to "who can run code on, or deploy to, that Logic App or Function?", and the permissions you grant are still tenant-wide application permissions with no user context, so grant only what the workload actually needs.
What You’ll Need
Before you jump in, make sure you have the following in place:
- Managed Identity enabled on the Azure resource (e.g., Logic App, Function App)
- A sign-in with the AppRoleAssignment.ReadWrite.All delegated permission (plus Application.Read.All to look up the service principals) – needed once, when you assign the permissions via script; the account doing this must hold a directory role that is allowed to grant application permissions
- The Microsoft.Graph PowerShell SDK installed (Install-Module Microsoft.Graph) – also just once
Sounds Cool… But How?
Once your Managed Identity is active, you run a script that grants it the necessary Graph permissions. The script signs you in with the AppRoleAssignment.ReadWrite.All scope, which allows it to assign application roles (Graph application permissions) directly to the identity's service principal. Note that this scope is itself very powerful (it can grant any application permission to any principal in the tenant), so use it interactively, once, from an admin account, rather than baking it into an automation of its own.
This eliminates the need for secret rotation or certificate management. Your Managed Identity simply gets the right permissions, and your automation keeps humming along like a well-oiled machine, or at least like a decently configured cron job.
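What "no secrets" looks like from inside the resource, as an added example that is not part of the original post: the workload asks the platform-local identity endpoint for a Graph token and checks the roles claim before doing any work. It assumes it runs in an App Service / Azure Functions or Azure Automation PowerShell runtime, where the IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables are injected by the platform; the required role name is the one from this post, the rest is illustrative.

```powershell
# Added example, not the post's script. Assumes the App Service / Functions /
# Automation managed identity endpoint (IDENTITY_ENDPOINT, IDENTITY_HEADER).

function Get-ManagedIdentityGraphToken {
    # No credential in the code: the local endpoint authenticates the caller by
    # the X-IDENTITY-HEADER value the platform injected into the process.
    $uri = "$($env:IDENTITY_ENDPOINT)?resource=https://graph.microsoft.com&api-version=2019-08-01"
    $response = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }
    return $response.access_token
}

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    # The second dot-separated segment is the payload, base64url-encoded without padding.
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    $claims = $json | ConvertFrom-Json
    return $claims
}

# Application permissions this workload is supposed to hold (from the post).
$requiredRoles = @('TeamsTab.Create')

$token  = Get-ManagedIdentityGraphToken
$claims = ConvertFrom-JwtPayload -Token $token

# Application permissions show up in the 'roles' claim. There is no 'scp' claim,
# because no user is involved in a managed identity token.
$missing = $requiredRoles | Where-Object { $_ -notin @($claims.roles) }
if ($missing) {
    throw "Managed identity $($claims.oid) is missing app roles: $($missing -join ', ') (a fresh assignment can take a few minutes to appear in new tokens)"
}

# From here on the token goes into the Authorization header of every Graph call.
$graphHeaders = @{ Authorization = "Bearer $token" }
Write-Host "Token for $($claims.oid) carries roles: $($claims.roles -join ', ')"
```

Failing fast on a missing role is deliberate: a Graph 403 deep inside a workflow is much harder to diagnose than a clear message at startup, and the check also catches the case where somebody granted the identity far more than the list above (compare `$claims.roles` against `$requiredRoles` in both directions if you want to alert on over-permissioning).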
Full Script
# Role you want to assign to the managed identity
$roleName = "TeamsTab.Create"
# Name of the resource on which you activated the managed identity
# (its service principal in Azure AD carries the same display name)
$automationAccountName = "CustomerChannelCreation"
# Connect to Graph and request exactly the delegated scopes this script needs
Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All","Application.Read.All"
# Find the managed identity's service principal; display names are not unique, so insist on exactly one match
$mi = @(Get-MgServicePrincipal -Filter "displayName eq '$automationAccountName'")
if ($mi.Count -ne 1) { throw "Expected exactly one service principal named '$automationAccountName', found $($mi.Count)" }
$mi = $mi[0]
# Find the service principal for MS Graph (this appId is the same in every tenant)
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
# Get the permission role from the Graph principal (e.g. DeviceManagementManagedDevices.ReadWrite.All);
# only roles that allow the member type "Application" can be assigned to a service principal
$appRole = $graphSp.AppRoles | Where-Object { $_.Value -eq $roleName -and $_.AllowedMemberTypes -contains "Application" }
if (-not $appRole) { throw "Application permission '$roleName' not found on the Microsoft Graph service principal" }
# Assign the permission
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id `
-PrincipalId $mi.Id `
-ResourceId $graphSp.Id `
-AppRoleId $appRole.Id
After that execution you can see the assigned permissions in the portal under Enterprise applications: filter the application type to Managed Identities, open the identity and look at Permissions. They do not appear under App registrations, because a managed identity has no app registration.
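The portal view is fine for a one-off check, but the same review (and the clean-up when a workload no longer needs a permission) should be scriptable. The following is an added example, not code from the original post: it lists the Graph application permissions a managed identity currently holds, resolved from role GUIDs to their names, and removes one of them. It reuses the resource name from the post; the role being removed is a placeholder.

```powershell
# Added example, not the post's script. Lists and revokes Graph app roles on a
# managed identity. $automationAccountName is from the post; $roleToRemove is illustrative.
$automationAccountName = "CustomerChannelCreation"
$roleToRemove = "TeamsTab.Create"   # placeholder: permission the workload no longer needs

Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All","Application.Read.All"

# Same lookup as in the grant script: display names are not unique, so require exactly one match
$mi = @(Get-MgServicePrincipal -Filter "displayName eq '$automationAccountName'")
if ($mi.Count -ne 1) { throw "Expected exactly one service principal named '$automationAccountName', found $($mi.Count)" }
$mi = $mi[0]
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Map Graph app role GUIDs to their readable values (e.g. TeamsTab.Create)
$roleNames = @{}
foreach ($r in $graphSp.AppRoles) { $roleNames[[string]$r.Id] = $r.Value }

# appRoleAssignments on a service principal = roles this principal has been granted on other apps;
# keep only those whose resource is Microsoft Graph
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id }

# Review: what can this identity do against Graph right now?
$assignments | ForEach-Object {
    [pscustomobject]@{
        Permission   = $roleNames[[string]$_.AppRoleId]
        AssignmentId = $_.Id
        Granted      = $_.CreatedDateTime
    }
} | Format-Table -AutoSize

# Revoke: remove the assignment(s) for the role that is no longer needed
$stale = $assignments | Where-Object { $roleNames[[string]$_.AppRoleId] -eq $roleToRemove }
if (-not $stale) { Write-Host "$($mi.DisplayName) does not hold $roleToRemove; nothing to remove" }
foreach ($a in $stale) {
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -AppRoleAssignmentId $a.Id
    Write-Host "Removed $roleToRemove from $($mi.DisplayName)"
}
```

Running the review part periodically across all service principals of type ManagedIdentity gives you the same inventory for the whole tenant, which is the part of the "app registrations get messy over time" problem that a managed identity does not solve by itself.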

