Azure Managed Identity provides a secure and convenient way to authenticate applications and services within the Azure ecosystem.
With a Managed Identity, you can authenticate your application to various Azure services, including Microsoft Graph.
By assigning the appropriate permissions to the Managed Identity, you control which Graph resources it can access and keep those interactions secure.
The main advantage is that it is passwordless: it moves away from authentication methods that rely on secrets, passwords and similar credentials that have to be stored and rotated.
The majority of Azure services now support it.
In this recent example, a team member of ours was writing automation with an Azure Automation account and needed the Device.Read.All Graph permission granted to the managed identity owned by that Automation account.
Here are the steps to achieve this goal:
1. First, connect to Azure AD using the Azure AD PowerShell module.
2. Define the variables below
$TenantID = "S6a89h403-2356-6htr-9k89-raa464e3k9821" # Add your tenant id
$GraphAppId = "00000003-0000-0000-c000-000000000000" # Microsoft Graph app id; this is the same in every tenant
$ManagedIdentity = "TechWizard-AutomationACCt" # display name of the managed identity
$PermissionName = "Device.Read.All" # Graph application permission to grant

3. Fetch the managed identity's service principal
$MI = (Get-AzureADServicePrincipal -Filter "displayName eq '$ManagedIdentity'")

4. Fetch the Microsoft Graph service principal and the matching application role
$GraphSP = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
$AppRole = $GraphSP.AppRoles | Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application" }

5. Assign the application role to the managed identity
New-AzureADServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId -ResourceId $GraphSP.ObjectId -Id $AppRole.Id

Now when you check the managed identity, you will see the Device.Read.All permission applied.
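The same steps wrapped in a reusable function, as an added example that is not part of the original post: it fails loudly if the identity or the role cannot be resolved, skips the grant if it already exists so the script can be re-run safely, and verifies the assignment afterwards. It assumes the AzureAD module is installed and Connect-AzureAD has already been run; the function name and the lookup via Get-AzureADServiceAppRoleAssignment on the Graph service principal are my choices, not from the post.

```powershell
# Added example, not the original post's code. Assumes Connect-AzureAD has already run.
function Grant-GraphAppRoleToManagedIdentity {
    param(
        [Parameter(Mandatory)][string]$ManagedIdentityName,
        [Parameter(Mandatory)][string]$PermissionName,
        [string]$GraphAppId = '00000003-0000-0000-c000-000000000000'  # Microsoft Graph, same in every tenant
    )

    # Resolve the managed identity's service principal; refuse to guess if 0 or several match the name
    $mi = @(Get-AzureADServicePrincipal -Filter "displayName eq '$ManagedIdentityName'")
    if ($mi.Count -ne 1) {
        throw "Expected exactly one service principal named '$ManagedIdentityName', found $($mi.Count)."
    }
    $mi = $mi[0]

    # Resolve the Microsoft Graph service principal and the requested application role
    $graphSp = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
    $appRole = $graphSp.AppRoles | Where-Object {
        $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'
    }
    if (-not $appRole) {
        throw "Application permission '$PermissionName' not found on Microsoft Graph."
    }

    # Existing grants where Graph is the resource; skip if this principal already holds the role
    $existing = Get-AzureADServiceAppRoleAssignment -ObjectId $graphSp.ObjectId |
        Where-Object { $_.PrincipalId -eq $mi.ObjectId -and $_.Id -eq $appRole.Id }
    if ($existing) {
        Write-Output "'$PermissionName' is already assigned to '$ManagedIdentityName'; nothing to do."
        return $existing
    }

    $null = New-AzureADServiceAppRoleAssignment -ObjectId $mi.ObjectId `
        -PrincipalId $mi.ObjectId -ResourceId $graphSp.ObjectId -Id $appRole.Id

    # Verify the grant actually landed before the caller relies on it
    $verify = Get-AzureADServiceAppRoleAssignment -ObjectId $graphSp.ObjectId |
        Where-Object { $_.PrincipalId -eq $mi.ObjectId -and $_.Id -eq $appRole.Id }
    if (-not $verify) { throw "Assignment of '$PermissionName' could not be verified." }
    Write-Output "Granted '$PermissionName' to '$ManagedIdentityName' (assignment $($verify.ObjectId))."
    return $verify
}

# Values from the post; replace with your own identity name and the permission you need
Grant-GraphAppRoleToManagedIdentity -ManagedIdentityName 'TechWizard-AutomationACCt' -PermissionName 'Device.Read.All'
```

Application permissions granted this way apply tenant-wide and need no user consent, so keep the role to the narrowest one the automation actually needs and re-run the function to confirm nothing extra was granted.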

In the same way you can assign any other permission to a managed identity.
Thanks for reading …
Tech Wizard