Assign permissions to Entra managed identity
- romanvitsinskyi
- 4 days ago
- 1 min read
Entra currently doesn't allow to add any permissions to Managed Identity via Entra Portal like you would normally do for app registration or service principal. However, you may have a need to assign permissions to Managed Identities, for example to one used in Azure Automation to automate various Entra tasks. As always, PowerShell to the rescue. Please use below code to get the job done, populate $TenantID, $GraphAppId, $DisplayNameOfMSI and $PermissionName
$TenantID=""$GraphAppId = "00000003-0000-0000-c000-000000000000" # replace if need other API permission, O365 Management API$DisplayNameOfMSI=""$PermissionName = "" # for example "Directory.Read.All"$MSI = (Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'")$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"$AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
