MSI Permissions for Graph API

by

Disclaimer – I’m not overly familiar with MSIs, but as they are modeled as service principals, this should work. Also I’m not able to validate these steps.

These steps require that you use Azure AD PowerShell (v2) to assign application permissions to your MSI (to access Microsoft Graph), and that you are an administrator or app admin in your tenant. For Microsoft Graph, the documented permissions can be found here. The same instructions could be used for other resources secured by Azure AD too. I’ll assume that you’ve already installed the PowerShell module.

  1. Connect-AzureAD to connect PS to Azure Ad. Enter your admin creds.
  2. $graph = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'" to find the service principal representing Microsoft Graph and assign it to a variable. The service principal for Microsoft Graph is currently created just in time on first access, so there is a possibility it doesn’t exist. It can be created by calling New-AzureADServicePrincipal -AppId "00000003-0000-0000-c000-000000000000".
  3. $graph.AppRoles – this will show you all the available application permissions that you can choose from that are exposed by Microsoft Graph. For example if your MSI needs to read group information, find the “Group.Read.All” permission from the list, and make a note of its permission Id (it’s a GUID). For example here’s one of the records from the AppRoles list:
    AllowedMemberTypes : {Application}
    Description : Allows the app to read events of all calendars without a signed-in user.
    DisplayName : Read calendars in all mailboxes
    Id : 798ee544-9d2d-430c-a058-570e29e34338
    IsEnabled : True
    Value : Calendars.Read
  4. Find your MSI’s objectId (assuming you don’t know it, but that you do know its clientId/appId):
    $msi = Get-AzureADServicePrincipal -Filter "AppId eq '{Your_MSI_appId}'"
  5. For each of the permissions your MSI needs, run the following PS cmdlet to assign the permission to your MSI:
    New-AzureADServiceAppRoleAssignment -Id {permissionId} -PrincipalId $msi.ObjectId -ResourceId $graph.ObjectId

And that should do it. You should now be able to acquire an access token for your MSI to call Microsoft Graph, and the access token should contain a roles claim that matches the permissions (ids) that you’ve assigned above. You can then use that access token to call Microsoft Graph. This is similar to steps 6 and 7 in https://learn.microsoft.com/en-us/azure/active-directory/msi-overview.

Hope this helps,

More Related Contents:

  1. Which Graph API should be used with Azure AD B2C
  2. Azure Portal: Bad Request – Request Too Long
  3. IDX21323 OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocolValidatedIdToken.Payload.Nonce was not null
  4. Azure: Service Principal ID vs Application ID
  5. Can a “User Assigned Managed Identity” be used locally?
  6. How to validate Azure AD security token?
  7. What format is the exp (Expiration Time) claim in a JWT
  8. Tenant does not have a SPO license
  9. What’s the difference between Azure AD B2C tenant and normal Azure AD tenant?
  10. how to get Azure Active Directory B2C working with Bot Framework?
  11. Upload file to SharePoint drive using Microsoft Graph
  12. Azure authentication Audience validation failed
  13. Logging into Azure Ad with Cypress
  14. Why is “Application permissions” disabled in Azure AD’s “Request API permissions”?
  15. Correlation failed in net.core / asp.net identity / openid connect
  16. How to get the azure account tenant Id?
  17. When should I use Outlook REST API vs Microsoft Graph API?
  18. IDX10501: Signature validation failed. Unable to match keys
  19. SharePoint Rest API how to get Access Token?
  20. Unable to filter messages by recipient in Microsoft Graph Api. One or more invalid nodes
  21. Azure Function with AD auth results in 401 Unauthorized when using Bearer tokens
  22. Get a list of groups that Azure AD user belongs to in claims
  23. How to send email from any one email using Microsoft Graph
  24. Enabling CORS on Azure Active Directory
  25. “Use a tenant-specific endpoint or configure the application to be multi-tenant” when signing into my Azure website
  26. How to add application to Azure AD programmatically?
  27. How to authenticate user with Azure Active Directory using OAuth 2.0?
  28. Azure AD Custom Claims in JWT
  29. Authentication with Azure Active Directory – how to accept user credentials programmatically
  30. Trouble getting ClaimsPrincipal populated when using EasyAuth to authenticate against AAD on Azure App Service in a Asp.Net Core web app

Leave a Comment