5

My question is, do we have any documented method of granting a Managed Service Identity permissions to the Graph API as we would with an Azure App Registration in the portal? I was unable to find any PowerShell options or ability to manage permissions for the MSI service principal in the Azure Portal or documentation. I found a similar question on MSDN forums, but wanted to make sure there were not any further updates or workarounds that anybody knew of?

MSDN Forum Post: https://social.msdn.microsoft.com/Forums/azure/en-US/dae34534-f193-4444-b52e-ba9cfa4a1fda/does-azure-msi-support-accessing-graph-api?forum=WindowsAzureAD

  • I am voting to close this question because it is _Seeking recommendations for books, tools, software libraries, and more_, which is off-topic. – Trenton McKinney Nov 13 '20 at 03:45

2 Answers

14

Disclaimer - I'm not overly familiar with MSIs, but as they are modeled as service principals, this should work. Also I'm not able to validate these steps.

These steps require that you use Azure AD PowerShell (v2) to assign application permissions to your MSI (to access Microsoft Graph), and that you are an administrator or app admin in your tenant. For Microsoft Graph, the documented permissions can be found here. The same instructions could be used for other resources secured by Azure AD too. I'll assume that you've already installed the PowerShell module.

  1. `Connect-AzureAD` to connect PS to Azure AD. Enter your admin creds.
  2. `$graph = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"` to find the service principal representing Microsoft Graph and assign it to a variable. The service principal for Microsoft Graph is currently created just in time on first access, so there is a possibility it doesn't exist. It can be created by calling `New-AzureADServicePrincipal -AppId "00000003-0000-0000-c000-000000000000"`.
  3. `$graph.AppRoles` - this will show you all the available application permissions that you can choose from that are exposed by Microsoft Graph. For example if your MSI needs to read group information, find the "Group.Read.All" permission from the list, and make a note of its permission Id (it's a GUID). For example here's one of the records from the AppRoles list:

         AllowedMemberTypes : {Application}
         Description        : Allows the app to read events of all calendars without a signed-in user.
         DisplayName        : Read calendars in all mailboxes
         Id                 : 798ee544-9d2d-430c-a058-570e29e34338
         IsEnabled          : True
         Value              : Calendars.Read

  4. Find your MSI's objectId (assuming you don't know it, but that you do know its clientId/appId): `$msi = Get-AzureADServicePrincipal -Filter "AppId eq '{Your_MSI_appId}'"`
  5. For each of the permissions your MSI needs, run the following PS cmdlet to assign the permission to your MSI: `New-AzureADServiceAppRoleAssignment -Id {permissionId} -PrincipalId $msi.ObjectId -ResourceId $graph.ObjectId`

And that should do it. You should now be able to acquire an access token for your MSI to call Microsoft Graph, and the access token should contain a roles claim that matches the permissions (ids) that you've assigned above. You can then use that access token to call Microsoft Graph. This is similar to steps 6 and 7 in https://learn.microsoft.com/en-us/azure/active-directory/msi-overview.

Hope this helps,
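The five steps above as one re-runnable script. This is an added example, not code from the answer or from Microsoft; it assumes the AzureAD (v2) module is installed, that `Connect-AzureAD` has been run with an account allowed to grant app roles, and that the instance metadata token endpoint URL in the usage comments is the one documented for Azure VMs. The function and parameter names (`Grant-MsiGraphAppRole`, `Get-MsiGraphGrants`, `Get-JwtRoles`, `-MsiAppId`, `-PermissionValue`) are my own. It looks permissions up by their `Value` (e.g. `Group.Read.All`) instead of by GUID, refuses delegated or disabled roles, skips grants that already exist, and gives you a way to audit what the identity holds and to confirm the `roles` claim in a token it acquires.

```powershell
# Added example (not from the original answer). Assumes the AzureAD module is
# installed and Connect-AzureAD has already been run by an admin.

$GraphAppId = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph app id (from the answer)

function Get-GraphServicePrincipal {
    # Microsoft Graph's SP is created just in time on first access (per the answer),
    # so create it if the tenant does not have one yet.
    $sp = Get-AzureADServicePrincipal -Filter "AppId eq '$GraphAppId'"
    if (-not $sp) {
        $sp = New-AzureADServicePrincipal -AppId $GraphAppId
    }
    return $sp
}

function Grant-MsiGraphAppRole {
    param(
        [Parameter(Mandatory)][string]$MsiAppId,          # client/app id of the managed identity
        [Parameter(Mandatory)][string[]]$PermissionValue  # e.g. 'Group.Read.All' (least privilege: pick the narrowest)
    )
    $graph = Get-GraphServicePrincipal
    $msi = Get-AzureADServicePrincipal -Filter "AppId eq '$MsiAppId'"
    if (-not $msi) { throw "No service principal found for AppId $MsiAppId" }

    # Grants the identity already has against Graph, so re-running does not fail on duplicates.
    $existing = Get-AzureADServiceAppRoleAssignedTo -ObjectId $msi.ObjectId |
        Where-Object { $_.ResourceId -eq $graph.ObjectId }

    foreach ($value in $PermissionValue) {
        # Resolve the readable permission name to its app role id; accept only
        # enabled *application* roles (delegated scopes are not app roles).
        $role = $graph.AppRoles | Where-Object {
            $_.Value -eq $value -and $_.IsEnabled -and $_.AllowedMemberTypes -contains 'Application'
        }
        if (-not $role) { throw "Microsoft Graph exposes no enabled application permission named '$value'" }

        if ($existing | Where-Object { $_.Id -eq $role.Id }) {
            Write-Host "Already granted: $value ($($role.Id))"
            continue
        }
        # -ObjectId is mandatory on this cmdlet; for an MSI it is the principal's own
        # ObjectId (as confirmed in the comments on the answer).
        New-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -PrincipalId $msi.ObjectId `
            -ResourceId $graph.ObjectId -Id $role.Id | Out-Null
        Write-Host "Granted: $value ($($role.Id))"
    }
}

function Get-MsiGraphGrants {
    # Audit view: the Graph application permissions (by Value) this identity currently holds.
    param([Parameter(Mandatory)][string]$MsiAppId)
    $graph = Get-GraphServicePrincipal
    $msi = Get-AzureADServicePrincipal -Filter "AppId eq '$MsiAppId'"
    if (-not $msi) { throw "No service principal found for AppId $MsiAppId" }
    Get-AzureADServiceAppRoleAssignedTo -ObjectId $msi.ObjectId |
        Where-Object { $_.ResourceId -eq $graph.ObjectId } |
        ForEach-Object {
            $roleId = $_.Id
            ($graph.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
        }
}

function Get-JwtRoles {
    # Decodes the payload of an access token locally (no signature verification;
    # this only inspects the 'roles' claim) and returns the roles it carries.
    param([Parameter(Mandatory)][string]$Token)
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return ($json | ConvertFrom-Json).roles
}

# Usage (hypothetical values):
#   Connect-AzureAD
#   Grant-MsiGraphAppRole -MsiAppId '<your MSI appId>' -PermissionValue 'Group.Read.All'
#   Get-MsiGraphGrants -MsiAppId '<your MSI appId>'
# On the VM itself, confirm the roles claim of a token obtained from the instance
# metadata endpoint (URL assumed from the Azure managed identity docs):
#   $t = Invoke-RestMethod -Headers @{ Metadata = 'true' } -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://graph.microsoft.com'
#   Get-JwtRoles -Token $t.access_token
```

Application permissions granted this way apply tenant-wide with no signed-in user, so `Get-MsiGraphGrants` is worth keeping in your periodic access reviews, and the `Value` lookup makes it easy to see at a glance whether an identity holds more than the narrowest permission its workload needs. If `New-AzureADServiceAppRoleAssignment` returns `Authorization_RequestDenied` even for a Global Admin, check the grant afterwards with `Get-MsiGraphGrants` before retrying: the comments below report the assignment being applied despite the error.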

  • 2
    I followed the steps as described above and I can confirm this works. With the addition that PowerShell asks for the -ObjectId parameter, it's the same as the principal Id: `New-AzureADServiceAppRoleAssignment -Id {permissionId} -PrincipalId $msi.ObjectId -ObjectId $msi.ObjectId -ResourceId $graph.ObjectId`. You can get the AppId of the managed service identity by going to Azure Active Directory - Enterprise applications - All applications. Be sure to set all the filters to 'Any' / 'All Applications' – Martijn Jan 01 '18 at 13:33
  • Thanks for the confirmation and the additional info. You shouldn't need to supply the objectId on a new assignment - that should be generated for you by the system, but I guess I could be wrong. However as far as I know the objectId here is read-only. – Dan Kershaw - MSFT Jan 02 '18 at 05:28
  • @DanKershaw-MSFT is this supported in Azure gov? I'm having trouble getting `New-AzureADServiceAppRoleAssignment` to work despite having success in non-gov – Josh Aug 08 '18 at 03:02
  • 1
    I'm doing what @DanKershaw-MSFT is saying but I'm getting the following error (**I am running the PowerShell commands as a Global Admin**):

    > New-AzureADServiceAppRoleAssignment : Error occurred while executing
    > Authorization_RequestDenied Message: Insufficient privileges to complete the operation.
    >
    > HttpStatusDescription: Forbidden
    > HttpStatusCode: Forbidden
    > HttpResponseStatus:

    But when I check the permissions for the principal in the Enterprise Application, they seemed to be applied! Can you please share the code to get the access token for the principal? – Olandese Aug 27 '18 at 15:52
  • Thanks @DanKershaw-MSFT for this and works perfectly! For anyone facing issues, check out my [blog post](https://www.rahulpnath.com/blog/how-to-authenticate-with-microsoft-graph-api-using-managed-service-identity/) for more details. – Rahul P Nath Oct 09 '19 at 00:27
0

The RequestDenied message is expected. There was a change such that updating the system MSI SP is now blocked.

  • Can you please elaborate on this a bit more? Do you have any link to the official docs that describes the reasoning behind the "updating the System MSI SP is now blocked" ? – Kacper Ryniec Mar 05 '19 at 21:56