
I have an Azure Function that is backed by a managed identity.

On the same AD there is Office 365 with a SharePoint site called "demonews".

How do I add permissions / add the managed identity to the group "demonews" so that it can access the SharePoint API?

I tried Add Member on the SharePoint site, and I tried adding a member to the AD group. The dropdown does not find a managed identity.

Poul K. Sørensen
  • Have you tried adding your identity as an app-only user? https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly – Thomas Sep 15 '19 at 06:38
  • That is the app registrations (you can't assign permissions/APIs to managed API registrations that I know of). So you can create an app registration, save the secret in Key Vault and use MSI to access Key Vault. – Poul K. Sørensen Sep 15 '19 at 09:44
  • I've never tried with SharePoint but I've used managed identity to connect to D365, which has kind of the same approach. You can retrieve the managed identity app id from the `enterprise application blade` in Azure AD. – Thomas Sep 15 '19 at 09:47
  • Managed identity is just a specific type of service principal, so from a SharePoint point of view it is the same: just an object in Azure AD. – Thomas Sep 15 '19 at 09:48

1 Answer

I think this is what you are looking for:

https://finarne.wordpress.com/2019/03/17/azure-function-using-a-managed-identity-to-call-sharepoint-online/

Essentially you will get the Azure service principal for Office 365 SharePoint as well as its roles.

    # Get the SharePoint principal
    $sharePoint = (Get-AzureADServicePrincipal -SearchString "Office 365 SharePoint").ObjectId

    # Get the roles for that principal
    $appRoles = Get-AzureADServicePrincipal -SearchString "Office 365 SharePoint" | %{ $_.AppRoles }

    # Find the specific role (the assignment cmdlet needs the role's Id, a GUID, not the role object)
    $appRole = ($appRoles | Where-Object { $_.Value -eq "Sites.Manage.All" }).Id

    # You will also need to get the service principal for your function app

    # Get the function app object id
    $myfunctionapp = (Get-AzureADServicePrincipal -SearchString "myfunctionapp").ObjectId

    # Assign the role to the MSI for the SharePoint resource
    New-AzureADServiceAppRoleAssignment -ObjectId $myfunctionapp -PrincipalId $myfunctionapp -ResourceId $sharePoint -Id $appRole

You can then use the local MSI endpoint and secret to obtain a token.

  • If that works, I assume you are right, but given that you can't do that from the UI in the Azure portal, how can the admin give consent to the added role? – Poul K. Sørensen Sep 18 '19 at 08:05
  • I don't know the answer to that question, other than maybe you are granting permissions to the resource for a service principal and not an application? – rfarris2000 Sep 19 '19 at 13:54
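The following is an added, end-to-end PowerShell example of the procedure the answer describes; it is not code from the answer or from the linked blog post. It resolves the SharePoint Online service principal by its well-known application id instead of a display-name search, refuses to proceed if the function app name matches more than one service principal, checks for an existing assignment so it can be re-run safely, and then shows the token call the function itself makes against the local identity endpoint. The tenant name is a placeholder; the site name "demonews" and function app name "myfunctionapp" come from the page. The assignment written by New-AzureADServiceAppRoleAssignment is itself the grant of the application permission, which is why there is no separate consent step in the portal for a service principal, answering the question raised in the comments above.

```powershell
# Added example (not from the answer or the linked blog post). Assumes the AzureAD
# module is installed and Connect-AzureAD has been run by an account permitted to
# grant application permissions in the tenant.
$TenantName      = 'contoso'        # placeholder: <tenant>.sharepoint.com
$SiteName        = 'demonews'       # from the question
$FunctionAppName = 'myfunctionapp'  # from the answer
$RoleToGrant     = 'Sites.Manage.All'

function Grant-SharePointAppRole {
    param(
        [Parameter(Mandatory)][string]$PrincipalDisplayName,
        [Parameter(Mandatory)][string]$RoleValue
    )
    # Resolve SharePoint Online by its well-known application id; a display-name
    # search such as "Office 365 SharePoint" can match more than one object.
    $spo = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0ff1-ce00-000000000000'"
    if (-not $spo) { throw 'SharePoint Online service principal not found in this tenant' }

    # Only application roles (AllowedMemberTypes contains 'Application') can be
    # assigned to a service principal such as a managed identity.
    $role = $spo.AppRoles | Where-Object {
        $_.Value -eq $RoleValue -and $_.AllowedMemberTypes -contains 'Application'
    }
    if (-not $role) { throw "Application role '$RoleValue' is not exposed by SharePoint Online" }

    # The managed identity shows up as a service principal named after the function
    # app. Fail on an ambiguous name instead of silently picking the first match.
    $mi = @(Get-AzureADServicePrincipal -Filter "displayName eq '$PrincipalDisplayName'")
    if ($mi.Count -ne 1) {
        throw "Expected exactly one service principal named '$PrincipalDisplayName', found $($mi.Count)"
    }

    # Idempotency: return the existing assignment if this role is already granted.
    $existing = Get-AzureADServiceAppRoleAssignment -ObjectId $mi[0].ObjectId |
        Where-Object { $_.Id -eq $role.Id -and $_.ResourceId -eq $spo.ObjectId }
    if ($existing) {
        Write-Verbose "Role '$RoleValue' is already assigned to '$PrincipalDisplayName'"
        return $existing
    }

    # Writing the assignment is the grant; no separate consent dialog applies.
    New-AzureADServiceAppRoleAssignment -ObjectId $mi[0].ObjectId `
        -PrincipalId $mi[0].ObjectId -ResourceId $spo.ObjectId -Id $role.Id
}

function Get-ManagedIdentityToken {
    # Runs inside the function app: ask the local identity endpoint for a token
    # for the given resource. No secret is stored in app settings or code.
    param([Parameter(Mandatory)][string]$Resource)

    $encoded = [uri]::EscapeDataString($Resource)
    if ($env:IDENTITY_ENDPOINT) {
        # Current App Service / Functions endpoint (api-version 2019-08-01)
        $uri     = "$($env:IDENTITY_ENDPOINT)?resource=$encoded&api-version=2019-08-01"
        $headers = @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }
    } elseif ($env:MSI_ENDPOINT) {
        # Older endpoint and secret the answer refers to (api-version 2017-09-01)
        $uri     = "$($env:MSI_ENDPOINT)?resource=$encoded&api-version=2017-09-01"
        $headers = @{ 'secret' = $env:MSI_SECRET }
    } else {
        throw 'No managed identity endpoint in the environment; is identity enabled on the function app?'
    }
    (Invoke-RestMethod -Method Get -Uri $uri -Headers $headers).access_token
}

# Step 1, run once by an administrator from a workstation:
Grant-SharePointAppRole -PrincipalDisplayName $FunctionAppName -RoleValue $RoleToGrant

# Step 2, run inside the function app at request time:
$token = Get-ManagedIdentityToken -Resource "https://$TenantName.sharepoint.com"
Invoke-RestMethod -Uri "https://$TenantName.sharepoint.com/sites/$SiteName/_api/web" `
    -Headers @{ Authorization = "Bearer $token"; Accept = 'application/json;odata=verbose' }
```

Sites.Manage.All is tenant-wide, so the function can reach every site, not only "demonews"; when the token is only needed for one site, SharePoint Online also exposes the Sites.Selected application role, which grants nothing by itself and is then scoped to individual sites, and the same assignment function above works for it by passing `-RoleValue 'Sites.Selected'`.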