
I have successfully added application permissions to my system assigned Managed Identity/Service principal/MSI (Enterprise app) connected to an Azure Function through the following guide.

https://gist.githubusercontent.com/JanVidarElven/32b8f6bb8a422c9cce1816582eef24d8/raw/1148f1a96a351acf1a0fcf282e187ef1d2398fb1/AddManagedIdentityMSGraphAppRoles.md

I have previously used a separately created App registration/Enterprise app and used a secret from it to acquire a token to use when sending requests to Microsoft Graph API.

import msal

# appreg_client_id and appreg_tenant_id are module-level config; the authority
# msal expects is a URL such as https://login.microsoftonline.com/<tenant-id>
default_scope = ["https://graph.microsoft.com/.default"]  # msal takes a list of scopes

def get_auth_token_appreg(secret):
    app = msal.ConfidentialClientApplication(appreg_client_id, authority=appreg_tenant_id, client_credential=secret)

    # Try the in-memory token cache first, then fall back to the client-credentials flow
    result = app.acquire_token_silent(default_scope, account=None)

    if not result:
        result = app.acquire_token_for_client(default_scope)

    return result["access_token"]

I can't figure out how (if it's possible) to use this MSI without using an app registration secret in Python. Since there is no app registration I'm not even sure I can get a secret for this MSI. I don't want to use a secret but rather utilize the MSI (with its permissions) instead, since a secret kinda defeats the purpose of adding permissions to the MSI.

Any ideas?

ChristofferL
  • Check `azure-identity` library for the class you can use to get a Managed Identity access token: https://learn.microsoft.com/en-us/python/api/overview/azure/identity-readme?view=azure-python#managed-identity – juunas Apr 08 '22 at 08:12
  • @juunas Thanks! I've tested it with the following, but the token that I get back contains no roles/permissions. I use `credential = DefaultAzureCredential(); token = credential.get_token(default_scope)`. The variable default_scope is set to `https://graph.microsoft.com/.default`. The Managed Identity/Enterprise app has Group.Read.All, User.Read.All, GroupMember.ReadWrite.All and AuditLog.Read.All under permissions, all granted through admin consent. – ChristofferL Apr 08 '22 at 11:22
  • And you are running this in the VM? It might also be better to use `ManagedIdentityCredential` to ensure you use that method instead of e.g. AZ CLI by accident. – juunas Apr 08 '22 at 11:40
  • @juunas No, it's run in an Azure Function (Linux), Consumption tier. The reason for choosing DefaultAzureCredential() is that I write the Python code in VS Code. I see in the logs that it utilizes ManagedIdentityCredential, but I tested it with that as well, with the same result. – ChristofferL Apr 08 '22 at 13:13
  • Can you inspect the token and check what the `oid` value is? It should match the enterprise app's object id for the Managed Identity. – juunas Apr 08 '22 at 13:27
  • 1
    @juunas It's working now. I must have added the permissions on another similar app... Thanks for the help! – ChristofferL Apr 08 '22 at 13:50

1 Answer

Got it working with some help in the comments.

Add permissions to the managed identity; it can be found in the Enterprise applications list if you change the Application type filter to Managed Identity.

PowerShell guide to add permissions:

https://gist.githubusercontent.com/JanVidarElven/32b8f6bb8a422c9cce1816582eef24d8/raw/1148f1a96a351acf1a0fcf282e187ef1d2398fb1/AddManagedIdentityMSGraphAppRoles.md

Python code to issue a token:

from azure.identity import DefaultAzureCredential

default_scope = "https://graph.microsoft.com/.default"

def get_token():
    credential = DefaultAzureCredential()
    # get_token returns an AccessToken(token, expires_on) named tuple
    token = credential.get_token(default_scope)
    return token.token

Make sure that the token that is issued has the correct roles/permissions. You can use https://jwt.ms/ to check the token.

ChristofferL
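As an added example (not code from the question or the answer above), the following Python does the check the comments converged on, but in code rather than by pasting into jwt.ms: it acquires the token with `ManagedIdentityCredential` (so a developer's Azure CLI login cannot be picked up by accident), decodes the JWT payload locally, and refuses to proceed unless the `aud` is Microsoft Graph, the token is unexpired, the `oid` is the managed identity's enterprise-app object id, and every application permission the Function needs appears in the `roles` claim. A token with no `roles` claim at all is the symptom seen in the question. The object id, roles and expiry in the sample token are constructed for the offline demo; the `azure-identity` import is deferred so the module loads where that package is not installed.

```python
"""Added example: validate a managed-identity Graph token before using it."""
import base64
import json
import time

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Graph tokens carry either form of audience depending on how the scope was requested.
GRAPH_AUDIENCES = ("https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.

    Only for inspecting a token you just obtained yourself (what jwt.ms does);
    never use this to accept tokens presented by callers.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_graph_token(token: str, required_roles, expected_oid=None, now=None):
    """Return a list of problems with the token; an empty list means it is usable."""
    claims = decode_jwt_claims(token)
    problems = []
    aud = claims.get("aud")
    if aud not in GRAPH_AUDIENCES:
        problems.append(f"unexpected audience: {aud!r}")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    # 'oid' should be the object id of the managed identity's enterprise app;
    # a different oid means the permissions were granted to some other identity.
    if expected_oid and claims.get("oid") != expected_oid:
        problems.append(f"oid {claims.get('oid')!r} is not the managed identity {expected_oid!r}")
    # Application permissions show up as the 'roles' claim; none at all means
    # nothing was granted to the identity this token was issued to.
    granted = set(claims.get("roles", []))
    missing = sorted(set(required_roles) - granted)
    if missing:
        problems.append(f"missing application roles: {missing}")
    return problems


def get_graph_token() -> str:
    """Acquire a Graph token with the Function's managed identity (works only in Azure)."""
    from azure.identity import ManagedIdentityCredential  # deferred so the module loads offline
    return ManagedIdentityCredential().get_token(GRAPH_SCOPE).token


def make_unsigned_test_token(claims: dict) -> str:
    """Build a JWT-shaped string with a bogus signature, for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Constructed sample (hypothetical object id) resembling a managed-identity token.
    msi_oid = "11111111-2222-3333-4444-555555555555"
    sample = make_unsigned_test_token({
        "aud": "https://graph.microsoft.com",
        "oid": msi_oid,
        "roles": ["User.Read.All", "Group.Read.All"],
        "exp": int(time.time()) + 3600,
    })
    needed = ["User.Read.All", "GroupMember.ReadWrite.All"]
    print(check_graph_token(sample, needed, expected_oid=msi_oid))
```

In the Function, call `check_graph_token(get_graph_token(), needed, expected_oid=msi_oid)` at startup and fail loudly on a non-empty result; that turns a silent 403 from Graph into a clear message naming the missing role or the wrong identity.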