Azure Function - PowerShell - Connect-mgGraph - No Perms

Question

I have created PowerShell 7 Azure Function (AF) and a managed service identity (MSI) with reader role across the entire subscription. Using this code here:

Connect-AzAccount -Identity 
$token = Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com"
Connect-MgGraph -AccessToken $token.Token

The connection, via Graph works as I receive the 'Hello to Graph' in the (AF) log window. However, when searching for a user;

get-mgUser -userID 'objectID of the user'

I receive permission denied. Using:

connect-mgGraph -Scopes 

Prompts for an interactive login...

Looking at the Enterprise application registration for the MSI, I'm unable to grant any permissions (logged in as GA). Can someone point me in the right direction please?

Answer 1

The error "permission denied" usually occurs if there are no required permissions to perform the action.

I agree with Cpt.Whale that at least User.Read.All is required.

To grant the API permissions to an Enterprise Application, make sure that the application is present in Azure AD.

Locate your Enterprise application in Azure Ad like below:

Go to Azure Portal -> App Registrations -> Select App with your Enterprise Application name -> API permissions

After adding the permissions and granting admin consent, the API permissions will be successfully added in your Enterprise application like below:

To know more in detail, please refer below links:

Give permissions to graph api in enterprise application Azure AD by Hury Shen

Configure required Azure AD Graph permissions for an app registration - Microsoft Graph | Microsoft Docs