Assign-MSGraphAPI-Permissions.ps1
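# Script to add MS Graph API Permissions to a managed identity
# (AzureAD-module variant; a Microsoft.Graph-module variant follows further down.)
# Object id of the managed identity's service principal. Hoisted out of the cmdlet call so the
# one tenant-specific value in this section is obvious and easy to replace.
$MgdIdentityObjectId = "d7b92146-bebe-46b7-b762-d2d6a46d0b43"
# define the service principal; -ErrorAction Stop turns a bad object id into a hard stop instead of
# letting the later assignment run with $null
$mgdidentity = Get-AzureADServicePrincipal -ObjectId $MgdIdentityObjectId -ErrorAction Stop
if (-not $mgdidentity) { throw "No service principal found with object id '$MgdIdentityObjectId'" }
# permission name (note: the following one is a very high privileged permission!)
$PermissionName = "RoleManagement.ReadWrite.Directory"
# MS Graph App Id (This is always the same!)
$GraphAppId = "00000003-0000-0000-c000-000000000000"
# Get the Graph SP
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'" -ErrorAction Stop
if (-not $GraphServicePrincipal) { throw "Microsoft Graph service principal (appId $GraphAppId) not found in this tenant" }
# Get the user defined graph app role; only roles assignable to applications qualify
$AppRole = $GraphServicePrincipal.AppRoles | Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application" }
# Stop here if the role does not exist, rather than calling the assignment cmdlet with -Id $null
if (-not $AppRole) { throw "App role '$PermissionName' (AllowedMemberTypes: Application) not found on the Microsoft Graph service principal" }
# assign the permission: the managed identity is both the object and the principal, Graph is the resource
New-AzureAdServiceAppRoleAssignment -ObjectId $mgdidentity.ObjectId -PrincipalId $mgdidentity.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id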
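#########################################
# Using the MG module (from: https://stackoverflow.com/a/72905062)
# Prerequisites not performed here: an Az session (Connect-AzAccount) for the Get-AzAD* lookups,
# and the Microsoft.Graph module for Connect-MgGraph / New-MgServicePrincipalAppRoleAssignment.
$DestinationTenantId = Read-Host "please provide the tenant Id"
$MsiName = Read-Host "Please provide the name of the system- or user-assigned managed identity" # Name of system-assigned or user-assigned managed service identity. (System-assigned use same name as resource).
# Define permissions to assign here...
# NOTE: each entry below is a tenant-wide application (app-only) permission; trim the list to what the workload needs.
$oPermissions = @(
    "Directory.ReadWrite.All"
    "Group.ReadWrite.All"
    "GroupMember.ReadWrite.All"
    "User.ReadWrite.All"
    "RoleManagement.ReadWrite.Directory"
)
$GraphAppId = "00000003-0000-0000-c000-000000000000" # Don't change this.
# Resolve the managed identity by display name. Display names are not unique, so require exactly
# one match instead of silently assigning to the first hit (or to $null when nothing matches).
$oMsiMatches = @(Get-AzADServicePrincipal -Filter "displayName eq '$MsiName'")
if ($oMsiMatches.Count -eq 0) { throw "No service principal found with displayName '$MsiName'" }
if ($oMsiMatches.Count -gt 1) { throw "Multiple service principals match displayName '$MsiName'; use a unique name or look the identity up by object id" }
$oMsi = $oMsiMatches[0]
$oGraphSpn = Get-AzADServicePrincipal -Filter "appId eq '$GraphAppId'"
if (-not $oGraphSpn) { throw "Microsoft Graph service principal (appId $GraphAppId) not found in this tenant" }
# Only app roles that applications may hold are candidates
$oAppRole = @($oGraphSpn.AppRole | Where-Object { ($_.Value -in $oPermissions) -and ($_.AllowedMemberType -contains "Application") })
# Surface any requested permission that did not resolve to an application role instead of skipping it silently
$missing = @($oPermissions | Where-Object { $_ -notin @($oAppRole.Value) })
if ($missing.Count -gt 0) { throw "Requested permission(s) not found as application roles on Microsoft Graph: $($missing -join ', ')" }
# The assignment below needs AppRoleAssignment.ReadWrite.All; request the scopes explicitly so the
# interactive sign-in does not return a token that lacks them.
Connect-MgGraph -TenantId $DestinationTenantId -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All"
foreach ($AppRole in $oAppRole) {
    $oAppRoleAssignment = @{
        "PrincipalId" = $oMsi.Id
        "ResourceId"  = $oGraphSpn.Id   # object id of the Graph service principal, not its appId
        "AppRoleId"   = $AppRole.Id
    }
    New-MgServicePrincipalAppRoleAssignment `
        -ServicePrincipalId $oAppRoleAssignment.PrincipalId `
        -BodyParameter $oAppRoleAssignment `
        -Verbose
}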