If you have read one of my automation-related flows before, you know most of these solutions rely on querying Graph API using HTTP actions in a Logic Apps flow. When I first started using these flows, I used Azure App Registrations with a client secret for authentication (and stored these in a Key Vault).
But for a few months, I didn’t use App Registrations anymore but started using Azure Managed Identities. The benefit of using Managed Identities, is that you get an identity in Azure, but without the App Registration. You don’t have to use a client secret anymore, which is actually just some sort of password.
In this post, I show you how to set up a user-assigned Managed Identity (a user-assigned Managed Identity can be shared between multiple Logic Apps flows for example) and how to assign different kinds of roles and permissions. We can for example assign an Azure role or Azure AD role and Graph API permissions to the identity. I just show the basics of setting up the Managed Identity, there are multiple ways to set up the identity and assign the roles and permissions.
Create a Managed Identity
One of the options to create a Managed Identity, is to use the Azure Portal.
- Sign in to the Azure portal
- Under All services search for Managed Identity
- Open the Managed Identity service
- Click Create
- Select the Subscription and Resource group
- Select the Region
- Enter a name for the Managed Identity
- Click Review + Create
- Click Create
That’s all to create the Managed Identity via the portal.
Assign an Azure role to the Managed Identity
It is possible to assign an Azure role to the Managed Identity. One of the ways to do this is via the Azure Portal.
Open the Managed Identity after creation.
Here you can find the properties of the Managed Identity and also assign an Azure role to the identity.
- Click on Azure role assignments
- Make your choice for the scope
- Select your subscription
- Select the Resource group (in case you selected Resource group as scope)
- Select the Role(s) you like to assign
- Click Save
As you can see you can assign different kinds of Azure roles to the identity, like Log analytics Reader or Storage Blob Reader.
Assign an Azure AD role to the Managed Identity
We can also assign an Azure AD role to a Managed Identity, both built-in and custom roles can be assigned. This might come in handy for example when a Graph API call doesn’t support application permissions.
Assigning an AAD role is done in the same way as assigning the role to an AD account, but only active assignments are allowed. To assign an AAD role, follow the below steps.
- Browse to Azure Active Directory
- Open Roles and administrators
- Search for the role you want to assign
- Click Add Assignments
- Click on No member selected
- Search and select the Managed Identity
- Click Next
- Enter a Justification
- Click Assign
And the Azure AD role is assigned.
Assign Graph API permissions to the Managed Identity
We can also assign Graph API permissions to the Managed Identity.
Via de Azure Portal, we can view the currently assigned API permissions, but not assign these permissions.
To view the permissions via the Azure Portal, open the Enterprise Applications services.
Select Managed Identities as the Application type.
Open the previously created Managed Identity and on the Permissions tab, we find an overview of the assigned Graph API permissions.
We can use PowerShell to assign Graph API permissions, for example with this small script from Aleksandar Stefanov.
You only need to enter your tenant ID, displayname of the Managed Identity, and Permission name.
Microsoft Graph API always has the appId that is: 00000003-0000-0000-c000-000000000000. No need to change that.
In case you need to assign Windows Defender ATP API permissions, use appid fc780465-2017-40d4-a0c5-307022471b92.
# Your tenant id (in Azure Portal, under Azure Active Directory -> Overview )
$TenantID=""
# Microsoft Graph App ID (DON'T CHANGE)
$GraphAppId = "00000003-0000-0000-c000-000000000000"
# Name of the manage identity (same as the Logic App name)
$DisplayNameOfMSI="demoLogicApp"
# Check the Microsoft Graph documentation for the permission you need for the operation
$PermissionName = "Domain.Read.All"
# Install the module (You need admin on the machine)
Install-Module AzureAD
Connect-AzureAD -TenantId $TenantID
$MSI = (Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'")
Start-Sleep -Seconds 10
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
$AppRole = $GraphServicePrincipal.AppRoles | `
Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
After running the script, the assigned API permissions can be found in the overview.
If you want to automate the deployment of the Managed Identity and Graph permissions, also have a look at this post by Luise Freese.
That’s it for this post.
We have walked through the basic steps of creating a Managed Identity and how we can assign different roles and permissions.
And if you still wonder in which use case you can use a Managed Identity, have a look at the automation blog posts on my website.
Thanks for reading!