Managed identities in Azure removes the cumbersome task of managing app secrets and credentials used to securely access different resources in a cloud solution. With a managed identity, applications may obtain access tokens enabling them to directly access other resources that support Azure Active Directory authentication, like the Microsoft Graph API, without the need to provide client IDs and secrets.
Like with regular applications in Azure Active Directory, the resources a managed identity has access to is determined by its permission. Unlike regular applications however, it is not possible to grant permissions to the managed identity directly in the Azure portal.
To grant permissions to a managed identity we can instead use PowerShell together with some handy cmdlets provided by Microsoft. In the following step-by-step guide, we will focus on a system-assigned managed identity. Read more about the managed identity types here.
Prerequisites
Privileged Role Administrator, Cloud Application Administrator, Application Administrator or Global Administrator (required for Microsoft Graph permissions) of user running the PowerShell script.
AzureAD module for PowerShell installed and imported.
Granting tenant-wide admin consent for permissions.
1. Retrieve your tenant ID and managed identity (object) ID from Azure AD and define the application and permissions you want the managed identity to gain access to. In this guide, we’ll be using the Microsoft Graph API application as an example.
# Your tenant ID.
$tenantID="<tenant-ID>"
# Managed identity object ID .
$managedIdentityID = "<object-ID>"
# Name of application to grant access to
$applicationName = "Microsoft Graph"
# List of permissions names of the application
$permissionNames = @("User.Read.All", "Sites.Read.All")
2. Connect to Azure AD using your tenant ID. Provide your user credentials in the popup window to sign into your tenant.
# Connect to Azure AD using tenant ID and interactive sign-in
Connect-AzureAD -TenantId $tenantID3. Next, we retrieve the MS Graph application using the previously defined application name variable.
# Get application using application display name
$application = Get-AzureADServicePrincipal `
-SearchString $applicationName | Select-Object -first 14. Finally, we loop through all the permissions and assigns them to the managed identity.
foreach($pName in $PermissionNames) {
# Retrieve all available app roles for the application.
$appRole = $application.AppRoles | Where-Object {
$_.Value -eq $pName -and $_.AllowedMemberTypes -contains "Application"}
# Assign app roles matching the defined permissions to the managed identity.
New-AzureAdServiceAppRoleAssignment -ObjectId $ManagedIdentityID `
-PrincipalId $ManagedIdentityID -ResourceId $application.ObjectId `
-Id $appRole.Id
}
Given that the prerequisites met and that the script is used as described above, the output of the script will be details of each permission granted.
Removing permissions
Removing all permissions granted to a managed identity can also be done with a PowerShell script. Using the two first variables declared in step 1, the following script will remove all permissions, regardless of which application the permissions correspond to.
# Get all application permissions for the service principal
$spApplicationPermissions = Get-AzureADServiceAppRoleAssignedTo `
-ObjectId $sp.ObjectId -All $true `
| Where-Object { $_.PrincipalType -eq "ServicePrincipal" }
# Remove all delegated permissions
$spApplicationPermissions | ForEach-Object {
Remove-AzureADServiceAppRoleAssignment -ObjectId $_.PrincipalId `
-AppRoleAssignmentId $_.objectId
}
Final notes
Two custom made cmdlets for adding and removing application permissions for managed identities can be found in one of our publicly available github repositories:
These cmdlets contains the functionalities in the script detailed above, along with some additional error handling and the possibility for removing specific application permissions.
Comments