Site icon

Grant Graph API Permission to Managed Identity Object

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. We can access Graph API either using service principal object in Azure or using Managed Identity.   


When it comes to service Principal, we can grant API Permissions to the service principal object in Azure but incase of Managed Identity, we do not have option to provide Graph API permission for Managed Identity object via portal.  Hence we need to use the below PowerShell script to grant Graph API Permission (Application Permission) to the managed Identity object.


 In this blog, we will see how to grant graph API permission to the Managed Identity object


Note: To provide Graph API Permission you need to be Global Administrator in Azure Active Directory


Below Parameters needs to be modified as per your resources:


Powershell Script:


$TenantID="provide the tenant ID"

$GraphAppId = "00000003-0000-0000-c000-000000000000"

$DisplayNameOfMSI="Provide the Logic App name"

$PermissionName = "Directory.Read.All"



# Install the module

Install-Module AzureAD


Connect-AzureAD -TenantId $TenantID

$MSI = (Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'")

Start-Sleep -Seconds 10

$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

$AppRole = $GraphServicePrincipal.AppRoles | `

Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}

New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId `

-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id



Logic App:



 Execute the Powershell script to grant appropriate Graph API Permission to the Managed Identity object



 Once the Powershell is executed, you will be able to see the below Graph API permission added.




Exit mobile version