BobbyS

Reputation: 49

Accessing Azure AD using a Managed Identity

I am familiar with how to grant API permissions access to a service principal (or App Registration) in Azure, but we have Managed Identity set up on an Azure VM which I'd like to use (via powershell) to query our app registrations.

When I run the below ...

$Applications = Get-AzADApplication

I get the following error ...

Get-AzADApplication : Insufficient privileges to complete the operation.

This occurs even if I PIM myself to the Application Administrator role so I'm not sure what the issue is.

The Get-AzureADApplication command works fine, but since I want to automate the running of this script I don't want to have to run 'connect-azuread' (which prompts for my login) ...

Get-AzureADApplication : You must call the Connect-AzureAD cmdlet before calling any other cmdlets.

... hence why I was hoping to use a Managed Identity.

I don't see where I can check what access the managed identity has since there is no 'API Permission' to look at. ... unless I'm missing something.

Any ideas?

Upvotes: 0

Views: 7021

Answers (2)

badsector

Reputation: 31

Just doing some automation with a managed identity and this worked. So if you want it to look more "powershell-like", you can use the following commands:

# Keep the managed-identity context in this process only (no persisted profile on disk)
Disable-AzContextAutosave -Scope Process
# Sign in as the VM's managed identity and make its subscription the current context
$AzureContext = (Connect-AzAccount -Identity).context
$AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext
# Acquire a token for the (legacy) Azure AD Graph audience and hand it to the AzureAD module
$token = (Get-AzAccessToken -ResourceTypeName AadGraph).token
Connect-AzureAD -AadAccessToken $token -AccountId $AzureContext.Account -TenantId $AzureContext.Tenant

You will need Az.Accounts and AzureAD powershell modules. Also the managed identity will need proper permissions (probably Directory reader for AAD and Reader for the subscription).

Upvotes: 0

RamaraoAdapa

Reputation: 3137

As you already assigned application administrator role to your managed identity, you can use the below script to connect to Azure AD:

# Sign in as the VM's managed identity and grab the resulting default context
Connect-AzAccount -Identity
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
# Token for Microsoft Graph (https://graph.microsoft.com)
$graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com").AccessToken
# Token for the legacy Azure AD Graph (https://graph.windows.net), which Connect-AzureAD expects
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken
Write-Output "Hi I'm $($context.Account.Id)"
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id

Then you would be able to run the Get-AzureADApplication command.

Upvotes: 1
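The question also asks how to see what access the managed identity actually has, since it has no "API permissions" blade. The following is an added PowerShell example, not code from either answer: it signs in as the managed identity and asks Microsoft Graph for the identity's directory roles and its Graph app-role assignments before touching any app registrations. It assumes Az.Accounts 2.x (where Get-AzAccessToken returns a plain-string .Token), a system-assigned managed identity on the VM, and that the identity already holds a directory read permission such as the Directory Readers role mentioned above.

```powershell
# Added example, not part of the original answers. Assumes Az.Accounts 2.x
# (Get-AzAccessToken returns a plain-string .Token), a VM with a system-assigned
# managed identity, and that the identity already holds a directory read
# permission (e.g. Directory Readers); without one the Graph calls return 403.
Disable-AzContextAutosave -Scope Process | Out-Null
$null = Connect-AzAccount -Identity

# Microsoft Graph token. The legacy AAD Graph audience (graph.windows.net) used
# in the answers above is retired, so prefer graph.microsoft.com for new work.
$graphToken = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
$headers    = @{ Authorization = "Bearer $graphToken" }

# The identity's own service principal object id is in the token's 'oid' claim.
function Get-JwtClaim([string]$Jwt, [string]$Claim) {
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return ($json | ConvertFrom-Json).$Claim
}
$oid = Get-JwtClaim -Jwt $graphToken -Claim 'oid'
Write-Output "Managed identity service principal object id: $oid"

# Directory roles held directly or through role-assignable groups.
$memberOf = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$oid/transitiveMemberOf"
$roles = $memberOf.value | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.directoryRole' }
Write-Output "Directory roles:"
$roles | Select-Object displayName, roleTemplateId | Format-Table -AutoSize

# Graph application permissions granted to the identity: the equivalent of the
# 'API permissions' blade that app registrations have and managed identities lack.
# appRoleId is the permission's GUID; resolve it against the resource's appRoles
# list if you need the human-readable name (e.g. Application.Read.All).
$assignments = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$oid/appRoleAssignments"
Write-Output "App role assignments:"
$assignments.value | Select-Object resourceDisplayName, appRoleId | Format-Table -AutoSize

# Listing app registrations only needs a read permission (Directory Readers or
# Application.Read.All), which is less than the Application Administrator role
# the question tried; grant the smaller one and this call succeeds.
Get-AzADApplication | Select-Object DisplayName, AppId
```

If the two listings come back empty, the identity has no directory access at all, which is exactly the situation that produces the "Insufficient privileges" error in the question.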
