Reputation: 9288
Is it possible to assign API permissions ( such as Microsoft Graph API Permissions ) to a User Assigned Managed Identity?
I'd like to use an MSI or User Assigned MSI to authenticate and get an access token (bearer token) to call the Microsoft Graph API or any other API I published through my App registrations.
A link to an online documentation would help.
Upvotes: 4
Views: 2945
Reputation: 15444
I tried to reproduce the same in my environment and got the results below:
To assign permissions to a User Assigned Managed Identity, you can make use of the PowerShell script below:
```powershell
Connect-AzureAD
$TenantID = "TENANTID"
$GraphAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph app ID; don't change this value
$DisplayNameOfMSI = "MSINAME"                           # display name of the user-assigned managed identity
$PermissionName = "Directory.Read.All"                  # application permission to grant

# Look up the managed identity's service principal by its display name
$MSI = Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'"
# Give a freshly created identity a moment to propagate before assigning roles
Start-Sleep -Seconds 10

# Find the Microsoft Graph service principal and the app role matching the permission
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
$AppRole = $GraphServicePrincipal.AppRoles |
    Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application" }

# Assign the app role to the managed identity's service principal
New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
```
In the Portal, the Graph API permissions were assigned successfully, as shown below:
To generate an access token using a User Assigned MSI, refer to the documentation below:
Managed identities - Azure App Service | Microsoft Learn
Note that, to obtain a token for a User Assigned MSI, you must include one of the optional properties.
Upvotes: 3
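As an added example (not part of the answer above), the following PowerShell requests a Graph token for a user-assigned identity from inside an App Service or Functions app and checks that the assigned app role actually appears in the token's `roles` claim before calling Graph. It assumes the code runs where the platform injects `IDENTITY_ENDPOINT` and `IDENTITY_HEADER`, and the identity's client ID is a placeholder you substitute.

```powershell
# Added example: token acquisition for a user-assigned managed identity plus a
# role check. Assumes IDENTITY_ENDPOINT / IDENTITY_HEADER are present (App Service,
# Functions) and that $ClientId is replaced with the identity's real client ID.
$ClientId = "<client-id-of-user-assigned-identity>"   # placeholder
$Resource = "https://graph.microsoft.com/"

# For a user-assigned identity one of client_id / principal_id / mi_res_id must be
# supplied; otherwise the endpoint falls back to the system-assigned identity.
$TokenUri = "$($env:IDENTITY_ENDPOINT)?resource=$([uri]::EscapeDataString($Resource))&api-version=2019-08-01&client_id=$ClientId"
$TokenResponse = Invoke-RestMethod -Method Get -Uri $TokenUri -Headers @{ "X-IDENTITY-HEADER" = $env:IDENTITY_HEADER }
$AccessToken = $TokenResponse.access_token

# Decode the JWT payload (signature is not verified here; we only inspect a token
# issued to ourselves) and confirm the expected application permission is present.
function Get-JwtPayload([string]$Jwt) {
    $Part = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($Part.Length % 4) { 2 { $Part += '==' } 3 { $Part += '=' } }
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Part)) | ConvertFrom-Json
}
$Payload  = Get-JwtPayload $AccessToken
$Expected = "Directory.Read.All"
if (-not ($Payload.roles -contains $Expected)) {
    # Typical causes: the app role assignment has not propagated yet, a cached token
    # predates it, or the wrong identity (client_id) was selected.
    throw "Token for appId $($Payload.appid) lacks role '$Expected'; roles present: $($Payload.roles -join ', ')"
}

# Call only what the granted permission covers (least privilege in practice).
$Headers = @{ Authorization = "Bearer $AccessToken" }
Invoke-RestMethod -Method Get -Uri 'https://graph.microsoft.com/v1.0/users?$top=5&$select=displayName' -Headers $Headers
```

If the `roles` check fails right after running the assignment script, retry after a short wait rather than widening permissions; the token should carry exactly the app roles assigned to that identity.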