Reputation: 13
I have a user assigned managed identity that's associated with a VM resource and I want to assign several Graph API permissions to it. Most everything I find online uses a system assigned identity. When I follow the instructions, I get an insufficient privileges error even when I try with Global Administrator.
Is this scenario even supported?
I tried following this existing question: How to set Microsoft Graph API permissions on Azure Managed Service Identity with PowerShell 7
Upvotes: 1
Views: 3025
Reputation: 7614
How to Assign Microsoft Graph API Permissions to a User Assigned Managed Identity?
Here is the PowerShell script to assign permissions to a user assigned managed identity:
# Requires the AzureAD module. Sign in to the tenant with an account that can grant app roles.
$TenantID = "TenantID"
Connect-AzureAD -TenantId $TenantID

$GraphAppId = "00000003-0000-0000-c000-000000000000" # Microsoft Graph app ID. Don't change this value
$NameOfMSI = "venkat-user-identity"                   # Display name of the user assigned managed identity

# Application permissions (app roles) to grant on Microsoft Graph
$Permissions = @(
    "Directory.Read.All",
    "Directory.ReadWrite.All",
    "Group.ReadWrite.All",
    "GroupMember.ReadWrite.All",
    "User.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory"
)

# Service principal of the managed identity
$MSI = (Get-AzureADServicePrincipal -Filter "displayName eq '$NameOfMSI'")
Start-Sleep -Seconds 10   # give a newly created identity time to replicate

# Service principal of Microsoft Graph in this tenant; its AppRoles are the assignable permissions
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

foreach ($PermissionName in $Permissions) {
    # Only roles allowed for Application members can be held by a managed identity
    $AppRole = $GraphServicePrincipal.AppRoles | Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application" }
    New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
}
Output: Graph API permissions assigned successfully to the user assigned managed identity.
Reference: How to use managed identities for App Service and Azure Functions
Upvotes: 2
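The same assignment done with the Microsoft Graph PowerShell SDK (Microsoft.Graph module) rather than the retired AzureAD module, as an added example that is not part of the answer above. It looks the identity up by its client ID instead of display name, skips roles that are already assigned, and lists the result so you can verify it; the tenant ID, client ID and permission list are placeholders you fill in.

```powershell
# Added example: assign Microsoft Graph application permissions to a user assigned
# managed identity with the Microsoft.Graph module. Values marked <...> are placeholders.
$TenantId    = "<tenant-id>"
$MsiClientId = "<client-id-of-the-user-assigned-identity>"   # Client ID shown on the identity's Overview blade
$GraphAppId  = "00000003-0000-0000-c000-000000000000"        # Microsoft Graph, fixed value
$Permissions = @("Directory.Read.All", "User.Read.All")

# The signed-in admin's session must carry these delegated scopes; holding a directory
# role alone does not grant them, and a missing scope surfaces as "Insufficient privileges".
Connect-MgGraph -TenantId $TenantId -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All"

# Resolve both service principals by appId (unique) rather than by displayName (not unique).
$Msi   = Get-MgServicePrincipal -Filter "appId eq '$MsiClientId'"
$Graph = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
if (-not $Msi)   { throw "No service principal found for client ID $MsiClientId" }
if (-not $Graph) { throw "Microsoft Graph service principal not found in tenant $TenantId" }

# Current assignments, so re-running the script does not create duplicates.
$Existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Msi.Id

foreach ($PermissionName in $Permissions) {
    # Managed identities can only hold application roles, never delegated scopes.
    $AppRole = $Graph.AppRoles | Where-Object {
        $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"
    }
    if (-not $AppRole) { Write-Warning "No application role named $PermissionName on Microsoft Graph"; continue }

    if ($Existing | Where-Object { $_.AppRoleId -eq $AppRole.Id -and $_.ResourceId -eq $Graph.Id }) {
        Write-Host "Already assigned: $PermissionName"
        continue
    }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Msi.Id `
        -PrincipalId $Msi.Id -ResourceId $Graph.Id -AppRoleId $AppRole.Id | Out-Null
    Write-Host "Assigned: $PermissionName"
}

# Verify: print every Graph app role the identity now holds.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Msi.Id |
    Where-Object { $_.ResourceId -eq $Graph.Id } |
    ForEach-Object {
        $assignment = $_
        $role = $Graph.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        "{0} -> {1}" -f $Msi.DisplayName, $role.Value
    }
```

Keep the permission list to what the workload on the VM actually needs; roles such as Directory.ReadWrite.All or RoleManagement.ReadWrite.Directory give the identity tenant-wide write access.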