Reputation: 595
I am currently preparing an Automation Account runbook in Azure. The runbook type is PowerShell 5.1, and I am also using Microsoft.Graph modules as presented below:
I have enabled a System Assigned Managed Identity on my Automation Account. I am going to use the Automation Account runbook to filter out some SPNs registered in my Entra ID tenant, then assign specified API permissions to these SPNs/registered applications. To assign API permissions to registered applications I use the command:
# $spn is the target service principal and $AppRoleAssignment the request body
# (principalId / resourceId / appRoleId), both built earlier in the runbook
New-MgServicePrincipalAppRoleAssignment `
    -ServicePrincipalId $spn.Id `
    -BodyParameter $AppRoleAssignment `
    -Verbose -ErrorAction SilentlyContinue
Once I add the Managed Identity to the built-in Entra ID role Global Administrator, all works fine: the script adds all required API permissions to the registered applications/SPNs. But it is not a best practice to add a Managed Identity object to the Global Administrator role. I tested other built-in roles, like Application Administrator, Cloud Application Administrator and Directory Writer, adding the Managed Identity object as a member of the mentioned roles, but the effect is the same: insufficient permissions to complete the action. I am not sure which built-in Entra ID role I should consider.
Upvotes: 0
Views: 470
Reputation: 595
I used the code presented below to add the required permissions for my Managed Identity object.
# Provide required System Assigned Managed Identity Entra ID permissions
# The managed identity's service principal shares the Automation Account's name
$managedIdentityId = (Get-MgServicePrincipal -Filter "displayName eq 'dev-automation-account'").Id
# Microsoft Graph's service principal (well-known AppId, identical in every tenant)
$graphApp = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
# Application (app-only) permissions to grant to the managed identity
$graphScopes = @(
    'Application.ReadWrite.All'
)
ForEach ($scope in $graphScopes) {
    # Resolve the permission name to the app role exposed by Microsoft Graph
    $appRole = $graphApp.AppRoles | Where-Object { $_.Value -eq $scope }
    # Grant the app role: the managed identity is both the principal and the
    # service principal the assignment is created on; Graph is the resource
    New-MgServicePrincipalAppRoleAssignment -PrincipalId $managedIdentityId -ServicePrincipalId $managedIdentityId -ResourceId $graphApp.Id -AppRoleId $appRole.Id
}
Upvotes: 0
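Putting the question's runbook loop and the answer's prerequisite together, here is an added example (not code from the question or the answer) of a runbook body that grants a Graph app role to a set of SPNs under the managed identity, assuming the identity already holds Application.ReadWrite.All as the answer describes. The display-name prefix and the role value are hypothetical inputs; the duplicate check keeps re-runs idempotent, and -ErrorAction Stop makes an "insufficient privileges" response fail loudly instead of being swallowed.

```powershell
# Added example, not from the original post. Assumes the Automation Account's
# system-assigned managed identity already has Application.ReadWrite.All.
param(
    [string]$TargetPrefix = 'contoso-api-',   # hypothetical SPN naming convention
    [string]$RoleValue    = 'User.Read.All'    # hypothetical Graph app role to grant
)

# Authenticate as the Automation Account's system-assigned managed identity.
Connect-MgGraph -Identity -NoWelcome

# Microsoft Graph's service principal in this tenant (well-known AppId).
$graphApp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
# Only application-type roles can be assigned to a service principal.
$appRole = $graphApp.AppRoles |
    Where-Object { $_.Value -eq $RoleValue -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $appRole) { throw "App role '$RoleValue' not found on Microsoft Graph" }

# Filter the SPNs to change; narrow this as tightly as your naming allows.
$targets = Get-MgServicePrincipal -Filter "startswith(displayName,'$TargetPrefix')" -All

foreach ($spn in $targets) {
    # Skip SPNs that already hold this role so repeated runs change nothing.
    $existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spn.Id -All |
        Where-Object { $_.ResourceId -eq $graphApp.Id -and $_.AppRoleId -eq $appRole.Id }
    if ($existing) {
        Write-Output "Skipping $($spn.DisplayName): already has $RoleValue"
        continue
    }

    $body = @{
        principalId = $spn.Id       # the SPN receiving the permission
        resourceId  = $graphApp.Id  # the API exposing the role (Microsoft Graph)
        appRoleId   = $appRole.Id   # the role being granted
    }
    try {
        # Stop (not SilentlyContinue) so a permission failure is visible in the job output.
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spn.Id `
            -BodyParameter $body -ErrorAction Stop | Out-Null
        Write-Output "Granted $RoleValue to $($spn.DisplayName)"
    }
    catch {
        Write-Error "Failed for $($spn.DisplayName): $($_.Exception.Message)"
    }
}
```

The job output then lists every SPN that was granted or skipped, which is also the record to keep for later review of what the runbook changed.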