Assign Graph API App Role to Azure Managed Identity

แชร์
ฝัง
  • เผยแพร่เมื่อ 22 ธ.ค. 2024

ความคิดเห็น •

  • @MalcolManan
    @MalcolManan 3 หลายเดือนก่อน

    You've got a like a sub. I have been trying to figure out how to assign permissions to the Managed Identity Service Principal and no useful information is available online. Cheers, keep up and good luck!

    • @jeffbrowntech
      @jeffbrowntech  3 หลายเดือนก่อน

      Glad it helped, and that's why I wrote the article and did the video. Seems like a complicated process and wanted to document it myself.

  • @armaans64
    @armaans64 8 หลายเดือนก่อน

    Very informative, may I ask to the PowerShell script you using here pls

    • @jeffbrowntech
      @jeffbrowntech  8 หลายเดือนก่อน +1

      If you are referring to the code that assigns the permissions, you can find it on my blog, also updating description with link:
      jeffbrown.tech/graph-api-managed-identity/

  • @pawelhaubus172
    @pawelhaubus172 5 หลายเดือนก่อน

    Great video, when i run 'New-MgServicePrincipalAppRoleAssignment' i get the 'Insufficient privileges to complete the operation.' error, I can't figure out which permissions are missing, i created the function app,, i am also a global admin, but error comes up each time when itry to run it, any idea what m,ay be causing it?

    • @jeffbrowntech
      @jeffbrowntech  5 หลายเดือนก่อน +1

      Double check what scopes you have in your Microsoft Graph connection context, there should be something like Directory.ReadWrite.All:
      Get-MgContext | Select-Object -ExpandProperty Scopes

    • @pawelhaubus172
      @pawelhaubus172 5 หลายเดือนก่อน +2

      @@jeffbrowntech thanks for your replay, I managed to resolve my issue, At first I only used scope which you mentioned in the video 'Connect-MgGraph -Scopes 'Directory.ReadWrite.All'' but it did not work, only after adding 'AppRoleAssignment.ReadWrite.All' it started to work for me, so first command was "'Connect-MgGraph -Scopes 'Directory.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'" in my case
      Thanks for the comments!

    • @jeffbrowntech
      @jeffbrowntech  5 หลายเดือนก่อน

      Interesting, thank you for the update, glad you were able to figure it out! I don't believe I needed that permission previously but something could have changed in the requirements.

    • @andresjordan1906
      @andresjordan1906 4 หลายเดือนก่อน +1

      @@pawelhaubus172 Thank you for posting your solution, I was having the same issue until I came across your comment.

  • @MadiAnas-wc3xt
    @MadiAnas-wc3xt 6 หลายเดือนก่อน

    Is this possible via Terraform?

    • @jeffbrowntech
      @jeffbrowntech  6 หลายเดือนก่อน +1

      I have not personally done that but I can't think of any reason it couldn't be. You would have to know the app role to assign ahead of time.
      registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment

    • @MadiAnas-wc3xt
      @MadiAnas-wc3xt 6 หลายเดือนก่อน

      @@jeffbrowntech This worked btw. Thank you!
      I needed to be Global Administrator not just Application Administrator. Not sure why yet. Need to work on that.
      ```
      data "azuread_application_published_app_ids" "well_known" {}
      resource "azuread_service_principal" "msgraph" {
      client_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
      use_existing = true
      }
      resource "azuread_app_role_assignment" "directory_read_all" {
      app_role_id = azuread_service_principal.msgraph.app_role_ids["Directory.Read.All"]
      principal_object_id = azurerm_user_assigned_identity.github.principal_id
      resource_object_id = azuread_service_principal.msgraph.object_id
      }
      ```

  • @starvosxant4348
    @starvosxant4348 5 หลายเดือนก่อน +2

    This is terrible...
    Not the video. The video is great! But why this information is not easy to find in Microsoft Docs? They should have a atep by step guide like this...
    Anyway, thanks for your help! Why did the Graph series stopped?

    • @jeffbrowntech
      @jeffbrowntech  5 หลายเดือนก่อน

      That is primarily why I blogged about it and created the video, to put all the steps together.
      That's all I had for Graph stuff at the time but will produce more if something comes up. I primarily pull from things I encounter in my daily work.

    • @starvosxant4348
      @starvosxant4348 5 หลายเดือนก่อน

      @@jeffbrowntech could you bring more examples of using Python?
      The general step: register the app, request the token, use the API via requests/SDK

    • @jeffbrowntech
      @jeffbrowntech  5 หลายเดือนก่อน

      @@starvosxant4348 Unfortunately I don't know Python, PowerShell is my go-to scripting language for now.