You've got a like a sub. I have been trying to figure out how to assign permissions to the Managed Identity Service Principal and no useful information is available online. Cheers, keep up and good luck!
If you are referring to the code that assigns the permissions, you can find it on my blog, also updating description with link: jeffbrown.tech/graph-api-managed-identity/
Great video, when i run 'New-MgServicePrincipalAppRoleAssignment' i get the 'Insufficient privileges to complete the operation.' error, I can't figure out which permissions are missing, i created the function app,, i am also a global admin, but error comes up each time when itry to run it, any idea what m,ay be causing it?
Double check what scopes you have in your Microsoft Graph connection context, there should be something like Directory.ReadWrite.All: Get-MgContext | Select-Object -ExpandProperty Scopes
@@jeffbrowntech thanks for your replay, I managed to resolve my issue, At first I only used scope which you mentioned in the video 'Connect-MgGraph -Scopes 'Directory.ReadWrite.All'' but it did not work, only after adding 'AppRoleAssignment.ReadWrite.All' it started to work for me, so first command was "'Connect-MgGraph -Scopes 'Directory.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'" in my case Thanks for the comments!
Interesting, thank you for the update, glad you were able to figure it out! I don't believe I needed that permission previously but something could have changed in the requirements.
I have not personally done that but I can't think of any reason it couldn't be. You would have to know the app role to assign ahead of time. registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment
@@jeffbrowntech This worked btw. Thank you! I needed to be Global Administrator not just Application Administrator. Not sure why yet. Need to work on that. ``` data "azuread_application_published_app_ids" "well_known" {} resource "azuread_service_principal" "msgraph" { client_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph use_existing = true } resource "azuread_app_role_assignment" "directory_read_all" { app_role_id = azuread_service_principal.msgraph.app_role_ids["Directory.Read.All"] principal_object_id = azurerm_user_assigned_identity.github.principal_id resource_object_id = azuread_service_principal.msgraph.object_id } ```
This is terrible... Not the video. The video is great! But why this information is not easy to find in Microsoft Docs? They should have a atep by step guide like this... Anyway, thanks for your help! Why did the Graph series stopped?
That is primarily why I blogged about it and created the video, to put all the steps together. That's all I had for Graph stuff at the time but will produce more if something comes up. I primarily pull from things I encounter in my daily work.
You've got a like a sub. I have been trying to figure out how to assign permissions to the Managed Identity Service Principal and no useful information is available online. Cheers, keep up and good luck!
Glad it helped, and that's why I wrote the article and did the video. Seems like a complicated process and wanted to document it myself.
Very informative, may I ask to the PowerShell script you using here pls
If you are referring to the code that assigns the permissions, you can find it on my blog, also updating description with link:
jeffbrown.tech/graph-api-managed-identity/
Great video, when i run 'New-MgServicePrincipalAppRoleAssignment' i get the 'Insufficient privileges to complete the operation.' error, I can't figure out which permissions are missing, i created the function app,, i am also a global admin, but error comes up each time when itry to run it, any idea what m,ay be causing it?
Double check what scopes you have in your Microsoft Graph connection context, there should be something like Directory.ReadWrite.All:
Get-MgContext | Select-Object -ExpandProperty Scopes
@@jeffbrowntech thanks for your replay, I managed to resolve my issue, At first I only used scope which you mentioned in the video 'Connect-MgGraph -Scopes 'Directory.ReadWrite.All'' but it did not work, only after adding 'AppRoleAssignment.ReadWrite.All' it started to work for me, so first command was "'Connect-MgGraph -Scopes 'Directory.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'" in my case
Thanks for the comments!
Interesting, thank you for the update, glad you were able to figure it out! I don't believe I needed that permission previously but something could have changed in the requirements.
@@pawelhaubus172 Thank you for posting your solution, I was having the same issue until I came across your comment.
Is this possible via Terraform?
I have not personally done that but I can't think of any reason it couldn't be. You would have to know the app role to assign ahead of time.
registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment
@@jeffbrowntech This worked btw. Thank you!
I needed to be Global Administrator not just Application Administrator. Not sure why yet. Need to work on that.
```
data "azuread_application_published_app_ids" "well_known" {}
resource "azuread_service_principal" "msgraph" {
client_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
use_existing = true
}
resource "azuread_app_role_assignment" "directory_read_all" {
app_role_id = azuread_service_principal.msgraph.app_role_ids["Directory.Read.All"]
principal_object_id = azurerm_user_assigned_identity.github.principal_id
resource_object_id = azuread_service_principal.msgraph.object_id
}
```
This is terrible...
Not the video. The video is great! But why this information is not easy to find in Microsoft Docs? They should have a atep by step guide like this...
Anyway, thanks for your help! Why did the Graph series stopped?
That is primarily why I blogged about it and created the video, to put all the steps together.
That's all I had for Graph stuff at the time but will produce more if something comes up. I primarily pull from things I encounter in my daily work.
@@jeffbrowntech could you bring more examples of using Python?
The general step: register the app, request the token, use the API via requests/SDK
@@starvosxant4348 Unfortunately I don't know Python, PowerShell is my go-to scripting language for now.