...
Graph API / Permissions name | Access Granted by Permissions | Used By |
AuditLog.Read.All | Read audit log data | App Service Managed Identity |
Group.Read.All | Read group data | App Service Managed Identity |
GroupMember.ReadWrite.All | Read and write group memberships | App Service Managed Identity |
User.Read.All | Read user profile | App Service Managed Identity |
Reports.Read.All | Read report data | App Service Managed Identity |
Organization.Read.All | Read organization information | App Service Managed Identity |
...
Code Block | ||
---|---|---|
| ||
############### ## GRAPH API ## ############### Param( $tenantId = "", $appServiceObjectID = "", $PermissionsToAdd = @("Organization.Read.All", "User.Read.All", "Group.Read.All", "GroupMember.ReadWrite.All", "Reports.Read.All", "AuditLog.Read.All") ) # Install AzureAD module if not installed if (-Not(Get-Module -ListAvailable -Name AzureAD)) { try { Install-Module AzureAD -Force } catch { if ($_.Exception.Message.Contains("Administrator rights")) { Write-Host "You must run the script with administrator rights" } else { Write-Error $_.Exception.Message } } } if (Get-Module -ListAvailable -Name AzureAD) { # Check if connected to the target Azure AD Tenant try { $tenantDetail = Get-AzureADTenantDetail } catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] { Write-Host "You're not connected."; Connect-AzureAD -TenantId $tenantId; $tenantDetail = Get-AzureADTenantDetail } if ($tenantDetail.ObjectId -ne $tenantId) { Write-Host "You're not connected to the tenant: " $tenantId; Connect-AzureAD -TenantId $tenantId; } # Managed Identity for the SCIM App Service | Found in App Service -> Identity $ManagedIdentitiesServicePrincipal = Get-AzureADServicePrincipal -Filter "ObjectId eq `'$appServiceObjectID`'" if ($ManagedIdentitiesServicePrincipal -eq $null) { throw "Managed Identity for the app service is not found. `nApp Service Object ID: $appServiceObjectID " } # Resource Name : Microsoft Graph | Resource URI : https://graph.microsoft.com | Application ID : 00000003-0000-0000-c000-000000000000 $GraphAppId = "00000003-0000-0000-c000-000000000000" $GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'" # Permissions foreach ($PermissionToAdd in $PermissionsToAdd) { $AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionToAdd.Trim() -and $_.AllowedMemberTypes -contains "Application"} if ($AppRole -eq $null) { Write-Error "Invalid Permission `nPermission name: $PermissionToAdd" } else { # Assigns a Graph API service principal to an application role try { New-AzureAdServiceAppRoleAssignment -ObjectId $ManagedIdentitiesServicePrincipal.ObjectId -PrincipalId $ManagedIdentitiesServicePrincipal.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id -ErrorAction Stop } catch { if ($_.Exception.ErrorContent.Message.Value -eq .Contains("Permission being assigned already")) exists{ on the object") { Write-Host "`""$AppRole.DisplayName"`"" " Permission is already assigned on the app service" } else { Write-Error $_ } } } } } |
Insert excerpt | ||||||
---|---|---|---|---|---|---|
|