Overview
In Azure environments, assigning API permissions to managed identities is a key step when enabling secure and automated access to services like Microsoft Graph or Microsoft Defender for Endpoint. Because a managed identity has no client secret or certificate to store, granting it an app role directly is the cleanest way to give an automated workload API access. This blog post walks you through assigning app role permissions (like SecurityAlert.ReadWrite.All) to a managed identity using PowerShell and Azure AD.
🔧 Prerequisites
- Global Administrator access in Azure AD (Privileged Role Administrator is the less-privileged alternative; granting application permissions to a service principal requires one of these roles)
- AzureAD PowerShell module installed (Install-Module AzureAD). Note that Microsoft has deprecated this module in favour of the Microsoft Graph PowerShell SDK; the script below still works where the module is installed, but new automation should target Microsoft.Graph
- The managed identity's service principal object ID (shown as "Object (principal) ID" on the resource's Identity blade), not its client ID or its ARM resource ID
- App ID of the target Azure service's service principal (for Microsoft Graph this is the well-known 00000003-0000-0000-c000-000000000000; for Microsoft Defender for Endpoint and Microsoft Threat Protection, look up the service principal by display name, e.g. Get-AzureADServicePrincipal -Filter "DisplayName eq 'WindowsDefenderATP'", and read its AppId)
🛠 PowerShell Script to Assign API Permission
Below is the PowerShell script you can use. Replace the placeholder values with your actual Managed Identity Object ID and App ID. Note that the AzureAD cmdlet rejects a duplicate assignment ("Permission being assigned already exists on the object"), so re-running the script for a role that is already granted produces an error rather than a silent no-op.
# Replace with the object ID of the managed identity's service principal
$miObjectID = "<your-managed-identity-object-id>"
# App ID of the target API's service principal. Microsoft Graph is
# 00000003-0000-0000-c000-000000000000; WindowsDefenderATP and Microsoft Threat
# Protection have their own well-known app IDs (look them up by DisplayName).
$appId = "<your-app-id>"
# Connect to Azure AD with an account holding Global Administrator or Privileged Role Administrator
Connect-AzureAD
# Get the service principal of the target app and fail early if it is not in the tenant
$app = Get-AzureADServicePrincipal -Filter "AppId eq '$appId'"
if (-not $app) { throw "No service principal found for AppId $appId in this tenant" }
# Replace with the app role values your workload needs (exact names; values are case-sensitive)
$permissionsToAdd = @("SecurityAlert.ReadWrite.All")
# Assign each app role to the managed identity
foreach ($permission in $permissionsToAdd) {
    # Match on the exact role value (the original -Like without wildcards was only an equality test)
    $role = $app.AppRoles | Where-Object { $_.Value -eq $permission } | Select-Object -First 1
    if (-not $role) {
        Write-Warning "App role '$permission' does not exist on $($app.DisplayName); skipping"
        continue
    }
    # ObjectId and PrincipalId are both the managed identity; ResourceId is the API's service principal
    New-AzureADServiceAppRoleAssignment -Id $role.Id -ObjectId $miObjectID -PrincipalId $miObjectID -ResourceId $app.ObjectId
}
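Because the AzureAD module is deprecated, here is the same procedure written against the Microsoft Graph PowerShell SDK as an added example; it is not code from the original post. It differs from the script above in three ways a practitioner will want: it signs in with only the two Graph scopes the task needs, it checks existing assignments first so it can be re-run safely, and it finishes by listing every app role the identity now holds so you can confirm the result. The parameter names and the Microsoft Graph app ID are assumptions made for this example; the cmdlets are the documented Microsoft.Graph ones.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph module
# (Install-Module Microsoft.Graph). Run with an account that can grant application
# permissions (Global Administrator or Privileged Role Administrator).
#Requires -Modules Microsoft.Graph.Applications

param(
    # Object ID of the managed identity's service principal (assumed placeholder)
    [Parameter(Mandatory)] [string] $MiObjectId,
    # App ID of the API whose roles are being granted; default is the well-known Microsoft Graph app ID
    [string] $ResourceAppId = "00000003-0000-0000-c000-000000000000",
    # App role values to grant; exact, case-sensitive names
    [string[]] $Permissions = @("SecurityAlert.ReadWrite.All")
)

# Least-privilege sign-in: read service principals, write app role assignments, nothing else
Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All" -NoWelcome

$resource = Get-MgServicePrincipal -Filter "appId eq '$ResourceAppId'"
if (-not $resource) { throw "No service principal found for appId $ResourceAppId in this tenant." }

# Assignments the identity already holds, so a re-run does not hit the duplicate-assignment error
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MiObjectId -All

foreach ($permission in $Permissions) {
    # Only roles that may be assigned to applications (not users) are valid for a managed identity
    $role = $resource.AppRoles |
        Where-Object { $_.Value -eq $permission -and $_.AllowedMemberTypes -contains "Application" } |
        Select-Object -First 1
    if (-not $role) {
        Write-Warning "App role '$permission' not found on $($resource.DisplayName); skipping."
        continue
    }
    if ($existing | Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $resource.Id }) {
        Write-Host "'$permission' is already assigned; nothing to do."
        continue
    }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MiObjectId `
        -PrincipalId $MiObjectId -ResourceId $resource.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned '$permission' on $($resource.DisplayName) to $MiObjectId."
}

# Verification: resolve every app role the identity now holds to a readable resource/permission pair
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MiObjectId -All | ForEach-Object {
    $assignment = $_
    $sp = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
    [pscustomobject]@{
        Resource   = $sp.DisplayName
        Permission = ($sp.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }).Value
    }
}
```

Run it as .\Grant-MiAppRole.ps1 -MiObjectId "<object-id>" to grant the default Graph role, or pass -ResourceAppId and -Permissions to target Defender for Endpoint or another API. The final listing is also the command to keep for periodic review: the same Get-MgServicePrincipalAppRoleAssignment call, fed with each managed identity in the tenant, shows exactly which tenant-wide permissions your automation holds. To revoke one, take the assignment's Id from that listing and call Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MiObjectId -AppRoleAssignmentId <id>.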
📝 Notes
- You can use different app IDs depending on whether you're targeting Microsoft Graph, Defender for Endpoint (WindowsDefenderATP), or another API. Each API has its own service principal and its own set of app roles, so a permission name that exists on one (SecurityAlert.ReadWrite.All on Microsoft Graph) is not necessarily defined on another.
- Make sure the managed identity already exists and is enabled on the resource that will use it (Logic App, Function App, VM, and so on); the script needs its service principal object ID.
- These roles are application permissions (app roles), not delegated permissions: they apply tenant-wide with no signed-in user, and the assignment itself is the grant, so there is no separate consent step. Assign the narrowest role that does the job (for example SecurityAlert.Read.All if the workflow only reads alerts) and review assignments periodically.
✅ Summary
This script allows you to assign app role permissions like SecurityAlert.ReadWrite.All to an Azure managed identity. It's especially useful for automated workflows using Logic Apps, Azure Functions, or other services that need secure, permissioned access to APIs without storing any credentials.