How to create a service account in Azure Active Directory, grant it read only permissions to graph api in azure?

PURAM KRISHNA SUMANTH 26 Reputation points
2023-01-07T13:26:56.15+00:00

Hello All,

All are fine.

I am new to Azure, please provide Step by Step Process for the below question.

Question: How to create a service account in Azure Active Directory, grant it read only permissions to graph api in azure?

Waiting for your quick help.

Thanks & Regards,
Krishna P


Accepted answer
  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2023-01-09T07:56:01.997+00:00

    Hi @PURAM KRISHNA SUMANTH ,

    Thanks for reaching out.

    There are three types of service accounts in Azure Active Directory.

    a. Managed Identities
    b. Service Principals
    c. User-based service accounts

    These are accounts that represent an application, API, or other service.

    To create a service account in Azure Active Directory, you can follow these steps:

    1. Sign in to the Azure portal using your Azure account.
    2. In the left-hand menu, click on "Azure Active Directory".
    3. In the Azure Active Directory page, click on "App registrations" in the menu on the left.
    4. Click on the "New registration" button.
    5. Enter a name for the service account in the "Name" field.
    6. In the "Supported account types" section, select "Accounts in this organizational directory only" or select the appropriate options for your service account.
    7. Click on the "Register" button.


    You can then use this service account or service principal to authenticate to Azure resources and perform operations on behalf of your organization. As you create these service accounts for automated use, they're granted permissions to access resources in Azure and Azure AD.

    Grant the service account only the permissions necessary to perform its tasks, i.e. User.Read, by selecting app permissions in your registered application.


    User.Read is added by default as a permission on your registered application.

    Hope this will help.

    Thanks,
    Shweta


    Please remember to "Accept Answer" if answer helped you.

    1 person found this answer helpful.

3 additional answers

Sort by: Most helpful
  1. Nicolas Roche 411 Reputation points
    2023-01-07T13:36:45.857+00:00

    Hello,

    Use App Registration with Service Principal; a service account doesn't exist on Azure AD now, it is replaced by Application Registration and Service Principal or Managed Identity (it is the same).

    You have information here:

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    2 people found this answer helpful.

  2. Lau Hei Yuet Heily 1 Reputation point
    2023-01-07T13:30:27.137+00:00

    I think you can set up a non-functional environment in Cloud Manager, launch a single node system or HA pair in Azure with Cloud Volumes ONTAP.

  3. Bruce (SqlWork.com) 77,926 Reputation points Volunteer Moderator
    2024-10-18T22:56:33.1533333+00:00

    To call Graph API you need to define access.

    Access to Graph API is assigned to individual applications. The applications can be desktop, web, mobile, etc. The application is defined in the same Azure AD as the users. A unique application has an ApplicationID, which is often referred to as ClientID when requesting an access token.

    When you create the application you define the AD account type, the platform type and the reply URL, used by the application when logging in a user.

    What you do next depends on where your application is hosted.

    If it's an Azure application, you can define an Azure identity and apply Graph API roles to the identity:

    https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-microsoft-graph-as-app?tabs=azure-powershell

    If not, then you want to define a secret so the app can get an access token with the application access.

    You want to define the API permissions. These are what Azure API calls the app can make and the API permissions the app will have. In your case you want to call Graph API and define application permissions.

    Next, define authentication and allow access tokens.

    Next, you want to define a secret, so your application code can get an application access token based on the TenantID, ClientID, and secret value. You must save the secret value when you create the secret, as there is no way to retrieve it afterwards. If you lose the secret value, you must create a new one.

    Access token. A token represents an Azure tenant (TenantID), an application (ClientID)

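    The steps above (Shweta's portal registration with a minimal permission grant, and Bruce's description of the app token obtained from TenantID, ClientID and secret) can be checked from code: the following is an added example, not code from the thread or from Microsoft, that builds the client-credentials token request without sending it and then inspects a returned token's claims to confirm it carries only read-only Graph application roles for the expected tenant and application. The GUIDs, the `READ_ONLY_ROLES` allow-list and the unsigned sample token are constructed for the demonstration; a real Graph token is signed by Microsoft and only inspected, never signature-verified, by the calling app.

```python
import base64
import json
from urllib.parse import urlencode

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
READ_ONLY_ROLES = {"User.Read.All", "Directory.Read.All", "Group.Read.All"}  # assumed policy


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple[str, str]:
    """Return (token endpoint URL, form body) for the client-credentials grant.
    Nothing is sent from here; hand the pair to any HTTP client."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,  # .default = the app's consented application permissions
    })
    return url, body


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT used only so the checks below run offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def token_claims(access_token: str) -> dict:
    """Decode the JWT payload without verifying the signature: a Graph access
    token is addressed to Graph, so the caller only inspects it, never trusts it."""
    _header, payload, _signature = access_token.split(".")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def check_least_privilege(claims: dict, tenant_id: str, client_id: str) -> list[str]:
    """Return findings; an empty list means the token matches the intended grant."""
    findings = []
    if claims.get("tid") != tenant_id:
        findings.append(f"unexpected tenant: {claims.get('tid')}")
    # v1.0 tokens carry the client id in 'appid', v2.0 tokens in 'azp'.
    if claims.get("appid", claims.get("azp")) != client_id:
        findings.append(f"unexpected application: {claims.get('appid', claims.get('azp'))}")
    if "scp" in claims:
        findings.append("token carries delegated scopes (scp); expected application roles only")
    extra = set(claims.get("roles", [])) - READ_ONLY_ROLES
    if extra:
        findings.append(f"roles beyond read-only grant: {sorted(extra)}")
    return findings
```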
