How to set Microsoft Graph API permissions on Azure Managed Service Identity with bicep template

Suwani 50 Reputation points
2023-10-11T10:49:02.8166667+00:00

I have a requirement to set Microsoft Graph API permissions on an Azure Managed Service Identity with a Bicep template to automate the deployment. Also, I don't have access to the Azure portal to configure anything manually.


Accepted answer
James Hamil 22,426 Reputation points Microsoft Employee
2023-10-12T21:16:46.76+00:00

    Hi @Suwani , please try the following and let me know if it works for you.

    You can use the Microsoft.Authorization/roleAssignments resource type. Here is an example Bicep template that sets the User.Read.All permission on a system-assigned managed identity:

    param webAppName string

    // Existing web app whose system-assigned managed identity receives the role
    resource webApp 'Microsoft.Web/sites@2022-09-01' existing = {
      name: webAppName
    }

    resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
      name: guid(subscription().id, 'Microsoft.Authorization', 'roleAssignments', 'myRoleAssignment')
      scope: webApp // extension resource: the target is set at resource level, not inside properties
      properties: {
        principalId: webApp.identity.principalId
        roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' // Role ID for User.Read.All
      }
    }


    In this example, the roleAssignment resource assigns the User.Read.All role to the system-assigned managed identity of a web app. The principalId property is set to the principalId of the managed identity, and the roleDefinitionId property is set to the ID of the User.Read.All role. The scope property is set to the resource ID of the web app.

    You can modify this template to set different permissions or to assign roles to user-assigned managed identities. You can also use this template to assign roles to other Azure resources, such as virtual machines or storage accounts, by changing the scope property to the resource ID of the target resource.

    Once you have created the Bicep template, you can deploy it using the Azure CLI or Azure PowerShell. Here is an example command to deploy the template using the Azure CLI:

    az deployment group create --resource-group <resource-group-name> --template-file <path-to-template-file> --parameters <path-to-parameters-file>

    Replace <resource-group-name> with the name of the resource group where you want to deploy the template, <path-to-template-file> with the path to the Bicep template file, and <path-to-parameters-file> with the path to the parameters file (if you have one).

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

    1 person found this answer helpful.
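As an added example (not the answerer's code), the same roleAssignment pattern for a user-assigned managed identity, which the answer mentions but does not show: the identity is created in the template, the existing web app is the scope of the grant, and the role GUID is a parameter instead of a hard-coded value so the narrowest built-in role can be chosen. Resource names, API versions and parameter defaults are assumptions.

```bicep
// Added example: role assignment for a user-assigned managed identity (names and API versions are assumptions)
param location string = resourceGroup().location
param identityName string = 'example-uami'   // assumed identity name
param webAppName string                      // existing web app in this resource group
param roleDefinitionId string                // GUID of the built-in role to grant; use the narrowest role and scope that fit

// Create the user-assigned identity
resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

// The existing web app that is the scope of the grant
resource webApp 'Microsoft.Web/sites@2022-09-01' existing = {
  name: webAppName
}

// Extension resource: scope is set at the resource level, not inside properties
resource uamiRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Deterministic name built from deploy-time values, so redeploying is idempotent
  // instead of failing on a duplicate assignment
  name: guid(webApp.id, uami.id, roleDefinitionId)
  scope: webApp
  properties: {
    principalId: uami.properties.principalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
    // Declares the principal type explicitly, so a freshly created identity is not
    // rejected with PrincipalNotFound while the directory is still replicating it
    principalType: 'ServicePrincipal'
  }
}

output identityPrincipalId string = uami.properties.principalId
output identityClientId string = uami.properties.clientId
```

After deployment, the grant can be checked with `az role assignment list --assignee <identityPrincipalId> --scope <web app resource ID>`, which should list exactly the one role at the one scope the template intended.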

0 additional answers