unable to assign graph api permissions to managed identity

Question

We have a Data Factory instance with both a system and user assigned managed identity. We need these to be able to have the Group.Read.All Graph API permission and despite having Global Admin role, we are unable to assign this

Answer 1

Assign with powershell:

$managedIdentity = Get-MgServicePrincipal -ServicePrincipalId '<object id>'

$graphSPN = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

#Add the needed perm

$permission = "Group.Read.All"

#find app role and type

$appRole = $graphSPN.AppRoles |

Where-Object Value -eq $permission |

Where-Object AllowedMemberTypes -contains "Application"

$bodyParam = @{

PrincipalId = $managedIdentity.Id

ResourceId  = $graphSPN.Id

AppRoleId   = $appRole.Id

}

New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentity.Id -BodyParameter $bodyParam

Answer 2

Hello Nathan Carr

Thank you for reaching out to Microsoft Support!!

The issue you're encountering arises because managed identities in Azure (both system-assigned and user-assigned) cannot directly be granted Microsoft Graph API permissions like Group.Read.All through the Azure portal. This is a known limitation, as managed identities are not treated the same as service principals when it comes to assigning Graph API permissions.

You can submit this feature request using this support link, which will be monitored by Microsoft team and make the enhancements to Graph API.

Hope this helps.

If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.