Assign a managed identity access to an application role using PowerShell
Managed identities for Azure resources provide Azure services with an identity in Microsoft Entra ID. They work without needing credentials in your code. Azure services use this identity to authenticate to services that support Microsoft Entra authentication. Application roles provide a form of role-based access control, and allow a service to implement authorization rules.
Note
The tokens that your application receives are cached by the underlying infrastructure, which means that any changes to the managed identity's roles can take significant time to take effect. For more information, see Limitation of using managed identities for authorization.
In this article, you learn how to assign a managed identity to an application role exposed by another application using the Microsoft Graph PowerShell SDK.
Prerequisites
- If you're unfamiliar with managed identities for Azure resources, check out the overview section. Be sure to review the difference between a system-assigned and user-assigned managed identity.
- If you don't already have an Azure account, sign up for a free account before continuing.
- To run the example scripts, you have two options:
- Use the Azure Cloud Shell, which you can open using the Try It button on the top-right corner of code blocks.
- Run scripts locally by installing the latest version of the Microsoft Graph PowerShell SDK.
Assign a managed identity access to another application's app role
Enable managed identity on an Azure resource, such as an Azure VM.
Find the object ID of the managed identity's service principal.
For a system-assigned managed identity, you can find the object ID on the Azure portal on the resource's Identity page. You can also use the following PowerShell script to find the object ID. You'll need the resource ID of the resource you created in step 1, which is available in the Azure portal on the resource's Properties page.
$resourceIdWithManagedIdentity = '/subscriptions/{my subscription ID}/resourceGroups/{my resource group name}/providers/Microsoft.Compute/virtualMachines/{my virtual machine name}' (Get-AzResource -ResourceId $resourceIdWithManagedIdentity).Identity.PrincipalId
For a user-assigned managed identity, you can find the managed identity's object ID on the Azure portal on the resource's Overview page. You can also use the following PowerShell script to find the object ID. You'll need the resource ID of the user-assigned managed identity.
$userManagedIdentityResourceId = '/subscriptions/{my subscription ID}/resourceGroups/{my resource group name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{my managed identity name}' (Get-AzResource -ResourceId $userManagedIdentityResourceId).Properties.PrincipalId
Create a new application registration to represent the service that your managed identity will send a request to. If the API or service that exposes the app role grant to the managed identity already has a service principal in your Microsoft Entra tenant, skip this step. For example, if you want to grant the managed identity access to the Microsoft Graph API, you can skip this step.
Find the object ID of the service application's service principal. You can find this using the Azure portal. Go to Microsoft Entra ID and open the Enterprise applications page, then find the application and look for the Object ID. You can also find the service principal's object ID by its display name using the following PowerShell script:
$serverServicePrincipalObjectId = (Get-MgServicePrincipal -Filter "DisplayName eq '$applicationName'").Id
Note
Display names for applications are not unique, so you should verify that you obtain the correct application's service principal.
Add an app role to the application you created in step 3. You can create the role using the Azure portal or by using Microsoft Graph. For example, you could add an app role by running the following query on Graph explorer:
PATCH /applications/{id}/ { "appRoles": [ { "allowedMemberTypes": [ "User", "Application" ], "description": "Read reports", "id": "1e250995-3081-451e-866c-0f6efef9c638", "displayName": "Report reader", "isEnabled": true, "value": "report.read" } ] }
Assign the app role to the managed identity. You'll need the following information to assign the app role:
managedIdentityObjectId
: the object ID of the managed identity's service principal, which you found in step 2.serverServicePrincipalObjectId
: the object ID of the server application's service principal, which you found in step 4.appRoleId
: the ID of the app role exposed by the server app, which you generated in step 5 - in the example, the app role ID is0566419e-bb95-4d9d-a4f8-ed9a0f147fa6
.
Execute the following PowerShell command to add the role assignment:
New-MgServicePrincipalAppRoleAssignment ` -ServicePrincipalId $serverServicePrincipalObjectId ` -PrincipalId $managedIdentityObjectId ` -ResourceId $serverServicePrincipalObjectId ` -AppRoleId $appRoleId
Complete script
This example script shows how to assign an Azure web app's managed identity to an app role.
# Install the module.
# Install-Module Microsoft.Graph -Scope CurrentUser
# Your tenant ID (in the Azure portal, under Azure Active Directory > Overview).
$tenantID = '<tenant-id>'
# The name of your web app, which has a managed identity that should be assigned to the server app's app role.
$webAppName = '<web-app-name>'
$resourceGroupName = '<resource-group-name-containing-web-app>'
# The name of the server app that exposes the app role.
$serverApplicationName = '<server-application-name>' # For example, MyApi
# The name of the app role that the managed identity should be assigned to.
$appRoleName = '<app-role-name>' # For example, MyApi.Read.All
# Look up the web app's managed identity's object ID.
$managedIdentityObjectId = (Get-AzWebApp -ResourceGroupName $resourceGroupName -Name $webAppName).identity.principalid
Connect-MgGraph -TenantId $tenantId -Scopes 'Application.Read.All','Application.ReadWrite.All','AppRoleAssignment.ReadWrite.All','Directory.AccessAsUser.All','Directory.Read.All','Directory.ReadWrite.All'
# Look up the details about the server app's service principal and app role.
$serverServicePrincipal = (Get-MgServicePrincipal -Filter "DisplayName eq '$serverApplicationName'")
$serverServicePrincipalObjectId = $serverServicePrincipal.Id
$appRoleId = ($serverServicePrincipal.AppRoles | Where-Object {$_.Value -eq $appRoleName }).Id
# Assign the managed identity access to the app role.
New-MgServicePrincipalAppRoleAssignment `
-ServicePrincipalId $serverServicePrincipalObjectId `
-PrincipalId $managedIdentityObjectId `
-ResourceId $serverServicePrincipalObjectId `
-AppRoleId $appRoleId
Next steps
- Managed identity for Azure resources overview
- To enable managed identity on an Azure VM, see Configure managed identities for Azure resources on an Azure VM using PowerShell.
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for