
Streamlining Permission Management for System-Assigned Identities with Excel and PowerShell

Introduction

Managing permissions for system-assigned identities in Azure Automation and Azure Logic Apps can be tricky due to UI limitations, especially when dealing with Microsoft Graph permissions. This guide outlines how to use an Excel spreadsheet and PowerShell to delegate these permissions accurately. It aims to simplify permission assignment by explaining how the New-MgServicePrincipalAppRoleAssignment cmdlet is used for system-assigned identities, making the process more direct and manageable.

The Excel Spreadsheet: A Detailed Permission Guide

The heart of this guide is an Excel spreadsheet organized into three distinct pages: Microsoft Graph, Windows Defender ATP, and Microsoft Threat Protection. Version 1.0 of this spreadsheet includes permission sets specific to these services, offering a valuable resource for administrators tasked with managing system-assigned identities.

Excel Spreadsheet Structure

  • Microsoft Graph: This page lists permissions related to Microsoft Graph, detailing the various operations that can be performed through the Graph API.
  • Windows Defender ATP: Focuses on permissions for Defender for Endpoint, giving administrators the capability to manage devices and similar operations.
  • Microsoft Threat Protection: Contains permissions for Microsoft Threat Protection.

The spreadsheet serves not just as a reference but as a practical tool for streamlining the process of permission assignment. By consolidating permission names and details in one place, it enables a straightforward method for identifying and assigning the appropriate permissions to system-assigned identities.

Utilizing the Spreadsheet with PowerShell

With the required permissions identified within the spreadsheet, they can be effectively assigned using the New-MgServicePrincipalAppRoleAssignment cmdlet in PowerShell. This cmdlet necessitates the specification of several parameters for successful permission assignment:

  • AppRoleId: The unique identifier for the application role you wish to assign.
  • ServicePrincipalId: The identifier for the service principal associated with the application or service you are assigning permissions for.
  • ResourceId: This parameter typically requires the object ID of the resource service principal for which the role is being assigned.
  • PrincipalId: Represents the object ID of the system-assigned identity receiving the role assignment.

To obtain the ServicePrincipalId and ResourceID, use the Get-MgServicePrincipal cmdlet.
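The following script is an added example, not part of the original post or its spreadsheet: it reads the permissions you selected from the spreadsheet (assumed to be exported as a CSV with `Resource` and `Permission` columns), resolves the resource service principals and app roles with Get-MgServicePrincipal, and assigns them to the managed identity with New-MgServicePrincipalAppRoleAssignment, skipping roles that are already assigned so it can be re-run safely. The parameter names, the CSV layout and the `-WhatIf` switch are assumptions; the three application IDs are Microsoft's well-known first-party IDs for the resource APIs.

```powershell
# Added example (not from the original post): assign app roles listed in a CSV
# exported from the spreadsheet to a system-assigned managed identity.
# Assumed CSV columns: Resource (Microsoft Graph | WindowsDefenderATP | Microsoft Threat Protection)
# and Permission (e.g. User.Read.All). Requires the Microsoft.Graph PowerShell module.
param(
    [Parameter(Mandatory)] [string] $IdentityDisplayName,   # Automation account / Logic App name
    [Parameter(Mandatory)] [string] $CsvPath,
    [switch] $WhatIf                                        # report only, assign nothing
)

Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

# Well-known first-party application IDs of the three resource APIs covered by the spreadsheet
$resourceAppIds = @{
    'Microsoft Graph'             = '00000003-0000-0000-c000-000000000000'
    'WindowsDefenderATP'          = 'fc780465-2017-40d4-a0c5-307022471b92'
    'Microsoft Threat Protection' = '8ee8fdad-f234-4241-a3b9-9d5c76c7f5f3'
}

# PrincipalId (and ServicePrincipalId): the managed identity's own service principal object ID
$mi = Get-MgServicePrincipal -Filter "displayName eq '$IdentityDisplayName'"
if (@($mi).Count -ne 1) { throw "Expected exactly one service principal named '$IdentityDisplayName'" }

# Existing assignments, so re-running the script does not create duplicates
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -All

foreach ($row in Import-Csv -Path $CsvPath) {
    $appId = $resourceAppIds[$row.Resource]
    if (-not $appId) { Write-Warning "Unknown resource '$($row.Resource)' for $($row.Permission)"; continue }

    # ResourceId: object ID of the resource API's service principal in this tenant
    $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
    # AppRoleId: the application permission whose Value matches the spreadsheet name
    $role = $resourceSp.AppRoles |
        Where-Object { $_.Value -eq $row.Permission -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { Write-Warning "No application role '$($row.Permission)' on $($row.Resource)"; continue }

    if ($existing | Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $resourceSp.Id }) {
        Write-Host "Already assigned: $($row.Resource) / $($row.Permission)"; continue
    }
    if ($WhatIf) { Write-Host "Would assign $($row.Permission) on $($row.Resource)"; continue }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -PrincipalId $mi.Id `
        -ResourceId $resourceSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned $($row.Permission) on $($row.Resource) to $IdentityDisplayName"
}
```

Run it once with `-WhatIf` to review the resolved roles before anything is written, since application permissions granted to a managed identity apply tenant-wide.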


Contact me

If you’re interested in learning about Streamlining Permission Management for System-Assigned Identities with Excel and PowerShell, I can help you understand how this solution can benefit your organization and provide a customized solution tailored to your specific needs.
