Introduction
Granting Microsoft Graph permissions to the system-assigned managed identities of Azure Automation accounts and Azure Logic Apps is awkward in the Azure portal: the API permissions blade is not available for managed identities, so the assignment has to be done through the Graph API. This guide uses an Excel spreadsheet as a catalogue of the available permissions and the New-MgServicePrincipalAppRoleAssignment cmdlet from the Microsoft Graph PowerShell SDK to assign them. Note that what a managed identity receives are application permissions (app roles assigned to a service principal), not delegated permissions; the identity acts in its own right, with no signed-in user.
The Excel Spreadsheet: A Detailed Permission Guide
The heart of this guide is an Excel spreadsheet organized into three worksheets: Microsoft Graph, Windows Defender ATP, and Microsoft Threat Protection. Version 1.0 of the spreadsheet lists the permission sets exposed by these three resource applications, giving administrators who manage system-assigned identities a single reference to work from.
Excel Spreadsheet Structure
- Microsoft Graph: Lists the application permissions (app roles) exposed by the Microsoft Graph service principal, with a description of the operations each one allows against the Graph API.
- Windows Defender ATP: Lists the application permissions of Microsoft Defender for Endpoint, whose service principal still carries the legacy name WindowsDefenderATP, such as reading and managing devices.
- Microsoft Threat Protection: Lists the application permissions of the Microsoft Threat Protection API, the API used by Microsoft 365 Defender.
The spreadsheet serves not just as a reference but as a practical tool for streamlining the process of permission assignment. By consolidating permission names and details in one place, it enables a straightforward method for identifying and assigning the appropriate permissions to system-assigned identities.
Utilizing the Spreadsheet with PowerShell
With the required permissions identified in the spreadsheet, assign them with the New-MgServicePrincipalAppRoleAssignment cmdlet. It issues a POST to the appRoleAssignments collection of a service principal and takes four parameters, two of which are easy to confuse:
- ServicePrincipalId: The object ID of the service principal whose appRoleAssignments collection receives the new entry. For a system-assigned identity this is the identity's own service principal, not the resource being accessed.
- PrincipalId: The object ID of the system-assigned identity receiving the role. For this cmdlet it is the same value as ServicePrincipalId.
- ResourceId: The object ID of the resource service principal that exposes the permission. For Graph permissions this is the Microsoft Graph service principal in your tenant.
- AppRoleId: The GUID of the app role to assign. This is the role's Id, not its Value string (such as User.Read.All); look it up in the AppRoles collection of the resource service principal.
Use Get-MgServicePrincipal to obtain the object IDs and the AppRoles collection. Filtering on appId is more reliable than on display name, because an application's appId is identical in every tenant while the service principal's object ID is tenant-specific. Keep in mind that assigning an app role is equivalent to granting tenant-wide admin consent for that application permission, with no further approval step: the account running the cmdlet needs AppRoleAssignment.ReadWrite.All, which is itself a highly privileged scope, and each role you grant should be the least the runbook or workflow actually needs.
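The following PowerShell is an added example, not a script from the original guide. It wraps the procedure above in a function that resolves the resource service principal by appId, looks each permission name up in that principal's AppRoles collection, skips roles that are already assigned or that are not application permissions, and then calls New-MgServicePrincipalAppRoleAssignment with the four parameters described. The Automation account name aa-prod-automation, the permission names, and the use of Microsoft Graph's well-known appId 00000003-0000-0000-c000-000000000000 are assumptions for the demonstration; the required SDK modules and Graph scopes are as stated in the comments.

```powershell
# Added example (not part of the original guide). Assigns application permissions
# (app roles) by name to a system-assigned managed identity.
# Assumptions: the Microsoft.Graph PowerShell SDK is installed and the signed-in
# caller holds Application.Read.All and AppRoleAssignment.ReadWrite.All.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications

function Grant-ManagedIdentityAppRoles {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $ManagedIdentityObjectId,  # object Id of the identity's service principal
        [Parameter(Mandatory)] [string]   $ResourceAppId,            # appId of the resource, e.g. Microsoft Graph
        [Parameter(Mandatory)] [string[]] $PermissionNames           # role Value strings, e.g. 'User.Read.All'
    )

    # The principal that will receive the roles: the managed identity itself.
    $mi = Get-MgServicePrincipal -ServicePrincipalId $ManagedIdentityObjectId

    # The resource exposing the roles. appId is stable across tenants, the object Id is not.
    $resource = Get-MgServicePrincipal -Filter "appId eq '$ResourceAppId'"
    if (-not $resource) {
        throw "No service principal with appId $ResourceAppId exists in this tenant (the API may never have been consented to)."
    }

    # Current assignments, so re-running the function does not create duplicates.
    $existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -All

    foreach ($name in $PermissionNames) {
        # Only roles that allow the 'Application' member type can be granted to a service
        # principal; delegated scopes (OAuth2PermissionScopes) are a different collection.
        $role = $resource.AppRoles | Where-Object {
            $_.Value -eq $name -and $_.IsEnabled -and $_.AllowedMemberTypes -contains 'Application'
        }
        if (-not $role) {
            Write-Warning "'$name' is not an application permission exposed by $($resource.DisplayName); skipping."
            continue
        }

        $already = $existing | Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $resource.Id }
        if ($already) {
            Write-Verbose "'$name' is already assigned to $($mi.DisplayName); skipping."
            continue
        }

        if ($PSCmdlet.ShouldProcess($mi.DisplayName, "Assign $name from $($resource.DisplayName)")) {
            # ServicePrincipalId and PrincipalId are both the managed identity;
            # ResourceId is the resource's object Id; AppRoleId is the role GUID, not its Value.
            New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id `
                -PrincipalId $mi.Id `
                -ResourceId  $resource.Id `
                -AppRoleId   $role.Id
        }
    }

    # Return the resulting assignments so the caller can verify what the identity now holds.
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -All |
        Select-Object PrincipalDisplayName, ResourceDisplayName, AppRoleId
}

# Usage with assumed values. 'aa-prod-automation' is a hypothetical Automation account;
# its system-assigned identity's service principal carries the same display name.
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All'
$identity = Get-MgServicePrincipal -Filter "displayName eq 'aa-prod-automation'"

Grant-ManagedIdentityAppRoles -ManagedIdentityObjectId $identity.Id `
    -ResourceAppId '00000003-0000-0000-c000-000000000000' `
    -PermissionNames 'User.Read.All', 'Group.Read.All' `
    -WhatIf   # drop -WhatIf once the planned assignments look right
```

The -WhatIf run prints the assignments the function would make without changing anything, which is worth doing first: an app-role assignment takes effect immediately and grants the identity that permission against the whole tenant. To assign Defender for Endpoint or Microsoft Threat Protection permissions from the other two worksheets, pass that service's appId as -ResourceAppId; if the resource's service principal is absent from the tenant, the function stops rather than silently granting nothing.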