Tags: azure-pipelines, microsoft-graph-sdks

Using MS Graph PowerShell SDK in Azure pipeline for granting access to Managed identity


I am deploying an Azure function that needs to access the Microsoft Graph API (reading app registrations) using a Managed Identity. The function is deployed using Azure Pipelines, which means the pipeline needs to provision the MI with the permissions necessary to read app registrations. I have taken the approach below to accomplish this, and I am facing a permission issue while provisioning the access:

  • The Azure pipeline service connection has the app roles Application.ReadWrite.All and ServicePrincipalEndpoint.ReadWrite.All.
  • The app role assignment to the MI is done using the Microsoft Graph PowerShell SDK (in a PowerShell pipeline task). The relevant code is below:
Install-Module Microsoft.Graph -Scope CurrentUser

# Reuse the Az context of the pipeline service connection to mint tokens for the two Graph endpoints
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com").AccessToken
# Legacy Azure AD Graph token; not used by the Microsoft.Graph cmdlets below
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken

# Note: Microsoft.Graph 2.x expects -AccessToken as a SecureString; 1.x accepts the plain string used here
Connect-MgGraph -AccessToken $graphToken
# $AppPrincipalId is the object id of the managed identity's service principal, supplied by the pipeline
$AppPrincipal = Get-MgServicePrincipal -Filter "Id eq '$AppPrincipalId'"
Write-Host "AppPrincipal: $($AppPrincipal.DisplayName) ($($AppPrincipal.Id))"
# 00000003-0000-0000-c000-000000000000 is the well-known appId of the Microsoft Graph service principal
$GraphServicePrincipal = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Look up the application (not delegated) app role to grant
$PermissionName = "Application.Read.All"
$AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
$appRoleAssignment = @{
    "principalId" = $AppPrincipal.Id
    "resourceId"  = $GraphServicePrincipal.Id
    "appRoleId"   = $AppRole.Id
}
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AppPrincipal.Id -BodyParameter $appRoleAssignment | Format-List

While executing the Get-MgServicePrincipal statement, the following error is thrown:

##[error]Insufficient privileges to complete the operation.

I had similar code working with Get-AzureADServicePrincipal, but I am not able to figure out how to accomplish this with the MG PowerShell SDK (the AzureAD module will soon be deprecated). What am I doing wrong in the implementation?


Solution

  • I was able to resolve the pipeline permission issue after granting Directory.Read.All (required for Get-MgServicePrincipal) and AppRoleAssignment.ReadWrite.All (required for New-MgServicePrincipalAppRoleAssignment). Below is the full list of permissions required to accomplish the app role assignment from the pipeline, scoped to app registration and service principal registration using the Graph API:

[screenshot: list of Graph application permissions granted to the pipeline service connection]
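As an added example (not the poster's code), the script below builds on the accepted solution: before calling Graph it inspects the service connection's own token for the two app roles the answer names, so a missing permission fails fast with a clear message instead of "Insufficient privileges", and it makes the assignment idempotent so re-running the pipeline does not error. $GraphToken (the raw JWT acquired as in the question) and $AppPrincipalId are assumed pipeline inputs.

```powershell
# Added example: pre-flight permission check plus idempotent app role assignment.
# Assumes $GraphToken and $AppPrincipalId are passed in by the pipeline task.
param(
    [Parameter(Mandatory)] [string] $GraphToken,
    [Parameter(Mandatory)] [string] $AppPrincipalId,
    [string] $PermissionName = "Application.Read.All"
)

# Decode the JWT payload to read the 'roles' claim of our own token (no signature check is
# needed here: we are not trusting the token, only reporting what Graph will see in it).
function Get-JwtRoles([string] $Jwt) {
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
    return @($claims.roles)
}

# App roles the answer above found necessary for the two Graph calls
$required = @("Directory.Read.All", "AppRoleAssignment.ReadWrite.All")
$granted  = Get-JwtRoles $GraphToken
$missing  = $required | Where-Object { $_ -notin $granted }
if ($missing) {
    throw "Service connection token lacks required app role(s): $($missing -join ', ')"
}

# Microsoft.Graph 2.x takes the token as a SecureString
Connect-MgGraph -AccessToken ($GraphToken | ConvertTo-SecureString -AsPlainText -Force) -NoWelcome

# Microsoft Graph's service principal is always appId 00000003-0000-0000-c000-000000000000
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$appRole = $graphSp.AppRoles |
    Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application" }
if (-not $appRole) { throw "App role '$PermissionName' not found on the Microsoft Graph service principal" }

# Idempotent: skip the POST if the managed identity already holds this role on Graph
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AppPrincipalId |
    Where-Object { $_.AppRoleId -eq $appRole.Id -and $_.ResourceId -eq $graphSp.Id }
if ($existing) {
    Write-Host "Managed identity already has $PermissionName; nothing to do."
} else {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AppPrincipalId -BodyParameter @{
        principalId = $AppPrincipalId
        resourceId  = $graphSp.Id
        appRoleId   = $appRole.Id
    } | Format-List
}
```

The roles check reads the same token the pipeline will present to Graph, so it reports exactly the application permissions the service connection has actually been granted admin consent for.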