Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. You can grant API permissions directly to a managed identity's service principal, eliminating the need to store credentials in code or configuration files.
In this article, you learn how to grant and revoke Microsoft Graph API permissions for both system-assigned and user-assigned managed identities using Microsoft Entra PowerShell.
Prerequisites
- A Microsoft Entra user account. If you don't already have one, you can create an account for free.
- Install the Microsoft Entra PowerShell module.
- An Azure resource with either a system-assigned or user-assigned managed identity enabled.
- To grant API permissions to managed identities, you need one of the following roles:
- Privileged Role Administrator (required when granting permissions to Microsoft Graph or other Microsoft first-party applications)
- Application Administrator
- Cloud Application Administrator
Grant API permissions to a managed identity
Follow these steps to grant Microsoft Graph API permissions to your managed identity.
Connect to Microsoft Entra
To grant API permissions to managed identities, connect with the Application.ReadWrite.All and AppRoleAssignment.ReadWrite.All scopes:
Connect-Entra -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
Caution
The AppRoleAssignment.ReadWrite.All permission allows an app or service to manage permission grants and elevate privileges for any app, user, or group in your organization. Only grant this permission to trusted administrators.
Identify the managed identity service principal
Find the service principal that represents your managed identity in Microsoft Entra ID.
For system-assigned managed identities, use the Azure resource name:
$managedIdentityName = "MyAzureVM"
$managedIdentitySP = Get-EntraServicePrincipal -Filter "displayName eq '$managedIdentityName' and servicePrincipalType eq 'ManagedIdentity'"
if (-not $managedIdentitySP) {
    Write-Error "Managed identity service principal '$managedIdentityName' not found." -ErrorAction Stop
}
Write-Host "Found managed identity service principal:"
Write-Host "Display Name: $($managedIdentitySP.DisplayName)"
Write-Host "Object ID: $($managedIdentitySP.Id)"
Note
If the filter returns multiple results (for example, when multiple managed identities share the same display name), use the object ID to identify the correct service principal:
Get-EntraServicePrincipal -ServicePrincipalId '<object-id>'
For user-assigned managed identities, use the managed identity name:
$userAssignedMIName = "MyUserAssignedMI"
$managedIdentitySP = Get-EntraServicePrincipal -Filter "displayName eq '$userAssignedMIName' and servicePrincipalType eq 'ManagedIdentity'"
if (-not $managedIdentitySP) {
    Write-Error "Managed identity service principal '$userAssignedMIName' not found." -ErrorAction Stop
}
Get the Microsoft Graph service principal
Retrieve the Microsoft Graph service principal:
$graphServicePrincipal = Get-EntraServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
Identify the required API permissions
Find the specific Microsoft Graph permissions your managed identity requires:
$appRole = $graphServicePrincipal.AppRoles | Where-Object { $_.Value -eq "User.Read.All" }
Grant API permissions to the managed identity
Grant the API permission to your managed identity:
$params = @{
    ServicePrincipalId = $managedIdentitySP.Id
    PrincipalId        = $managedIdentitySP.Id
    ResourceId         = $graphServicePrincipal.Id
    AppRoleId          = $appRole.Id
}
$appRoleAssignment = New-EntraServicePrincipalAppRoleAssignment @params
Verify the granted permissions
Confirm that the permissions have been successfully granted:
$assignments = Get-EntraServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentitySP.Id
Write-Host "Current app role assignments for $($managedIdentitySP.DisplayName):"
foreach ($assignment in $assignments) {
    $resource = Get-EntraServicePrincipal -ServicePrincipalId $assignment.ResourceId
    $assignedRole = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
    Write-Host "- Resource: $($resource.DisplayName)"
    Write-Host "  Permission: $($assignedRole.Value)"
}
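The grant steps above can be combined into one re-runnable helper. This is an added example, not code from the article: it assumes an active Connect-Entra session with the scopes listed earlier and the $managedIdentitySP and $graphServicePrincipal objects obtained as shown, checks that each requested value is an enabled application permission (managed identities cannot hold delegated permissions), and skips roles that are already assigned so re-running it never creates duplicate grants.

```powershell
# Added example (not from the article): idempotent grant of Graph application permissions.
# Assumes $managedIdentitySP and $graphServicePrincipal were retrieved as shown above.
function Grant-ManagedIdentityGraphPermission {
    param(
        [Parameter(Mandatory)] $ManagedIdentitySP,      # managed identity service principal object
        [Parameter(Mandatory)] $GraphSP,                # Microsoft Graph service principal object
        [Parameter(Mandatory)] [string[]] $Permissions  # e.g. 'User.Read.All'
    )

    # Existing assignments are fetched once so each requested role can be compared against them
    $existing = Get-EntraServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentitySP.Id

    foreach ($permission in $Permissions) {
        # Only enabled application permissions can be assigned to a service principal
        $role = $GraphSP.AppRoles | Where-Object {
            $_.Value -eq $permission -and
            $_.AllowedMemberTypes -contains 'Application' -and
            $_.IsEnabled
        }
        if (-not $role) {
            Write-Warning "Skipping '$permission': not an enabled Microsoft Graph application permission."
            continue
        }

        # Skip roles that are already granted for this resource
        $already = $existing | Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $GraphSP.Id }
        if ($already) {
            Write-Host "Already granted: $permission"
            continue
        }

        $params = @{
            ServicePrincipalId = $ManagedIdentitySP.Id
            PrincipalId        = $ManagedIdentitySP.Id
            ResourceId         = $GraphSP.Id
            AppRoleId          = $role.Id
        }
        New-EntraServicePrincipalAppRoleAssignment @params | Out-Null
        Write-Host "Granted: $permission"
    }
}

# Usage: grant only the permissions the workload needs, in a single call
Grant-ManagedIdentityGraphPermission -ManagedIdentitySP $managedIdentitySP -GraphSP $graphServicePrincipal -Permissions 'User.Read.All'
```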
Revoke API permissions from a managed identity
Follow these steps to revoke Microsoft Graph API permissions from your managed identity.
Identify the permission to remove
Find the specific app role assignment to revoke:
$assignmentToRemove = Get-EntraServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentitySP.Id |
    Where-Object { $_.AppRoleId -eq $appRole.Id -and $_.ResourceId -eq $graphServicePrincipal.Id }
Remove the app role assignment
Delete the app role assignment using its ID:
if ($assignmentToRemove) {
    Remove-EntraServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentitySP.Id -AppRoleAssignmentId $assignmentToRemove.Id
    Write-Host "Successfully removed permission: $($appRole.Value)"
}
Verify the permission was removed
Confirm that no assignments remain for the revoked permission:
$remainingAssignments = Get-EntraServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentitySP.Id
if ($remainingAssignments) {
    Write-Host "Remaining permissions for $($managedIdentitySP.DisplayName):"
    foreach ($assignment in $remainingAssignments) {
        $resource = Get-EntraServicePrincipal -ServicePrincipalId $assignment.ResourceId
        $assignedRole = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        Write-Host "- $($assignedRole.Value) on $($resource.DisplayName)"
    }
} else {
    Write-Host "No app role assignments remain for $($managedIdentitySP.DisplayName)."
}
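Verifying one identity at a time, as above, does not show which other managed identities in the tenant hold broad Graph permissions. The following added example (not from the article) builds a tenant-wide review using the same cmdlets: it lists every managed identity's Microsoft Graph application permissions and flags those on a constructed watch-list so a reviewer can decide which grants to revoke. It assumes an active Connect-Entra session with the scopes used earlier and that the -All switch of Get-EntraServicePrincipal pages through all service principals; the watch-list values are illustrative.

```powershell
# Added example (not from the article): tenant-wide review of managed identity Graph permissions.
# Resolve Microsoft Graph once and build an AppRoleId -> permission value lookup
$graphSP = Get-EntraServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleById = @{}
foreach ($role in $graphSP.AppRoles) { $roleById[[string]$role.Id] = $role.Value }

# Constructed watch-list of broad permissions that warrant a second look; adapt to your policy
$watchList = @(
    'Directory.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory',
    'AppRoleAssignment.ReadWrite.All',
    'Application.ReadWrite.All'
)

# -All is assumed to return every matching service principal rather than the first page
$managedIdentities = Get-EntraServicePrincipal -Filter "servicePrincipalType eq 'ManagedIdentity'" -All

$report = foreach ($mi in $managedIdentities) {
    # Keep only assignments whose resource is Microsoft Graph
    $assignments = Get-EntraServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id |
        Where-Object { $_.ResourceId -eq $graphSP.Id }
    foreach ($a in $assignments) {
        $permission = $roleById[[string]$a.AppRoleId]
        [pscustomobject]@{
            ManagedIdentity = $mi.DisplayName
            ObjectId        = $mi.Id
            Permission      = $permission
            HighPrivilege   = ($watchList -contains $permission)
        }
    }
}

# Flagged grants sort to the top; each one is a candidate for the revoke steps above
$report | Sort-Object HighPrivilege -Descending | Format-Table -AutoSize
$report | Where-Object HighPrivilege | ForEach-Object {
    Write-Warning "$($_.ManagedIdentity) ($($_.ObjectId)) holds $($_.Permission); confirm it is still required."
}
```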