mattbalzan · January 22, 2025 17:20
diff --git a/SetAzureMSI-GraphPermissions.ps1 b/SetAzureMSI-GraphPermissions.ps1
 $TenantID = "<tenantID>"
 $ManagedIdentity = "<MSI name>"
 $Permissions = @("DeviceManagementManagedDevices.Read.All", "DeviceManagementManagedDevices.ReadWrite.All", "AuditLog.Read.All", "User.Read.All")
 $GraphAppId = "00000003-0000-0000-c000-000000000000"

 Connect-AzureAD -TenantId $TenantID
 $ManagedIdentityServicePrincipal = (Get-AzureADServicePrincipal -Filter "displayName eq '$ManagedIdentity'")
 $GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

 foreach ($Permission in $Permissions)
    {
    $AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $Permission -and $_.AllowedMemberTypes -contains "Application"}
    New-AzureAdServiceAppRoleAssignment -ObjectId $ManagedIdentityServicePrincipal.ObjectId -PrincipalId $ManagedIdentityServicePrincipal.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
    }
	$TenantID = "<tenantID>"
	$ManagedIdentity = "<MSI name>"
	$Permissions = @("DeviceManagementManagedDevices.Read.All", "DeviceManagementManagedDevices.ReadWrite.All", "AuditLog.Read.All", "User.Read.All")
	$GraphAppId = "00000003-0000-0000-c000-000000000000"

	Connect-AzureAD -TenantId $TenantID
	$ManagedIdentityServicePrincipal = (Get-AzureADServicePrincipal -Filter "displayName eq '$ManagedIdentity'")
	$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

	foreach ($Permission in $Permissions)
	{
	$AppRole = $GraphServicePrincipal.AppRoles \| Where-Object {$_.Value -eq $Permission -and $_.AllowedMemberTypes -contains "Application"}
	New-AzureAdServiceAppRoleAssignment -ObjectId $ManagedIdentityServicePrincipal.ObjectId -PrincipalId $ManagedIdentityServicePrincipal.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
	}