Overview

The preferred means of granting an Automation Account or LogicApp access to Microsoft Graph is via a system-assigned Managed Identity.

A Managed Identity offers a greater level of security because the workload never holds a credential: Azure issues tokens to the resource directly, so there is no secret to store in the Automation Account or LogicApp, in a Key Vault, or in source control.

Using this approach:

  • There are no secrets or certificates to rotate; and
  • The identity is tied directly to the resource (a system-assigned identity is created with the resource and removed when the resource is deleted)

A current Azure Portal limitation means a Managed Identity cannot be granted Microsoft Graph application permissions (app roles) through the user interface: the Enterprise Applications blade will display the permissions once assigned, but offers no way to add them. The assignment has to be made via PowerShell or the Microsoft Graph API.

The following PowerShell snippet shows how an app role may be assigned. Note that app role assignments are tenant-wide grants, so the account running it needs rights to grant application permissions (for example the Global Administrator or Privileged Role Administrator role).

PowerShell Script

This snippet depends upon the AzureAD or AzureADPreview PowerShell modules. Both modules have since been retired by Microsoft in favour of the Microsoft Graph PowerShell SDK (the Microsoft.Graph module); the snippet is kept as written for environments that still have the AzureAD module installed.

$ErrorActionPreference = "Stop"

# Reuse an existing AzureAD session if there is one; otherwise sign in.
# The signed-in account must be permitted to grant application permissions
# (for example Global Administrator or Privileged Role Administrator).
try {
    Get-AzureADTenantDetail | Out-Null
}
catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] {
    Connect-AzureAD
}

# Select your Azure Resource (ie LogicApp or Automation Account)
# Account Settings -> Identity
# Enable the system-assigned Managed Identity as required.

# Copy the created Object (principal) ID to the below:
$ManagedIdentityObjectId = 'abcd...'

# Enter the application permission you require. Use the narrowest permission
# that covers the task: User.ReadWrite.All is shown only as an example and is a
# highly privileged, tenant-wide grant.
$Permission = "User.ReadWrite.All"

# Get the instance of Microsoft Graph in the tenant
# (00000003-0000-0000-c000-000000000000 is the well-known AppId of Microsoft Graph)
$ServicePrincipal = Get-AzureADServicePrincipal `
    -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# View all application roles with:
# $ServicePrincipal.AppRoles | Where-Object { $_.AllowedMemberTypes -contains "Application" }

# Get the app role (application permission) relevant to our Automation Account
# or LogicApp. Delegated permissions are not app roles, so a Managed Identity
# can only be granted roles whose AllowedMemberTypes includes "Application".
$AppRole = $ServicePrincipal.AppRoles |
    Where-Object { $_.Value -eq $Permission -and $_.AllowedMemberTypes -contains "Application" }

if (-not $AppRole) {
    throw "Application permission '$Permission' was not found on Microsoft Graph."
}

# Skip the assignment if the identity already holds this role; creating a
# duplicate assignment fails with an error.
$Existing = Get-AzureADServiceAppRoleAssignedTo -ObjectId $ManagedIdentityObjectId |
    Where-Object {
        $_.PrincipalId -eq $ManagedIdentityObjectId -and
        $_.ResourceId -eq $ServicePrincipal.ObjectId -and
        $_.Id -eq $AppRole.Id
    }

if ($Existing) {
    Write-Host "'$Permission' is already assigned to $ManagedIdentityObjectId"
}
else {
    # Assign to the Managed Identity. ObjectId and PrincipalId are both the
    # Managed Identity; ResourceId is Microsoft Graph; Id is the app role.
    New-AzureADServiceAppRoleAssignment -ObjectId $ManagedIdentityObjectId `
        -PrincipalId $ManagedIdentityObjectId `
        -ResourceId $ServicePrincipal.ObjectId `
        -Id $AppRole.Id
}

# View/Verify the result via
# 1. Azure Active Directory
# 2. Enterprise Applications
# 3. Managed Identities -> Select your Managed Identity
# 4. View Permissions
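Because the AzureAD module has been retired, the same assignment is shown below using the Microsoft Graph PowerShell SDK. This is an added example and is not code from the original page; it assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the Application.Read.All and AppRoleAssignment.ReadWrite.All scopes, and that the Object ID and permission value are placeholders to be replaced. It goes slightly beyond the AzureAD snippet by resolving the assignments back to their permission names so the result can be verified from the shell rather than the Portal.

```powershell
# Added example (Microsoft Graph PowerShell SDK), not part of the original page.
$ErrorActionPreference = "Stop"

# Scopes needed: read service principals and write app role assignments.
Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All"

# Placeholders (assumptions): your Managed Identity's Object (principal) ID and
# the narrowest application permission that covers the task.
$ManagedIdentityObjectId = 'abcd...'
$Permission = "User.Read.All"

# Microsoft Graph's well-known AppId
$GraphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Only roles that allow "Application" members can be granted to a Managed Identity.
$AppRole = $GraphSp.AppRoles |
    Where-Object { $_.Value -eq $Permission -and $_.AllowedMemberTypes -contains "Application" }
if (-not $AppRole) {
    throw "Application permission '$Permission' was not found on Microsoft Graph."
}

# Idempotency check: roles the identity already holds on Microsoft Graph.
$Existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentityObjectId -All |
    Where-Object { $_.ResourceId -eq $GraphSp.Id -and $_.AppRoleId -eq $AppRole.Id }

if ($Existing) {
    Write-Host "'$Permission' is already assigned to $ManagedIdentityObjectId"
}
else {
    # ServicePrincipalId and PrincipalId are both the Managed Identity;
    # ResourceId is Microsoft Graph; AppRoleId is the app role being granted.
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentityObjectId `
        -PrincipalId $ManagedIdentityObjectId `
        -ResourceId $GraphSp.Id `
        -AppRoleId $AppRole.Id | Out-Null
    Write-Host "Assigned '$Permission' to $ManagedIdentityObjectId"
}

# Verify from the shell: map each Graph assignment back to its permission name.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentityObjectId -All |
    Where-Object { $_.ResourceId -eq $GraphSp.Id } |
    ForEach-Object {
        $roleId = $_.AppRoleId
        [pscustomobject]@{
            AssignmentId = $_.Id
            Permission   = ($GraphSp.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
        }
    }
```

The verification output lists the AssignmentId alongside each permission, which is also what is needed to revoke a grant later (Remove-MgServicePrincipalAppRoleAssignment takes the Managed Identity's ID and that AssignmentId). Reviewing this list periodically is a cheap way to catch permission creep on automation identities.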