Comments on: Using Managed Identities with the Microsoft Graph SDK and Teams PowerShell Modules
https://practical365.com/managed-identity-powershell/
Practical Office 365 News, Tips, and Tutorials, Wed, 17 Jan 2024 15:17:28 +0000

By: Tony Redmond https://practical365.com/managed-identity-powershell/#comment-262291 Sun, 07 May 2023 15:53:09 +0000 In reply to David Remillard.

Nope. Never tried. What’s the source of this information?

By: David Remillard https://practical365.com/managed-identity-powershell/#comment-262178 Sat, 06 May 2023 18:19:03 +0000 Thanks, Tony. Have you tried to connect to a remote tenant from a runbook in a source tenant? I read somewhere that you can have a remote tenant approve it using https://login.microsoftonline.com/{TARGET_TENANT_ID}/adminconsent?client_id={APP_REGISTRATION_CLIENT_ID}&redirect_uri={REDIRECT_URI}. (This would reference the application reg associated with the managed identity for the automation account).

It seems to work, but then when I try to get a token and pass it into get-pnpteamsteam, the results are still coming from my source tenant. I’d be interested to hear what you think.

By: Tony Redmond https://practical365.com/managed-identity-powershell/#comment-251411 Tue, 17 Jan 2023 10:40:40 +0000 In reply to T.

The permissions to manage service principals require you to read and update information about apps and the directory, hence the ones that you found you needed.

By: T https://practical365.com/managed-identity-powershell/#comment-251370 Tue, 17 Jan 2023 03:00:32 +0000 I had the same issue with Get-MgServicePrincipal. It returned “Insufficient privileges”.

Using “Find-MgGraphCommand -Command Get-MgServicePrincipal | Select -First 1 -ExpandProperty Permissions” it told me I needed the permissions below. After adding them to the -Scopes parameter the command worked.

Application.Read.All
Application.ReadWrite.All
Directory.Read.All
Directory.ReadWrite.All

By: Tony Redmond https://practical365.com/managed-identity-powershell/#comment-248759 Thu, 22 Dec 2022 10:48:48 +0000 In reply to Martin.

You definitely need administrative rights to set permissions for a service principal. If you didn’t, then anyone could assign permissions and that wouldn’t be a good thing. I’m not sure exactly which admin role is necessary: https://learn.microsoft.com/en-us/azure/active-directory/roles/concept-understand-roles offers guidance that “Azure AD-specific roles: These roles grant permissions to manage resources within Azure AD only. For example, User Administrator, Application Administrator, Groups Administrator all grant permissions to manage resources that live in Azure AD.” As a matter of routine, I use Global Administrator. Maybe Security administrator would work too.

By: Martin https://practical365.com/managed-identity-powershell/#comment-248738 Thu, 22 Dec 2022 03:53:28 +0000 In reply to Martin.

I forgot to mention that I’m connecting to MgGraph this way, using my non-global-admin account: Connect-MgGraph -UseDeviceAuthentication -Scope AppRoleAssignment.ReadWrite.All

By: Martin https://practical365.com/managed-identity-powershell/#comment-248736 Thu, 22 Dec 2022 03:31:51 +0000 Hi Tony, does the account connecting to PowerShell Graph need to be a global admin to set permissions on the managed identity’s SPN? If I can use a non-global admin, what would I need to do on the managed identity’s SPN to be able to set permissions with this account? I tried adding the account to the managed identity app’s “Cloud Application Administrator” role, but when running New-MgServicePrincipalAppRoleAssignment, it says “Insufficient privileges to complete the operation.”

Thanks!

By: Tony Redmond https://practical365.com/managed-identity-powershell/#comment-245241 Fri, 21 Oct 2022 17:24:22 +0000 In reply to Joerg.

I believe that you need the AppRoleAssignment.ReadWrite.All. At least, that’s what I use in https://office365itpros.com/2022/10/13/exchange-online-powershell-app/

By: Joerg https://practical365.com/managed-identity-powershell/#comment-245229 Fri, 21 Oct 2022 13:56:09 +0000 I tried to assign the Graph API permissions via New-MgServicePrincipalAppRoleAssignment.
However, it always fails with “New-MgServicePrincipalAppRoleAssignment_Create1: Insufficient privileges to complete the operation.”
I am signed in with a user having the Global Admin permissions. Maybe I am missing a permission scope, but I cannot get it to work.
Using the old AzureAD cmdlet it worked immediately.
Which scopes do I need to provide when connecting to mg-graph in order to be able to execute “New-MgServicePrincipalAppRoleAssignment”?

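The scope and cmdlet discussion in Joerg's question, Tony's reply and T's comment above, put into one script as an added example (not code from the article or from any commenter): it connects with the AppRoleAssignment.ReadWrite.All scope, uses Find-MgGraphCommand to confirm the scopes a cmdlet needs, and assigns Microsoft Graph application permissions to a managed identity's service principal, skipping roles already held. The managed identity name and the permission list are placeholders; the signed-in account still needs an admin role, as the thread notes.

```powershell
# Added example: grant Microsoft Graph application permissions to the service
# principal of a managed identity (e.g. an Azure Automation account) with the
# Microsoft Graph PowerShell SDK. Values marked "placeholder" must be changed.

$ManagedIdentityName = 'MyAutomationAccount'   # placeholder: automation account name
$PermissionsToGrant  = @('Directory.Read.All') # placeholder: Graph app roles to assign

# 1. Connect with the delegated scope needed to create app role assignments.
#    The signed-in account must also hold a suitable admin role in the tenant.
Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All', 'Application.Read.All'

# 2. Confirm which scopes the cmdlet requires (the lookup T describes above).
Find-MgGraphCommand -Command New-MgServicePrincipalAppRoleAssignment |
    Select-Object -First 1 -ExpandProperty Permissions |
    Select-Object Name, IsAdmin

# 3. Resolve the managed identity and the Microsoft Graph resource service principal.
$mi = Get-MgServicePrincipal -Filter "displayName eq '$ManagedIdentityName'"
if (-not $mi) { throw "Managed identity '$ManagedIdentityName' not found." }
# 00000003-0000-0000-c000-000000000000 is the well-known appId of Microsoft Graph.
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# 4. Skip roles already assigned, then assign the rest. Least privilege: grant only
#    the application permissions the runbook's cmdlets actually need.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id |
    Where-Object ResourceId -eq $graph.Id |
    Select-Object -ExpandProperty AppRoleId

foreach ($name in $PermissionsToGrant) {
    $role = $graph.AppRoles |
        Where-Object { $_.Value -eq $name -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { Write-Warning "No application role named '$name' on Microsoft Graph"; continue }
    if ($existing -contains $role.Id) { Write-Host "$name is already assigned"; continue }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id `
        -PrincipalId $mi.Id -ResourceId $graph.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned $name to $ManagedIdentityName"
}

# 5. Verify what the managed identity now holds (what an auditor would check).
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id |
    Where-Object ResourceId -eq $graph.Id |
    ForEach-Object { ($graph.AppRoles | Where-Object Id -eq $_.AppRoleId).Value }
```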
By: Tony Redmond https://practical365.com/managed-identity-powershell/#comment-242982 Wed, 14 Sep 2022 20:10:31 +0000 In reply to Tom.

I see the same error when I run Grant-CSTeamsMessagingPolicy. It might be that Microsoft hasn’t modernized these old cmdlets (inherited from Skype for Business Online) sufficiently to work with a managed identity. I’d try a Runbook. It’ll be supported for years…
