4
votes

I'm trying to assign permissions to an Azure Managed Service Identity for my Azure Logic App, but am running into errors.

I'm using the 2.0.1.16 version of the AzureAD PowerShell module.

What I have done is the following:

  1. Create a logic app
  2. Generate an Azure Managed Service Identity in the workflow settings of that logic app.
  3. Execute the PowerShell below to assign the group.readwrite.all role to the managed service identity.

It first throws an access denied error, and subsequent tries throw an "InvalidRequest" error. I'm a global administrator and have full access to the resource group (it is a basic dev tenant where I have full permissions).

I have tried it on different tenants. Has anyone been able to get this to work?

    PS C:\Users\markp> $msi = Get-AzureADServicePrincipal | ?{$_.DisplayName -ieq "test"}
    PS C:\Users\markp> $mai
    PS C:\Users\markp> $msi

    ObjectId                             AppId                                DisplayName
    --------                             -----                                -----------
    8d87a1f9-fab0-45a9-a6f3-1e93b2d99b52 032c3c1c-2530-4eae-b390-153e3b0eb3c6 TEST


    PS C:\Users\markp> $graph = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
    PS C:\Users\markp> $graph

    ObjectId                             AppId                                DisplayName
    --------                             -----                                -----------
    5a634981-6bbe-4c81-9aef-185a71df56f7 00000003-0000-0000-c000-000000000000 Microsoft Graph


    PS C:\Users\markp> $role = $graph.AppRoles | ?{$_.Value -imatch "group.read.all" }
    PS C:\Users\markp> $role


    AllowedMemberTypes : {Application}
    Description        : Allows the app to read group properties and memberships, and read the calendar and conversations f
                         or all groups, without a signed-in user.
    DisplayName        : Read all groups
    Id                 : 5b567255-7703-4780-807c-7be8301ae99b
    IsEnabled          : True
    Value              : Group.Read.All



    PS C:\Users\markp> New-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -PrincipalId $msi.ObjectId -Id $role.Id -ResourceId $graph.ObjectId
    New-AzureADServiceAppRoleAssignment : Error occurred while executing NewServicePrincipalAppRoleAssignment
    Code: Authorization_RequestDenied
    Message: Insufficient privileges to complete the operation.
    HttpStatusCode: Forbidden
    HttpStatusDescription: Forbidden
    HttpResponseStatus: Completed
    At line:1 char:1
    + New-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -Principa ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [New-AzureADServiceAppRoleAssignment], ApiException
        + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewServ
       icePrincipalAppRoleAssignment

    PS C:\Users\markp> New-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -PrincipalId $msi.ObjectId -Id $role.Id -ResourceId $graph.ObjectId
    New-AzureADServiceAppRoleAssignment : Error occurred while executing NewServicePrincipalAppRoleAssignment
    Code: Request_BadRequest
    Message: One or more properties are invalid.
    RequestId: 57ef7908-dd8b-4a21-b48e-f2692d324264
    DateTimeStamp: Fri, 28 Sep 2018 14:36:55 GMT
    HttpStatusCode: BadRequest
    HttpStatusDescription: Bad Request
    HttpResponseStatus: Completed
    At line:1 char:1
    + New-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -Principa ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [New-AzureADServiceAppRoleAssignment], ApiException
        + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewServ
       icePrincipalAppRoleAssignment

2 Answers

2
votes

Initial Setup

I setup a new logic app named "test" in my trial subscription just like you have explained above and enabled the MSI for it through workflow settings. Then I used the exact same PowerShell commands that you have above.

Explanation of two most important things that are happening

  1. First Run - Even though you get an error with Code: Authorization_RequestDenied, the operation of adding new role assignments has actually done its work. New permissions have been added. (I'll give a little evidence on this in the section below.)

  2. Subsequent Runs after the first run - You get an error with Code: Request_BadRequest, because the permissions/role assignments you're trying to add had already been added in the first run.

Evidence

  1. PowerShell scripts exactly from your post (screenshot of the run).

  2. These queries worked for me only from Azure AD Graph Explorer (and NOT the new Microsoft Graph Explorer). Also, queries are case sensitive, so even a small difference will affect the result.

    You can basically look at the role assignments for the Service Principal, before and after running your PowerShell script the first time to see that the required permissions actually get added (I created a new logic app with nothing in it and just MSI enabled to test this part)

Azure AD Graph Query:

    https://graph.windows.net/{tenant Id}/servicePrincipals/{MSI Service Principal ID}/appRoleAssignments

{MSI Service Principal ID} is 8d87a1f9-fab0-45a9-a6f3-1e93b2d99b52 in your case.

Role Assignments for the MSI Service Principal BEFORE the first run of New-AzureADServiceAppRoleAssignment using above query.

[screenshot: appRoleAssignments result before the first run]

Role Assignments for the MSI Service Principal AFTER the first run of New-AzureADServiceAppRoleAssignment using above query.

[screenshot: appRoleAssignments result after the first run]

Another SO Post which is related but slightly different

This SO post mentions almost the same PowerShell scripts that you are using. Interestingly, it looks like the scripts worked without error for many people as well. But notice the last comment by user Olandese:

[screenshot: the comment by Olandese on the linked post]

0
votes

Currently the behavior hasn't been changed yet.

  • First time bogus authentication error
  • 2nd time Bad Request

However, you can now also confirm the changes being applied through the new beta endpoint of MS Graph, after executing the PowerShell commands.

Navigate to https://developer.microsoft.com/en-us/graph/graph-explorer and authenticate with your user (should be indicated in the left sidebar).

You can then query the applied roles through: https://graph.microsoft.com/beta/servicePrincipals/{msi.ObjId}/appRoleAssignedTo
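The procedure from the question, with the behaviour both answers describe (a spurious Authorization_RequestDenied on the first run, Request_BadRequest once the assignment already exists) handled by checking the directory state instead of retrying. This is an added example and not code from the question or either answer. It assumes the AzureAD module is loaded and Connect-AzureAD has been run as a sufficiently privileged user, and it assumes that Get-AzureADServiceAppRoleAssignedTo returns the app roles the managed identity itself holds (the same data as the appRoleAssignments query in the first answer); the display name "test", the Microsoft Graph AppId and the Group.Read.All role are the values from the question's transcript.

```powershell
# Added example (not from the question or either answer): assign a Microsoft Graph
# app role to a managed identity idempotently and verify the result, so that the
# spurious first-run error and the second-run Request_BadRequest are handled
# instead of repeated. Assumes the AzureAD module is loaded and Connect-AzureAD
# has already been run.

param(
    [string] $MsiDisplayName = "test",           # logic app name used in the question
    [string] $RoleValue      = "Group.Read.All"  # permission used in the question's script
)

# Well-known AppId of the Microsoft Graph service principal (from the question's transcript).
$graphAppId = "00000003-0000-0000-c000-000000000000"

$msi = @(Get-AzureADServicePrincipal -Filter "DisplayName eq '$MsiDisplayName'")
if ($msi.Count -eq 0) { throw "No service principal named '$MsiDisplayName' found (is the MSI enabled?)" }
if ($msi.Count -gt 1) { throw "Display name '$MsiDisplayName' is ambiguous; select the MSI by ObjectId instead." }
$msi = $msi[0]

$graph = Get-AzureADServicePrincipal -Filter "AppId eq '$graphAppId'"

# Exact match on Value: the question's '-imatch "group.read.all"' is a regex test and the
# dots match any character, so an exact, case-sensitive comparison avoids picking up
# a similarly named role by accident. Only application-type roles can be granted to an MSI.
$role = $graph.AppRoles | Where-Object {
    $_.Value -ceq $RoleValue -and $_.AllowedMemberTypes -contains "Application"
}
if (-not $role) { throw "Application role '$RoleValue' not found on Microsoft Graph" }

function Get-ExistingAssignment {
    # Assumption: Get-AzureADServiceAppRoleAssignedTo lists the app roles this principal
    # holds. Filtering on all three identifiers keeps the check strict either way.
    Get-AzureADServiceAppRoleAssignedTo -ObjectId $msi.ObjectId -All $true | Where-Object {
        $_.PrincipalId -eq $msi.ObjectId -and
        $_.ResourceId  -eq $graph.ObjectId -and
        $_.Id          -eq $role.Id
    }
}

# Pre-check: an assignment that already exists is exactly the case that produces
# Request_BadRequest in the question, so skip the call instead of provoking it.
if (Get-ExistingAssignment) {
    Write-Output "Already assigned: $($role.Value) -> $($msi.DisplayName). Nothing to do."
    return
}

try {
    New-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -PrincipalId $msi.ObjectId `
        -Id $role.Id -ResourceId $graph.ObjectId | Out-Null
    Write-Output "Assignment created."
}
catch {
    # Per the first answer, Authorization_RequestDenied on the first call does not mean
    # the write failed. Do not retry on error; re-query and let the directory decide.
    Write-Warning "New-AzureADServiceAppRoleAssignment reported: $($_.Exception.Message)"
}

# Post-condition: verify against the directory rather than trusting the cmdlet's error.
$after = Get-ExistingAssignment
if ($after) {
    Write-Output "Verified: $($msi.DisplayName) holds $($role.Value) on Microsoft Graph (assignment $($after.ObjectId))."
} else {
    throw "Assignment not present after the call; inspect the warning above."
}
```

Two design choices matter here. First, the script never loops on the error: a retry is what turns the misleading 403 into the 400 seen in the question, so the only authoritative signal is a fresh read of the principal's role assignments before and after the write, which is the same before/after comparison the first answer performs by hand in Graph Explorer. Second, the role is matched with `-ceq` on its exact `Value` and restricted to `Application` member types, so the identity is granted precisely the permission intended and nothing broader that a loose regex might also match.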