Yes, you can, and you can refer to my article on the subject: https://joonasw.net/view/calling-your-apis-with-aad-msi-using-app-permissions.
You'll have to define app permissions in your API and then assign those to the MSI service principal through PowerShell or one of the Graph APIs.
Sample app permission in the API's app manifest in AAD:
{
  "appRoles": [
    {
      "allowedMemberTypes": [
        "Application"
      ],
      "displayName": "Read all things",
      "id": "32028ccd-3212-4f39-3212-beabd6787d81",
      "isEnabled": true,
      "description": "Allow the application to read all things as itself.",
      "value": "Things.Read.All"
    }
  ]
}
More info on permissions here: https://joonasw.net/view/defining-permissions-and-roles-in-aad.
You can then assign that to a service principal through AAD PowerShell:
Connect-AzureAD
New-AzureADServiceAppRoleAssignment -ObjectId 1606ffaf-7293-4c5b-b971-41ae9122bcfb -Id 32028ccd-3212-4f39-3212-beabd6787d81 -PrincipalId 1606ffaf-7293-4c5b-b971-41ae9122bcfb -ResourceId c3ccaf5a-47d6-4f11-9925-45ec0d833dec
The ObjectId and PrincipalId are both the MSI-generated service principal's id. Id is the id of the role/app permission. ResourceId is the id for the API service principal.
After you do this, you can acquire tokens using the managed identity for the API and the token will contain the app permission as "roles": "Things.Read.All".
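The steps above (look up the two service principals, pick the app role, assign it, then check the roles claim in a managed identity token) as one added PowerShell example. This is not code from the answer or from the linked articles; it uses the same AzureAD module cmdlets the answer does. The function and parameter names, the placeholder app id, the managed identity display name 'my-web-app' and the role value are all assumptions to replace with your own; the second function has to run on the Azure resource that owns the managed identity, since only that resource can reach the instance metadata endpoint.

```powershell
#Requires -Modules AzureAD
# Added example; not code from the original answer. The API app id, the managed
# identity display name and the role value used below are placeholders.

function Grant-AppRoleToManagedIdentity {
    param(
        [Parameter(Mandatory)] [string] $ApiAppId,            # application (client) id of the API
        [Parameter(Mandatory)] [string] $ManagedIdentityName, # display name of the MSI service principal
        [string] $RoleValue = 'Things.Read.All'               # "value" of the app role in the manifest
    )

    # App role assignments reference *service principal* object ids, not app
    # registration object ids, so resolve both sides to their service principals.
    $apiSp = Get-AzureADServicePrincipal -Filter "appId eq '$ApiAppId'"
    if (-not $apiSp) { throw "No service principal for API app id $ApiAppId" }

    $msiSp = @(Get-AzureADServicePrincipal -Filter "displayName eq '$ManagedIdentityName'")
    if ($msiSp.Count -ne 1) {
        throw "Expected exactly one service principal named '$ManagedIdentityName', found $($msiSp.Count)"
    }
    $msiSp = $msiSp[0]

    # Select the role by its value and refuse anything that is not an enabled application permission.
    $role = $apiSp.AppRoles | Where-Object { $_.Value -eq $RoleValue }
    if (-not $role) { throw "API '$($apiSp.DisplayName)' defines no app role '$RoleValue'" }
    if (-not $role.IsEnabled -or $role.AllowedMemberTypes -notcontains 'Application') {
        throw "App role '$RoleValue' is disabled or not allowed for applications"
    }

    # The directory rejects a duplicate assignment, so check for an existing one first.
    # Queried against the API's service principal, this cmdlet lists the principals assigned to it.
    $existing = Get-AzureADServiceAppRoleAssignment -ObjectId $apiSp.ObjectId |
        Where-Object { $_.PrincipalId -eq $msiSp.ObjectId -and $_.Id -eq $role.Id }
    if ($existing) {
        Write-Verbose "'$RoleValue' is already assigned to $($msiSp.DisplayName)"
        return $existing
    }

    $assignment = @{
        ObjectId    = $msiSp.ObjectId   # the principal receiving the role
        PrincipalId = $msiSp.ObjectId
        Id          = $role.Id          # the app role id from the API's manifest
        ResourceId  = $apiSp.ObjectId   # the API's service principal
    }
    New-AzureADServiceAppRoleAssignment @assignment
}

# Run this one on the Azure resource that owns the managed identity: it asks the
# instance metadata endpoint for a token for the API and checks the roles claim.
function Test-ManagedIdentityRole {
    param(
        [Parameter(Mandatory)] [string] $Resource,  # the API's App ID URI or app id (token audience)
        [string] $RoleValue = 'Things.Read.All'
    )
    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
           "?api-version=2018-02-01&resource=$([uri]::EscapeDataString($Resource))"
    $token = (Invoke-RestMethod -Uri $uri -Headers @{ Metadata = 'true' }).access_token

    # Decode the JWT payload only to read claims; no signature check is done here,
    # that is the API's job when it validates the incoming token.
    $payload = $token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json

    # "roles" is an array of role values, so test membership rather than string equality.
    return (@($claims.roles) -contains $RoleValue)
}

# Usage (placeholder values):
# Connect-AzureAD
# Grant-AppRoleToManagedIdentity -ApiAppId '00000000-0000-0000-0000-000000000000' -ManagedIdentityName 'my-web-app'
# ...then, on the resource itself:
# Test-ManagedIdentityRole -Resource 'api://00000000-0000-0000-0000-000000000000'
```

Two things worth checking when the test returns false right after the assignment: the managed identity endpoint caches tokens, so a token issued before the assignment will not carry the new role until it is refreshed, and the `resource` value has to match the API's App ID URI (or app id) exactly or the token is issued for a different audience. On the API side, validate the signature, issuer and audience first, then check that the `roles` array contains the value you defined; the claim is an array even when only one role is assigned.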