I have an azure function, that is backed by managed identity.
On the same AD there is office 365 with a SharePoint site called "demonews".
How do I add permissions/add the managed identity to the group "demonews" such it can access the SharePoint API?
I tried Add Member on SharePoint site, I tried on AD Group to add a member. The dropdown do not find a managed identity.
I think this what you are looking for:
Essentially you will get the azure service principal for office 365 SharePoint as well as the roles.
#Get the sharePoint principal
$sharePoint = (Get-AzureADServicePrincipal -SearchString “Office 365 SharePoint”).ObjectId
#Get the Roles for that principal
$appRoles = Get-AzureADServicePrincipal -SearchString “Office 365 SharePoint” | %{$_.AppRoles}
#Find the specific role
$appRole = AppRoles.Where({ $_.Value -eq "Sites.Manage.All" }
#You will also need to get the service principal for your function app
#Get the function app object id
$myfunctionapp = (Get-AzureADServicePrincipal -SearchString “myfunctionapp”).ObjectId
#assign the role to the MSI for the sharepoint resource
New-AzureADServiceAppRoleAssignment -ObjectId $myfunctionapp -PrincipalId $myfunctionapp -ResourceId $sharePoint -Id $appRole
You can then use the local MSI endpoint and secret to obtain a token.
entreprise application bladein Azure AD. – Thomas