Assign a managed identity access to an application role

Managed identities for Azure resources provide Azure services with an identity in Microsoft Entra ID. They work without needing credentials in your code. Azure services use this identity to authenticate to services that support Microsoft Entra authentication. Application roles provide a form of role-based access control, and allow a service to implement authorization rules.

Note

The tokens your application receives are cached by the underlying infrastructure. This means that any changes to the managed identity's roles can take significant time to process. For more information, see Limitation of using managed identities for authorization.

In this article, you'll learn how to assign a managed identity to an application role exposed by another application using the Microsoft Graph PowerShell SDK.

Prerequisites

Assign a managed identity access to another application's app role using PowerShell

To can run scripts locally by installing the latest version of the Microsoft Graph PowerShell SDK.

  1. Enable managed identity on an Azure resource, such as an Azure VM.

  2. Find the object ID of the managed identity's service principal.

    For a system-assigned managed identity, you can find the object ID on the Azure portal on the resource's Identity page. You can also use the following PowerShell script to find the object ID. You'll need the resource ID of the resource you created in step 1, which is available in the Azure portal on the resource's Properties page.

    $resourceIdWithManagedIdentity = '/subscriptions/{my subscription ID}/resourceGroups/{my resource group name}/providers/Microsoft.Compute/virtualMachines/{my virtual machine name}'
    (Get-AzResource -ResourceId $resourceIdWithManagedIdentity).Identity.PrincipalId
    

    For a user-assigned managed identity, you can find the managed identity's object ID on the Azure portal on the resource's Overview page. You can also use the following PowerShell script to find the object ID. You'll need the resource ID of the user-assigned managed identity.

    $userManagedIdentityResourceId = '/subscriptions/{my subscription ID}/resourceGroups/{my resource group name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{my managed identity name}'
    (Get-AzResource -ResourceId $userManagedIdentityResourceId).Properties.PrincipalId
    
  3. Create a new application registration to represent the service that you want your managed identity to send a request to.

    • If the API or service that exposes the app role grant to the managed identity already has a service principal in your Microsoft Entra tenant, skip this step. For example, in the case that you want to grant the managed identity access to the Microsoft Graph API.
  4. Find the object ID of the service application's service principal. You can find this using the Azure portal.

    • For example, go to Microsoft Entra ID and open the Enterprise applications page. Then find the application and look for the Object ID.
    • You can also find the service principal's object ID by its display name using the following PowerShell script:
    $serverServicePrincipalObjectId = (Get-MgServicePrincipal -Filter "DisplayName eq '$applicationName'").Id
    

    Note

    Display names for applications are not unique, so you should verify that you obtain the correct application's service principal.

  5. Add an app role to the application you created in the previous step. You can then create the role using the Azure portal or by using Microsoft Graph.

  6. Assign the app role to the managed identity. You'll need the following information to assign the app role:

    • managedIdentityObjectId: the object ID of the managed identity's service principal, which you found in the previous step.
    • serverServicePrincipalObjectId: the object ID of the server application's service principal, which you found in step 4.
    • appRoleId: the ID of the app role exposed by the server app, which you generated in step 5 - in the example, the app role ID is 00000000-0000-0000-0000-000000000000.
    • Execute the following PowerShell command to add the role assignment:
    New-MgServicePrincipalAppRoleAssignment `
        -ServicePrincipalId $serverServicePrincipalObjectId `
        -PrincipalId $managedIdentityObjectId `
        -ResourceId $serverServicePrincipalObjectId `
        -AppRoleId $appRoleId
    

Complete example script

This example script shows you how to assign an Azure web app's managed identity to an app role.

# Install the module.
# Install-Module Microsoft.Graph -Scope CurrentUser

# Your tenant ID (in the Azure portal, under Azure Active Directory > Overview).
$tenantID = '<tenant-id>'

# The name of your web app, which has a managed identity that should be assigned to the server app's app role.
$webAppName = '<web-app-name>'
$resourceGroupName = '<resource-group-name-containing-web-app>'

# The name of the server app that exposes the app role.
$serverApplicationName = '<server-application-name>' # For example, MyApi

# The name of the app role that the managed identity should be assigned to.
$appRoleName = '<app-role-name>' # For example, MyApi.Read.All

# Look up the web app's managed identity's object ID.
$managedIdentityObjectId = (Get-AzWebApp -ResourceGroupName $resourceGroupName -Name $webAppName).identity.principalid

Connect-MgGraph -Environment China -ClientId 'YOUR_CLIENT_ID' -TenantId $tenantId -Scopes 'Application.Read.All','Application.ReadWrite.All','AppRoleAssignment.ReadWrite.All','Directory.AccessAsUser.All','Directory.Read.All','Directory.ReadWrite.All'

# Look up the details about the server app's service principal and app role.
$serverServicePrincipal = (Get-MgServicePrincipal -Filter "DisplayName eq '$serverApplicationName'")
$serverServicePrincipalObjectId = $serverServicePrincipal.Id
$appRoleId = ($serverServicePrincipal.AppRoles | Where-Object {$_.Value -eq $appRoleName }).Id

# Assign the managed identity access to the app role.
New-MgServicePrincipalAppRoleAssignment `
    -ServicePrincipalId $serverServicePrincipalObjectId `
    -PrincipalId $managedIdentityObjectId `
    -ResourceId $serverServicePrincipalObjectId `
    -AppRoleId $appRoleId

Assign a managed identity access to another application's app role using CLI

  • If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.

    • If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.

    • When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.

    • Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.

  1. Enable managed identity on an Azure resource, such as an Azure virtual machines.

  2. Find the object ID of the managed identity's service principal.

    • For a system-assigned managed identity, you can find the object ID on the Azure portal on the resource's Identity page.
    • You can also use the following script to find the object ID. You'll need the resource ID of the resource you created in the previous step, which is available in the Azure portal on the resource's Properties page.
    resourceIdWithManagedIdentity="/subscriptions/{my subscription ID}/resourceGroups/{my resource group name}/providers/Microsoft.Compute/virtualMachines/{my virtual machine name}"
    
    oidForMI=$(az resource show --ids $resourceIdWithManagedIdentity --query "identity.principalId" -o tsv | tr -d '[:space:]')
    echo "object id for managed identity is: $oidForMI"
    
    • For a user-assigned managed identity, you can find the managed identity's object ID on the Azure portal on the resource's Overview page. You can also use the following script to find the object ID. You'll need the resource ID of the user-assigned managed identity.
    userManagedIdentityResourceId="/subscriptions/{my subscription ID}/resourceGroups/{my resource group name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{my managed identity name}"
    
    oidForMI=$(az resource show --id $userManagedIdentityResourceId --query "properties.principalId" -o tsv | tr -d '[:space:]')
    echo "object id for managed identity is: $oidForMI"
    
  3. Create a new application registration to represent the service that your managed identity sends a request to.

    • If the API or service that exposes the app role grant to the managed identity already has a service principal in your Microsoft Entra tenant, skip this step.
  4. Find the object ID of the service application's service principal. You can find this using the Azure portal.

    • Go to Microsoft Entra ID and open the Enterprise applications page, then find the application and look for the Object ID.
    • You can also find the service principal's object ID by its display name using the following script:
    appName="{name for your application}"
    serverSPOID=$(az ad sp list --filter "displayName eq '$appName'" --query '[0].id' -o tsv | tr -d '[:space:]')
    echo "object id for server service principal is: $serverSPOID"
    

    Note

    Display names for applications are not unique, so you should verify that you obtain the correct application's service principal.

    Or you can find the Object ID by the unique Application ID for your application registration:

    appID="{application id for your application}"
    serverSPOID=$(az ad sp list --filter "appId eq '$appID'" --query '[0].id' -o tsv | tr -d '[:space:]')
    echo "object id for server service principal is: $serverSPOID"
    
  5. Add an app role to the application you created in the previous step. You can create the role using the Azure portal or using Microsoft Graph. For example, you could add an app role like this:

    {
        "allowedMemberTypes": [
            "Application"
        ],
        "displayName": "Read data from MyApi",
        "id": "0566419e-bb95-4d9d-a4f8-ed9a0f147fa6",
        "isEnabled": true,
        "description": "Allow the application to read data as itself.",
        "value": "MyApi.Read.All"
    }
    
  6. Assign the app role to the managed identity. You'll need the following information to assign the app role:

    • managedIdentityObjectId: the object ID of the managed identity's service principal, which you found in step 2.
    • serverServicePrincipalObjectId: the object ID of the server application's service principal, which you found in step 4.
    • appRoleId: the ID of the app role exposed by the server app, which you generated in step 5 - in the example, the app role ID is 00000000-0000-0000-0000-000000000000.
  7. Execute the following script to add the role assignment. This functionality isn't directly exposed on the Azure CLI and that a REST command is used here instead:

    roleguid="00000000-0000-0000-0000-000000000000"
    az rest -m POST -u https://microsoftgraph.chinacloudapi.cn/v1.0/servicePrincipals/$oidForMI/appRoleAssignments -b "{\"principalId\": \"$oidForMI\", \"resourceId\": \"$serverSPOID\",\"appRoleId\": \"$roleguid\"}"
    

Next steps