使用用户分配的托管标识访问 Azure AD B2C 和 MS Graph API

Question

I currently use the Graph API to get user info from our AD B2C tenant using a client secret.

I'd like to set up permissions for a user-assigned managed identity to use the Graph API instead of using a client secret.

Examples I've come across use PowerShell to set up permissions for Apps--or system-assigned managed identities.

Is it possible to do this for user assigned managed identities? How?

Answer 1

The managed identities for Azure resources provide Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, without any credentials in your code. Azure Logic App has an option when connecting to an HTTP endpoint to use its managed identity for authentication:

You can try with below PowerShell script

# Your tenant id (in Azure Portal, under Azure Active Directory -> Overview )
$TenantID=""
# Microsoft Graph App ID (DON'T CHANGE)
$GraphAppId = ""
# Name of the manage identity
$DisplayNameOfMSI="" 
# Check the Microsoft Graph documentation for the permission you need for the operation
$PermissionName = "" 

# Install the module (You need admin on the machine)
Install-Module AzureAD 

Connect-AzureAD -TenantId $TenantID 
$MSI = (Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'")
Start-Sleep -Seconds 10
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
$AppRole = $GraphServicePrincipal.AppRoles | `
Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id

After executing the script, in the portal, the requested API permissions are assigned to the Managed Identity: , you can check the permission on azure portal.