
Azure: Possible to assign delegated API permissions to a managed identity?

I was testing managed identities in Azure. My scenario is I need to access the Microsoft Graph on behalf of either a system- or user-assigned MID. On the basis of the docs I was able to configure each one of them and assign Graph API permissions. I see that they're all application permissions (MID -> Settings menu -> Security -> Permissions). I expected this for the system-assigned MID but not for the user-assigned MID. The reason I want to have it access the API through the delegated type is that some Graph API permissions are protected and cannot be accessed in an application context, such as ChannelMessage.Read.All (read Teams channel messages).

So my question is basically: Does anybody know if there's a way to access protected Graph APIs in a non-application context with a managed identity? Please let me know if you need specific details.

As far as I know, it is not possible. Managed Identities can only utilize application permissions. While in theory you could assign a delegated permission to its service principal, you would not be able to sign in as a user with the Managed Identity. "User-assigned" Managed Identities are just a separate Azure resource instead of being part of another resource. They are not different from system-assigned in Azure AD, both are service principals.
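Added example, not part of the original question or answer: Azure AD places application permissions in the `roles` claim of an access token and delegated permissions in `scp`, so decoding a token's payload shows which type it carries. The function names and both sample tokens are constructed for illustration; the signature is not verified, so this is for inspection only.

```python
import base64
import json


def decode_segment(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def classify_token(jwt: str) -> dict:
    """Report which permission type an access token carries.

    Inspection only: the signature is NOT verified, so never base an
    authorization decision on this result.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 segments)")
    claims = decode_segment(parts[1])
    scopes = (claims.get("scp") or "").split()  # space-separated string
    roles = list(claims.get("roles") or [])     # JSON array
    if scopes:   # a signed-in user is present: delegated token
        return {"kind": "delegated", "permissions": scopes}
    if roles:    # app-only token, as issued to a managed identity
        return {"kind": "application", "permissions": roles}
    return {"kind": "none", "permissions": []}


def make_sample(claims: dict) -> str:
    """Build a constructed, unsigned token for the demo (not a real token)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "constructed"])


# Constructed samples: an app-only token and a delegated (user) token.
SAMPLE_MI_TOKEN = make_sample(
    {"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]})
SAMPLE_USER_TOKEN = make_sample(
    {"aud": "https://graph.microsoft.com", "scp": "ChannelMessage.Read.All User.Read"})

if __name__ == "__main__":
    for name, tok in [("managed identity", SAMPLE_MI_TOKEN), ("user", SAMPLE_USER_TOKEN)]:
        print(name, classify_token(tok))
```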
