Add Azure-Add-PermissionsManagedIdentity.ps1

Azure-Add-PermissionsManagedIdentity.ps1

@@ -0,0 +1,30 @@
+$TenantID = "721c10dd-5f6e-43e5-9c8c-3a19c09632d2"
+$ManagedIdentity = "cqre-intune"
+$Permissions = @(
+    "DeviceManagementManagedDevices.Read.All", 
+    "DeviceManagementManagedDevices.ReadWrite.All", 
+    "AuditLog.Read.All", 
+    "User.Read.All",
+    "Group.Read.All",
+    "Directory.Read.All"
+)
+$GraphAppId = "00000003-0000-0000-c000-000000000000"
+
+Connect-AzureAD -TenantId $TenantID
+$ManagedIdentityServicePrincipal = Get-AzureADServicePrincipal -Filter "displayName eq '$ManagedIdentity'"
+$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
+
+foreach ($Permission in $Permissions) {
+    $AppRole = $GraphServicePrincipal.AppRoles | Where-Object {
+        $_.Value -eq $Permission -and $_.AllowedMemberTypes -contains "Application"
+    }
+    $ExistingAssignment = Get-AzureADServiceAppRoleAssignment -ObjectId $ManagedIdentityServicePrincipal.ObjectId | Where-Object {
+        $_.ResourceId -eq $GraphServicePrincipal.ObjectId -and $_.Id -eq $AppRole.Id
+    }
+
+    if (-not $ExistingAssignment) {
+        New-AzureAdServiceAppRoleAssignment -ObjectId $ManagedIdentityServicePrincipal.ObjectId -PrincipalId $ManagedIdentityServicePrincipal.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
+    } else {
+        Write-Verbose "Permission $Permission is already assigned to $ManagedIdentity."
+    }
+}