#Nice to know #Entra ID #Azure #Logic App #Managed Identity

Adding Graph API permissions to Managed Identities

(Updated: May 10, 2026)

In this post, we will go over how to add a Graph API permission to a managed identity. You can view the permissions from the Enterprise Applications blade in Entra ID, but you cannot add new ones there. Instead, we have to use PowerShell.

If you just want the full script, scroll to the bottom.

Step by step

Make sure the Microsoft Graph PowerShell module is installed, first of all!

Install-Module Microsoft.Graph.Applications -Scope CurrentUser -Force

Authenticate with the proper access

Connect-MgGraph -TenantId "<tenantId>" -Scopes AppRoleAssignment.ReadWrite.All, Application.Read.All -NoWelcome

This should enable us to do what we need to do.

Add the required information

First, we need a variable that contains the name of our managed identity. We can find this in the Enterprise Applications blade.

$identityName = "<name of Managed Identity>"

We also need the role name(s) we want to add to the application. For this example, we’ll only do one role.

$permission = "<name of role, like Mail.Send>"

Get the Graph API SPN

This is a simple lookup of the Microsoft Graph service principal using its well-known appId, 00000003-0000-0000-c000-000000000000, which is the same in every tenant.

$graphSpn = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

Get the managed identity SPN

$identitySpn = Get-MgServicePrincipal -Filter "displayName eq '$identityName'"

Find the roleId

$roleObject = $graphSpn.AppRoles | Where-Object {
	$_.Value -eq $permission -and $_.AllowedMemberTypes -contains "Application"
}

Add the role to the managed identity

New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $identitySpn.Id -PrincipalId $identitySpn.Id -ResourceId $graphSpn.Id -AppRoleId $roleObject.Id

Add Azure RBAC roles

If you also need to add an Azure RBAC role to the same managed identity, we can do that with PowerShell as well.

Install-Module -Name Az.Resources -Scope CurrentUser -Repository PSGallery -Force
Connect-AzAccount -Subscription "<subscriptionId>" -Tenant "<tenantId>"

Then we can define the scope and add the role.

$subscriptionId = "<subscriptionId>"
$resourceGroupName = "<resourceGroupName>"
$azureRole = "Microsoft Sentinel Responder"
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName"
New-AzRoleAssignment -ApplicationId $identitySpn.AppId -Scope $scope -RoleDefinitionName $azureRole

Full script

Connect-MgGraph -TenantId "<tenantId>" -Scopes AppRoleAssignment.ReadWrite.All, Application.Read.All -NoWelcome
$identityName = "<name of Managed Identity>"
$permission = "<name of role, like Mail.Send>"
$subscriptionId = "<subscriptionId>"
$resourceGroupName = "<resourceGroupName>"
$azureRole = "Microsoft Sentinel Responder"
Connect-AzAccount -Subscription $subscriptionId -Tenant "<tenantId>"
$graphSpn = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$identitySpn = Get-MgServicePrincipal -Filter "displayName eq '$identityName'"
$roleObject = $graphSpn.AppRoles | Where-Object {
	$_.Value -eq $permission -and $_.AllowedMemberTypes -contains "Application"
}
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $identitySpn.Id -PrincipalId $identitySpn.Id -ResourceId $graphSpn.Id -AppRoleId $roleObject.Id
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName"
New-AzRoleAssignment -ApplicationId $identitySpn.AppId -Scope $scope -RoleDefinitionName $azureRole
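As an added example, not part of the original post, here is the Graph step wrapped in a function that validates what it is about to grant: it stops if the display-name lookup is not unique, warns when a role does not exist as an application permission, skips assignments that are already in place so re-runs are safe, and returns the identity's resulting Graph permissions for review. The function and parameter names are this example's own; it assumes Connect-MgGraph has already been run as shown above.

```powershell
# Added example (not from the original post): a validating variant of the Graph step.
# Function and parameter names are this example's own.
function Grant-GraphAppRole {
    param(
        [Parameter(Mandatory)] [string]   $IdentityName,
        [Parameter(Mandatory)] [string[]] $Permission
    )

    # Microsoft Graph has the same well-known appId in every tenant.
    $graphSpn = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

    # displayName is not unique; refuse to continue unless exactly one SPN matches,
    # otherwise the permission could land on the wrong identity.
    $candidates = @(Get-MgServicePrincipal -Filter "displayName eq '$IdentityName'")
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one service principal named '$IdentityName', found $($candidates.Count)."
    }
    $identitySpn = $candidates[0]

    # Current assignments, so a re-run does not create duplicates.
    $existing = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $identitySpn.Id)

    foreach ($p in $Permission) {
        $role = $graphSpn.AppRoles | Where-Object {
            $_.Value -eq $p -and $_.AllowedMemberTypes -contains "Application"
        }
        if (-not $role) {
            Write-Warning "No application permission '$p' found on Microsoft Graph; skipping."
            continue
        }
        if ($existing | Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graphSpn.Id }) {
            Write-Host "Already assigned: $p"
            continue
        }
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $identitySpn.Id `
            -PrincipalId $identitySpn.Id -ResourceId $graphSpn.Id -AppRoleId $role.Id | Out-Null
        Write-Host "Assigned: $p"
    }

    # Return the final set of Graph permissions held by the identity for a least-privilege review.
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $identitySpn.Id |
        Where-Object { $_.ResourceId -eq $graphSpn.Id } |
        ForEach-Object { $id = $_.AppRoleId; ($graphSpn.AppRoles | Where-Object Id -eq $id).Value }
}

Grant-GraphAppRole -IdentityName "<name of Managed Identity>" -Permission "Mail.Send"
```

Passing several names to -Permission grants them in one call; the returned list is the complete set of Graph application permissions the identity ends up with, including any assigned earlier.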