Microsoft Graph Managed Identities

Have you ever struggled with using PowerShell modules in function apps to access resources through MS Graph? In this article, we will break down how to add a managed identity to an existing Azure Function App and grant it permissions to Graph.

Granting permissions

Granting the permissions is only possible with the Microsoft Graph PowerShell module; be sure you have the latest version installed.

PowerShell
Install-Module -Name Microsoft.Graph -Scope AllUsers -Force

While this is downloading, head over to your Function App and select Settings > Identity > System assigned. Make sure the status is On, then copy the Object ID.

Once the MS Graph module has downloaded, we can use the following script to grant our Managed Identity the needed permissions. The user connecting to MS Graph needs the delegated permissions Application.Read.All and AppRoleAssignment.ReadWrite.All. Be sure to fill in your Tenant ID and the Managed Identity Object ID. In our use case, the app roles «Group.ReadWrite.All» and «GroupMember.ReadWrite.All» are added.

PowerShell
# The tenant ID
$TenantId = "xxxx-xxxx"

# The array of app role names that the managed identity should be assigned to.
$appRoleNames = @("Group.ReadWrite.All", "GroupMember.ReadWrite.All")

# The object ID of the managed identity's service principal, copied from our Function App.
$managedIdentityObjectId = "xxxx-xxxx"

# The signed-in user needs these delegated scopes to read app roles and create assignments.
Connect-MgGraph -TenantId $TenantId -Scopes 'Application.Read.All','AppRoleAssignment.ReadWrite.All'

# Get Microsoft Graph app's service principal and app roles.
$serverApplicationName = "Microsoft Graph"
$serverServicePrincipal = (Get-MgServicePrincipal -Filter "DisplayName eq '$serverApplicationName'")
$serverServicePrincipalObjectId = $serverServicePrincipal.Id

# Loop through each app role name and assign the managed identity access to the app role.
foreach ($appRoleName in $appRoleNames) {
    $appRoleId = ($serverServicePrincipal.AppRoles | Where-Object { $_.Value -eq $appRoleName }).Id

    # A mistyped role name would otherwise surface as an unclear error from the assignment cmdlet.
    if (-not $appRoleId) {
        Write-Warning "App role '$appRoleName' not found on $serverApplicationName; skipping."
        continue
    }

    # Assign the managed identity access to the app role.
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityObjectId -PrincipalId $managedIdentityObjectId -ResourceId $serverServicePrincipalObjectId -AppRoleId $appRoleId
}

Once set, these permissions are reflected in Entra ID when you open the Enterprise Application that represents the Function App's managed identity.
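A read-back check to run after the grant script, added here as an example and not part of the original post: it lists the app roles the managed identity actually holds, resolves each AppRoleId on the Microsoft Graph service principal back to its name, and warns about roles that are missing or go beyond the intended set. The object ID and the expected role list are the same values used in the script above; the signed-in user needs Application.Read.All as before.

```powershell
# Added example: verify what the managed identity can really do against Microsoft Graph
# and warn about any app role that was not intended (least-privilege check).
$expectedAppRoles = @("Group.ReadWrite.All", "GroupMember.ReadWrite.All")
$managedIdentityObjectId = "xxxx-xxxx"   # object ID of the Function App's managed identity

Connect-MgGraph -Scopes 'Application.Read.All'

# Resolve the Microsoft Graph service principal once so AppRoleIds can be mapped back to names.
$graphSp = Get-MgServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
$roleNameById = @{}
foreach ($role in $graphSp.AppRoles) { $roleNameById[$role.Id] = $role.Value }

# Every app role the managed identity holds, on any resource API (not only Graph).
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityObjectId -All

$granted = foreach ($a in $assignments) {
    if ($a.ResourceId -eq $graphSp.Id) {
        $roleNameById[$a.AppRoleId]
    } else {
        # A role on another API is still worth knowing about; report it instead of ignoring it.
        Write-Warning ("Assignment on resource '{0}' (AppRoleId {1}) is not a Graph role" -f $a.ResourceDisplayName, $a.AppRoleId)
    }
}

$missing = $expectedAppRoles | Where-Object { $_ -notin $granted }
$excess  = $granted          | Where-Object { $_ -notin $expectedAppRoles }

foreach ($r in $missing) { Write-Warning "Expected Graph app role not assigned: $r" }
foreach ($r in $excess)  { Write-Warning "Graph app role beyond the intended set: $r" }
if (-not $missing -and -not $excess) {
    Write-Output "Managed identity holds exactly the intended Graph app roles."
}
```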

Connection to Microsoft Graph

Disclaimer: To use the connection to Microsoft Graph as described, ensure that the required Microsoft Graph PowerShell modules are available in your Azure Function App. If your app does not already have these modules installed, you can refer to this blog post for detailed instructions on how to add them.

Using Managed Identity to connect to Microsoft Graph is an efficient and secure way to authenticate in Azure Function Apps. This section explains how to configure your Function App to connect to Microsoft Graph at startup.

The profile.ps1 file in your Azure Function App is executed every time the app undergoes a «cold start». This makes it an ideal place to include the necessary connection commands. Below is an example profile.ps1 that establishes the connection using the Managed Identity (MSI) of your Function App.

Navigate to your Function App in the Azure Portal, then go to Functions and select App Files. From the list of files, choose profile.ps1. Once you have opened the file, add the necessary connection commands. Use the following script to establish a connection to Microsoft Graph using the Managed Identity of your Function App:

PowerShell
# Authenticate using MSI.
# MSI_SECRET is only set when the Function App runs with a managed identity,
# so this block is skipped when the functions are run locally.
if ($env:MSI_SECRET) {
    Connect-MgGraph -Identity
}

After adding the connection commands to the profile.ps1 file, save your changes directly in the Azure Portal. To ensure the updates take effect, restart your Function App; this triggers a «cold start» and executes the modified profile.ps1. Finally, verify the connection to Microsoft Graph by checking the logs of your Function App to confirm that the connection was established using the Managed Identity.

Use cases

You can adjust the managed identity's permissions to your needs and use any available PowerShell module to interact with Microsoft's cloud services. Some examples for function apps are:

  • Cleaning up stale devices in Entra ID
  • Automate group memberships based on user attributes like department, location, or role
  • Onboarding and offboarding workflows
  • Shutting down unused AVD Hosts
