Azure Managed Identity - Add Graph Permission

Entra ID06/23/2024

Because the topic of Managed Identity is referenced in many posts and this is standard procedure in the Function/Logic App today, I would like to demonstrate the use and assignment of graph permissions for a managed identity.

Activating Managed Identity

If we have an Azure Function or Logic App, for example, the first step is to activate the Managed Identity of the resource.

This is quite simple: we just go to the resource in Azure, go to Identity, click System Assigned, set it to On, and then save

After saving, the Object ID should appear after a few seconds. If we take this Object ID, we can now find a associated Enterprise App in the Entra ID.

Checking Graph API permissions

We want to set the appropriate Graph Permission (Application permission) on the Logic App or Function. To do this, we first need to know what permissions are available and what the exact name is.


https://graph.microsoft.com/v1.0/servicePrincipals(appId='00000003-0000-0000-c000-000000000000')?$select=id,appId,displayName,appRoles,oauth2PermissionScopes,resourceSpecificApplicationPermissions

To find out, we can use the Graph Request and the Graph App ID to list all roles and specific permissions. We then receive a JSON object with all roles.

Example response:

    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals(id,appId,displayName,appRoles,oauth2PermissionScopes,resourceSpecificApplicationPermissions)/$entity",

    "id": "8b44c67b-91cc-4488-af9b-94a248357254",

    "appId": "00000003-0000-0000-c000-000000000000",

    "displayName": "Microsoft Graph",

    "appRoles": [

        {

            "allowedMemberTypes": [

                "Application"

            ],

            "description": "Allows the app to read access reviews, reviewers, decisions and settings in the organization, without a signed-in user.",

            "displayName": "Read all access reviews",

            "id": "d07a8cc0-3d51-4b77-b3b0-32704d1f69fa",

            "isEnabled": true,

            "origin": "Application",

            "value": "AccessReview.Read.All"

        },
       ........

I have exported all application permissions and provided them as a list:

App Role	value
Read all access reviews	AccessReview.Read.All
Manage all access reviews	AccessReview.ReadWrite.All
Manage access reviews for group and app memberships	AccessReview.ReadWrite.Membership
Read all acronyms	Acronym.Read.All
Read all administrative units	AdministrativeUnit.Read.All
Read and write all administrative units	AdministrativeUnit.ReadWrite.All
Read all terms of use agreements	Agreement.Read.All
Read and write all terms of use agreements	Agreement.ReadWrite.All
Read all terms of use acceptance statuses	AgreementAcceptance.Read.All
Read all AI enterprise interactions.	AiEnterpriseInteraction.Read.All
Read API connectors for authentication flows	APIConnectors.Read.All
Read and write API connectors for authentication flows	APIConnectors.ReadWrite.All
Read all app catalogs	AppCatalog.Read.All
Read and write to all app catalogs	AppCatalog.ReadWrite.All
Read and write the remote desktop security configuration for all apps	Application-RemoteDesktopConfig.ReadWrite.All
Read all applications	Application.Read.All
Read and write all applications	Application.ReadWrite.All
Manage apps that this app creates or owns	Application.ReadWrite.OwnedBy
Manage app permission grants and app role assignments	AppRoleAssignment.ReadWrite.All
Read all approvals	ApprovalSolution.Read.All
Read all approvals and manage approval subscriptions	ApprovalSolution.ReadWrite.All
Read attack simulation data of an organization	AttackSimulation.Read.All
Read, create, and update all attack simulation data of an organization	AttackSimulation.ReadWrite.All
Read all audit log data	AuditLog.Read.All
Read audit logs data from Dynamics CRM workload	AuditLogsQuery-CRM.Read.All
Read audit logs data from Endpoint Data Loss Prevention workload	AuditLogsQuery-Endpoint.Read.All
Read audit logs data from Entra (Azure AD) workload	AuditLogsQuery-Entra.Read.All
Read audit logs data from Exchange workload	AuditLogsQuery-Exchange.Read.All
Read audit logs data from OneDrive workload	AuditLogsQuery-OneDrive.Read.All
Read audit logs data from SharePoint workload	AuditLogsQuery-SharePoint.Read.All
Read audit logs data from all services	AuditLogsQuery.Read.All
Read all authentication context information	AuthenticationContext.Read.All
Read and write all authentication context information	AuthenticationContext.ReadWrite.All
Read all backup configuration policies	BackupRestore-Configuration.Read.All
Read and edit all backup configuration policies	BackupRestore-Configuration.ReadWrite.All
Read the status of the M365 backup service	BackupRestore-Control.Read.All
Update or read the status of the M365 backup service	BackupRestore-Control.ReadWrite.All
Read all monitoring, quota and billing information for the tenant	BackupRestore-Monitor.Read.All
Read all restore sessions	BackupRestore-Restore.Read.All
Read restore all sessions and start restore sessions from backups	BackupRestore-Restore.ReadWrite.All
Search for metadata properties in all backup snapshots	BackupRestore-Search.Read.All
Read and write application billing configuration	BillingConfiguration.ReadWrite.All
Read all BitLocker keys	BitlockerKey.Read.All
Read all BitLocker keys basic information	BitlockerKey.ReadBasic.All
Manage bookings information	Bookings.Manage.All
Read all Bookings related resources.	Bookings.Read.All
Read and write bookings information	Bookings.ReadWrite.All
Read and write all Bookings related resources.	BookingsAppointment.ReadWrite.All
Read all bookmarks	Bookmark.Read.All
Read all browser site lists for your organization	BrowserSiteLists.Read.All
Read and write all browser site lists for your organization	BrowserSiteLists.ReadWrite.All
Read all business scenario configurations this app creates or owns	BusinessScenarioConfig.Read.OwnedBy
Read and write all business scenario configurations this app creates or owns	BusinessScenarioConfig.ReadWrite.OwnedBy
Read data for all business scenarios this app creates or owns	BusinessScenarioData.Read.OwnedBy
Read and write data for all business scenarios this app creates or owns	BusinessScenarioData.ReadWrite.OwnedBy
Read calendars in all mailboxes	Calendars.Read
Read basic details of calendars in all mailboxes	Calendars.ReadBasic.All
Read and write calendars in all mailboxes	Calendars.ReadWrite
Read all emergency call events	CallEvents-Emergency.Read.All
Read all call events	CallEvents.Read.All
Read PSTN and direct routing call log data	CallRecord-PstnCalls.Read.All
Read all call records	CallRecords.Read.All
Access media streams in a call as an app	Calls.AccessMedia.All
Initiate outgoing 1 to 1 calls from the app	Calls.Initiate.All
Initiate outgoing group calls from the app	Calls.InitiateGroupCall.All
Join group calls and meetings as an app	Calls.JoinGroupCall.All
Join group calls and meetings as a guest	Calls.JoinGroupCallAsGuest.All
Read Change Management items	ChangeManagement.Read.All
Create channels	Channel.Create
Delete channels	Channel.Delete.All
Read the names and descriptions of all channels	Channel.ReadBasic.All
Read the members of all channels	ChannelMember.Read.All
Add and remove members from all channels	ChannelMember.ReadWrite.All
Read all channel messages	ChannelMessage.Read.All
Flag channel messages for violating policy	ChannelMessage.UpdatePolicyViolation.All
Read the names, descriptions, and settings of all channels	ChannelSettings.Read.All
Read and write the names, descriptions, and settings of all channels	ChannelSettings.ReadWrite.All
Create chats	Chat.Create
Delete and recover deleted chats	Chat.ManageDeletion.All
Read all chat messages	Chat.Read.All
Read all chat messages for chats where the associated Teams application is installed.	Chat.Read.WhereInstalled
Read names and members of all chat threads	Chat.ReadBasic.All
Read names and members of all chat threads where the associated Teams application is installed.	Chat.ReadBasic.WhereInstalled
Read and write all chat messages	Chat.ReadWrite.All
Read and write all chat messages for chats where the associated Teams application is installed.	Chat.ReadWrite.WhereInstalled
Flag chat messages for violating policy	Chat.UpdatePolicyViolation.All
Read the members of all chats	ChatMember.Read.All
Read the members of all chats where the associated Teams application is installed.	ChatMember.Read.WhereInstalled
Add and remove members from all chats	ChatMember.ReadWrite.All
Add and remove members from all chats where the associated Teams application is installed.	ChatMember.ReadWrite.WhereInstalled
Read all chat messages	ChatMessage.Read.All
Read all discovered cloud applications data	CloudApp-Discovery.Read.All
Read Cloud PCs	CloudPC.Read.All
Read and write Cloud PCs	CloudPC.ReadWrite.All
Read all Viva Engage communities	Community.Read.All
Read and write all Viva Engage communities	Community.ReadWrite.All
Read all consent requests	ConsentRequest.Read.All
Read and write all consent requests	ConsentRequest.ReadWrite.All
Read contacts in all mailboxes	Contacts.Read
Read and write contacts in all mailboxes	Contacts.ReadWrite
Read cross-tenant basic information	CrossTenantInformation.ReadBasic.All
Read all shared cross-tenant user profiles and export their data	CrossTenantUserProfileSharing.Read.All
Read all shared cross-tenant user profiles and export or delete their data	CrossTenantUserProfileSharing.ReadWrite.All
Read all custom authentication extensions	CustomAuthenticationExtension.Read.All
Read and write all custom authentication extensions	CustomAuthenticationExtension.ReadWrite.All
Receive custom authentication extension HTTP requests	CustomAuthenticationExtension.Receive.Payload
Read all custom detection rules	CustomDetection.Read.All
Read and write all custom detection rules	CustomDetection.ReadWrite.All
Read custom security attribute assignments	CustomSecAttributeAssignment.Read.All
Read and write custom security attribute assignments	CustomSecAttributeAssignment.ReadWrite.All
Read all custom security attribute audit logs	CustomSecAttributeAuditLogs.Read.All
Read custom security attribute definitions	CustomSecAttributeDefinition.Read.All
Read and write custom security attribute definitions	CustomSecAttributeDefinition.ReadWrite.All
Read the provisioning configuration of all active custom security attributes	CustomSecAttributeProvisioning.Read.All
Read and edit the provisioning configuration of all active custom security attributes	CustomSecAttributeProvisioning.ReadWrite.All
Read all custom tags data	CustomTags.Read.All
Read and write custom tags data	CustomTags.ReadWrite.All
Read Delegated Admin relationships with customers	DelegatedAdminRelationship.Read.All
Manage Delegated Admin relationships with customers	DelegatedAdminRelationship.ReadWrite.All
Read all delegated permission grants	DelegatedPermissionGrant.Read.All
Manage all delegated permission grants	DelegatedPermissionGrant.ReadWrite.All
Read all devices	Device.Read.All
Read and write devices	Device.ReadWrite.All
Read device local credential passwords	DeviceLocalCredential.Read.All
Read device local credential properties	DeviceLocalCredential.ReadBasic.All
Read Microsoft Intune apps	DeviceManagementApps.Read.All
Read and write Microsoft Intune apps	DeviceManagementApps.ReadWrite.All
Read Microsoft Cloud PKI objects	DeviceManagementCloudCA.Read.All
Read and write Microsoft Cloud PKI objects	DeviceManagementCloudCA.ReadWrite.All
Read Microsoft Intune device configuration and policies	DeviceManagementConfiguration.Read.All
Read and write Microsoft Intune device configuration and policies	DeviceManagementConfiguration.ReadWrite.All
Perform user-impacting remote actions on Microsoft Intune devices	DeviceManagementManagedDevices.PrivilegedOperations.All
Read Microsoft Intune devices	DeviceManagementManagedDevices.Read.All
Read and write Microsoft Intune devices	DeviceManagementManagedDevices.ReadWrite.All
Read Microsoft Intune RBAC settings	DeviceManagementRBAC.Read.All
Read and write Microsoft Intune RBAC settings	DeviceManagementRBAC.ReadWrite.All
Read Microsoft Intune Scripts	DeviceManagementScripts.Read.All
Read and write Microsoft Intune Scripts	DeviceManagementScripts.ReadWrite.All
Read Microsoft Intune configuration	DeviceManagementServiceConfig.Read.All
Read and write Microsoft Intune configuration	DeviceManagementServiceConfig.ReadWrite.All
Create device template	DeviceTemplate.Create
Read all device templates	DeviceTemplate.Read.All
Read and write all device templates	DeviceTemplate.ReadWrite.All
Read directory data	Directory.Read.All
Read and write directory data	Directory.ReadWrite.All
Read all Azure AD recommendations	DirectoryRecommendations.Read.All
Read and update all Azure AD recommendations	DirectoryRecommendations.ReadWrite.All
Read domains	Domain.Read.All
Read and write domains	Domain.ReadWrite.All
Read all eDiscovery objects	eDiscovery.Read.All
Read and write all eDiscovery objects	eDiscovery.ReadWrite.All
Read Education app settings	EduAdministration.Read.All
Manage education app settings	EduAdministration.ReadWrite.All
Read all class assignments with grades	EduAssignments.Read.All
Read all class assignments without grades	EduAssignments.ReadBasic.All
Create, read, update and delete all class assignments with grades	EduAssignments.ReadWrite.All
Create, read, update and delete all class assignments without grades	EduAssignments.ReadWriteBasic.All
Read all class modules and resources	EduCurricula.Read.All
Read and write all class modules and resources	EduCurricula.ReadWrite.All
Read all tenant reading assignments submissions data	EduReports-Reading.Read.All
Read all tenant reading assignments submissions data	EduReports-Reading.ReadAnonymous.All
Read all tenant reflect check-ins submissions data	EduReports-Reflect.Read.All
Read all tenant reflect check-ins submissions data	EduReports-Reflect.ReadAnonymous.All
Read the organization's roster	EduRoster.Read.All
Read a limited subset of the organization's roster	EduRoster.ReadBasic.All
Read and write the organization's roster	EduRoster.ReadWrite.All
Read all entitlement management resources	EntitlementManagement.Read.All
Read and write all entitlement management resources	EntitlementManagement.ReadWrite.All
Read all authentication event listeners	EventListener.Read.All
Read and write all authentication event listeners	EventListener.ReadWrite.All
Read all external connections	ExternalConnection.Read.All
Read and write all external connections	ExternalConnection.ReadWrite.All
Read and write external connections	ExternalConnection.ReadWrite.OwnedBy
Read all external items	ExternalItem.Read.All
Read and write items in external datasets	ExternalItem.ReadWrite.All
Read and write external items	ExternalItem.ReadWrite.OwnedBy
Read all external user profiles	ExternalUserProfile.Read.All
Read and write all external user profiles	ExternalUserProfile.ReadWrite.All
Ingest SharePoint and OneDrive content to make it available in the search index	FileIngestion.Ingest
Manage onboarding for a Hybrid Cloud tenant	FileIngestionHybridOnboarding.Manage
Read files in all site collections	Files.Read.All
Read and write files in all site collections	Files.ReadWrite.All
Have full access to the application's folder without a signed in user.	Files.ReadWrite.AppFolder
Access selected Files without a signed in user.	Files.SelectedOperations.Selected
Access selected file storage containers	FileStorageContainer.Selected
Read all group conversations	Group-Conversation.Read.All
Read and write all group conversations	Group-Conversation.ReadWrite.All
Create groups	Group.Create
Read all groups	Group.Read.All
Read and write all groups	Group.ReadWrite.All
Read all group memberships	GroupMember.Read.All
Read and write all group memberships	GroupMember.ReadWrite.All
Read all scenario health monitoring alert	HealthMonitoringAlert.Read.All
Read and write all scenario monitoring alerts	HealthMonitoringAlert.ReadWrite.All
Read all scenario health monitoring alert configurations	HealthMonitoringAlertConfig.Read.All
Read and write all scenario monitoring alerts	HealthMonitoringAlertConfig.ReadWrite.All
Read identity providers	IdentityProvider.Read.All
Read and write identity providers	IdentityProvider.ReadWrite.All
Read all identity risk event information	IdentityRiskEvent.Read.All
Read and write all risk detection information	IdentityRiskEvent.ReadWrite.All
Read all identity risky service principal information	IdentityRiskyServicePrincipal.Read.All
Read and write all identity risky service principal information	IdentityRiskyServicePrincipal.ReadWrite.All
Read all identity risky user information	IdentityRiskyUser.Read.All
Read and write all risky user information	IdentityRiskyUser.ReadWrite.All
Read all identity user flows	IdentityUserFlow.Read.All
Read and write all identity user flows	IdentityUserFlow.ReadWrite.All
View data connector definitions	IndustryData-DataConnector.Read.All
Manage data connector definitions	IndustryData-DataConnector.ReadWrite.All
Upload files to a data connector	IndustryData-DataConnector.Upload
View inbound flow definitions	IndustryData-InboundFlow.Read.All
Manage inbound flow definitions	IndustryData-InboundFlow.ReadWrite.All
View outbound flow definitions	IndustryData-OutboundFlow.Read.All
Manage outbound flow definitions	IndustryData-OutboundFlow.ReadWrite.All
View reference definitions	IndustryData-ReferenceDefinition.Read.All
Manage reference definitions	IndustryData-ReferenceDefinition.ReadWrite.All
View current and previous runs	IndustryData-Run.Read.All
View and start runs	IndustryData-Run.Start
View source system definitions	IndustryData-SourceSystem.Read.All
Manage source system definitions	IndustryData-SourceSystem.ReadWrite.All
Read time period definitions	IndustryData-TimePeriod.Read.All
Manage time period definitions	IndustryData-TimePeriod.ReadWrite.All
View basic service and resource information	IndustryData.ReadBasic.All
Read all configurations for protecting organizational data applicable to users	InformationProtectionConfig.Read.All
Sign digests for data	InformationProtectionContent.Sign.All
Create protected content	InformationProtectionContent.Write.All
Read all published labels and label policies for an organization.	InformationProtectionPolicy.Read.All
Read all user metrics insights	Insights-UserMetric.Read.All
Read all assignments	LearningAssignedCourse.Read.All
Read and write all assignments	LearningAssignedCourse.ReadWrite.All
Read all learning content	LearningContent.Read.All
Manage all learning content	LearningContent.ReadWrite.All
Read all self-initiated courses	LearningSelfInitiatedCourse.Read.All
Read and write all self-initiated courses	LearningSelfInitiatedCourse.ReadWrite.All
Manage all license assignments	LicenseAssignment.ReadWrite.All
Read all lifecycle workflows resources	LifecycleWorkflows.Read.All
Read and write all lifecycle workflows resources	LifecycleWorkflows.ReadWrite.All
Access selected ListItems without a signed in user.	ListItems.SelectedOperations.Selected
Access selected Lists without a signed in user.	Lists.SelectedOperations.Selected
Read mail in all mailboxes	Mail.Read
Read basic mail in all mailboxes	Mail.ReadBasic
Read basic mail in all mailboxes	Mail.ReadBasic.All
Read and write mail in all mailboxes	Mail.ReadWrite
Send mail as any user	Mail.Send
Read all the users' mailbox folders	MailboxFolder.Read.All
Read and write all the users' mailbox folders	MailboxFolder.ReadWrite.All
Allows the app to perform backup and restore for all mailbox items	MailboxItem.ImportExport.All
Read all the users' mailbox items	MailboxItem.Read.All
Read all user mailbox settings	MailboxSettings.Read
Read and write all user mailbox settings	MailboxSettings.ReadWrite
Read all hidden memberships	Member.Read.Hidden
Read all multi-tenant organization details and tenants	MultiTenantOrganization.Read.All
Read multi-tenant organization basic details and active tenants	MultiTenantOrganization.ReadBasic.All
Read and write all multi-tenant organization details and tenants	MultiTenantOrganization.ReadWrite.All
Read all configurations used for mutual-TLS client authentication.	MutualTlsOauthConfiguration.Read.All
Read and write all configurations used for mutual-TLS client authentication.	MutualTlsOauthConfiguration.ReadWrite.All
Read all network access reports	NetworkAccess-Reports.Read.All
Read all network access information	NetworkAccess.Read.All
Read and write all network access information	NetworkAccess.ReadWrite.All
Read properties of all branches for network access	NetworkAccessBranch.Read.All
Read and write properties of all branches for network access	NetworkAccessBranch.ReadWrite.All
Read all security and routing policies for network access	NetworkAccessPolicy.Read.All
Read and write all security and routing policies for network access	NetworkAccessPolicy.ReadWrite.All
Read all OneNote notebooks	Notes.Read.All
Read and write all OneNote notebooks	Notes.ReadWrite.All
Read all AI Insights for online meetings.	OnlineMeetingAiInsight.Read.All
Read all AI Insights for online meetings where the Teams application is installed.	OnlineMeetingAiInsight.Read.Chat
Read online meeting artifacts	OnlineMeetingArtifact.Read.All
Read all recordings of online meetings.	OnlineMeetingRecording.Read.All
Read online meeting details	OnlineMeetings.Read.All
Read and create online meetings	OnlineMeetings.ReadWrite.All
Read all transcripts of online meetings.	OnlineMeetingTranscript.Read.All
Read all on-premises directory synchronization information	OnPremDirectorySynchronization.Read.All
Read and write all on-premises directory synchronization information	OnPremDirectorySynchronization.ReadWrite.All
Manage on-premises published resources	OnPremisesPublishingProfiles.ReadWrite.All
Read organization information	Organization.Read.All
Read and write organization information	Organization.ReadWrite.All
Read organizational branding information	OrganizationalBranding.Read.All
Read and write organizational branding information	OrganizationalBranding.ReadWrite.All
Read organizational contacts	OrgContact.Read.All
Read organization-wide apps and services settings	OrgSettings-AppsAndServices.Read.All
Read and write organization-wide apps and services settings	OrgSettings-AppsAndServices.ReadWrite.All
Read organization-wide Dynamics customer voice settings	OrgSettings-DynamicsVoice.Read.All
Read and write organization-wide Dynamics customer voice settings	OrgSettings-DynamicsVoice.ReadWrite.All
Read organization-wide Microsoft Forms settings	OrgSettings-Forms.Read.All
Read and write organization-wide Microsoft Forms settings	OrgSettings-Forms.ReadWrite.All
Read organization-wide Microsoft 365 apps installation settings	OrgSettings-Microsoft365Install.Read.All
Read and write organization-wide Microsoft 365 apps installation settings	OrgSettings-Microsoft365Install.ReadWrite.All
Read organization-wide Microsoft To Do settings	OrgSettings-Todo.Read.All
Read and write organization-wide Microsoft To Do settings	OrgSettings-Todo.ReadWrite.All
Read all billing data for your company's tenant	PartnerBilling.Read.All
Read security alerts of customer with CSP relationship	PartnerSecurity.Read.All
Read security alerts and update status of security alerts of customer with CSP relationship	PartnerSecurity.ReadWrite.All
Read all pending external user profiles	PendingExternalUserProfile.Read.All
Read and write all pending external user profiles	PendingExternalUserProfile.ReadWrite.All
Read all users' relevant people lists	People.Read.All
Read all tenant-wide people settings	PeopleSettings.Read.All
Read and write all tenant-wide people settings	PeopleSettings.ReadWrite.All
Read all company places	Place.Read.All
Read all workplace devices	PlaceDevice.Read.All
Read and write all workplace devices	PlaceDevice.ReadWrite.All
Read and write telemetry for all workplace devices.	PlaceDeviceTelemetry.ReadWrite.All
Read your organization's policies	Policy.Read.All
Read your organization's conditional access policies	Policy.Read.ConditionalAccess
Read your organization's device configuration policies	Policy.Read.DeviceConfiguration
Read your organization’s identity protection policy	Policy.Read.IdentityProtection
Read consent and permission grant policies	Policy.Read.PermissionGrant
Read and write your organization's directory access review default policy	Policy.ReadWrite.AccessReview
Read and write your organization's application configuration policies	Policy.ReadWrite.ApplicationConfiguration
Read and write authentication flow policies	Policy.ReadWrite.AuthenticationFlows
Read and write all authentication method policies	Policy.ReadWrite.AuthenticationMethod
Read and write your organization's authorization policy	Policy.ReadWrite.Authorization
Read and write your organization's conditional access policies	Policy.ReadWrite.ConditionalAccess
Read and write your organization's consent request policy	Policy.ReadWrite.ConsentRequest
Read and write your organization's cross tenant access policies	Policy.ReadWrite.CrossTenantAccess
Read and write your organization's device configuration policies	Policy.ReadWrite.DeviceConfiguration
Read and write your organization's external identities policy	Policy.ReadWrite.ExternalIdentities
Read and write feature rollout policies	Policy.ReadWrite.FeatureRollout
Read and write your organization's federated token validation policy	Policy.ReadWrite.FedTokenValidation
Read and write your organization’s identity protection policy	Policy.ReadWrite.IdentityProtection
Manage consent and permission grant policies	Policy.ReadWrite.PermissionGrant
Read and write your organization's security defaults policy	Policy.ReadWrite.SecurityDefaults
Read and write your organization's trust framework policies	Policy.ReadWrite.TrustFramework
Read presence information for all users	Presence.Read.All
Read and write presence information for all users	Presence.ReadWrite.All
Read printers	Printer.Read.All
Read and update printers	Printer.ReadWrite.All
Perform advanced operations on print jobs	PrintJob.Manage.All
Read print jobs	PrintJob.Read.All
Read basic information for print jobs	PrintJob.ReadBasic.All
Read and write print jobs	PrintJob.ReadWrite.All
Read and write basic information for print jobs	PrintJob.ReadWriteBasic.All
Read tenant-wide print settings	PrintSettings.Read.All
Read, write and update print task definitions	PrintTaskDefinition.ReadWrite.All
Read privileged access to Azure AD roles	PrivilegedAccess.Read.AzureAD
Read privileged access to Azure AD groups	PrivilegedAccess.Read.AzureADGroup
Read privileged access to Azure resources	PrivilegedAccess.Read.AzureResources
Read and write privileged access to Azure AD roles	PrivilegedAccess.ReadWrite.AzureAD
Read and write privileged access to Azure AD groups	PrivilegedAccess.ReadWrite.AzureADGroup
Read and write privileged access to Azure resources	PrivilegedAccess.ReadWrite.AzureResources
Read assignment schedules for access to Azure AD groups	PrivilegedAssignmentSchedule.Read.AzureADGroup
Read, create, and delete assignment schedules for access to Azure AD groups	PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup
Delete assignment schedules for access to Azure AD groups	PrivilegedAssignmentSchedule.Remove.AzureADGroup
Read eligibility schedules for access to Azure AD groups	PrivilegedEligibilitySchedule.Read.AzureADGroup
Read, create, and delete eligibility schedules for access to Azure AD groups	PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup
Delete eligibility schedules for access to Azure AD groups	PrivilegedEligibilitySchedule.Remove.AzureADGroup
Read profile photo of a user or group	ProfilePhoto.Read.All
Read and write profile photo of a user or group	ProfilePhoto.ReadWrite.All
Read all programs	ProgramControl.Read.All
Manage all programs	ProgramControl.ReadWrite.All
Read all certificate based authentication configurations	PublicKeyInfrastructure.Read.All
Read and write all certificate based authentication configurations	PublicKeyInfrastructure.ReadWrite.All
Read all Question and Answers	QnA.Read.All
Read Records Management configuration, labels and policies	RecordsManagement.Read.All
Read and write Records Management configuration, labels and policies	RecordsManagement.ReadWrite.All
Read all usage reports	Reports.Read.All
Read all admin report settings	ReportSettings.Read.All
Read and write all admin report settings	ReportSettings.ReadWrite.All
Read resource specific permissions granted on a chat	ResourceSpecificPermissionGrant.ReadForChat.All
Read resource specific permissions granted on a team	ResourceSpecificPermissionGrant.ReadForTeam.All
Read all resource specific permissions granted on user accounts	ResourceSpecificPermissionGrant.ReadForUser.All
Read all identity risk prevention providers	RiskPreventionProviders.Read.All
Read and write all identity risk prevention providers	RiskPreventionProviders.ReadWrite.All
Read all active role assignments and role schedules for your company's directory	RoleAssignmentSchedule.Read.Directory
Read, update, and delete all policies for privileged role assignments of your company's directory	RoleAssignmentSchedule.ReadWrite.Directory
Delete all active role assignments of your company's directory	RoleAssignmentSchedule.Remove.Directory
Read all eligible role assignments and role schedules for your company's directory	RoleEligibilitySchedule.Read.Directory
Read, update, and delete all eligible role assignments and schedules for your company's directory	RoleEligibilitySchedule.ReadWrite.Directory
Delete all eligible role assignments of your company's directory	RoleEligibilitySchedule.Remove.Directory
Read role management data for all RBAC providers	RoleManagement.Read.All
Read Cloud PC RBAC settings	RoleManagement.Read.CloudPC
Read M365 Defender RBAC configuration	RoleManagement.Read.Defender
Read all directory RBAC settings	RoleManagement.Read.Directory
Read Exchange Online RBAC configuration	RoleManagement.Read.Exchange
Read and write all Cloud PC RBAC settings	RoleManagement.ReadWrite.CloudPC
Read M365 Defender RBAC configuration	RoleManagement.ReadWrite.Defender
Read and write all directory RBAC settings	RoleManagement.ReadWrite.Directory
Read and write Exchange Online RBAC configuration	RoleManagement.ReadWrite.Exchange
Read all alert data for your company's directory	RoleManagementAlert.Read.Directory
Read all alert data, configure alerts, and take actions on all alerts for your company's directory	RoleManagementAlert.ReadWrite.Directory
Read all policies in PIM for Groups	RoleManagementPolicy.Read.AzureADGroup
Read all policies for privileged role assignments of your company's directory	RoleManagementPolicy.Read.Directory
Read, update, and delete all policies in PIM for Groups	RoleManagementPolicy.ReadWrite.AzureADGroup
Read, update, and delete all policies for privileged role assignments of your company's directory	RoleManagementPolicy.ReadWrite.Directory
Trigger working time policies and read the working time status	Schedule-WorkingTime.ReadWrite.All
Read all schedule items	Schedule.Read.All
Read and write all schedule items	Schedule.ReadWrite.All
Read/Write schedule permissions for a role	SchedulePermissions.ReadWrite.All
Read your organization's search configuration	SearchConfiguration.Read.All
Read and write your organization's search configuration	SearchConfiguration.ReadWrite.All
Read your organization's security actions	SecurityActions.Read.All
Read and update your organization's security actions	SecurityActions.ReadWrite.All
Read all security alerts	SecurityAlert.Read.All
Read and write to all security alerts	SecurityAlert.ReadWrite.All
Read metadata and detection details for all emails in your organization	SecurityAnalyzedMessage.Read.All
Read metadata, detection details, and execute remediation actions on all emails in your organization	SecurityAnalyzedMessage.ReadWrite.All
Read your organization’s security events	SecurityEvents.Read.All
Read and update your organization’s security events	SecurityEvents.ReadWrite.All
Read all identity security health issues	SecurityIdentitiesHealth.Read.All
Read and write all identity security health issues	SecurityIdentitiesHealth.ReadWrite.All
Read all identity security sensors	SecurityIdentitiesSensors.Read.All
Read and write all identity security sensors	SecurityIdentitiesSensors.ReadWrite.All
Read all identity security available user actions	SecurityIdentitiesUserActions.Read.All
Read and perform all identity security available user actions	SecurityIdentitiesUserActions.ReadWrite.All
Read all security incidents	SecurityIncident.Read.All
Read and write to all security incidents	SecurityIncident.ReadWrite.All
Read all Exchange service activity	ServiceActivity-Exchange.Read.All
Read all Microsoft 365 Web service activity	ServiceActivity-Microsoft365Web.Read.All
Read all One Drive service activity	ServiceActivity-OneDrive.Read.All
Read all Teams service activity	ServiceActivity-Teams.Read.All
Read service health	ServiceHealth.Read.All
Read service messages	ServiceMessage.Read.All
Read service principal endpoints	ServicePrincipalEndpoint.Read.All
Read and update service principal endpoints	ServicePrincipalEndpoint.ReadWrite.All
Read SharePoint and OneDrive tenant settings	SharePointTenantSettings.Read.All
Read and change SharePoint and OneDrive tenant settings	SharePointTenantSettings.ReadWrite.All
Read all users' short notes	ShortNotes.Read.All
Read, create, edit, and delete all users' short notes	ShortNotes.ReadWrite.All
Have full control of all site collections	Sites.FullControl.All
Create, edit, and delete items and lists in all site collections	Sites.Manage.All
Read items in all site collections	Sites.Read.All
Read and write items in all site collections	Sites.ReadWrite.All
Access selected site collections	Sites.Selected
Read SPIFFE trust domains and child resources	SpiffeTrustDomain.Read.All
Read and write SPIFFE trust domains and child resources	SpiffeTrustDomain.ReadWrite.All
Read all subject rights requests	SubjectRightsRequest.Read.All
Read and write all subject rights requests	SubjectRightsRequest.ReadWrite.All
Read all Azure AD synchronization data.	Synchronization.Read.All
Read and write all Azure AD synchronization data.	Synchronization.ReadWrite.All
Upload user data to the identity synchronization service	SynchronizationData-User.Upload
Upload user data to the identity sync service for apps that this application creates or owns	SynchronizationData-User.Upload.OwnedBy
Read all users’ tasks and tasklist	Tasks.Read.All
Read and write all users’ tasks and tasklists	Tasks.ReadWrite.All
Create teams	Team.Create
Get a list of all teams	Team.ReadBasic.All
Read the members of all teams	TeamMember.Read.All
Add and remove members from all teams	TeamMember.ReadWrite.All
Add and remove members with non-owner role for all teams	TeamMember.ReadWriteNonOwnerRole.All
Read all users' teamwork activity feed	TeamsActivity.Read.All
Send a teamwork activity to any user	TeamsActivity.Send
Manage installation and permission grants of selected Teams apps in all chats	TeamsAppInstallation.ManageSelectedForChat.All
Manage installation and permission grants of selected Teams apps in all teams	TeamsAppInstallation.ManageSelectedForTeam.All
Manage installation and permission grants of selected Teams apps for all user accounts	TeamsAppInstallation.ManageSelectedForUser.All
Read installed Teams apps for all installation scopes	TeamsAppInstallation.Read.All
Read installed Teams apps for all chats	TeamsAppInstallation.ReadForChat.All
Read installed Teams apps for all teams	TeamsAppInstallation.ReadForTeam.All
Read installed Teams apps for all users	TeamsAppInstallation.ReadForUser.All
Read selected installed Teams apps in all chats	TeamsAppInstallation.ReadSelectedForChat.All
Read selected installed Teams apps in all teams	TeamsAppInstallation.ReadSelectedForTeam.All
Read selected installed Teams apps for all users	TeamsAppInstallation.ReadSelectedForUser.All
Manage installation and permission grants of Teams apps for all chats	TeamsAppInstallation.ReadWriteAndConsentForChat.All
Manage installation and permission grants of Teams apps for all teams	TeamsAppInstallation.ReadWriteAndConsentForTeam.All
Manage installation and permission grants of Teams apps in a user account	TeamsAppInstallation.ReadWriteAndConsentForUser.All
Allow the Teams app to manage itself and its permission grants for all chats	TeamsAppInstallation.ReadWriteAndConsentSelfForChat.All
Allow the Teams app to manage itself and its permission grants for all teams	TeamsAppInstallation.ReadWriteAndConsentSelfForTeam.All
Allow the Teams app to manage itself and its permission grants in all user accounts	TeamsAppInstallation.ReadWriteAndConsentSelfForUser.All
Manage Teams apps for all chats	TeamsAppInstallation.ReadWriteForChat.All
Manage Teams apps for all teams	TeamsAppInstallation.ReadWriteForTeam.All
Manage Teams apps for all users	TeamsAppInstallation.ReadWriteForUser.All
Manage selected installed Teams apps in all chats	TeamsAppInstallation.ReadWriteSelectedForChat.All
Manage selected installed Teams apps in all teams	TeamsAppInstallation.ReadWriteSelectedForTeam.All
Manage selected Teams apps installed for all users	TeamsAppInstallation.ReadWriteSelectedForUser.All
Allow the Teams app to manage itself for all chats	TeamsAppInstallation.ReadWriteSelfForChat.All
Allow the Teams app to manage itself for all teams	TeamsAppInstallation.ReadWriteSelfForTeam.All
Allow the app to manage itself for all users	TeamsAppInstallation.ReadWriteSelfForUser.All
Read all teams' settings	TeamSettings.Read.All
Read and change all teams' settings	TeamSettings.ReadWrite.All
Read and Write Teams policy user assignment and unassigment for all policy types.	TeamsPolicyUserAssign.ReadWrite.All
Read Teams resource accounts	TeamsResourceAccount.Read.All
Create tabs in Microsoft Teams.	TeamsTab.Create
Read tabs in Microsoft Teams.	TeamsTab.Read.All
Read and write tabs in Microsoft Teams.	TeamsTab.ReadWrite.All
Allow the Teams app to manage all tabs for all chats	TeamsTab.ReadWriteForChat.All
Allow the Teams app to manage all tabs for all teams	TeamsTab.ReadWriteForTeam.All
Allow the app to manage all tabs for all users	TeamsTab.ReadWriteForUser.All
Allow the Teams app to manage only its own tabs for all chats	TeamsTab.ReadWriteSelfForChat.All
Allow the Teams app to manage only its own tabs for all teams	TeamsTab.ReadWriteSelfForTeam.All
Allow the Teams app to manage only its own tabs for all users	TeamsTab.ReadWriteSelfForUser.All
Read Teams user configurations	TeamsUserConfiguration.Read.All
Read all available Teams Templates	TeamTemplates.Read.All
Create chat and channel messages with anyone's identity and with any timestamp	Teamwork.Migrate.All
Read organizational teamwork settings	Teamwork.Read.All
Read Teams app settings	TeamworkAppSettings.Read.All
Read and write Teams app settings	TeamworkAppSettings.ReadWrite.All
Read Teams devices	TeamworkDevice.Read.All
Read and write Teams devices	TeamworkDevice.ReadWrite.All
Read tags in Teams	TeamworkTag.Read.All
Read and write tags in Teams	TeamworkTag.ReadWrite.All
Read all term store data	TermStore.Read.All
Read and write all term store data	TermStore.ReadWrite.All
Read threat assessment requests	ThreatAssessment.Read.All
Run hunting queries	ThreatHunting.Read.All
Read all threat indicators	ThreatIndicators.Read.All
Manage threat indicators this app creates or owns	ThreatIndicators.ReadWrite.OwnedBy
Read all Threat Intelligence Information	ThreatIntelligence.Read.All
Read all of the organization's threat submissions	ThreatSubmission.Read.All
Read and write all of the organization's threat submissions	ThreatSubmission.ReadWrite.All
Read and write all of the organization's threat submission policies	ThreatSubmissionPolicy.ReadWrite.All
Read trust framework key sets	TrustFrameworkKeySet.Read.All
Read and write trust framework key sets	TrustFrameworkKeySet.ReadWrite.All
Convert an external user to internal member user	User-ConvertToInternal.ReadWrite.All
Read all users' lifecycle information	User-LifeCycleInfo.Read.All
Read and write all users' lifecycle information	User-LifeCycleInfo.ReadWrite.All
Read and write all secondary mail addresses for users	User-Mail.ReadWrite.All
Read and write all password profiles and reset user passwords	User-PasswordProfile.ReadWrite.All
Read and write all user mobile phone and business phones	User-Phone.ReadWrite.All
Delete and restore all users	User.DeleteRestore.All
Enable and disable user accounts	User.EnableDisableAccount.All
Export user's data	User.Export.All
Invite guest users to the organization	User.Invite.All
Manage all users' identities	User.ManageIdentities.All
Read all users' full profiles	User.Read.All
Read all users' basic profiles	User.ReadBasic.All
Read and write all users' full profiles	User.ReadWrite.All
Revoke all sign in sessions for a user	User.RevokeSessions.All
Read all users' authentication methods	UserAuthenticationMethod.Read.All
Read and write all users' authentication methods	UserAuthenticationMethod.ReadWrite.All
Read all users' passkey authentication methods	UserAuthMethod-Passkey.Read.All
Read and write all users' passkey authentication methods	UserAuthMethod-Passkey.ReadWrite.All
Deliver and manage all user's notifications	UserNotification.ReadWrite.CreatedByApp
Read all user shift preferences	UserShiftPreferences.Read.All
Read and write all user shift preferences	UserShiftPreferences.ReadWrite.All
Read all user teamwork settings	UserTeamwork.Read.All
Read all virtual appointments for users, as authorized by online meetings application access policy	VirtualAppointment.Read.All
Read-write all virtual appointments for users, as authorized by online meetings app access policy	VirtualAppointment.ReadWrite.All
Send notification regarding virtual appointments as any user	VirtualAppointmentNotification.Send
Read all users' virtual events	VirtualEvent.Read.All
Read and write anonymous users' virtual event registrations	VirtualEventRegistration-Anon.ReadWrite.All
Read and write all Windows update deployment settings	WindowsUpdates.ReadWrite.All
Read and write workforce integrations	WorkforceIntegration.ReadWrite.All

Add Managed Identity permission

Now that we have defined our permission, we just need to apply it to the Managed Identity via PowerShell. To do this, we use the following commands:

$tenantId = "xxxx-xxxx-xxxx-xxxx-xxxxxxx" # Replace with your tenant ID - https://entra.microsoft.com

$graphApiAppId = "00000003-0000-0000-c000-000000000000" # Well known ID

$msiName = "function app name" # Name of your managed identity e.g. name of Function or Logic App

$graphPermissions = @("Mail.Send", "User.Read.All") # Add or remove permissions
 

Connect-AzureAD -TenantId $tenantId

$msi = Get-AzureADServicePrincipal -Filter "displayName eq '$msiName'" # Can take a few seconds, add a sleep if necessary

$graphApiAppRegistration = Get-AzureADServicePrincipal -Filter "appId eq '$graphApiAppId'"

$appRoles = $graphApiAppRegistration.AppRoles | Where-Object { $graphPermissions -contains $_.Value -and $_.AllowedMemberTypes -contains "Application" }

foreach ($appRole in $appRoles) {

      New-AzureAdServiceAppRoleAssignment -ObjectId $msi.ObjectId -PrincipalId $msi.ObjectId -ResourceId $graphApiAppRegistration.ObjectId -Id $appRole.Id

        }

This completes the permission changes. If you use an Azure Function and test it immediately to see if it works, you may still receive error messages such as “access denied” or similar. From time to time, Azure Function may not immediately recognize this or may still have cached information. Sometimes it takes several function restarts and stop/run commands and a few minutes of time.

Invoice Upload to ERP with Logic App and Azure Functions

This example is intended to show how quickly and easily workflows such as the automatic upload of invoices to the ERP system (in this case Lexoffice / Lexware Office) can be implemented using Azure Services.

Microsoft MVP awards 2019

On July 1st, Microsoft is honoring community work with the Most Valuable Professional (MVP) title all over the world. This years renewal cycle held some big surprises for us.