
In Bicep, I am attempting to create a User Assigned Identity and then assign that identity a few scopes using the new Microsoft.Graph Bicep capabilities:

resource sqlIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  location: location
  name: 'id-sqlserver-${environment}'
}

//https://learn.microsoft.com/en-us/graph/templates/reference/oauth2permissiongrants?view=graph-bicep-1.0

resource graphPermissions 'Microsoft.Graph/oauth2PermissionGrants@v1.0' = {
  clientId: sqlIdentity.properties.clientId
  consentType: 'Principal'
  resourceId: sqlIdentity.id
  scope: 'User.Read.All GroupMember.Read.All Application.Read.All'
}

However, I get the following error message: "The identity of the calling application could not be established." Another user who has elevated permissions tried it but got the same error. How can I assign Microsoft Graph permissions using Bicep?

2 Answers


  1. It is not a matter of insufficient permissions; it is about the oauth2PermissionGrants concept. Remember that it represents delegated permissions that have been granted to client applications to access APIs on behalf of signed-in users. So the resourceId in your Bicep should be the API you want to access, not the identity itself. The resourceId of an API such as 'Microsoft Graph' can be found in the AAD Enterprise Application by copying its objectId.

    So your Bicep should look something like below:

    main.bicep

    provider microsoftGraph
    
    param location string = resourceGroup().location
    
    param environment string = 'wb'
    
    resource sqlIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
      location: location
      name: 'id-sqlserver-${environment}'
    }
    
    //https://learn.microsoft.com/en-us/graph/templates/reference/oauth2permissiongrants?view=graph-bicep-1.0
    
    resource graphPermissions 'Microsoft.Graph/oauth2PermissionGrants@v1.0' = {
      clientId: sqlIdentity.properties.clientId
      consentType: 'Principal'
      resourceId: 'xxx-xxxxxxxx-xxx'
      scope: 'User.Read'
    }
    

    After the deployment completes, the sqlIdentity can access the Microsoft Graph API with Read permission on your behalf.

    Just remember that this resource id comes from the API provided by Microsoft or the API you developed and exposed yourself, not the identity you created.

  2. It is a bit confusing but:

    • clientId represents the objectId of the client application: in your case the managed identity
    • resourceId represents the objectId of the target resource: in your case the service principal of MS Graph in your tenant.

    This should work:

    provider microsoftGraph
    
    param location string = resourceGroup().location
    param environment string = 'wb'
    
    // create a managed identity
    resource sqlIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
      location: location
      name: 'id-sqlserver-${environment}'
    }
    
    // Reference to the Ms Graph Service Principal in the tenant
    resource msgraphSp 'Microsoft.Graph/servicePrincipals@v1.0' existing = {
      appId: '00000003-0000-0000-c000-000000000000'
    }
    
    // Assign delegated permissions
    resource oauth2PermissionGrant 'Microsoft.Graph/oauth2PermissionGrants@v1.0' = {
      clientId: sqlIdentity.properties.principalId
      consentType: 'AllPrincipals'
      resourceId: msgraphSp.id
      scope: 'User.Read.All GroupMember.Read.All Application.Read.All'
    }
    
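As an added pre-deployment check (not code from the thread or from the Microsoft Graph Bicep extension), this Python linter applies the rules the two answers give to a grant: clientId must be the identity's objectId (its principalId), resourceId must be the objectId of the Microsoft Graph service principal, consentType 'Principal' needs a principalId, and every scope must be one the resource publishes. The service-principal records and GUIDs are constructed placeholders; the grants modelled are the question's and answer 2's.

```python
"""Lint an oauth2PermissionGrant against the rules the two answers give."""
# Added example, not code from the thread: every record below is constructed
# to mirror the shapes Microsoft Graph returns, with placeholder GUIDs.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph (answer 2)

# Constructed servicePrincipal objects, reduced to the fields the check needs.
IDENTITY_SP = {"id": "11111111-aaaa-4aaa-8aaa-111111111111",    # objectId = principalId
               "appId": "22222222-bbbb-4bbb-8bbb-222222222222",  # clientId of the identity
               "servicePrincipalType": "ManagedIdentity"}
GRAPH_SP = {"id": "33333333-cccc-4ccc-8ccc-333333333333", "appId": GRAPH_APP_ID,
            "oauth2PermissionScopes": [{"value": v, "isEnabled": True} for v in
                ("User.Read", "User.Read.All", "GroupMember.Read.All", "Application.Read.All")]}

def lint_grant(grant, client_sp, resource_sp):
    """Return the list of problems found; an empty list means the grant is consistent."""
    problems = []
    # clientId must be the client's objectId (Bicep: properties.principalId), not its appId.
    if grant.get("clientId") == client_sp["appId"]:
        problems.append("clientId is the identity's appId; use its objectId (principalId)")
    elif grant.get("clientId") != client_sp["id"]:
        problems.append("clientId does not match the client service principal")
    # resourceId must be the objectId of the API's service principal, never the client.
    if grant.get("resourceId") in (client_sp["id"], client_sp["appId"]):
        problems.append("resourceId points at the identity itself, not at the API")
    elif grant.get("resourceId") == resource_sp["appId"]:
        problems.append("resourceId is the API's appId; use its service principal objectId")
    elif grant.get("resourceId") != resource_sp["id"]:
        problems.append("resourceId does not match the resource service principal")
    # consentType decides whether a principalId (the consenting user) is required.
    consent = grant.get("consentType")
    if consent not in ("AllPrincipals", "Principal"):
        problems.append(f"unknown consentType {consent!r}")
    elif consent == "Principal" and not grant.get("principalId"):
        problems.append("consentType 'Principal' requires a principalId (the user's objectId)")
    # Each space-separated scope must be a delegated scope the resource actually publishes.
    published = {s["value"] for s in resource_sp["oauth2PermissionScopes"] if s["isEnabled"]}
    for scope in (grant.get("scope") or "").split():
        if scope not in published:
            problems.append(f"scope {scope!r} is not published by the resource")
    return problems
# The question's grant: the identity's clientId (appId) on the client side and the
# identity itself on the resource side (its Bicep `sqlIdentity.id`, modelled by objectId).
QUESTION_GRANT = {"clientId": IDENTITY_SP["appId"], "consentType": "Principal",
                  "resourceId": IDENTITY_SP["id"],
                  "scope": "User.Read.All GroupMember.Read.All Application.Read.All"}
# Answer 2's grant: objectIds on both sides and tenant-wide consent.
FIXED_GRANT = {"clientId": IDENTITY_SP["id"], "consentType": "AllPrincipals",
               "resourceId": GRAPH_SP["id"],
               "scope": "User.Read.All GroupMember.Read.All Application.Read.All"}
```

Running `lint_grant(QUESTION_GRANT, IDENTITY_SP, GRAPH_SP)` reports the three mistakes the answers describe, while the answer 2 grant returns no problems.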