Entra ID – Managed Identity Permission Manager

Managing permissions for Managed Identities in Azure/Entra ID has been a long-standing challenge. Microsoft has not yet provided a built-in portal interface for this, leaving administrators reliant on PowerShell to handle permissions, even though the equivalent interface exists for App Registrations and Enterprise Applications.

To bridge this gap, as a Microsoft MVP I developed this PowerShell-based tool for the community; it simplifies and streamlines the management of Managed Identity permissions. To my surprise, the tool has gained significant traction, with over 3.7k downloads from GitHub at the time this post is published – this is insane! 🎉😲

What is a Managed Identity?

A Managed Identity in Entra ID (formerly Azure Active Directory) is an automatically managed identity that enables secure authentication and connection to Azure services without the need for explicit credential management (such as certificates or secrets).

Types of Managed Identities

✅ System-Assigned Managed Identity

  • Tied to a single Azure resource (e.g., Virtual Machine, Function App or Logic App).
  • Automatically deleted when the resource is removed.
  • Used to authenticate securely with services like Key Vault, Storage, or Microsoft Graph.

✅ User-Assigned Managed Identity

  • A standalone identity that can be assigned to multiple Azure resources.
  • Managed separately from resources, making it reusable.
  • Ideal for scenarios requiring shared identity across multiple resources.

Key Benefits of Managed Identities

  • 🔒 No credential management – Azure automatically handles the identity lifecycle and credential rotation.
  • 🔐 Secure authentication – Uses OAuth 2.0 access tokens obtained from the platform instead of passwords or secrets.
  • 🎯 Role-based access control – Azure RBAC roles grant access to Azure resources; access to APIs such as Microsoft Graph is granted as app role assignments on the identity's service principal, which is what this tool manages.

Common Use Cases

  • 📩 Managing Microsoft 365 mailboxes via Microsoft Graph & Automation Accounts.
  • 🔑 Secure access to Azure Key Vault (without storing secrets).
  • 🛠 Connecting Azure Functions to databases securely.
  • 🖥 Authenticating Azure Virtual Machines with other services.

Locate a Managed Identity

When you create a Managed Identity, a service principal is also created for it in Entra ID, and that service principal appears in the portal under Enterprise Applications.

Navigate to Entra ID and search for the appropriate Managed Identity as shown below.

  1. Navigate to Enterprise Applications, where all Managed Identities are listed.
  2. Navigate to All applications.
  3. In the search, filter on Application Type = Managed Identities.
  4. Search for your Managed Identity by name.

What about API Permissions?

When you create a Managed Identity, it won’t have access to any resources until you explicitly assign the necessary permissions.

API permissions are the access rights granted to an application to call an API. In Entra ID they control which operations an application may perform against protected resources such as the Microsoft Graph API or other APIs like Exchange Online. For a Managed Identity these are always application permissions (app roles), because there is no signed-in user whose delegated permissions could apply.

If, for example, you are building an application or script that needs to read user and group information from Microsoft Entra, you need to grant it the following Microsoft Graph application permissions:

  • User.Read.All
  • GroupMember.Read.All

For a complete list of all Microsoft Graph permissions, see the reference here (the tool also pulls the live list of app roles from the Microsoft Graph service principal itself): Microsoft Graph permissions reference – Microsoft Graph | Microsoft Learn

Unfortunately, as of this writing the Azure/Entra ID portal does not provide a way to manage Microsoft Graph permissions (or any other API permissions) on a Managed Identity's Enterprise Application, and it has been like this for years. Therefore, I developed this PowerShell tool to provide API permission management and reporting with the help of the Microsoft Graph PowerShell modules.

Adding Microsoft Graph permissions to a Managed Identity in Azure/Entra ID is essential for enabling specific capabilities in applications and scripts that need to interact with Microsoft Graph resources.
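The following is an added example (not code from the tool or from the original post) showing what granting Microsoft Graph application permissions to a Managed Identity looks like underneath: locate the Managed Identity's service principal (the same object the portal steps above find), look up the requested app roles on the Microsoft Graph service principal, and create one app role assignment per permission. It uses the User.Read.All and GroupMember.Read.All permissions from the paragraph above. The display name in $miDisplayName is a placeholder, and the script assumes you are signed in with an account that may grant app role assignments.

```powershell
# Added example, not the tool's own code.
# Assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Applications modules are installed
# and that the signed-in account is allowed to grant application permissions.
Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All"

$miDisplayName = "my-automation-account-mi"                 # placeholder: your Managed Identity name
$graphAppId    = "00000003-0000-0000-c000-000000000000"     # well-known app ID of Microsoft Graph
$permissions   = @("User.Read.All", "GroupMember.Read.All")

# The Managed Identity is a service principal with servicePrincipalType = ManagedIdentity
$mi = Get-MgServicePrincipal -Filter "servicePrincipalType eq 'ManagedIdentity' and displayName eq '$miDisplayName'"
if (-not $mi) { throw "Managed Identity '$miDisplayName' not found" }

# The resource we want to call; its AppRoles collection is the live list of application permissions
$graph = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# Assignments already present, so the script is safe to re-run
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -All

foreach ($perm in $permissions) {
    # Only roles that allow the 'Application' member type can be assigned to a Managed Identity
    $role = $graph.AppRoles | Where-Object { $_.Value -eq $perm -and $_.AllowedMemberTypes -contains "Application" }
    if (-not $role) {
        Write-Warning "App role '$perm' does not exist on Microsoft Graph (or is not an application permission)"
        continue
    }

    if ($existing | Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graph.Id }) {
        Write-Host "Already assigned: $perm"
        continue
    }

    # PrincipalId = the identity receiving the role, ResourceId = the API that defines the role
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id `
        -PrincipalId $mi.Id -ResourceId $graph.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Granted: $perm"
}
```

The assignment takes effect for new tokens only; a token the Managed Identity already holds keeps its old roles claim until it expires, so a freshly granted permission can appear to "not work" for up to the token lifetime.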

Let’s now understand what Microsoft Graph is and how to get started working with the same.

What is Microsoft Graph?

Microsoft Graph is a unified API endpoint provided by Microsoft that gives access to data and intelligence across Microsoft 365 services, Entra ID, and other Microsoft offerings. It allows developers to interact consistently with resources such as users, groups, files, emails, calendar events, tasks, and a lot more.

You can read a lot more about it here: Microsoft Graph overview – Microsoft Graph | Microsoft Learn

So why this tool is needed?

For years, IT professionals have relied on scattered scripts to manage Managed Identity permissions. These scripts often lack cohesion, consistency, and ease of use, making administration cumbersome. Many customers and administrators still struggle to find an intuitive, comprehensive solution.

How my PowerShell Tool fills the gaps

  • Simplicity: No more searching for multiple scripts; everything is in one place.
  • Security: Confirmation prompts for high-risk tasks and robust logging for transparency.
  • Efficiency: Manage permissions for one or many identities quickly and accurately.

How this tool will help you

  • Build confidence – Transparent logging and confirmation prompts ensure accuracy.
  • Save time – A single, unified tool eliminates the hassle of managing multiple scripts.
  • Reduce errors – User-friendly design and validation prevent accidental mistakes.
  • Increase efficiency – Manage permissions for multiple identities effortlessly.

The tool itself

The tool has an easy-to-use and understandable user interface: everything you need to manage and report permissions for all the Managed Identities in your tenant is in one place.

An overview of the features the tool currently offers:

  • List all Managed Identities: Retrieve a complete list of Managed Identities in your Azure environment.
  • View assigned permissions: Quickly view current permissions assigned to any Managed Identity.
  • Support for multiple access scopes: Manage permissions for various APIs like Microsoft Graph.
  • Add permissions without overwriting: Add new permissions without losing existing ones.
  • Set permissions by resetting assignments: Reset and apply new permissions from scratch.
  • Remove individual permissions: Remove specific permissions from an identity.
  • Remove all permissions: Strip all permissions when retiring or decommissioning identities.
  • List access Scopes with filtering: Filter available access scopes for easier management.
  • Confirmation for High-Risk tasks: Prompts for tasks like removing all permissions.
  • Full logging for transparency: Logs all actions for audit purposes.
  • Detailed input validation: Provides clear feedback on any missing fields, ensuring a smoother user experience.
  • Selected Scopes validation: Ensures that selected scopes are properly logged and managed.
  • Dark and light mode: Shows the UI in the theme you use in Windows, with an option to select one yourself.
  • Built-in update check: Fetches the latest version from GitHub directly in the tool.
  • And more to come…
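As an added example (not the tool's own code), here is the reporting and removal side of the feature list above: enumerate every Managed Identity in the tenant, resolve each assigned app role ID back to its readable permission name, and then remove one specific permission after a confirmation prompt, the same high-risk-task pattern the tool follows. The identity name and the Mail.Send permission used in the removal step are placeholders, and the script assumes you are signed in with an account allowed to read and change app role assignments.

```powershell
# Added example, not the tool's own code.
# Assumes Microsoft.Graph.Authentication and Microsoft.Graph.Applications are installed.
Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All"

# An appRoleAssignment only carries the role's GUID; the readable value (e.g. Mail.Send) lives on the
# resource service principal, so cache each resource once and translate IDs to values.
$resourceCache = @{}
function Resolve-AppRoleValue {
    param([string]$ResourceId, [string]$AppRoleId)
    if (-not $resourceCache.ContainsKey($ResourceId)) {
        $resourceCache[$ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $ResourceId
    }
    $role = $resourceCache[$ResourceId].AppRoles | Where-Object { $_.Id -eq $AppRoleId }
    if ($role) { $role.Value } else { $AppRoleId }   # fall back to the GUID if the role is unknown
}

# 1. Report: every Managed Identity and every API permission assigned to it
$report = foreach ($mi in Get-MgServicePrincipal -Filter "servicePrincipalType eq 'ManagedIdentity'" -All) {
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -All) {
        [pscustomobject]@{
            ManagedIdentity   = $mi.DisplayName
            ManagedIdentityId = $mi.Id
            Resource          = $a.ResourceDisplayName
            Permission        = Resolve-AppRoleValue -ResourceId $a.ResourceId -AppRoleId $a.AppRoleId
            AssignmentId      = $a.Id
        }
    }
}
$report | Sort-Object ManagedIdentity, Resource, Permission | Format-Table -AutoSize

# 2. Remove one permission from one identity, with a confirmation prompt before the change
$targets = $report | Where-Object {
    $_.ManagedIdentity -eq "my-automation-account-mi" -and      # placeholder identity name
    $_.Resource -eq "Microsoft Graph" -and
    $_.Permission -eq "Mail.Send"                               # placeholder permission to revoke
}
if (-not $targets) { Write-Host "Nothing to remove." }

foreach ($t in $targets) {
    $answer = Read-Host "Remove '$($t.Permission)' on '$($t.Resource)' from '$($t.ManagedIdentity)'? (y/N)"
    if ($answer -ne "y") { Write-Host "Skipped."; continue }

    # The assignment is deleted on the principal side; the resource's app role definition is untouched
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $t.ManagedIdentityId `
        -AppRoleAssignmentId $t.AssignmentId
    Write-Host "Removed: $($t.Permission)"
}
```

The report step alone is worth running periodically: Managed Identities are rarely reviewed once they work, and a tenant-wide list of which identity holds broad roles such as Mail.Send, User.ReadWrite.All or Directory.ReadWrite.All is the quickest way to spot over-privileged automation.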

Sample use of the tool

Here we remove a Microsoft Graph API permission (Mail.Send) from a Managed Identity and then add it again.

Prerequisites

Before using the tool, ensure you meet the following requirements:

  • PowerShell Microsoft Graph modules: Install Microsoft.Graph.Authentication and Microsoft.Graph.Applications (the tool installs them if they are missing).
  • Entra ID directory permissions: You need a directory role that is allowed to grant application permissions (Global Administrator) to manage Microsoft Graph permissions, and the account you sign in with must consent to the AppRoleAssignment.ReadWrite.All scope when the tool connects. Managing permissions for other services, such as Exchange Online, may additionally require an equivalent service role like Exchange Administrator.

How to get the tool

Are you ready to streamline your Managed Identity permissions management? You can download the tool and start using it today! Simply follow the link below to get access:

Download and see more of the tool here on GitHub

The tool is easy to set up and whether you’re managing permissions for a single identity or multiple ones across your Azure/Entra ID tenant, this tool has you covered.

The trust in the tool from the community and our customers

The tool has earned strong trust and appreciation from both the tech community and our customers. It’s widely used and frequently shared among professionals, reflecting its value and ease of use. At MINDCORE, several of our customers have already adopted it – and the feedback has been fantastic! Everyone from IT support teams to IT managers has praised how intuitive and user-friendly it is. Hearing that kind of positive response from real users is incredibly rewarding! 👌

What do you think of the tool? Is there something you think could be better or optimized? Let me know in the comments or on GitHub! 😊

Conclusion

In this post you’ve learned the fundamentals of Managed Identities: the two types, where their service principals appear in Entra ID, and how API permissions are assigned to them. Since the Azure/Entra ID portal doesn’t currently support this for Managed Identities, it’s important to know how to handle it programmatically, and this tool gives you a single place to do it.
