Managed Identities

Managed identities are great because Entra ID creates, stores and rotates the credential for you: there is no client secret or certificate to put in code, config or a key vault, and nothing to leak or expire. There are two types:

  • System assigned managed identity

  • User assigned managed identity

System assigned managed identity

A system assigned managed identity follows the life cycle of the resource it is enabled on (a VM, Function App, Logic App, Automation account and so on). If you for example enable it on a VM and grant that identity access to a storage blob, the identity is deleted automatically when the VM is deleted, and with it every role and permission assignment it had. One resource, one identity.

User assigned managed identity

A user assigned managed identity is its own Azure resource and does not follow the life cycle of the resources you attach it to. You create it first, attach it to one or more resources, and it keeps on living (together with its permission assignments) until you decide to remove it. That makes it the better choice when several workloads need the same permissions, or when the identity must survive a resource being rebuilt.
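An added example, not from the original page, showing the two life cycles side by side with Az PowerShell: the system assigned identity is switched on the VM itself, the user assigned identity is created as a separate resource and then attached. Resource group, VM and identity names below are placeholders; the VM is assumed to exist already. Note the gotcha on the second `Update-AzVM`: setting the type to `UserAssigned` only would silently drop the system assigned identity, so it is set to `SystemAssignedUserAssigned`.

```powershell
# Added example: enable a system assigned identity and attach a user assigned one to the same VM.
# Assumptions: Az.Compute, Az.ManagedServiceIdentity and Az.Resources are installed, Connect-AzAccount
# has been run, and the VM already exists. All names are placeholders.
$ResourceGroup = "rg-sentinel-automation"
$VmName        = "vm-responder"
$UaiName       = "id-defender-responder"
$Location      = "westeurope"

# System assigned: enabled on the VM itself. The service principal is created now and deleted
# together with the VM, taking every role and app role assignment with it.
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
Update-AzVM -ResourceGroupName $ResourceGroup -VM $vm -IdentityType SystemAssigned | Out-Null
$systemPrincipalId = (Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName).Identity.PrincipalId

# User assigned: an ordinary Azure resource that exists before and after any VM it is attached to.
$uai = New-AzUserAssignedIdentity -ResourceGroupName $ResourceGroup -Name $UaiName -Location $Location

# Attach it. Use SystemAssignedUserAssigned, not UserAssigned, otherwise the system assigned identity
# enabled above is removed (and its service principal deleted) as part of the update.
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
Update-AzVM -ResourceGroupName $ResourceGroup -VM $vm `
    -IdentityType SystemAssignedUserAssigned -IdentityId $uai.Id | Out-Null

# Both identities are ordinary service principals in Entra ID. Look them up by object id rather than
# display name: display names are not unique, object ids are.
Get-AzADServicePrincipal -ObjectId $systemPrincipalId | Select-Object DisplayName, Id, AppId
Get-AzADServicePrincipal -ObjectId $uai.PrincipalId   | Select-Object DisplayName, Id, AppId
```

The two object ids printed at the end are the `PrincipalId` values you need when granting app roles or Azure RBAC roles to the identity later on.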

Assigning API permissions

This can be a PITA: a managed identity has no app registration, so the portal has no "API permissions" blade for it. You can see the assignments afterwards under Enterprise applications > (the identity) > Permissions, but adding them has to be done through the Microsoft Graph API, the Graph PowerShell module or Azure CLI.

Treat these as highly privileged application permissions and grant only what the workload needs: anyone who can run code on the resource that carries the identity (a Logic App action, a Function, a VM) can use them without any further credential. This is just an example of how you can assign the following permissions:

  • Machine.Isolate (WDATP)

  • Alert.ReadWrite.All (WDATP)

  • SecurityAlert.ReadWrite.All (MSGraph)

$DestinationTenantId = "YOUR-TENANT-ID"
$MsiName = "THE-NAME-OF-THE-IDENTITY" # Display name of the managed identity's service principal (system-assigned: same name as the resource).

# Connect to Azure Account
Connect-AzAccount -Tenant $DestinationTenantId

# Connect to MS Graph with the scopes needed to read service principals and write app role assignments
Connect-MgGraph -TenantId $DestinationTenantId -Scopes AppRoleAssignment.ReadWrite.All, Directory.Read.All, Application.Read.All

# Resolve the managed identity's service principal. The filter is on display name, which is not unique,
# so make sure exactly one match came back before assigning anything to it.
$oMsi = Get-AzADServicePrincipal -Filter "displayName eq '$MsiName'"
if (@($oMsi).Count -ne 1) {
  throw "Expected exactly one service principal named '$MsiName', found $(@($oMsi).Count)"
}

# Assigns the given application permissions (app roles) exposed by the API with AppId $ResourceAppId
# to the service principal $PrincipalId.
function Grant-MsiAppRole {
  param(
    [string]$PrincipalId,
    [string]$ResourceAppId,
    [string[]]$Permissions
  )

  $oResourceSpn = Get-AzADServicePrincipal -Filter "appId eq '$ResourceAppId'"
  # Only roles that can be held by an application (not delegated scopes)
  $oAppRole = $oResourceSpn.AppRole | Where-Object {($_.Value -in $Permissions) -and ($_.AllowedMemberType -contains "Application")}
  if (@($oAppRole).Count -ne $Permissions.Count) {
    throw "Could not find all requested app roles on $ResourceAppId. Found: $($oAppRole.Value -join ', ')"
  }

  foreach($AppRole in $oAppRole)
  {
    $oAppRoleAssignment = @{
      "PrincipalId" = $PrincipalId      # object id of the managed identity's service principal
      "ResourceId"  = $oResourceSpn.Id  # object id of the API's service principal
      "AppRoleId"   = $AppRole.Id
    }

    New-MgServicePrincipalAppRoleAssignment `
      -ServicePrincipalId $oAppRoleAssignment.PrincipalId `
      -BodyParameter $oAppRoleAssignment `
      -Verbose
  }
}

# App roles on the WindowsDefenderATP application
$WdatpAppId = "fc780465-2017-40d4-a0c5-307022471b92" # AppId of WDATP, DO NOT CHANGE
Grant-MsiAppRole -PrincipalId $oMsi.Id -ResourceAppId $WdatpAppId -Permissions @(
 "Machine.Isolate"
 "Alert.ReadWrite.All"
)

# App roles on Microsoft Graph
$GraphAppId = "00000003-0000-0000-c000-000000000000" # AppId of MS Graph, DO NOT CHANGE
Grant-MsiAppRole -PrincipalId $oMsi.Id -ResourceAppId $GraphAppId -Permissions @(
 "SecurityAlert.ReadWrite.All"
)
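Once the roles are assigned you want to be able to see what an identity actually holds, and to take a permission away again when the workload no longer needs it. The following is an added example, not part of the original page, that reads the app role assignments back from Microsoft Graph, resolves each role GUID to its readable value (for example `Machine.Isolate`) and then revokes one of them. It assumes `Connect-MgGraph` has already been run with `AppRoleAssignment.ReadWrite.All` and `Application.Read.All`, and reuses the `$MsiName` placeholder from above; the WDATP AppId is the same constant as in the script above.

```powershell
# Added example: audit and revoke application permissions held by a managed identity.
# Assumptions: Microsoft.Graph.Applications is installed and Connect-MgGraph has been run with
# AppRoleAssignment.ReadWrite.All and Application.Read.All. $MsiName is a placeholder.
$MsiName    = "THE-NAME-OF-THE-IDENTITY"
$WdatpAppId = "fc780465-2017-40d4-a0c5-307022471b92" # AppId of WDATP

$oMsi = Get-MgServicePrincipal -Filter "displayName eq '$MsiName'"
if (@($oMsi).Count -ne 1) {
  throw "Expected exactly one service principal named '$MsiName', found $(@($oMsi).Count)"
}

# Every app role assignment on the identity. ResourceId is the API's service principal,
# AppRoleId is the role GUID; the readable value lives on the API's service principal, not here.
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $oMsi.Id -All

# Cache API service principals so each one is fetched only once
$spnCache = @{}
$report = foreach ($a in $assignments) {
  if (-not $spnCache.ContainsKey($a.ResourceId)) {
    $spnCache[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
  }
  $resourceSpn = $spnCache[$a.ResourceId]
  $role = $resourceSpn.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
  [pscustomobject]@{
    Resource      = $a.ResourceDisplayName
    ResourceAppId = $resourceSpn.AppId
    Permission    = $role.Value
    AssignmentId  = $a.Id
  }
}
$report | Sort-Object Resource, Permission | Format-Table -AutoSize

# Least privilege clean-up: drop Alert.ReadWrite.All on WDATP if the workload only needs to isolate machines.
# Match on the API's AppId rather than its display name, which can differ between tenants.
$toRemove = $report | Where-Object { $_.ResourceAppId -eq $WdatpAppId -and $_.Permission -eq "Alert.ReadWrite.All" }
foreach ($r in $toRemove) {
  Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $oMsi.Id -AppRoleAssignmentId $r.AssignmentId
  Write-Host "Revoked $($r.Permission) on $($r.Resource)"
}
```

Run the first part on its own (skip the revoke loop) as a periodic check: a managed identity that has quietly collected more application permissions than its resource needs is a common privilege escalation path, because no secret is required to use them.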
Last updated 10 months ago