Managed Identities

Managed identities are awesome since we do not need to manage their credentials ourselves: the platform issues and rotates them. There are two types:

  • System assigned managed identity

  • User assigned managed identity

System assigned managed identity

A system assigned managed identity follows the lifecycle of the resource you assign it to. If you, for example, create an identity which can access a storage blob, the identity is removed as well once you delete the storage blob.

User assigned managed identity

A user assigned managed identity does not follow the lifecycle of the resource you use it on. It keeps on living until you decide to remove it.

Assigning API permissions

This can be a PITA since it cannot be done via the portal. It can only be done via the Azure CLI/PowerShell (probably via Graph as well, haven't tested).

The script below is just an example of how you can assign the following API permissions (application app roles) to the identity:

  • Machine.Isolate (WDATP)

  • Alert.ReadWrite.All (WDATP)

  • SecurityAlert.ReadWrite.All (MSGraph)

$DestinationTenantId = "YOUR-TENANT-ID"
$MsiName = "THE-NAME-OF-THE-IDENTITY" # Name of system-assigned or user-assigned managed service identity. (System-assigned use same name as resource).

# Connect to Azure Account
Connect-AzAccount

# Connect to MS Graph with the scopes needed to read service principals and write app role assignments
Connect-MgGraph -TenantId $DestinationTenantId -Scopes "AppRoleAssignment.ReadWrite.All", "Directory.Read.All", "Application.Read.All"

# App roles to grant on the WindowsDefenderATP app
$oPermissions = @(
 "Machine.Isolate"
 "Alert.ReadWrite.All"
)


$GraphAppId = "fc780465-2017-40d4-a0c5-307022471b92" # AppId of WDATP, DO NOT CHANGE
# Service principal of the managed identity (the principal receiving the roles)
$oMsi = Get-AzADServicePrincipal -Filter "displayName eq '$MsiName'"
# Service principal of the resource app (WDATP) that defines the app roles
$oGraphSpn = Get-AzADServicePrincipal -Filter "appId eq '$GraphAppId'"
# Keep only the requested roles that an application (not a user) is allowed to hold
$oAppRole = $oGraphSpn.AppRole | Where-Object {($_.Value -in $oPermissions) -and ($_.AllowedMemberType -contains "Application")}
foreach($AppRole in $oAppRole)
{
  $oAppRoleAssignment = @{
    "PrincipalId" = $oMsi.Id
    "ResourceId" = $oGraphSpn.Id
    "AppRoleId" = $AppRole.Id
  }
  
  New-MgServicePrincipalAppRoleAssignment `
    -ServicePrincipalId $oAppRoleAssignment.PrincipalId `
    -BodyParameter $oAppRoleAssignment `
    -Verbose
}

$GraphAppId = "00000003-0000-0000-c000-000000000000" # AppId of MS Graph, DO NOT CHANGE
# App roles to grant on MS Graph
$oPermissions = @(
 "SecurityAlert.ReadWrite.All"
)

# Same procedure as above, this time against the MS Graph service principal
$oGraphSpn = Get-AzADServicePrincipal -Filter "appId eq '$GraphAppId'"
$oAppRole = $oGraphSpn.AppRole | Where-Object {($_.Value -in $oPermissions) -and ($_.AllowedMemberType -contains "Application")}

foreach($AppRole in $oAppRole)
{
  $oAppRoleAssignment = @{
    "PrincipalId" = $oMsi.Id
    "ResourceId" = $oGraphSpn.Id
    "AppRoleId" = $AppRole.Id
  }
  
  New-MgServicePrincipalAppRoleAssignment `
    -ServicePrincipalId $oAppRoleAssignment.PrincipalId `
    -BodyParameter $oAppRoleAssignment `
    -Verbose
}
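The script above assigns nothing (silently) if a permission name is misspelled and errors on a re-run because the assignment already exists. The following is an added example, not from the original page: a reusable, idempotent version of the same procedure plus a review function that shows what the identity currently holds. It assumes Az.Resources and Microsoft.Graph are installed, that Connect-AzAccount and Connect-MgGraph have already run with the scopes shown above, and that $MsiName is set as above; the function names Grant-MsiAppRole and Get-MsiAppRoleReport are my own.

```powershell
function Grant-MsiAppRole {
    param(
        [Parameter(Mandatory)][string]$MsiName,
        [Parameter(Mandatory)][string]$ResourceAppId,  # AppId of WDATP or MS Graph
        [Parameter(Mandatory)][string[]]$Permissions    # app role values, e.g. Machine.Isolate
    )
    $msi = Get-AzADServicePrincipal -Filter "displayName eq '$MsiName'"
    $resourceSpn = Get-AzADServicePrincipal -Filter "appId eq '$ResourceAppId'"
    if (-not $msi -or -not $resourceSpn) { throw "Managed identity or resource service principal not found" }

    # Only roles an application (not a user) may hold
    $appRoles = $resourceSpn.AppRole | Where-Object { $_.AllowedMemberType -contains 'Application' }

    # Fail loudly on a misspelled permission instead of silently assigning nothing
    $unknown = $Permissions | Where-Object { $_ -notin $appRoles.Value }
    if ($unknown) { throw "Unknown app role(s) for $ResourceAppId : $($unknown -join ', ')" }

    # Assignments the identity already holds on this resource, so a re-run is safe
    $existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id |
        Where-Object { $_.ResourceId -eq $resourceSpn.Id }

    foreach ($role in ($appRoles | Where-Object { $_.Value -in $Permissions })) {
        if ($existing.AppRoleId -contains $role.Id) { Write-Host "Already assigned: $($role.Value)"; continue }
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id -BodyParameter @{
            PrincipalId = $msi.Id
            ResourceId  = $resourceSpn.Id
            AppRoleId   = $role.Id
        } | Out-Null
        Write-Host "Assigned: $($role.Value)"
    }
}

# Review what the identity holds, with role ids resolved to readable permission names
function Get-MsiAppRoleReport {
    param([Parameter(Mandatory)][string]$MsiName)
    $msi = Get-AzADServicePrincipal -Filter "displayName eq '$MsiName'"
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id | ForEach-Object {
        $a = $_
        $roles = (Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId).AppRoles
        [pscustomobject]@{
            Resource     = $a.ResourceDisplayName
            Permission   = ($roles | Where-Object { $_.Id -eq $a.AppRoleId }).Value
            AssignmentId = $a.Id  # pass to Remove-MgServicePrincipalAppRoleAssignment to revoke
        }
    }
}

Grant-MsiAppRole -MsiName $MsiName -ResourceAppId "fc780465-2017-40d4-a0c5-307022471b92" -Permissions "Machine.Isolate", "Alert.ReadWrite.All"
Grant-MsiAppRole -MsiName $MsiName -ResourceAppId "00000003-0000-0000-c000-000000000000" -Permissions "SecurityAlert.ReadWrite.All"
Get-MsiAppRoleReport -MsiName $MsiName | Format-Table
```

Run the report periodically: an identity that holds more than the roles listed on this page is a least-privilege finding worth following up.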
