Using Managed Identity for Microsoft Graph Authentication with Logic App (Real Demo)

Captions
So today we're going to talk about how we can go about using managed identity with the Graph Explorer. We would be adding the Graph application permission to the managed identity using the Graph Explorer, and how you can use managed identity to authenticate to Microsoft Graph. So what we'll be doing is we'll be creating an Azure Logic App and using managed identity as the authentication provider. In this case we won't be needing any kind of credentials: if you talk about Graph, then we would ideally need delegated permission or application permission, but in this case we would be authenticating using the managed identity provided by Microsoft Azure. I use managed identity in Azure for a lot of different automation scenarios, for example if I want to run a Logic App or an Azure Function that should securely call a Graph API. In such a scenario the managed identity, represented by its service principal, needs to be granted application permission to the API. Let's say, for example, you want to list Intune devices and manage devices in your organization, so we'll be using getManagedDevices using the Intune Graph API. We can use a Logic App, for example, to connect to Microsoft Graph using the managed identity, so then you'll need to give the managed identity an app role assignment for an application permission in Graph. Okay, enough talking, let's get started.

So I'll be creating a Logic App. I'll just go ahead and create a Logic App. Here it would be a new resource group, you can name it anything. The name of the Logic App is "logic app new", again it could be anything else you want. It will be checking if this name exists, or maybe it is not following the naming convention, having the capital letters. I think it should work now, yeah, it is all right. Let's go to the consumption plan, you can choose any plan you want. I'll just go on Review and create. Okay, let's create.

So currently there's no way to manage this application role assignment in the Azure portal using the user interface; that is, you cannot give this Logic App permission to use the Microsoft Graph API using the Azure portal user interface. There is a PowerShell cmdlet that will help you do this, so I'll paste the link in the description, but today I would show you how you can do this using the user interface, using the Microsoft Graph Explorer. All right, so the prerequisites for this tutorial are: you need to have an active Azure subscription, you should be familiar with managed identity, and also you should be the Global Admin for the usage of Graph Explorer.

All right, so here I think our Logic App is ready. I'll go back to the Logic App and turn on the identity, managed identity. So if I go to the Identity section I'll just turn it on and click on Save. Yeah, click on Save. Okay, and in Access control (IAM) I'll click on Add, Add role assignment. So this part is creating the managed identity. Let's select Owner, select Managed identity, select Members. Okay, so here should be the name of your Logic App, so if you go here, this is the name of the Logic App, I'll just select it and click on Select. All right, I'll click on Review and assign, and this should create our managed identity for the Logic App.

Okay, so once we did that, I'll go to the Logic App designer and click on Blank Logic App. I'll need an HTTPS connector, so I'll type in HTTPS. Let's see, couldn't find it here, let's type it in again. Oh, it should be HTTP maybe, I guess. All right, there you go, HTTP request. All right, I'll click on New and it should be HTTP, to invoke the service. This is what we need. I'll delete this, okay, I'll delete this, we got it. Okay, so now we have got the HTTP method. We should be using this Logic App to call Microsoft Graph, so I'll just change this to a GET request, and managed devices. Okay, so we'll be using Microsoft Graph for managed devices, so I'll click on the first link. Here you go, so this is the URL that we need, and along with that we might also need graph.microsoft.com. This is it, this is the whole URL that we need. Okay, so now I think we are good. Additionally, we need this permission to run this API.

Okay, so right now if I go to the Authentication section, I'll be selecting Authentication. In the authentication type I need to select Managed identity, so right now we have system-assigned managed identity, so let's select that. And in the Audience we should be selecting Microsoft Graph. So currently we have a constant string available that can be used to represent Microsoft Graph. Okay, so we'll be looking at it, it starts with zero zero zero something, let's find it later. But right now this part, the Logic App part, is over. Now we will be moving on to find the service principal of the managed identity.

To do that let's head on to the Graph Explorer. In Graph Explorer you need to sign in so that you can access your organization data via the Graph API. Note that the organization might have restrictions in place for users consenting to the permissions for this API, and in any case, if you want to use the example that we will be using here, you'll need to have Global Administrator rights anyway. Okay, so the first thing we would need to do is find the service principal of the managed identity. To list the service principals we have another Graph API that we could be using, so I'll just copy this and paste it over here. Okay, and apart from that I think I'll be using some query parameters to quickly search for the one that we are looking for. So let's do it: $search equal to displayName, and that should be the name of the service principal. So if I go back, let's save this for now. Now we just need to add the audience part and we should be done with it, but let's save this for now. I'll go to the IAM section and the role assignment, yeah, "logic app new", so this is the name. Let's see if we can find this, okay, and yeah, let's see.

Okay, there's something wrong with the name, or maybe... okay, so the error says we need the header ConsistencyLevel: eventual. So let's put this header, ConsistencyLevel, and it should be eventual. Okay, let's add this header and try to run the query, and there you go, it ran as expected. Yeah, so we got the service principal, so we'll be copying the ID of this service principal. This is the ID you should be taking a note of. Okay, let's open a new Notepad and take a note of it. So this is the service principal of your managed identity. Okay, so this part is done; we'll be needing this ID later. You can also get the service principal directly by ID, by just copying this ID and doing a GET call.

Okay, so now we need to find the service principal of Microsoft Graph. Let's remove this and search for Graph. I'm gonna do a GET query, let's see if we can find the Graph API real quick. So I'll be using a filter query, $filter, $filter equal to appId equals... so this is the long string that I was talking about, the app ID. It has five zeros, I think, four, five, three... or maybe six zeros, three, and then triple zero, four times zero, again four times zero. So this is the constant string, it never changes, this is constant for Graph, and then followed by twelve zeros. Excuse me, I should have kept a note of it, but then, work it out. Okay, I guess the app ID, there are some missing zeros over here, let's Google it, let me check real quick. The value that I have, I think it should give us the Graph API app ID. Okay, there you go, so this is the one, hopefully this would work: $filter equal to appId equals this thing, and hopefully we won't get 400 Bad Request. There you go, all right, so we got the Graph API app ID, so let's copy this as well, take a note of it. Okay, and also the audience part of this. Okay, let's complete the Logic App for now since we got the audience part. Yeah, here, and there you go, the audience part has to be the audience of Microsoft Graph. Okay, so this ID will be constant for you as well.

Okay, so we are ready to go with the Logic App and we need to save this. Let's save this. So by the time this is getting saved... I think it got saved successfully. We need to find the application role, which is the last thing: the application role that will be the permission that we would like to assign. So what I'll have to do is I'll have to use the service principal, along with the Graph API service principal, and search for the app role. So servicePrincipals slash... we need the Graph API app ID, so this is the service principal of the Graph API, along with appRoles. Okay, all right, so now we have got the IDs, the app roles of all the permissions which exist in Microsoft Graph. So all we need is device management managed devices, so I'll go ahead in the Graph Explorer and search for it, Ctrl+F, and find... Intune, no; Read all users' profile; I need Intune, yeah; Read Microsoft device policy, device management configuration; I need device management and managed devices, so let's search for managed devices. Yeah, there you go, so we got DeviceManagementManagedDevices.Read.All, so just copy this ID. This is the permission that we need, so I'll just copy this ID and take a note of it as well. Okay, so now there are a lot of application role permissions for Microsoft Graph, so we got the one that we needed.

All right, so let's assign this application role to the managed identity. I'll be pasting the link to the documentation in the chat, but we would be using the service principal API again, and this time we would be using appRoleAssignedTo. Okay, so this is the API that we would be using. Let me quickly go to the documentation, here you go, so this is the API that we would be using. I'll just copy the request body that we need and change this to POST. Okay, so the first part is the managed identity, the service principal of the managed identity. Okay, so let's go here and check the service principal of the managed identity, so I'll copy this and replace it over here. The second part is the service principal of your Graph API, so let's copy this, and the third part is the app role ID which you copied just now; this is for the permission. Okay, so once we are done over here I'll click on Run query, and this would allow the managed identity to give the permission of Microsoft Graph to this Logic App. But before we do that I'll just quickly run this Logic App to confirm that it would give us a Forbidden error, and that is the result that we should be expecting right now because the app role is not assigned yet. So we are waiting for the Logic App to run; after that, let's see the results. There you go, so you got... okay, so there are a bunch of errors that we got.

So all right, let's try this now with the Graph Explorer. I'll click on Run, and you see you got 200 OK as the response, 201 in fact, and this tells you that the app role has been assigned to this Logic App and the managed identity has been applied over here. So let's try to run this again. Okay, it still gave us the error. Okay, looks like it was not found, this particular Graph API audience was not found. Let's see if we can get this... okay, let's copy this. Oh, there's a leading comma over there and that might be the reason why it failed. I think now it is correct, let's see this quickly. All right, so this should be good, we should be able to run the Logic App now. So the trigger has been successfully done and this should be able to run the Logic App successfully. Yeah, there you go, so we got the results from the Microsoft Graph API, using the Intune API and using managed identity as the authentication.

So in this video I have showed you how you can use Graph Explorer to add a Graph API application role permission to your managed identity. Similar steps can be used against any of the Azure AD protected APIs other than Graph that you would like to use the managed identity with. So just in case you need any other permission, you'll be using the same method to get the permission like we did with Ctrl+F. I'll be pasting all the links that we have used here along with the queries in the description below, and if you have any other questions then feel free to let me know. Thank you.
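The four Graph calls the video walks through (find the managed identity's service principal with $search plus the ConsistencyLevel: eventual header, find Microsoft Graph's own service principal by its well-known appId, pick the app role by its value instead of Ctrl+F, then POST appRoleAssignedTo), as an added Python example that is not from the video or its author. It assumes `call` is any function that performs one authenticated Graph request and returns the JSON; `fake_call`, `POSTED` and every id below are constructed placeholders so the script runs offline, and the POST is skipped when the assignment already exists.

```python
GRAPH = "https://graph.microsoft.com/v1.0"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known appId of Microsoft Graph, same in every tenant

def grant_app_role(call, mi_display_name, role_value):
    """Assign Graph application permission `role_value` to the managed identity named `mi_display_name`.
    `call(method, url, body, headers)` performs one authenticated Graph request and returns the JSON.
    Returns the body posted to appRoleAssignedTo, or None if the assignment already existed."""
    # 1. Managed identity's service principal; $search is only accepted with ConsistencyLevel: eventual.
    r = call("GET", f'{GRAPH}/servicePrincipals?$search="displayName:{mi_display_name}"&$select=id,displayName',
             None, {"ConsistencyLevel": "eventual"})
    hits = [sp for sp in r["value"] if sp["displayName"] == mi_display_name]
    if len(hits) != 1:  # $search matches substrings, so insist on exactly one exact-name hit
        raise LookupError(f"expected one service principal named {mi_display_name!r}, found {len(hits)}")
    mi_id = hits[0]["id"]
    # 2. Microsoft Graph's own service principal, located by its constant appId.
    r = call("GET", f"{GRAPH}/servicePrincipals?$filter=appId eq '{GRAPH_APP_ID}'&$select=id,appRoles", None, None)
    graph_sp = r["value"][0]
    # 3. The app role (application permission) chosen by its value rather than by Ctrl+F through appRoles.
    roles = [a for a in graph_sp["appRoles"] if a["value"] == role_value]
    if not roles:
        raise LookupError(f"app role {role_value} not found on the Microsoft Graph service principal")
    body = {"principalId": mi_id, "resourceId": graph_sp["id"], "appRoleId": roles[0]["id"]}
    # 4. Idempotent: skip if already assigned, otherwise POST appRoleAssignedTo on the resource (Graph) SP.
    existing = call("GET", f"{GRAPH}/servicePrincipals/{mi_id}/appRoleAssignments", None, None)["value"]
    if any(a["resourceId"] == body["resourceId"] and a["appRoleId"] == body["appRoleId"] for a in existing):
        return None
    call("POST", f"{GRAPH}/servicePrincipals/{graph_sp['id']}/appRoleAssignedTo", body, None)
    return body

# Constructed offline stand-in for Graph; every id below is a placeholder, not a real tenant value.
FAKE_MI = {"id": "11111111-1111-1111-1111-111111111111", "displayName": "logic-app-new"}
FAKE_GRAPH_SP = {"id": "22222222-2222-2222-2222-222222222222", "appRoles": [
    {"id": "33333333-3333-3333-3333-333333333333", "value": "DeviceManagementManagedDevices.Read.All"}]}
POSTED = []  # assignments the fake has recorded

def fake_call(method, url, body, headers):
    if "$search=" in url:
        if not headers or headers.get("ConsistencyLevel") != "eventual":
            raise ValueError("400: $search requires ConsistencyLevel: eventual")  # mirrors the real error
        return {"value": [FAKE_MI, {"id": "44444444-4444-4444-4444-444444444444", "displayName": "logic-app-new-2"}]}
    if "$filter=appId" in url:
        return {"value": [FAKE_GRAPH_SP]}
    if url.endswith("/appRoleAssignments"):
        return {"value": list(POSTED)}
    if method == "POST" and url.endswith("/appRoleAssignedTo"):
        POSTED.append(dict(body))
        return body
    raise ValueError(f"unexpected request {method} {url}")
```

Run it against the fake with `grant_app_role(fake_call, "logic-app-new", "DeviceManagementManagedDevices.Read.All")`; against a real tenant, pass a `call` that adds a bearer token obtained by an account allowed to grant application permissions.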
Info
Channel: Graph Explorer
Views: 5,034
Id: zzwPJ2She84
Length: 24min 58sec (1498 seconds)
Published: Mon Nov 21 2022