Merge pull request #233596 from rwike77/grantaccess

Updated powershell script for microsoft graph powershell

Author: JamesJBarnett

articles/active-directory/develop/multi-service-web-app-access-microsoft-graph-as-app.md

@@ -8,7 +8,7 @@ manager: CelesteDG
 ms.service: app-service
 ms.topic: tutorial
 ms.workload: identity
-ms.date: 08/19/2022
+ms.date: 04/05/2023
 ms.author: ryanwi
 ms.reviewer: stsoneff
 ms.devlang: csharp, javascript
@@ -54,32 +54,38 @@ When accessing the Microsoft Graph, the managed identity needs to have proper pe
 # [PowerShell](#tab/azure-powershell)
 
 ```powershell
-# Install the module. (You need admin on the machine.)
-# Install-Module AzureAD.
+# Install the module.
+# Install-Module Microsoft.Graph -Scope CurrentUser
 
-# Your tenant ID (in the Azure portal, under Azure Active Directory > Overview).
-$TenantID="<tenant-id>"
-$resourceGroup = "securewebappresourcegroup"
-$webAppName="SecureWebApp-20201102125811"
+# The tenant ID
+$TenantId = "11111111-1111-1111-1111-111111111111"
 
-# Get the ID of the managed identity for the web app.
-$spID = (Get-AzWebApp -ResourceGroupName $resourceGroup -Name $webAppName).identity.principalid
+# The name of your web app, which has a managed identity.
+$webAppName = "SecureWebApp-20201106120003" 
+$resourceGroupName = "SecureWebApp-20201106120003ResourceGroup"
 
-# Check the Microsoft Graph documentation for the permission you need for the operation.
-$PermissionName = "User.Read.All"
+# The name of the app role that the managed identity should be assigned to.
+$appRoleName = "User.Read.All"
 
-Connect-AzureAD -TenantId $TenantID
+# Get the web app's managed identity's object ID.
+Connect-AzAccount -Tenant $TenantId
+$managedIdentityObjectId = (Get-AzWebApp -ResourceGroupName $resourceGroupName -Name $webAppName).identity.principalid
 
-# Get the service principal for Microsoft Graph.
-# First result should be AppId 00000003-0000-0000-c000-000000000000
-$GraphServicePrincipal = Get-AzureADServicePrincipal -SearchString "Microsoft Graph" | Select-Object -first 1
+Connect-MgGraph -TenantId $TenantId -Scopes 'Application.Read.All','AppRoleAssignment.ReadWrite.All'
 
-# Assign permissions to the managed identity service principal.
-$AppRole = $GraphServicePrincipal.AppRoles | `
-Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
+# Get Microsoft Graph app's service principal and app role.
+$serverApplicationName = "Microsoft Graph"
+$serverServicePrincipal = (Get-MgServicePrincipal -Filter "DisplayName eq '$serverApplicationName'")
+$serverServicePrincipalObjectId = $serverServicePrincipal.Id
 
-New-AzureAdServiceAppRoleAssignment -ObjectId $spID -PrincipalId $spID `
--ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
+$appRoleId = ($serverServicePrincipal.AppRoles | Where-Object {$_.Value -eq $appRoleName }).Id
+
+# Assign the managed identity access to the app role.
+New-MgServicePrincipalAppRoleAssignment `
+    -ServicePrincipalId $managedIdentityObjectId `
+    -PrincipalId $managedIdentityObjectId `
+    -ResourceId $serverServicePrincipalObjectId `
+    -AppRoleId $appRoleId
 ```
 
 # [Azure CLI](#tab/azure-cli)

articles/app-service/includes/tutorial-microsoft-graph-as-app/introduction.md

@@ -53,32 +53,38 @@ When accessing the Microsoft Graph, the managed identity needs to have proper pe
     # [PowerShell](#tab/azure-powershell)
 
     ```powershell
-    # Install the module. (You need admin on the machine.)
-    # Install-Module AzureAD.
+    # Install the module.
+    # Install-Module Microsoft.Graph -Scope CurrentUser
     
-    # Your tenant ID (in the Azure portal, under Azure Active Directory > Overview).
-    $TenantID="<tenant-id>"
-    $resourceGroup = "securewebappresourcegroup"
-    $webAppName="SecureWebApp-20201102125811"
+    # The tenant ID
+    $TenantId = "11111111-1111-1111-1111-111111111111"
     
-    # Get the ID of the managed identity for the web app.
-    $spID = (Get-AzWebApp -ResourceGroupName $resourceGroup -Name $webAppName).identity.principalid
+    # The name of your web app, which has a managed identity.
+    $webAppName = "SecureWebApp-20201106120003" 
+    $resourceGroupName = "SecureWebApp-20201106120003ResourceGroup"
     
-    # Check the Microsoft Graph documentation for the permission you need for the operation.
-    $PermissionName = "User.Read.All"
+    # The name of the app role that the managed identity should be assigned to.
+    $appRoleName = "User.Read.All"
     
-    Connect-AzureAD -TenantId $TenantID
+    # Get the web app's managed identity's object ID.
+    Connect-AzAccount -Tenant $TenantId
+    $managedIdentityObjectId = (Get-AzWebApp -ResourceGroupName $resourceGroupName -Name $webAppName).identity.principalid
     
-    # Get the service principal for Microsoft Graph.
-    # First result should be AppId 00000003-0000-0000-c000-000000000000
-    $GraphServicePrincipal = Get-AzureADServicePrincipal -SearchString "Microsoft Graph" | Select-Object -first 1
+    Connect-MgGraph -TenantId $TenantId -Scopes 'Application.Read.All','AppRoleAssignment.ReadWrite.All'
     
-    # Assign permissions to the managed identity service principal.
-    $AppRole = $GraphServicePrincipal.AppRoles | `
-    Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
+    # Get Microsoft Graph app's service principal and app role.
+    $serverApplicationName = "Microsoft Graph"
+    $serverServicePrincipal = (Get-MgServicePrincipal -Filter "DisplayName eq '$serverApplicationName'")
+    $serverServicePrincipalObjectId = $serverServicePrincipal.Id
     
-    New-AzureAdServiceAppRoleAssignment -ObjectId $spID -PrincipalId $spID `
-    -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
+    $appRoleId = ($serverServicePrincipal.AppRoles | Where-Object {$_.Value -eq $appRoleName }).Id
+    
+    # Assign the managed identity access to the app role.
+    New-MgServicePrincipalAppRoleAssignment `
+        -ServicePrincipalId $managedIdentityObjectId `
+        -PrincipalId $managedIdentityObjectId `
+        -ResourceId $serverServicePrincipalObjectId `
+        -AppRoleId $appRoleId
     ```
 
     # [Azure CLI](#tab/azure-cli)

articles/app-service/scenario-secure-app-access-microsoft-graph-as-app.md

@@ -8,7 +8,7 @@ manager: CelesteDG
 ms.service: app-service
 ms.topic: tutorial
 ms.workload: identity
-ms.date: 03/14/2023
+ms.date: 04/05/2023
 ms.author: ryanwi
 ms.reviewer: stsoneff
 ms.devlang: csharp