updated powershell script for microsoft graph powershell

rwike77 · rwike77 · commit fefe39cb33e0 · 2023-04-05T16:02:04.000-07:00
diff --git a/articles/active-directory/develop/multi-service-web-app-access-microsoft-graph-as-app.md b/articles/active-directory/develop/multi-service-web-app-access-microsoft-graph-as-app.md
@@ -8,7 +8,7 @@ manager: CelesteDG
 ms.service: app-service
 ms.topic: tutorial
 ms.workload: identity
-ms.date: 08/19/2022
+ms.date: 04/05/2023
 ms.author: ryanwi
 ms.reviewer: stsoneff
 ms.devlang: csharp, javascript
@@ -54,32 +54,38 @@ When accessing the Microsoft Graph, the managed identity needs to have proper pe
 # [PowerShell](#tab/azure-powershell)
 
 ```powershell
-# Install the module. (You need admin on the machine.)
-# Install-Module AzureAD.
+# Install the module.
+# Install-Module Microsoft.Graph -Scope CurrentUser
 
-# Your tenant ID (in the Azure portal, under Azure Active Directory > Overview).
-$TenantID="<tenant-id>"
-$resourceGroup = "securewebappresourcegroup"
-$webAppName="SecureWebApp-20201102125811"
+# The tenant ID
+$TenantId = "11111111-1111-1111-1111-111111111111"
 
-# Get the ID of the managed identity for the web app.
-$spID = (Get-AzWebApp -ResourceGroupName $resourceGroup -Name $webAppName).identity.principalid
+# The name of your web app, which has a managed identity.
+$webAppName = "SecureWebApp-20201106120003" 
+$resourceGroupName = "SecureWebApp-20201106120003ResourceGroup"
 
-# Check the Microsoft Graph documentation for the permission you need for the operation.
-$PermissionName = "User.Read.All"
+# The name of the app role that the managed identity should be assigned to.
+$appRoleName = "User.Read.All"
 
-Connect-AzureAD -TenantId $TenantID
+# Get the web app's managed identity's object ID.
+Connect-AzAccount -Tenant $TenantId
+$managedIdentityObjectId = (Get-AzWebApp -ResourceGroupName $resourceGroupName -Name $webAppName).identity.principalid
 
-# Get the service principal for Microsoft Graph.
-# First result should be AppId 00000003-0000-0000-c000-000000000000
-$GraphServicePrincipal = Get-AzureADServicePrincipal -SearchString "Microsoft Graph" | Select-Object -first 1
+Connect-MgGraph -TenantId $TenantId -Scopes 'Application.Read.All','AppRoleAssignment.ReadWrite.All'
 
-# Assign permissions to the managed identity service principal.
-$AppRole = $GraphServicePrincipal.AppRoles | `
-Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
+# Get Microsoft Graph app's service principal and app role.
+$serverApplicationName = "Microsoft Graph"
+$serverServicePrincipal = (Get-MgServicePrincipal -Filter "DisplayName eq '$serverApplicationName'")
+$serverServicePrincipalObjectId = $serverServicePrincipal.Id
 
-New-AzureAdServiceAppRoleAssignment -ObjectId $spID -PrincipalId $spID `
--ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
+$appRoleId = ($serverServicePrincipal.AppRoles | Where-Object {$_.Value -eq $appRoleName }).Id
+
+# Assign the managed identity access to the app role.
+New-MgServicePrincipalAppRoleAssignment `
+    -ServicePrincipalId $managedIdentityObjectId `
+    -PrincipalId $managedIdentityObjectId `
+    -ResourceId $serverServicePrincipalObjectId `
+    -AppRoleId $appRoleId
 ```
 
 # [Azure CLI](#tab/azure-cli)
diff --git a/articles/app-service/includes/tutorial-microsoft-graph-as-app/introduction.md b/articles/app-service/includes/tutorial-microsoft-graph-as-app/introduction.md
@@ -50,35 +50,38 @@ When accessing the Microsoft Graph, the managed identity needs to have proper pe
 
 1. Run the following script to add the requested Microsoft Graph API permissions to the managed identity service principal object.
 
-    # [PowerShell](#tab/azure-powershell)
+    # Install the module.
+    # Install-Module Microsoft.Graph -Scope CurrentUser
     
-    ```powershell
-    # Install the module. (You need admin on the machine.)
-    # Install-Module AzureAD.
+    # The tenant ID
+    $TenantId = "11111111-1111-1111-1111-111111111111"
     
-    # Your tenant ID (in the Azure portal, under Azure Active Directory > Overview).
-    $TenantID="<tenant-id>"
-    $resourceGroup = "securewebappresourcegroup"
-    $webAppName="SecureWebApp-20201102125811"
+    # The name of your web app, which has a managed identity.
+    $webAppName = "SecureWebApp-20201106120003" 
+    $resourceGroupName = "SecureWebApp-20201106120003ResourceGroup"
     
-    # Get the ID of the managed identity for the web app.
-    $spID = (Get-AzWebApp -ResourceGroupName $resourceGroup -Name $webAppName).identity.principalid
+    # The name of the app role that the managed identity should be assigned to.
+    $appRoleName = "User.Read.All"
     
-    # Check the Microsoft Graph documentation for the permission you need for the operation.
-    $PermissionName = "User.Read.All"
+    # Get the web app's managed identity's object ID.
+    Connect-AzAccount -Tenant $TenantId
+    $managedIdentityObjectId = (Get-AzWebApp -ResourceGroupName $resourceGroupName -Name $webAppName).identity.principalid
     
-    Connect-AzureAD -TenantId $TenantID
+    Connect-MgGraph -TenantId $TenantId -Scopes 'Application.Read.All','AppRoleAssignment.ReadWrite.All'
     
-    # Get the service principal for Microsoft Graph.
-    # First result should be AppId 00000003-0000-0000-c000-000000000000
-    $GraphServicePrincipal = Get-AzureADServicePrincipal -SearchString "Microsoft Graph" | Select-Object -first 1
+    # Get Microsoft Graph app's service principal and app role.
+    $serverApplicationName = "Microsoft Graph"
+    $serverServicePrincipal = (Get-MgServicePrincipal -Filter "DisplayName eq '$serverApplicationName'")
+    $serverServicePrincipalObjectId = $serverServicePrincipal.Id
     
-    # Assign permissions to the managed identity service principal.
-    $AppRole = $GraphServicePrincipal.AppRoles | `
-    Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
+    $appRoleId = ($serverServicePrincipal.AppRoles | Where-Object {$_.Value -eq $appRoleName }).Id
     
-    New-AzureAdServiceAppRoleAssignment -ObjectId $spID -PrincipalId $spID `
-    -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
+    # Assign the managed identity access to the app role.
+    New-MgServicePrincipalAppRoleAssignment `
+        -ServicePrincipalId $managedIdentityObjectId `
+        -PrincipalId $managedIdentityObjectId `
+        -ResourceId $serverServicePrincipalObjectId `
+        -AppRoleId $appRoleId
     ```
 
     # [Azure CLI](#tab/azure-cli)
diff --git a/articles/app-service/scenario-secure-app-access-microsoft-graph-as-app.md b/articles/app-service/scenario-secure-app-access-microsoft-graph-as-app.md
@@ -8,7 +8,7 @@ manager: CelesteDG
 ms.service: app-service
 ms.topic: tutorial
 ms.workload: identity
-ms.date: 03/14/2023
+ms.date: 04/05/2023
 ms.author: ryanwi
 ms.reviewer: stsoneff
 ms.devlang: csharp
