Microsoft Identity Manager
A family of Microsoft products that manage a user's digital identity using identity synchronization, certificate management, and user provisioning.
649 questions
Granting permission to managed identity for PIM approvals
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 34%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Jack S
0
Reputation points
I am building a logic app that will send adaptive cards in teams to PIM role approvers when a user requests to activate it. However, I am unable to find a way to allow a managed identity within the logic app to authenticate via the graph API to approve the PIM approval. Is it possible to grant a managed identity / Service principal permissions to complete the PIM role approval via graph API? Thank you.
{count} votes
-
MayankBargali-MSFT 69,946 Reputation points2024-03-19T10:34:46.1166667+00:00 @Jack S Thanks for reaching out. From logic app perspective you can authenticate logic apps against Microsoft graph using managed identity.
You can use the HTTP connector and in authentication type you can select the Managed Identity and define system identity and audience as below.
At your application end you can define the specific graph permission that are listed here.
I am not an expert in graph API what exact permission would be needed for your scenario, but looking into this document Directory write permission (Directory.ReadWrite.All) should help you.
I will wait for the graph API experts to confirm if there is any permission that could help you in your use case.
-
Jack S 0 Reputation points
2024-03-19T11:16:16.54+00:00 Thank you for your response!
Unfortunetely i had read through that documentation already and upon testing it discovered that a managed identity would still recieve the following error response:
This appears to be because the managed identity isn't listed as an Approver within the PIM role settings in EntraID. Only a user account or group can be assigned as approvers within the UI.
It would be great if someone is aware of a way to set the managed identity as an approver, or alternatively if it's a pssoible for a users authentication can be passed from a teams adaptive card button into a follow-on HTTP action in the logic app.
-
MayankBargali-MSFT 69,946 Reputation points
2024-03-19T11:33:39.1033333+00:00 @Jack S Thanks for your response. Looks like there is no delegate permission which can be used at your application for Role DecisionMaker and I will wait for the Entra and graph API experts to comment on this and if there is any possible way.
Sign in to comment