To prepare your environment you can give Bsure Insights managed identity all permissions now to support upcoming features.
Copy script below and paste as plain text to run it in cloud shell.
$BSureSpnName = 'Bsure-Umi-'
$BsurePermissions = @(
"Directory.Read.All"
"AuditLog.Read.All"
"Domain.Read.All"
"Reports.Read.All"
"Policy.Read.All"
"MailboxSettings.Read"
"Application.Read.All"
"Device.Read.All"
"DeviceManagementManagedDevices.Read.All"
"RoleManagement.Read.All"
)
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$msGraphSpn = Get-AzADServicePrincipal -Filter "appId eq '$GraphAppId'"
$RolesToAdd = $msGraphSpn.AppRole | Where-Object {($_.Value -in $BsurePermissions) -and ($_.AllowedMemberType -contains "Application")}
(Get-AzADServicePrincipal -DisplayNameBeginsWith $BSureSpnName) | ForEach-Object{
$script:graphAPIReqHeader = @{
Authorization = "Bearer $($(Get-AzAccessToken -ResourceTypeName MSGraph).token)"
Host = "graph.microsoft.com"
}
$currentSPN = $_
$currentSPN
$assignedPermissionsUri = "https://graph.microsoft.com/v1.0/servicePrincipals/$($currentSPN.Id)/appRoleAssignments"
$currentAssignments = Invoke-RestMethod -Method Get -Uri $assignedPermissionsUri -Headers $script:graphAPIReqHeader | Select-Object -ExpandProperty value
$RolesToAddClean = $RolesToAdd | Where-Object {($_.id -notin $($currentAssignments.appRoleId))}
foreach($AppRole in $RolesToAddClean)
{
$body = @{
principalId = $currentSPN.Id
resourceId = $msGraphSpn.id
appRoleId = $AppRole.id
} | ConvertTo-Json -Depth 99 -Compress -EscapeHandling EscapeNonAscii
Invoke-RestMethod -Method Post -Uri $assignedPermissionsUri -Headers $script:graphAPIReqHeader -Body $body -ContentType "application/json"
}
$RolesToRemoveClean = $currentAssignments.appRoleId | Where-Object {($_ -notin $($RolesToAdd.id))}
foreach($AppRole in $RolesToRemoveClean)
{
$toRemoveId = $currentAssignments | Where-Object -Property appRoleId -eq $AppRole | Select-Object -ExpandProperty id
Invoke-RestMethod -Method Delete -Uri "$assignedPermissionsUri/$toRemoveId" -Headers $script:graphAPIReqHeader
}
}
Write-Host "Done setting permissions for $($spnBsure.DisplayName) ($($spnBsure.Id))"
