Azure Functions: Managed Identity, Microsoft Graph, and Roles to Read Security Events

You may want an Azure Function to automatically process Security Alerts from the Microsoft Graph Security API. For that, the Function's identity needs the Microsoft Graph application permission SecurityEvents.Read.All, which is the permission that covers the /security/alerts endpoint. Because a Function runs unattended, this has to be an application permission granted directly to the Function's own identity, not a delegated permission that a signed-in user consents to.

First enable a system-assigned Managed Identity on the Function App (Platform features > Identity in the portal). This creates a service principal for the Function in your Azure AD tenant and shows you its object ID. Application permissions cannot be granted to a managed identity from the portal's API permissions blade, so the grant is made in PowerShell with the AzureAD module by adding an app role assignment on the Microsoft Graph service principal. Run the following as an administrator who is allowed to grant application permissions (for example a Privileged Role Administrator or Global Administrator):

# Requires the AzureAD PowerShell module; sign in as an admin who can grant application permissions
Connect-AzureAD
$msi = Get-AzureADServicePrincipal -ObjectId "<Managed Identity GUID>"   # object ID (not client ID) of the Function's system-assigned identity
$graph = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"   # Microsoft Graph service principal in your tenant
$role = $graph.AppRoles | Where-Object { $_.Value -eq "SecurityEvents.Read.All" }   # the application permission (app role) to grant
New-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -PrincipalId $msi.ObjectId -Id $role.Id -ResourceId $graph.ObjectId

Now that the app role is assigned, the Function can read Security Alerts from Microsoft Graph. AzureServiceTokenProvider (from Microsoft.Azure.Services.AppAuthentication; its current replacement is DefaultAzureCredential in Azure.Identity) detects that it is running with a managed identity and uses it when you request an access token for the resource https://graph.microsoft.com, and that token carries SecurityEvents.Read.All in its roles claim. Two caveats: the assignment can take a few minutes to propagate, and a token the provider cached before the assignment will not contain the new role until it is refreshed; and SecurityEvents.Read.All is tenant-wide, so grant it only to the identity that needs it and do not reach for a broader permission than the alerts endpoint requires.
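The Function-side counterpart, as an added example that is not code from the original post: a PowerShell Azure Functions script that gets a Graph token from the Function's managed identity, checks that the token actually carries the SecurityEvents.Read.All app role (which also serves as the check that the assignment above took effect), and pages through Security Alerts. It calls the platform's managed identity token endpoint directly (the IDENTITY_ENDPOINT and IDENTITY_HEADER variables that Azure Functions sets) rather than the .NET AzureServiceTokenProvider, so it assumes it is running inside a Function App with a system-assigned identity. The $Timer parameter and the severity/status filter are assumptions for illustration; the function names are mine.

```powershell
# Added example (not from the original post): an Azure Functions PowerShell script that
# acquires a Microsoft Graph token from the Function's managed identity, verifies the token
# carries the SecurityEvents.Read.All app role, and pages through Security Alerts.
# Assumptions: it runs inside Azure Functions (IDENTITY_ENDPOINT / IDENTITY_HEADER are set
# by the platform); $Timer is the hypothetical timer-trigger binding.
param($Timer)

$GraphResource = 'https://graph.microsoft.com'
$RequiredRole  = 'SecurityEvents.Read.All'

function Get-ManagedIdentityToken {
    param([string]$Resource)
    # Azure Functions exposes the managed identity token service through these two env vars.
    if (-not $env:IDENTITY_ENDPOINT -or -not $env:IDENTITY_HEADER) {
        throw 'Managed identity endpoint not found. Is a system-assigned identity enabled on the Function App?'
    }
    $uri = '{0}?resource={1}&api-version=2019-08-01' -f $env:IDENTITY_ENDPOINT, [uri]::EscapeDataString($Resource)
    $response = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }
    return $response.access_token
}

function Get-JwtPayload {
    param([string]$Token)
    # Decode the JWT payload (middle segment, base64url) without validating the signature.
    # This is only for inspecting claims locally, never for trusting the token.
    $segment = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($segment.Length % 4) { 2 { $segment += '==' } 3 { $segment += '=' } }
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment)) | ConvertFrom-Json
}

function Get-SecurityAlerts {
    param([string]$Token, [string]$Filter, [int]$PageSize = 50)
    $headers = @{ Authorization = "Bearer $Token" }
    $uri = "$GraphResource/v1.0/security/alerts?`$top=$PageSize"
    if ($Filter) { $uri += "&`$filter=" + [uri]::EscapeDataString($Filter) }
    $alerts = @()
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        $alerts += $page.value
        $uri = $page.'@odata.nextLink'   # null on the last page, which ends the loop
    }
    return $alerts
}

$token  = Get-ManagedIdentityToken -Resource $GraphResource
$claims = Get-JwtPayload -Token $token
if (-not ($claims.roles -contains $RequiredRole)) {
    # Most common causes: the app role assignment was never made, or it was made after the
    # identity's token was cached. The roles listed here are exactly what the Function can do in Graph.
    throw "Token for app $($claims.appid) lacks $RequiredRole. Roles present: $($claims.roles -join ', ')"
}

# Assumed filter for illustration: only new, high-severity alerts.
$alerts = Get-SecurityAlerts -Token $token -Filter "severity eq 'high' and status eq 'newAlert'"
Write-Host "Retrieved $($alerts.Count) new high-severity alerts"
foreach ($a in $alerts) {
    Write-Host ("{0}  {1}  {2}  {3}" -f $a.createdDateTime, $a.vendorInformation.provider, $a.category, $a.title)
}
```

If the roles check throws right after you ran the assignment script, wait a few minutes and restart the Function App so the cached token is discarded. The roles claim is the authoritative statement of what the identity can do in Graph: anything missing from it will fail with 403 regardless of what the portal shows.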

Happy dev’ing!