Using PowerShell to Assign Azure AD Group to Azure Services

Harris Kristanto
4 min read · Aug 15, 2023

System Assigned Managed Identity via AD Group

Introduction

I’m currently in the midst of implementing system-assigned identities for a set of our Logic Apps API connections across a range of Azure resources by leveraging the Azure AD group.

In my previous blog post, we looked at some of the advantages of employing a system-managed identity. The standout benefit is that it provides controlled and secure access to Azure resources without needing to manage individual secrets or passwords.

We also looked at the steps to assign Logic Apps to Azure AD groups using a handy PowerShell script. This time let’s look at the steps for assigning Azure AD group permissions to various Azure resources. This procedure needs to be done only once per resource, when allowing permissions to a new resource in Azure for the first time, for example when setting up the API connection for a new Azure SQL instance from Logic Apps.

I will update this blog post with additional scripts as I bring more Azure Services on board with the Managed Identity. Feel free to bookmark this page for easy reference.

Assigning Roles

We currently use Azure PowerShell to assign the Azure AD group permissions to the other Azure services. You can run the scripts below either directly in the Azure Portal (Cloud Shell) or locally on your machine.

You will need to use an Azure account that has permission to assign roles on the Azure resources; in most cases this means the “Owner” role on the resource.

Please note that while this article mainly uses Logic Apps as an example, the permissions can also be granted to Function Apps, App Services, and some other Azure resources by assigning their managed identity to the same AD Group.

1. Azure Blob Storage

Logic Apps require the “Storage Blob Data Contributor” role to be able to read, write and delete blobs in the container. Use the script below to assign the permission:

$resourceGroup = ''
$storageAccountName = ''
$adGroupName = ''

# Get the storage account resource ID
$storageAccount = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccountName
$storageAccountId = $storageAccount.Id

# Assign the Storage Blob Data Contributor role to the Azure AD group
New-AzRoleAssignment -ObjectId (Get-AzADGroup -DisplayName $adGroupName).Id -RoleDefinitionName "Storage Blob Data Contributor" -Scope $storageAccountId

Write-Host "Assigned Storage Blob Data Contributor role to Azure AD group '$adGroupName' for storage account '$storageAccountName'"

Replace the following variables with actual values:

  • $resourceGroup: Azure resource group containing the Storage Account.
  • $storageAccountName: Name of the Storage Account where the Blob resides at.
  • $adGroupName: Name of the Azure AD group.

2. Azure Event Grid

Logic Apps require the “Contributor” role to be able to listen to events from the Event Grid topic in a storage account. Use the script below to assign the permission:

$resourceGroup = ''
$storageAccountName = ''
$adGroupName = ''

# Get the storage account resource ID
$storageAccount = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccountName
$storageAccountId = $storageAccount.Id

# Assign the Contributor role to the Azure AD group
New-AzRoleAssignment -ObjectId (Get-AzADGroup -DisplayName $adGroupName).Id -RoleDefinitionName "Contributor" -Scope $storageAccountId

Write-Host "Assigned Contributor role to Azure AD group '$adGroupName' for storage account '$storageAccountName'"

Replace the following variables with actual values:

  • $resourceGroup: Azure resource group containing the Storage Account.
  • $storageAccountName: Name of the Storage Account where the Blob resides at.
  • $adGroupName: Name of the Azure AD group.

3. Azure Service Bus

Logic Apps require the “Azure Service Bus Data Owner” role to be able to read from and write to Service Bus topics and queues. Use the script below to assign the permission:

$resourceGroup = ''
$servicebusName = ''
$adGroupName = ''
# Get the Service Bus resource ID
$serviceBus = Get-AzServiceBusNamespace -ResourceGroupName $resourceGroup -Name $servicebusName
$serviceBusId = $serviceBus.Id

# Assign the SB role to the Azure AD group
New-AzRoleAssignment -ObjectId (Get-AzADGroup -DisplayName $adGroupName).Id -RoleDefinitionName "Azure Service Bus Data Owner" -Scope $serviceBusId

Write-Host "Assigned Azure Service Bus Data Owner role to Azure AD group '$adGroupName' for Service Bus namespace '$servicebusName'"

Replace the following variables with actual values:

  • $resourceGroup: Azure resource group containing the Service Bus.
  • $servicebusName: Name of the Service Bus namespace.
  • $adGroupName: Name of the Azure AD group.

Check existing Role Assignments

To verify the current role assignments, meaning the resources and corresponding permissions assigned to the AD group, navigate to the AD Group and access the “Azure role assignments” tab.
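As an added example (not the author’s script), the helper below folds the three one-off scripts above into a single re-runnable function: it resolves the group object ID once, refuses to proceed on a missing or ambiguous group name, skips creation when the same role is already assigned at that scope, and then lists everything the group holds so the “Azure role assignments” check can be done from the same PowerShell session. It assumes the Az module is installed and `Connect-AzAccount` has already been run; the resource and group names are placeholders.

```powershell
# Added example: idempotent role assignment for an Azure AD group, plus a
# summary of what the group already holds. Assumes Connect-AzAccount was run.

function Grant-GroupRoleOnScope {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $RoleDefinitionName,
        [Parameter(Mandatory)] [string] $Scope
    )

    # Resolve the group once; fail loudly instead of passing $null to New-AzRoleAssignment
    $group = Get-AzADGroup -DisplayName $GroupName
    if (-not $group) { throw "Azure AD group '$GroupName' not found" }
    if (@($group).Count -gt 1) { throw "Display name '$GroupName' is ambiguous; use the object ID instead" }

    # Skip if the same principal/role/scope triple already exists (safe to re-run)
    $existing = Get-AzRoleAssignment -ObjectId $group.Id -Scope $Scope -RoleDefinitionName $RoleDefinitionName |
        Where-Object { $_.Scope -eq $Scope }
    if ($existing) {
        Write-Host "Already assigned: '$RoleDefinitionName' to '$GroupName' at $Scope"
        return $existing
    }

    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $RoleDefinitionName -Scope $Scope
}

function Get-GroupRoleSummary {
    param([Parameter(Mandatory)] [string] $GroupName)

    $group = Get-AzADGroup -DisplayName $GroupName
    # Includes assignments inherited from resource group and subscription scopes
    Get-AzRoleAssignment -ObjectId $group.Id |
        Select-Object RoleDefinitionName, Scope |
        Sort-Object Scope
}

# Usage with the same kind of resources as the scripts above (placeholder names)
$resourceGroup = 'rg-placeholder'
$adGroupName   = 'logicapps-identity-group'

$storageId = (Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name 'stplaceholder').Id
$sbId      = (Get-AzServiceBusNamespace -ResourceGroupName $resourceGroup -Name 'sb-placeholder').Id

Grant-GroupRoleOnScope -GroupName $adGroupName -RoleDefinitionName 'Storage Blob Data Contributor' -Scope $storageId
Grant-GroupRoleOnScope -GroupName $adGroupName -RoleDefinitionName 'Azure Service Bus Data Owner' -Scope $sbId

# Review the result: each line should be a role the Logic Apps actually need
Get-GroupRoleSummary -GroupName $adGroupName | Format-Table -AutoSize
```

The summary is also a convenient place to spot broad management roles such as “Contributor” that were granted on a whole resource and decide whether a narrower data-plane role would do.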

Harris Kristanto

System Integration and DevOps specialist working in the cloud with Microsoft Azure and Dell Boomi. https://www.linkedin.com/in/mrkristanto/