Using PowerShell to Assign Azure System-Assigned Identity to Azure AD Group
Introduction
In Azure, managing access and permissions to resources is central to your organisation's security and governance. Azure Active Directory (Azure AD) groups provide a convenient way to organise the principals that need access and to manage access control for Azure resources at group level: a role assigned to the group applies to every member, including the service principals of managed identities.
Benefits of managing access via Azure AD Group
Azure AD groups offer several advantages over assigning resource access to each identity individually, some of which are:
- Simplified Management: Role assignments are made once, to the group, rather than to each identity. Adding a member grants it every role the group holds, and removing it revokes them all at the same time.
- Centralised Access Control: The same group can be granted roles on Service Bus namespaces, storage accounts or other Azure services, so the permissions an identity holds can be reviewed in one place (the group's role assignments) rather than resource by resource.
- Consistent Access: Adding users or service principals to a group gives them the same access across every resource the group is authorised for, which keeps permissions consistent for a given set of users and Azure resources.
Prerequisites
Before proceeding with the script, ensure you have the following:
- The Azure PowerShell (Az) module installed, if running on a self-hosted deployment agent (the Get-AzResource and *-AzADGroupMember cmdlets used below ship in Az.Resources)
- An identity with permission to read the Azure resources and to change the membership of the Azure AD group, for example the service principal behind a Service Connection in Azure DevOps. Reader on the subscription is enough to enumerate the Logic Apps; adding members requires the identity to be an owner of the group or to hold an equivalent directory permission. Treat that identity as sensitive: whoever can run this script can grant any principal every role the group holds.
Let's take a look at how we can achieve this with a PowerShell script that you can run in a DevOps pipeline or an automation runbook (it operates on the subscription of the current Azure context):
# Get all Logic Apps in the current subscription that have a system-assigned identity
# and whose name contains the environment string. -like needs the wildcards: without them
# "dev" matches only a workflow literally named "dev". Matching "*SystemAssigned*" also
# catches workflows that have both a system-assigned and a user-assigned identity.
$environment = "dev"
$logicApps = Get-AzResource -ResourceType "Microsoft.Logic/workflows" |
    Where-Object { $_.Identity.Type -like "*SystemAssigned*" -and $_.Name -like "*$environment*" }

# Print the Logic Apps information
Write-Host "Logic Apps with System Assigned Identity Enabled:"
$logicApps | ForEach-Object {
    Write-Host "  Name: $($_.Name)"
    Write-Host "  Resource Group: $($_.ResourceGroupName)"
    Write-Host "  Logic App Principal ID: $($_.Identity.PrincipalId)"
    Write-Host ""
}

# Get the existing members of the Azure AD group
$adGroupName = "your-ad-group-name"
$groupMembers = Get-AzADGroupMember -GroupDisplayName $adGroupName

# Add the managed identity of each Logic App to the Azure AD group
foreach ($logicApp in $logicApps) {
    $logicAppName = $logicApp.Name
    # PrincipalId is the object ID of the identity's service principal in Azure AD
    $logicAppPrincipalId = $logicApp.Identity.PrincipalId

    # Check if the Logic App is already a member of the Azure AD group
    if ($groupMembers.Id -contains $logicAppPrincipalId) {
        Write-Host "Logic App '$logicAppName' is already a member of the Azure AD group '$adGroupName'"
    }
    else {
        # Add the Logic App to the Azure AD group
        Add-AzADGroupMember -MemberObjectId $logicAppPrincipalId -TargetGroupDisplayName $adGroupName
        Write-Host "Assigned Logic App '$logicAppName' to Azure AD group '$adGroupName'"
    }
}
The script above adds the system-assigned managed identity of each matching Logic App to an Azure AD group. It performs the following actions:
- Retrieves all Logic Apps in the current subscription that have a system-assigned identity and whose name contains the environment string (dev)
- Prints the name, resource group and principal ID of each of them.
- Retrieves the existing members of the Azure AD group.
- Adds the Logic App's managed identity (its principal ID, which is the object ID of the identity's service principal) to the group if it is not already a member.
Because membership grants every role assigned to the group, review the group's role assignments before running this against a group that holds privileged roles, and prefer addressing the group by object ID where display names are not guaranteed to be unique. You can tweak the Get-AzResource section to get the principal IDs of other Azure resource types, such as Function Apps (Microsoft.Web/sites).
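The script above assumes the group already holds the right roles and that its display name is unique. As an added example (not part of the original post), the following PowerShell reconciles membership the way a practitioner would want for the access-via-group approach described in the benefits section and the procedure above: it addresses the group by object ID, prints the role assignments every member inherits before changing anything, adds missing Logic App identities, and reports (and optionally removes) managed-identity members that no longer correspond to an in-scope Logic App, such as the identity of a deleted workflow. The GroupObjectId, Environment and RemoveStale parameters are illustrative; the script runs against the subscription of the current Azure context and needs the same permissions as the original script.

```powershell
# Added example, not from the original post. Reconciles an Azure AD group's membership
# against the Logic Apps of one environment. Parameter names are hypothetical.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Object ID of the target group. Display names need not be unique; object IDs are.
    [Parameter(Mandatory)] [string] $GroupObjectId,
    # Substring that in-scope Logic App names contain, e.g. "dev".
    [string] $Environment = "dev",
    # Also remove managed-identity members that no longer match an in-scope Logic App.
    [switch] $RemoveStale
)

$ErrorActionPreference = "Stop"

# 1. Resolve the group and show what membership grants (direct assignments in this subscription).
$group = Get-AzADGroup -ObjectId $GroupObjectId
Write-Host "Group: $($group.DisplayName) ($($group.Id))"
Write-Host "Role assignments inherited by every member of this group:"
Get-AzRoleAssignment -ObjectId $group.Id |
    ForEach-Object { Write-Host "  $($_.RoleDefinitionName) @ $($_.Scope)" }

# 2. Desired members: principal IDs of in-scope Logic Apps. "*SystemAssigned*" also matches
#    workflows that carry both a system-assigned and a user-assigned identity.
$desired = @{}
Get-AzResource -ResourceType "Microsoft.Logic/workflows" |
    Where-Object { $_.Identity.Type -like "*SystemAssigned*" -and $_.Name -like "*$Environment*" } |
    ForEach-Object { $desired[$_.Identity.PrincipalId] = $_.Name }
Write-Host "In-scope Logic Apps: $($desired.Count)"

# 3. Current members, keyed by object ID.
$current = @{}
Get-AzADGroupMember -GroupObjectId $group.Id |
    ForEach-Object { $current[$_.Id] = $_.DisplayName }

# 4. Add identities that are not yet members. ShouldProcess honours -WhatIf and -Confirm.
foreach ($principalId in $desired.Keys) {
    $name = $desired[$principalId]
    if ($current.ContainsKey($principalId)) {
        Write-Host "Already a member: $name ($principalId)"
        continue
    }
    if ($PSCmdlet.ShouldProcess("$name ($principalId)", "Add to group $($group.DisplayName)")) {
        Add-AzADGroupMember -MemberObjectId $principalId -TargetGroupObjectId $group.Id
        Write-Host "Added: $name ($principalId)"
    }
}

# 5. Members that do not correspond to an in-scope Logic App. Only managed-identity service
#    principals are considered stale; users, applications and nested groups are left alone.
foreach ($memberId in $current.Keys) {
    if ($desired.ContainsKey($memberId)) { continue }
    $sp = Get-AzADServicePrincipal -ObjectId $memberId -ErrorAction SilentlyContinue
    if (-not $sp -or $sp.ServicePrincipalType -ne "ManagedIdentity") { continue }
    Write-Warning "Stale member: $($sp.DisplayName) ($memberId) matches no in-scope Logic App"
    if ($RemoveStale -and $PSCmdlet.ShouldProcess("$($sp.DisplayName) ($memberId)", "Remove from group $($group.DisplayName)")) {
        Remove-AzADGroupMember -MemberObjectId $memberId -GroupObjectId $group.Id
        Write-Host "Removed: $($sp.DisplayName) ($memberId)"
    }
}
```

Run it with -WhatIf first to see which members would be added or removed without changing the group, and only pass -RemoveStale once the warnings it prints have been reviewed: removing a member withdraws every role the group holds from that identity in one step, exactly as adding one grants them.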
Summary
In this tutorial, we explored how to use a PowerShell script to add the system-assigned managed identities of Azure resources to an Azure AD group. By leveraging Azure AD groups for access control, you can simplify management, centralise control over resource permissions, and keep access consistent within your Azure environment. Use the provided script as a starting point and customise it to suit your specific requirements.
Remember to ensure proper testing and validation in a non-production environment before implementing any scripts in your production environment.