Last Updated on October 25, 2024 by Michael Morten Sonne
Introduction
Introducing a new PowerShell tool for Managing Managed Identity Permissions in Azure/Entra ID!
I am thrilled to announce the release of a brand-new PowerShell tool designed to make managing Managed Identity permissions more straightforward and efficient. This tool is aimed at helping both system administrators and developers take full control over their Managed Identity permissions, offering a clear, consolidated approach to handling access management tasks.
With this release, I’ve focused on providing powerful functionality while ensuring simplicity in managing Managed Identity permissions across your Entra ID/Azure environment.
Whether you’re an Azure novice or a seasoned admin, this tool is built to streamline permission management while minimizing risks and errors.
And as always, I welcome feedback and suggestions for improvements – and your support, as stuff like this takes time to create and maintain! 🤩🤘
Why this tool is needed
Over the years, many scripts and tools have emerged to manage Managed Identity permissions, but they often lack cohesion, consistency, and ease of use. Many administrators and customers I help still struggle to find a streamlined solution that is both comprehensive and easy to implement… 🙈
This PowerShell tool addresses those gaps by providing:
- Simplicity: No more searching for various scripts or trying to piece together different approaches. This tool consolidates everything in one place.
- Security: With confirmation prompts for high-risk tasks and robust logging, it ensures that permission changes are made with caution and transparency.
- Efficiency: Whether you’re handling permissions for a single identity or many, this tool helps you complete tasks quickly and accurately.
How this tool will help you
- Build confidence: The tool’s logging and confirmation features give you peace of mind by ensuring transparency and accuracy in your actions.
- Save time: With everything in one place, there’s no need to waste time searching for scripts or guessing how to modify permissions.
- Reduce errors: By offering user-friendly steps and confirmations, the tool helps avoid common mistakes like accidentally removing important permissions.
- Increase efficiency: Manage permissions for multiple identities or access scopes quickly and easily, whether you’re making minor tweaks or revamping access.
Key features of the initial release
Here’s a quick overview of the key features that make this tool a game-changer:
- List all Managed Identities: Retrieve a complete list of all Managed Identities in your connected Entra ID tenant. This feature offers clear visibility into the identities you’re responsible for, allowing you to monitor permissions more effectively.
- View assigned permissions: Quickly view a detailed list of current assigned permissions for any selected Managed Identity, giving you an immediate overview of what access has been granted.
- Support for Multiple Access Scopes: Manage permissions across one or many access scopes, with support for handling a single API service at a time, such as Microsoft Graph. This focused approach ensures you can manage specific APIs without getting overwhelmed by too many services (more will come over time).
- Add permissions without overwriting: Seamlessly add new permissions to Managed Identities without removing or altering existing permissions, ensuring continuity and preventing accidental permission loss.
- Set permissions by resetting current assignments: If you need a fresh start with permissions for any Managed Identity, you can reset all existing assignments and apply the new permissions configured through the tool.
- Remove individual permissions: Need to fine-tune access? This tool allows you to selectively remove permissions from any Managed Identity, giving you precise control over who has access to which resources.
- Remove all permissions: For cases where you need to completely revoke access, you can strip all permissions from a Managed Identity, perfect for decommissioning or retiring identities no longer in use.
- List Access Scopes with filtering: Find exactly the access scopes you need to add or edit by filtering through the available options, simplifying the process of working with complex permission sets.
- Confirmation for High-Risk tasks: To enhance user confidence and avoid unintended changes, the tool includes confirmation prompts for high-risk actions, such as removing all permissions from an identity.
- Full logging for transparency: Every action you perform is logged in detail (locally, by the tool – if you also need the changes logged in Azure/Entra ID, you need to have that logging in place and set up), including changes to assigned permissions (both additions and removals). These logs are essential for auditing and maintaining a record of all permission management activities.
- And a lot more to come as the tool is developed further…
How the tool looks – for now
Here are some screenshots of the tool performing some of the actions it supports.
After you have connected to Microsoft Graph, you have the options listed below, and you are ready to rock! 🚀
Some screenshots here may show older text/layouts compared to the released v1.
Get permissions for a service
You have the option to get a full list of the permission scopes possible to assign on the different service applications, like Microsoft Graph and Exchange Online.
To get the list of possible permission scopes to assign, click on Get access scopes for service, and you will get the whole list possible to manage for the selected service – and there is a lot, so it is nice to have a list you can search in!
Filter possible permissions for a service to manage
You have the option to filter the full list of permission scopes possible to assign on the selected service application, like Microsoft Graph here.
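The two steps above (getting the full list of access scopes for a service, then filtering it) are the same lookup underneath: reading the app roles exposed by the resource service principal. The following is an added example written for this post, not the tool’s own code; it assumes the Microsoft.Graph PowerShell SDK is installed and that you can sign in with an account allowed to read applications in the tenant. `Get-ResourceAppRole` and `$graphAppId` are names chosen here; the appId value for Microsoft Graph is the published well-known one.

```powershell
# Added example (not the tool's own code): list and filter the application
# permissions ("app roles") a resource API such as Microsoft Graph exposes.
# Assumes the Microsoft.Graph PowerShell SDK and a signed-in account that may
# read applications in the tenant.

# Read-only is enough for listing scopes.
Connect-MgGraph -Scopes "Application.Read.All"

# Well-known appId of the Microsoft Graph resource service principal.
$graphAppId = '00000003-0000-0000-c000-000000000000'

function Get-ResourceAppRole {
    <#
    .SYNOPSIS
    Returns the app roles (application permissions) exposed by a resource
    service principal, optionally filtered by a wildcard on the scope value.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ResourceAppId,
        [string]$Filter = '*'
    )

    $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$ResourceAppId'"
    if (-not $resourceSp) { throw "No service principal found for appId $ResourceAppId" }

    # Only roles assignable to applications (and therefore to Managed Identities)
    # are relevant here; delegated scopes live in Oauth2PermissionScopes instead.
    $resourceSp.AppRoles |
        Where-Object { $_.IsEnabled -and $_.AllowedMemberTypes -contains 'Application' -and $_.Value -like $Filter } |
        Sort-Object Value |
        Select-Object Value, DisplayName, Id, Description
}

# Full list for Microsoft Graph (it is long, hence the filter option).
Get-ResourceAppRole -ResourceAppId $graphAppId | Format-Table -AutoSize

# Filtered list, e.g. only the Mail.* application permissions.
Get-ResourceAppRole -ResourceAppId $graphAppId -Filter 'Mail.*' | Format-Table -AutoSize
```

The `Id` column is what an app role assignment actually stores; the `Value` column is the human-readable scope name you search for in the tool, so keeping both in the output makes it easy to map between the two.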
Get current permissions for a Managed Identity
To get the list of currently assigned permission scopes for a selected Managed Identity, click on “Get current assigned permissions” and you will get the whole list currently assigned, with more information like description, scope and the service the access scope gives access to.
Add new access scope
To add a permission scope, you can search for it and then add it to the Permissions to edit via Add selected access scope for edit – it will be added to the upper textbox, so you can view the access scopes you are about to manage in one central place.
Ensure the permission action Add is selected, and click on Submit – now the tool will assign the new permission, and afterwards you can get the assigned access scopes on the Managed Identity via Get current assigned permissions.
By default, when you add access scopes, the currently assigned access scopes are removed (that is how the PowerShell behind it works 😂) – so by default the tool is set to keep them when you add or remove access scopes – but the option can also be turned off, as you can see here – you need to confirm it, as it will remove all currently assigned access scopes when you hit Submit for changes!
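To show what “Get current assigned permissions” and “add without overwriting” look like underneath, here is an added example that is not the tool’s own code. It uses the Graph cmdlets referenced at the end of the post and assumes the Microsoft.Graph PowerShell SDK; `$miDisplayName`, the scope name `User.Read.All` used in the usage line, and the function names `Get-MiAssignedScope` and `Add-MiScope` are placeholders and names chosen here. An assignment only carries IDs, so the first function resolves each one back to the scope value and description; the second checks the existing assignments first and only creates the ones that are missing, so nothing already granted is touched.

```powershell
# Added example (not the tool's own code): read a Managed Identity's current
# app role assignments and add permissions without touching existing ones.
# Assumes the Microsoft.Graph SDK; $miDisplayName and the scope names are
# placeholders you replace with your own values.

# AppRoleAssignment.ReadWrite.All allows adding/removing app role assignments;
# Application.Read.All lets us resolve role IDs back to scope names.
Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All"

$graphAppId    = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph (well-known appId)
$miDisplayName = 'my-managed-identity'                    # placeholder: your MI's display name

# Managed Identities are service principals of type ManagedIdentity.
$mi = Get-MgServicePrincipal -Filter "displayName eq '$miDisplayName' and servicePrincipalType eq 'ManagedIdentity'"
if (-not $mi) { throw "Managed Identity '$miDisplayName' not found" }
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

function Get-MiAssignedScope {
    # Returns each assignment with the scope value and description resolved from
    # the resource's app role definition (the raw assignment only carries IDs).
    param([Parameter(Mandatory)][string]$ServicePrincipalId)

    $resourceCache = @{}   # avoid re-reading the same resource SP per assignment
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId -All) {
        if (-not $resourceCache.ContainsKey($a.ResourceId)) {
            $resourceCache[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
        }
        $role = $resourceCache[$a.ResourceId].AppRoles | Where-Object Id -eq $a.AppRoleId
        [pscustomobject]@{
            AssignmentId = $a.Id
            Service      = $a.ResourceDisplayName
            Scope        = $role.Value
            Description  = $role.Description
        }
    }
}

function Add-MiScope {
    # Adds the named app roles to the MI; existing assignments are left intact
    # and an already-assigned scope is skipped rather than duplicated.
    param(
        [Parameter(Mandatory)][string]$ServicePrincipalId,
        [Parameter(Mandatory)]$ResourceSp,
        [Parameter(Mandatory)][string[]]$Scope
    )
    $existing = (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId -All |
                 Where-Object ResourceId -eq $ResourceSp.Id).AppRoleId

    foreach ($s in $Scope) {
        $role = $ResourceSp.AppRoles | Where-Object { $_.Value -eq $s -and $_.AllowedMemberTypes -contains 'Application' }
        if (-not $role) { Write-Warning "Unknown application permission '$s' on $($ResourceSp.DisplayName)"; continue }
        if ($existing -contains $role.Id) { Write-Host "Already assigned: $s"; continue }

        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId `
            -PrincipalId $ServicePrincipalId -ResourceId $ResourceSp.Id -AppRoleId $role.Id | Out-Null
        Write-Host "Assigned: $s"
    }
}

# Before, add one scope (placeholder value), and after.
Get-MiAssignedScope -ServicePrincipalId $mi.Id | Format-Table -AutoSize
Add-MiScope -ServicePrincipalId $mi.Id -ResourceSp $graphSp -Scope 'User.Read.All'
Get-MiAssignedScope -ServicePrincipalId $mi.Id | Format-Table -AutoSize
```

Because `Add-MiScope` compares against the existing `AppRoleId` values before calling `New-MgServicePrincipalAppRoleAssignment`, re-running it is safe: the second run reports every scope as already assigned and changes nothing.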
Confirm to remove all current assigned access scopes
You can remove all currently assigned access scopes for the selected Managed Identity. To confirm the action, you will be prompted to confirm it.
After confirming the removal, the tool will start performing the action and remove all the assigned access scopes.
Now you can check whether the access scopes are removed via the Get current assigned permissions button.
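The remove-all flow described above, as an added example that is not the tool’s own code: it relies on PowerShell’s built-in `ShouldProcess` support so that the high-risk action prompts by default, can be rehearsed with `-WhatIf`, and is verified afterwards with the same read call the “Get current assigned permissions” button uses. It assumes the Microsoft.Graph PowerShell SDK; `$miDisplayName` and the function name `Remove-MiAllScope` are placeholders chosen here.

```powershell
# Added example (not the tool's own code): remove every app role assignment
# from a Managed Identity, guarded by PowerShell's built-in confirmation, then
# verify the result. Assumes the Microsoft.Graph SDK; $miDisplayName is a placeholder.

Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All"

$miDisplayName = 'my-managed-identity'   # placeholder: your MI's display name
$mi = Get-MgServicePrincipal -Filter "displayName eq '$miDisplayName' and servicePrincipalType eq 'ManagedIdentity'"
if (-not $mi) { throw "Managed Identity '$miDisplayName' not found" }

function Remove-MiAllScope {
    # ConfirmImpact = High makes PowerShell prompt by default; -WhatIf shows what
    # would be removed without touching anything; -Confirm:$false skips the prompt
    # (only for scripted decommissioning you have already reviewed).
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$ServicePrincipalId)

    $assignments = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId -All)
    if ($assignments.Count -eq 0) { Write-Host "Nothing assigned; nothing to remove."; return }

    $target = "$($assignments.Count) app role assignment(s) on service principal $ServicePrincipalId"
    if ($PSCmdlet.ShouldProcess($target, 'Remove ALL assigned access scopes')) {
        foreach ($a in $assignments) {
            Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId -AppRoleAssignmentId $a.Id
            # Local trail of what was removed; the Entra ID audit log is the server-side record.
            Write-Verbose "Removed $($a.ResourceDisplayName) role $($a.AppRoleId) (assignment $($a.Id))"
        }
    }
}

# Dry run first, then the real thing (prompts before deleting anything).
Remove-MiAllScope -ServicePrincipalId $mi.Id -WhatIf
Remove-MiAllScope -ServicePrincipalId $mi.Id -Verbose

# Verify: returns nothing once the removal has completed.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -All |
    Select-Object Id, ResourceDisplayName, AppRoleId
```

Putting the confirmation in `ShouldProcess` rather than a hand-rolled `Read-Host` means the same function honours `-WhatIf`, `-Confirm` and `$ConfirmPreference` like any other cmdlet, which is what you want for a step that revokes every permission at once.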
Some development history
If you’re interested in how this tool evolved, I’ve shared some behind-the-scenes development updates on LinkedIn. From early Proof of Concept (PoC) stages to the final release here (v1), the journey has been full of exciting changes and feature additions. It’s been amazing to see how much the tool has transformed since those initial ideas – new functionalities have been added, and the overall design has been refined based on feedback and testing.
Check out my LinkedIn post here and here to see the full development history. It’s fun to look back and see how far it has come – and I thank you all for the super support here and reactions! 🤘🥳
Here are some of the early PoC and development states:
After days of development, testing, and feedback from the community (and some special testers like Harm Veenstra, who validated this with his good PowerShell skills) ❤️🤩
Download
Ready to streamline your Managed Identity permissions management? You can download the PowerShell tool and start using it today! Simply follow the link below to get access:
Download and see more of the tool here on GitHub
The tool is easy to set up, and whether you’re managing permissions for a single identity or multiple ones across your Azure tenant, this tool has you covered.
What’s next?
This is just the beginning! 🤘🚀
As I gather feedback from the community, there will be new features and improvements added to enhance the tool even further. The goal is to continuously refine it based on real-world use cases and community input, so don’t hesitate to share your experiences and ideas to make it better – bug reporting is also much welcome! 😄
Feel free to ping me, comment below and via GitHub!
Conclusion
This PowerShell tool is designed to fill a critical gap in the management of Managed Identity permissions, providing an easy-to-use, robust, and secure solution for both Azure administrators and developers. I’m excited for you to try it out, and I’m confident it will simplify your work while giving you more control over your environment.
In summary, this tool provides the “easy-to-use” solution that has been missing from the PowerShell community for managing Managed Identity permissions, making it invaluable for both simplifying daily tasks and enhancing security.
I would love to hear feedback from the community, so feel free to try it out and share your thoughts – I look forward to your feedback and suggestions for future updates!
Stay tuned for future updates as we plan to add more features based on user feedback and new Azure services.
Happy scripting and reading!
Thank you for taking the time to visit my blog. Kindly share it with others if it also could be helpful for them! 😉🔐👍
Remember you can always support me and my development of tools and creation of content via Why donate? – Blog – Sonne´s Cloud (sonnes.cloud)
Stay tuned for the new post about something cool! 🥳
References
Get-MgServicePrincipal (Microsoft.Graph.Applications) | Microsoft Learn
Connect-MgGraph (Microsoft.Graph.Authentication) | Microsoft Learn
Get-MgServicePrincipalAppRoleAssignment (Microsoft.Graph.Applications) | Microsoft Learn
Remove-MgServicePrincipalAppRoleAssignment (Microsoft.Graph.Applications) | Microsoft Learn
New-MgServicePrincipalAppRoleAssignment (Microsoft.Graph.Applications) | Microsoft Learn