Assign Permissions to Enterprise Application (Managed Identity)

Question
Hi there,
I have assigned a managed identity to an Azure App Service, which shows up in Enterprise Applications in the Azure Active Directory.
Now, I want to give this identity some permissions related to the AAD, such as read permissions for AD groups. However, when I go into AAD --> Enterprise Application --> App Service Managed Identity --> Permissions, the Azure Portal shows a Not Found screen, which looks like a bug. Why would there be a Permissions section if it shows "Not Found"?
Now, my question is, how can I give permissions to my managed identity?
Don't hesitate to ask if you need further information.
Best regards,
Stefan
Friday, April 12, 2019 7:37 AM
Answers
Hey Brad, in regards to some of your questions:
Why a managed identity doesn't automatically register the App - That is because the app MSI is essentially a service principal, not a fully fledged custom application registration with an app object. There is definitely an argument for why it SHOULD create an app registration; if you're interested in pursuing this further, please put it under Azure feedback and the product team will look into it as soon as possible. https://feedback.azure.com/forums/34192--general-feedback
Why an App registration needs to be done to access AzureAD resources when the managed identity can already be assigned resources - The app registration is an app object; please refer to the app model docs for more information in regards to that: https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals
Why managed identities are stored in a section called 'Enterprise Applications' - This is because the managed identities are essentially service principals assigned to an app, and the SPs are put under enterprise applications.
- Proposed as answer by BradAtWork Monday, July 8, 2019 6:05 PM
- Marked as answer by Frank Hu MSFT Tuesday, September 3, 2019 9:29 PM
Thursday, June 27, 2019 11:08 PM
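One way to act on the answer above and give the managed identity read access to groups, as an added example that is not part of the original thread. It uses the AzureAD PowerShell module (`Connect-AzureAD`, `Get-AzureADServicePrincipal`, `New-AzureADServiceAppRoleAssignment`) and assumes a placeholder App Service name and an account allowed to grant application permissions; it also shows why the portal's Permissions blade is empty for this kind of service principal.

```powershell
# Added example (not from the original thread). Assumes the AzureAD PowerShell
# module and an account permitted to grant application permissions.
Connect-AzureAD | Out-Null

$msiName = '<app-service-name>'   # placeholder: App Service whose managed identity to grant

# 1. The managed identity is a service principal of type "ManagedIdentity" ...
$msi = Get-AzureADServicePrincipal -Filter "DisplayName eq '$msiName'"
if (-not $msi) { throw "No service principal named '$msiName'" }
"Service principal: $($msi.ObjectId) (type: $($msi.ServicePrincipalType))"

# ... with no application object behind it, which is why the portal's
# Permissions blade (an app-registration feature) has nothing to show.
$appObject = Get-AzureADApplication -Filter "AppId eq '$($msi.AppId)'"
"Application object present: $([bool]$appObject)"   # False for a managed identity

# 2. Graph permissions for a service principal are app-role assignments on the
#    Microsoft Graph service principal (well-known AppId below).
$graph = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
$role  = $graph.AppRoles | Where-Object {
    $_.Value -eq 'Group.Read.All' -and $_.AllowedMemberTypes -contains 'Application'
}
if (-not $role) { throw "Group.Read.All application role not found on the Graph service principal" }

# 3. Grant only that role, and only once (idempotent re-runs).
$existing = Get-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId |
    Where-Object { $_.Id -eq $role.Id -and $_.ResourceId -eq $graph.ObjectId }
if (-not $existing) {
    New-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -Id $role.Id `
        -PrincipalId $msi.ObjectId -ResourceId $graph.ObjectId | Out-Null
}

# 4. Verify: list what the identity can now do against Graph.
Get-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId |
    Where-Object { $_.ResourceId -eq $graph.ObjectId } |
    ForEach-Object {
        $def = $graph.AppRoles | Where-Object { $_.Id -eq $PSItem.Id }
        "$($_.ResourceDisplayName): $($def.Value)"
    }
```

The assignment shows up under the identity's Enterprise Application entry, and the App Service can then request a Graph token for its managed identity and read groups with no app registration involved.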
All replies
You can go to "User and Groups" options of the required application under the Enterprise application blade and provide access to specific users or groups.
- Proposed as answer by SaurabhSharma-MSFT (Microsoft employee) Thursday, April 18, 2019 5:36 PM
Thursday, April 18, 2019 5:36 PM
I'm seeing the same thing. From what I can tell, it appears to be related to App Registration in that if you 'register' the application, this section is now active.
Why a managed identity doesn't automatically register the App, why an App registration needs to be done to access AzureAD resources when the managed identity can already be assigned resources, and why managed identities are stored in a section called 'Enterprise Applications' are all mysteries I'm still trying to figure out. :)
If you have discovered the answers to any of these or gained any insights into this issue I would definitely be curious to hear from you!
Thursday, June 27, 2019 2:11 PM
I'm following up on this; please remember to mark one of the responses as answer if your question has been answered. If not, please let us know if there are any more questions.
Thanks!
Thursday, June 27, 2019 11:00 PM