
User Managed Identity

Terraform Managed Identity Setup

Steps to Create Managed Identity

To create a managed identity for a MySQL server using Terraform, use the following configuration:

resource "azurerm_user_assigned_identity" "shared_mysql_identity" {
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  name                = "${var.tags.environment_short}-${var.tags.region_short}-identity"
}

Assigning Microsoft Graph Permissions

After creating the managed identity for the MySQL server, you need to assign Microsoft Graph permissions so that the managed identity can use the access token to log in to the MySQL server. Follow these steps to assign the required permissions using a PowerShell script:

Required Permissions

The following Microsoft Graph permissions are required:

  • User.Read.All
  • Directory.Read.All
  • Application.Read.All

PowerShell Script

The PowerShell script below assigns the necessary permissions to the managed identity:

# Script to assign permissions to an existing UMI
# The following required Microsoft Graph permissions will be assigned:
#   User.Read.All
#   Directory.Read.All
#   Application.Read.All

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications

$tenantId = ""        # Your tenant ID
$MSIName = ""         # Name of your managed identity

# Log in as a user with the "Global Administrator" or "Privileged Role Administrator" role
Connect-MgGraph -TenantId $tenantId -Scopes "AppRoleAssignment.ReadWrite.All,Application.Read.All"

# Look up the Microsoft Graph service principal by its well-known application ID.
# Display names are not unique within a tenant, so filtering on AppId is the reliable match.
$MSGraphSP = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

# Ensure the Microsoft Graph service principal was found
if ($null -eq $MSGraphSP) {
    Write-Error "Microsoft Graph service principal not found"
    Exit 1
}

# Retrieve the managed identity service principal
$MSI = Get-MgServicePrincipal -Filter "DisplayName eq '$MSIName'"
if ($MSI.Count -gt 1) {
    # Single quotes keep $MSI literal in the message instead of expanding the variable
    Write-Output 'More than one principal found with that name. Find your principal, copy its object ID and replace the lookup above with: $MSI = Get-MgServicePrincipal -ServicePrincipalId <your_object_id>'
    Exit 1
} elseif ($MSI.Count -eq 0) {
    Write-Error "No managed identity service principal found with the name '$MSIName'"
    Exit 1
}

# Define required permissions
$Permissions = @(
    "User.Read.All"
    "Directory.Read.All"
    "Application.Read.All"
)

# Find app roles for the required permissions within the Microsoft Graph application
$MSGraphAppRoles = $MSGraphSP.AppRoles | Where-Object { $_.Value -in $Permissions }
if (@($MSGraphAppRoles).Count -ne $Permissions.Count) {
    Write-Error "Could not resolve every requested permission to a Microsoft Graph app role"
    Exit 1
}

# Assign the managed identity an app role for each permission
foreach ($AppRole in $MSGraphAppRoles) {
    $AppRoleAssignment = @{
        principalId = $MSI.Id
        resourceId  = $MSGraphSP.Id
        appRoleId   = $AppRole.Id
    }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $AppRoleAssignment.principalId -BodyParameter $AppRoleAssignment -Verbose
}

Write-Output "Permissions assigned successfully."

Notes

  • Ensure you replace the placeholder values for $tenantId and $MSIName with your actual tenant ID and managed identity name.
  • This script requires the Microsoft.Graph.Authentication and Microsoft.Graph.Applications PowerShell modules, which can be installed from the PowerShell Gallery if not already available.
  • Ensure the user running the script has the necessary roles (Global Administrator or Privileged Role Administrator) to assign permissions.
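As an added verification step (example code, not part of the original page), the script below lists the Microsoft Graph app roles actually granted to the managed identity and compares them with the three permissions documented above, reporting anything missing or anything granted beyond that set. It assumes the same $tenantId and $MSIName placeholders as the assignment script and needs only read scopes.

```powershell
# Audit script (added example): compare the Graph app roles granted to the UMI
# with the documented set, so over-privilege or a failed assignment is visible.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications

$tenantId = ""   # Your tenant ID
$MSIName  = ""   # Name of the managed identity created by Terraform

# Read-only scope is sufficient for auditing; nothing is written
Connect-MgGraph -TenantId $tenantId -Scopes "Application.Read.All"

# The permission set the setup above is expected to grant
$Expected = @("User.Read.All", "Directory.Read.All", "Application.Read.All")

# Microsoft Graph service principal, matched by its well-known application ID
$MSGraphSP = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

$MSI = Get-MgServicePrincipal -Filter "DisplayName eq '$MSIName'"
if ($null -eq $MSI -or $MSI.Count -ne 1) {
    Write-Error "Expected exactly one service principal named '$MSIName', found $($MSI.Count)"
    Exit 1
}

# Map Graph app role IDs back to readable values such as User.Read.All
$RoleNames = @{}
foreach ($Role in $MSGraphSP.AppRoles) { $RoleNames[$Role.Id] = $Role.Value }

# All app role assignments held by the identity whose resource is Microsoft Graph
$Granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MSI.Id -All |
    Where-Object { $_.ResourceId -eq $MSGraphSP.Id } |
    ForEach-Object { $RoleNames[$_.AppRoleId] }

$Missing = $Expected | Where-Object { $_ -notin $Granted }
$Extra   = $Granted  | Where-Object { $_ -notin $Expected }

Write-Output "Granted Microsoft Graph app roles: $($Granted -join ', ')"
if ($Missing) { Write-Warning "Missing from the identity: $($Missing -join ', ')" }
if ($Extra)   { Write-Warning "Granted beyond the documented set (review for least privilege): $($Extra -join ', ')" }
if (-not $Missing -and -not $Extra) { Write-Output "Assignments match the documented permission set." }
```

Running this after the assignment script, and again periodically, gives a quick check that the identity holds exactly the three documented permissions and nothing more.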