Automating application permission grant while avoiding AppRoleAssignment.ReadWrite.All

Sahil Malik
Winsmarts.com
Apr 29, 2021


In a previous blogpost, I detailed the steps for automating permission grants (for both delegated and application permissions) from a headless process, i.e. in automation, using a managed identity or service principal. This is something you’d often use in DevOps.

There was a big downside in the approach I had outlined: it required you to grant AppRoleAssignment.ReadWrite.All to the automation account. To be fair, I did put a big warning there, as follows.
