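## Assign API Permissions

```powershell
# Grants Microsoft Graph and Windows Defender ATP application permissions (app roles)
# to a managed identity, e.g. the system-assigned identity of a Logic App.
# Application permissions apply without a signed-in user, so request only the roles
# the workflow actually needs and review the assignments afterwards.
# NOTE(review): the AzureAD module is deprecated in favour of Microsoft Graph PowerShell;
# confirm it is still usable in your environment.

# Your tenant id (in Azure Portal, under Azure Active Directory -> Overview)
$TenantID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

# Microsoft Graph App ID (DON'T CHANGE)
$GraphAppId = "00000003-0000-0000-c000-000000000000"

# Windows Defender ATP App ID (DON'T CHANGE)
$AtpAppId = "fc780465-2017-40d4-a0c5-307022471b92"

# Name of the managed identity (same as the Logic App name)
$DisplayNameOfMSI = "MySystemManagedID"

# Check the Microsoft Graph documentation for the permission you need for the operation
$GraphPermissionName = "SecurityEvents.Read.All"

# Check the Windows Defender ATP documentation for the permission you need for the operation
$AtpPermissionName = "Score.Read.All"

# Install the module (You need admin on the machine)
# Install-Module AzureAD

Connect-AzureAD -TenantId $TenantID -ErrorAction Stop

# Display names are not unique in a tenant. Refuse to continue unless the filter
# matches exactly one service principal, so the roles cannot land on the wrong one.
$MsiMatches = @(Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'" -ErrorAction Stop)
if ($MsiMatches.Count -ne 1) {
    throw "Expected exactly one service principal named '$DisplayNameOfMSI', found $($MsiMatches.Count)."
}
$MSI = $MsiMatches[0]

# Kept from the original script; presumably gives a freshly created identity time
# to propagate before roles are assigned (confirm whether it is still needed).
Start-Sleep -Seconds 10

# Resolve the Microsoft Graph app role that matches the requested application permission.
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'" -ErrorAction Stop
$GraphAppRole = $GraphServicePrincipal.AppRoles |
    Where-Object { $_.Value -eq $GraphPermissionName -and $_.AllowedMemberTypes -contains "Application" }
if (-not $GraphAppRole) {
    throw "Application permission '$GraphPermissionName' was not found on app '$GraphAppId'."
}

# Resolve the Windows Defender ATP app role the same way.
$AtpServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$AtpAppId'" -ErrorAction Stop
$AtpAppRole = $AtpServicePrincipal.AppRoles |
    Where-Object { $_.Value -eq $AtpPermissionName -and $_.AllowedMemberTypes -contains "Application" }
if (-not $AtpAppRole) {
    throw "Application permission '$AtpPermissionName' was not found on app '$AtpAppId'."
}

# Assign both roles to the managed identity. Stop on the first failure so a
# partial grant is noticed rather than silently left behind.
$GraphAssignment = @{
    ObjectId    = $MSI.ObjectId
    PrincipalId = $MSI.ObjectId
    ResourceId  = $GraphServicePrincipal.ObjectId
    Id          = $GraphAppRole.Id
    ErrorAction = 'Stop'
}
New-AzureADServiceAppRoleAssignment @GraphAssignment

$AtpAssignment = @{
    ObjectId    = $MSI.ObjectId
    PrincipalId = $MSI.ObjectId
    ResourceId  = $AtpServicePrincipal.ObjectId
    Id          = $AtpAppRole.Id
    ErrorAction = 'Stop'
}
New-AzureADServiceAppRoleAssignment @AtpAssignment
```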