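# Grants a set of Microsoft Graph *application* permissions (app roles) to a
# managed identity's service principal. App roles assigned this way take
# effect without any consent prompt, so review $permissions against the
# least-privilege set the workload actually needs before running.
#
# Requires the Microsoft.Graph PowerShell SDK and a caller holding the
# delegated scopes below (AppRoleAssignment.ReadWrite.All to create the
# assignments, Application.Read.All to look up service principals).
Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All"

$managedIdentityName = "INSERT NAME OF YOUR MANAGED IDENTITY"
# App-role *values* (not delegated scopes) to grant on the Microsoft Graph SPN.
$permissions = @("Device.ReadWrite.All", "GroupMember.Read.All")

# 00000003-0000-0000-c000-000000000000 is the well-known AppId of Microsoft Graph.
$graphSpn = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'" | Select-Object -First 1
if (-not $graphSpn) {
    throw "Microsoft Graph service principal not found in this tenant."
}

# Resolve the managed identity by display name. Display names are not unique,
# so refuse to continue when the lookup is ambiguous: silently taking the first
# match could grant tenant-wide permissions to the wrong identity.
# A single quote inside the name must be doubled to stay a literal in the OData filter.
$escapedName = $managedIdentityName.Replace("'", "''")
$miCandidates = @(Get-MgServicePrincipal -Filter "DisplayName eq '$escapedName'")
if ($miCandidates.Count -eq 0) {
    throw "Managed identity '$managedIdentityName' not found."
}
if ($miCandidates.Count -gt 1) {
    throw "Found $($miCandidates.Count) service principals named '$managedIdentityName'; use a unique name or look the identity up by AppId/ObjectId."
}
$miSpn = $miCandidates[0]

Write-Host "MI SPN Id: $($miSpn.Id)"
Write-Host "Graph SPN Id: $($graphSpn.Id)"

# Existing assignments on the managed identity, so re-running the script is
# idempotent instead of failing on roles that are already granted.
$existing = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSpn.Id -All)

foreach ($perm in $permissions) {
    # Only app roles that allow "Application" members can be assigned to a service principal.
    $role = $graphSpn.AppRoles | Where-Object { $_.Value -eq $perm -and $_.AllowedMemberTypes -contains "Application" }
    if (-not $role) {
        Write-Warning "Role $perm not found."
        continue
    }

    if ($existing | Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graphSpn.Id }) {
        Write-Host "Role $perm is already assigned; skipping."
        continue
    }

    Write-Host "Assigning role $perm with Id $($role.Id)"
    try {
        # -ErrorAction Stop turns a non-terminating cmdlet error into an
        # exception so the catch block actually runs.
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSpn.Id -ResourceId $graphSpn.Id -AppRoleId $role.Id -ErrorAction Stop
        Write-Host "Successfully assigned $perm"
    } catch {
        # ${perm} is braced on purpose: a bare "$perm:" is parsed as a
        # scope/drive qualifier and is a parse error, not "<perm>: <error>".
        Write-Warning "Failed to assign ${perm}: $_"
    }
}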