CopyPastor

Detecting plagiarism made easy.

Score: 1; Reported for: Exact paragraph match

Possible Plagiarism

Reposted on 2024-04-16
by Rukmini

Original Post

Original - Posted on 2024-04-08
by Rukmini




**Note** that: It is not possible to assign delegated permissions to an Azure managed identity. Refer to this [**SO Thread**](https://stackoverflow.com/questions/78086044/implementing-delegated-permissions-with-managed-identities-in-azure-retrieving) by *juunas*.
- Using managed identities you would not be able to sign in as a user, and hence you cannot assign delegated permissions to a managed identity.
- Only Application-type API permissions can be assigned to a managed identity.
If you are adding scope under ***Expose an API*** tab, then it is a **delegated** scope:
![enter image description here](https://i.imgur.com/GNqKefR.png)
***And hence you cannot assign this kind of permission to a user-assigned managed identity and generate a token.***
As a ***workaround***, you can instead **create app roles in the Microsoft Entra application**:
![enter image description here](https://i.imgur.com/WQ4rUwp.png)
**Now assign this app role to User managed identity:**
```powershell
Connect-AzureAD

# -ObjectId / -PrincipalId : object ID of the managed identity's service principal
# -Id                      : ID of the app role created under "App roles"
# -ResourceId              : object ID of the Microsoft Entra application's service principal
New-AzureADServiceAppRoleAssignment -ObjectId MIObjectID -Id AppRoleID -PrincipalId MIObjectID -ResourceId MicrosoftEntraServicePrincipalObjID
```
![enter image description here](https://i.imgur.com/gbT6iyi.png)
![enter image description here](https://i.imgur.com/ybzDFGo.png)
***ObjectID and PrincipalId will be:***
*Go to Enterprise applications -> search for your managed identity (with the filter set to All applications):*
![enter image description here](https://i.imgur.com/wrbMPTK.png)
***ResourceID is the Microsoft Entra Service principal objectID:***
![enter image description here](https://i.imgur.com/XMDgVR8.png)
Now, you can generate token by using below code:
```csharp
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

class Program
{
    static async Task Main(string[] args)
    {
        string clientId = "XXX"; // The Client ID of the user assigned identity

        // ManagedIdentityClientId pins the credential to the user-assigned identity;
        // without it, ManagedIdentityCredential falls back to the system-assigned identity.
        AccessToken token = await new DefaultAzureCredential(
                new DefaultAzureCredentialOptions { ManagedIdentityClientId = clientId })
            .GetTokenAsync(new TokenRequestContext(new[] { "api://XXX/.default" }));

        Console.WriteLine(token.Token);
    }
}
```
**Note** that: Managed Identity cannot be used locally because the security boundary of the managed identity is the Azure resource to which it is attached.
- Hence you need to make use of VMs, Web Apps or any other Azure resources to enable the identity and run the code. Refer to this [**Microsoft QnA**](https://learn.microsoft.com/en-us/answers/questions/454910/how-to-use-managed-identity-with-visual-studio-use).
- Refer to this [**blog**](https://www.c-sharpcorner.com/article/calling-web-api-to-web-api-without-user-interaction-by-using-azure-managed-ident/) by *Vikas Hooda* for a step-by-step implementation.

**To use SPN identity for creating MSAL token/Access token, check the below:**
For *sample*, I used the below PowerShell script to **assign permissions to the managed identity**:

```powershell
Connect-AzureAD

$TenantID = "TenantID"                                 # not used below, kept from the original script
$GraphAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph application ID (same in every tenant)
$NameOfMSI = "ruktestMI"
$PermissionName = "User.Read.All"

# Service principal of the managed identity
$MSI = (Get-AzureADServicePrincipal -Filter "displayName eq '$NameOfMSI'")
Start-Sleep -Seconds 10

# Microsoft Graph service principal in the tenant, and the matching Application-type app role
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
$AppRole = $GraphServicePrincipal.AppRoles | Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application" }

# Grant the app role (application permission) to the managed identity
New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
```
![enter image description here](https://i.imgur.com/lDgxVsf.png)
![enter image description here](https://i.imgur.com/sp1Cdhc.png)
Now to generate a token, you can make use of the below code as a workaround:

```csharp
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

class Program
{
    static async Task Main(string[] args)
    {
        string clientId = "XXXX"; // The Client ID of the user assigned identity

        // ManagedIdentityClientId pins the credential to the user-assigned identity;
        // the /.default scope requests every app role granted to it on Microsoft Graph.
        AccessToken token = await new DefaultAzureCredential(
                new DefaultAzureCredentialOptions { ManagedIdentityClientId = clientId })
            .GetTokenAsync(new TokenRequestContext(new[] { "https://graph.microsoft.com/.default" }));

        Console.WriteLine(token.Token);
    }
}
```
[![enter image description here][1]][1]
***By using the above access token, you can call Microsoft Graph API***
**Note that:** Either make use of Managed identity or the interactive flow (without passing the client secret), or make use of the ROPC flow, which is non-interactive and doesn't need a client secret to generate a token. Using SPN identity without a client secret and non-interactively, it is not possible to generate a token.
**Reference:**
[Options for obtaining an access token with Azure application to application authentication by Anoop](https://anoopt.medium.com/few-ways-of-obtaining-access-token-in-azure-application-to-application-authentication-40a9473a2dde)

[1]: https://i.stack.imgur.com/4p8HK.png
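Both C# snippets in the answer above only print the raw JWT. The check below is an added example, not part of Rukmini's answer: it inspects such a token offline and confirms it is an application-permission token of the kind a managed identity can actually receive, i.e. the `aud` matches the API, the app role granted with `New-AzureADServiceAppRoleAssignment` shows up in the `roles` claim, and there is no `scp` (delegated scope) claim. The app ID, tenant ID, managed-identity client ID and the role value `Data.Read.All` are placeholders, and the sample tokens are constructed and unsigned so the code runs without Azure. Signature and issuer validation are deliberately out of scope here; they belong to the resource API that accepts the token.

```python
"""Inspect an access token issued to a managed identity and confirm it carries
the expected app role (application permission) rather than a delegated scope.

Added example, not part of the original answer. The app ID, tenant ID,
managed-identity client ID and role value below are placeholders, and the
sample tokens are constructed and unsigned so that this runs offline.
This helper only inspects claims; signature and issuer validation must be
done by the resource API that accepts the token.
"""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_app_role_token(token: str, expected_aud: set, expected_role: str) -> dict:
    """Return named findings for an app-role (application permission) token.

    A managed identity can only receive application permissions, so a correct
    token has the role in 'roles' and carries no 'scp' (delegated scope) claim.
    """
    claims = decode_jwt_claims(token)
    aud = claims.get("aud")
    aud_values = set(aud) if isinstance(aud, list) else {aud}
    return {
        "aud_ok": bool(aud_values & expected_aud),
        "has_role": expected_role in claims.get("roles", []),
        "no_delegated_scope": "scp" not in claims,
    }


def is_app_role_token(token: str, expected_aud: set, expected_role: str) -> bool:
    """True only when every finding in check_app_role_token() passes."""
    return all(check_app_role_token(token, expected_aud, expected_role).values())


def make_unsigned_sample_token(claims: dict) -> str:
    """Build an UNSIGNED sample JWT (alg 'none') for offline tests only.

    Real Entra tokens are RS256-signed; a validator must never accept alg 'none'.
    """
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "",  # empty signature segment
    ])


# Placeholder identifiers (hypothetical, not real Entra objects).
APP_ID = "11111111-1111-1111-1111-111111111111"        # application (client) ID of the API
TENANT_ID = "22222222-2222-2222-2222-222222222222"
MI_CLIENT_ID = "33333333-3333-3333-3333-333333333333"  # client ID of the user-assigned identity
APP_ROLE = "Data.Read.All"                             # hypothetical app role value
# A v1 token carries 'api://<appId>' as audience, a v2 token the bare app ID; accept both.
EXPECTED_AUD = {f"api://{APP_ID}", APP_ID}

# Constructed sample: a token for api://<APP_ID>/.default after the app role
# has been assigned to the managed identity.
APP_ROLE_TOKEN = make_unsigned_sample_token({
    "aud": f"api://{APP_ID}",
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "appid": MI_CLIENT_ID,
    "roles": [APP_ROLE],
})

# Constructed sample of a delegated token (scope created under 'Expose an API').
# A managed identity cannot obtain one; an API expecting app roles must reject it.
DELEGATED_TOKEN = make_unsigned_sample_token({
    "aud": f"api://{APP_ID}",
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "scp": "access_as_user",
})


if __name__ == "__main__":
    for name, tok in (("app role token", APP_ROLE_TOKEN), ("delegated token", DELEGATED_TOKEN)):
        print(name, check_app_role_token(tok, EXPECTED_AUD, APP_ROLE))
```

To use it against a real token, pass the string printed by the C# snippet to `check_app_role_token` with the API's app ID and the role value; a missing `roles` entry usually means the `New-AzureADServiceAppRoleAssignment` step did not target the managed identity's service principal object ID, or the token was cached before the assignment and needs to be re-requested.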
