If you require a user-assigned managed identity to access graph it cannot to my knowledge be done via the portal. You need to find the service principal id using graph.

Here I’m using the graph module in powershell to get the id from the msi

$displayname = "msi-test"
$spId = Get-MgServicePrincipal -ConsistencyLevel eventual -Search "DisplayName:$displayName" | select-object id

I also need to get the approle ids that are available. There is a Microsoft Graph Application in your tenant that always have the same guid.

$mgGraphAppId = "00000003-0000-0000-c000-000000000000"
$roleData = Get-MgServicePrincipal -ConsistencyLevel eventual -Search "appId:$mgGraphAppId" | Select-Object appDisplayName, appId, appRoles
$roleId = $roleData.appRoles | Where-Object { $_.value -eq $roleValue } | Select-Object -ExpandProperty Id

Now we need to get the app id

$mgGraphId = Get-MgServicePrincipal -ConsistencyLevel eventual -Search "appId:$mgGraphAppId" | Select-Object -ExpandProperty Id 

Putting it all together and adding the role

$roleId = Application.Read.All
$params = @{
    principalId = $spId
    resourceId  = $mgGraphId
    appRoleId   = $roleId
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spId -BodyParameter $params