Azure AD Authentication (Connect-AzureAD) in Azure Automation


It is now possible (and has been for a while) to modify Azure AD from Azure Automation. The example below uses the Automation account's Run As account to connect to Azure AD and then run the appropriate commands. You can also create a dedicated Run As account if you want, or use a username and password (less secure).

Before you write your code make sure that you:

  • Add the “AzureAD” module to the Automation Account
  • Give the Azure Automation Run As account the appropriate permissions as shown at the end of this article

Automation Code example (list all the groups in AD):
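
The runbook below is an added example, not the original post's code: it signs in to Azure AD with the Automation account's Run As connection (certificate-based, so no password is stored in the runbook) and lists every group in the directory. It assumes the AzureAD module has been imported into the Automation account and that the Run As connection asset keeps its default name, `AzureRunAsConnection`.

```powershell
# Added example runbook (not the original post's code).
# Assumes: AzureAD module imported into the Automation account, and the
# Run As connection asset is named "AzureRunAsConnection" (the default).

$connectionName = "AzureRunAsConnection"

try {
    # Read the Run As connection asset: tenant id, application (client) id
    # and the thumbprint of the certificate uploaded to the Automation account.
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

    # Authenticate as the Run As service principal using its certificate.
    Connect-AzureAD -TenantId $servicePrincipalConnection.TenantId `
                    -ApplicationId $servicePrincipalConnection.ApplicationId `
                    -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint | Out-Null
}
catch {
    if (-not $servicePrincipalConnection) {
        throw "Connection asset '$connectionName' was not found in this Automation account."
    }
    # Any other failure (expired certificate, wrong tenant, ...) is surfaced as-is
    # so the job shows up as Failed rather than silently returning nothing.
    throw
}

# List all groups. -All $true pages through the whole directory instead of
# stopping at the default first page of results.
Get-AzureADGroup -All $true |
    Select-Object DisplayName, ObjectId, SecurityEnabled, MailEnabled
```

If the Run As app registration has not been granted directory read permission (and an administrator has not clicked "Grant permissions"), `Get-AzureADGroup` fails with `Authorization_RequestDenied` / `Forbidden`, which is the symptom described in the first comment below; the fix is the permission grant in the next section, not a change to the runbook.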

Give the Azure Automation Run As account the appropriate permissions:

  • Go to Azure Active Directory -> App registrations -> the Run As account.
  • Then go to the API access as shown:

  • Give the appropriate access, example below:

Don’t forget to click grant permissions!

3 thoughts on “Azure AD Authentication (Connect-AzureAD) in Azure Automation”

  1. Is this still working for you? Executed verbatim, I get the following output:

    Failed
    Error occurred while executing GetGroups
    Code: Authorization_RequestDenied
    Message: Insufficient privileges to complete the operation.
    HttpStatusCode: Forbidden
    HttpStatusDescription: Forbidden
    HttpResponseStatus: Completed
    (Error occurred while executing GetGroups
    Code: Authorization_RequestDenied
    Message: Insufficient privileges to complete the operation.
    HttpStatusCode: Forbidden
    HttpStatusDescription: Forbidden
    HttpResponseStatus: Completed
    )

    This is after assigning the “Read and write directory data” permission, as well as a 2nd attempt to just grant it all access for temporary testing.

    I did have a brief consultation with Microsoft Support on this, and they mentioned that service principals have some limitations. For example, “you can’t retrieve things like role assignments using a service principal”.

    Just curious if this is still working for you – and if so, were there any other setups or configurations needed that were maybe not covered here?

    Thanks!

  2. hi, Teddysun,
    great post! When I click the “grant permission” button, I get this message:
    {"errorCode":"Authorization_RequestDenied","localizedErrorDetails":{"errorDetail":"This application requires application permissions to another application. Consent for application permissions can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators."
    Not sure if it is really about my permission or whether something was wrong. The only odd thing I found is that when I click “app registration”, the name of the app is something like “aadauto_zVPvIX6……blabla”. The aadauto is actually my automation account.
