0
votes

I am trying to create a Runbook which does some maintenance in Active Directory. On creation of an Automation Account, a "RunAs" account was created. In the runbook I connect to AD using the command below.

$connectionName = "AzureRunAsConnection"

# Get the connection "AzureRunAsConnection"
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

"Logging in to AzureAD..."
Connect-AzureAD `
 -TenantId $servicePrincipalConnection.TenantId `
 -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint `
 -ApplicationId $servicePrincipalConnection.ApplicationId `
 -LogLevel Info

This command runs fine; however, the subsequent use of AD cmdlets gives the following error:

$Users = Get-AzureADUser
Get-AzureADUser : Error occurred while executing GetUsers Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation. 
HttpStatusCode: Forbidden 
HttpStatusDescription: Forbidden 
HttpResponseStatus: Completed

The same is true for other cmdlets in the AD module, not just this one. I have tried adding API permissions through the registered application (relating to the Automation Account connection resource) in Active Directory, but I am still facing the above privileges issue.

Have you granted the admin consent after adding the permission in the registered application in AD? – Hury Shen
Yeah, I have granted admin consent for a set of API permissions, in this case those relating to reading users: User.Read, User.Read.All, User.ReadBasic.All – felix
And did you add application permissions? Delegated permissions won't work in this context. – juunas
@felix I tested it on my side (connecting with a service principal) and met the same issue as you. I will do some research and come back. – Hury Shen
Hi @felix, may I know if the permission I mentioned below can solve your problem? – Hury Shen

1 Answer

2
votes

According to some tests, you need to add the permissions of Azure AD, not Microsoft Graph. It seems the Get-AzureADUser command uses Azure AD Graph in the backend. So we need to do the operations as below:

[screenshot]

[screenshot]

After that we can use the command Get-AzureADUser successfully (if you test the command in PowerShell, after you add the Azure AD permission, please close PowerShell, reopen it and re-connect).
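As an added example (not code from the question or the answer above), the following runbook fragment makes the diagnosis above repeatable: it probes a directory read and, on Authorization_RequestDenied, lists which application permissions the RunAs service principal actually holds on Azure AD Graph versus Microsoft Graph, plus any delegated grants. It assumes the AzureAD module is imported in the Automation Account and the "AzureRunAsConnection" asset from the question exists. The two resource appIds are Microsoft's well-known values for the two Graph APIs; the functions Get-GrantedAppRoles and Get-DelegatedGrants are helpers written for this example, not part of any module.

```powershell
# Added example: verify which permissions the RunAs service principal really has.
# Assumes the AzureAD module and the AzureRunAsConnection asset from the question.

$servicePrincipalConnection = Get-AutomationConnection -Name "AzureRunAsConnection"
Connect-AzureAD `
    -TenantId $servicePrincipalConnection.TenantId `
    -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint `
    -ApplicationId $servicePrincipalConnection.ApplicationId | Out-Null

# Well-known appIds of the two APIs (documented by Microsoft). The AzureAD module
# talks to Azure AD Graph, so that is the resource whose permissions matter here.
$resources = [ordered]@{
    "Azure AD Graph (used by Get-AzureADUser)" = "00000002-0000-0000-c000-000000000000"
    "Microsoft Graph"                          = "00000003-0000-0000-c000-000000000000"
}

# Returns the *application* permissions (app roles) that $ClientAppId holds on
# $ResourceAppId. Admin-consented application permissions are stored as app role
# assignments on the resource service principal, so the query is made from that side.
function Get-GrantedAppRoles {
    param(
        [Parameter(Mandatory)] [string] $ClientAppId,
        [Parameter(Mandatory)] [string] $ResourceAppId
    )
    $client   = Get-AzureADServicePrincipal -Filter "appId eq '$ClientAppId'"
    $resource = Get-AzureADServicePrincipal -Filter "appId eq '$ResourceAppId'"
    if (-not $client -or -not $resource) { return @() }

    Get-AzureADServiceAppRoleAssignment -ObjectId $resource.ObjectId -All $true |
        Where-Object { $_.PrincipalId -eq $client.ObjectId } |
        ForEach-Object {
            $roleId = $_.Id                       # Id of the app role on the resource
            $role   = $resource.AppRoles | Where-Object { $_.Id -eq $roleId }
            [pscustomobject]@{
                Resource   = $resource.DisplayName
                Permission = $role.Value          # e.g. Directory.Read.All
            }
        }
}

# Delegated permissions are stored as OAuth2 permission grants instead. They are
# listed only to make the mismatch visible: a runbook has no signed-in user, so
# delegated grants (User.Read etc.) do not help it.
function Get-DelegatedGrants {
    param([Parameter(Mandatory)] [string] $ClientAppId)
    $client = Get-AzureADServicePrincipal -Filter "appId eq '$ClientAppId'"
    if (-not $client) { return @() }
    Get-AzureADOAuth2PermissionGrant -All $true |
        Where-Object { $_.ClientId -eq $client.ObjectId } |
        Select-Object ResourceId, ConsentType, Scope
}

$appId = $servicePrincipalConnection.ApplicationId
try {
    # Cheap probe: one user is enough to tell whether directory reads work.
    $null = Get-AzureADUser -Top 1
    "Directory read OK for application $appId"
}
catch {
    if ($_.Exception.Message -notmatch "Authorization_RequestDenied") { throw }
    Write-Warning "Authorization_RequestDenied for $appId. Permissions actually granted:"
    foreach ($name in $resources.Keys) {
        $roles = @(Get-GrantedAppRoles -ClientAppId $appId -ResourceAppId $resources[$name])
        $list  = if ($roles) { $roles.Permission -join ", " } else { "<no application permissions>" }
        "{0}: {1}" -f $name, $list
    }
    $delegated = @(Get-DelegatedGrants -ClientAppId $appId)
    if ($delegated) {
        "Delegated grants (ignored by a runbook): " + (($delegated.Scope -join " ").Trim())
    }
}
```

If the output shows application permissions only under Microsoft Graph, or only delegated scopes, that is the situation in the question: the Azure AD Graph line has to list an application permission such as Directory.Read.All, granted with admin consent, before Get-AzureADUser will succeed from a runbook. Azure AD Graph has since been retired and the AzureAD module deprecated in favour of the Microsoft Graph PowerShell SDK, so on a current tenant the fix is to move the runbook to Microsoft Graph rather than to add Azure AD Graph permissions.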