0
votes

Running the below code and trying to get values from Azure AD using an Automation runbook account. It's giving a permission denied error. I have followed these steps, still unable to get a result. Please let me know if someone faces a similar issue or knows how to solve it.

Code:

$connectionName = "AzureRunAsConnection"
# Get the Service Principal connection details for the Connection name
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName         

# Logging in to Azure AD with Service Principal
"Logging in to Azure AD..."
Connect-AzureAD -TenantId $servicePrincipalConnection.TenantId `
    -ApplicationId $servicePrincipalConnection.ApplicationId `
    -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint

"List Tenant Org Details:"
Get-AzureADTenantDetail | Select DisplayName, Street, PostalCode, City, CountryLetterCode

"Member Account Synced Count:"
(Get-AzureADUser -All $true -Filter "userType eq 'Member' and accountEnabled eq true" | Where-Object {$_.DirSyncEnabled -eq $true}).Count
"Disabled Users Count:"
(Get-AzureADUser -All $true -Filter 'accountEnabled eq false').Count
"Guest User Count:"
(Get-AzureADUser -All $true -Filter "userType eq 'Guest'").Count
"Cloud Only Account Count:"
(Get-AzureADUser -All $true -Filter "userType eq 'Member'" | Where-Object {$_.userPrincipalName -like "*onmicrosoft.com"}).Count

Error:

Get-AzureADUser : Error occurred while executing GetUsers Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation. RequestId: "" DateTimeStamp: Fri, 26 Jun 2020 04:07:45 GMT HttpStatusCode: Forbidden HttpStatusDescription: Forbidden HttpResponseStatus: Completed

At line:21 char:2
+ (Get-AzureADUser -All $true -Filter "userType eq 'Guest'").Count
    + CategoryInfo          : NotSpecified: (:) [Get-AzureADUser], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetUser
1
Hi, since you mentioned following another post's steps, I guess you have already added the AD Graph permission (Directory.Read.All). If you already added the permission, please don't forget to grant admin consent for it. And please open another PowerShell window to re-connect with the service principal and then try the Get-AzureADUser command, because maybe there's a caching problem in the PowerShell window. – Hury Shen

@HuryShen It's still getting the same error. I have applied the AD Graph permission (Directory.Read.All) and granted admin consent for it. I am using an Automation runbook for the above script. Do you think I need to add permission on the service account? – rishi

No, I don't think you need to add permission to the account. As you connect to AD by service principal, you just need to add permissions to the app registered in AD. It seems your steps are correct. Could you please try running the same script in PowerShell to test if it can get the users successfully? – Hury Shen

1 Answer

2
votes

@Hury shen

Found the answer

Go to Azure portal --> Azure AD --> Roles and administrators --> Directory Readers role --> assign this role to the runbook account name.
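The accepted answer assigns the Directory Readers role through the portal. The script below is an added example, not code from the question or the answer, that does the same check and assignment with the AzureAD module so it can be reviewed and repeated: it looks up the Run As service principal by its application ID, reports whether it already holds Directory Readers, and only grants the role when `-Grant` is passed. It assumes an administrator has already run `Connect-AzureAD` interactively with rights to manage role assignments; `$RunAsApplicationId` is a placeholder to be filled from the runbook's `AzureRunAsConnection` asset.

```powershell
param(
    # Application (client) ID of the Run As service principal.
    # Placeholder: copy it from the AzureRunAsConnection asset of the Automation account.
    [Parameter(Mandatory)] [string]$RunAsApplicationId,
    # Without -Grant the script only reports; with -Grant it assigns the role.
    [switch]$Grant
)

# Assumes an admin session: Connect-AzureAD has already been run interactively.
$sp = Get-AzureADServicePrincipal -Filter "AppId eq '$RunAsApplicationId'"
if (-not $sp) {
    throw "No service principal found for AppId $RunAsApplicationId"
}

# Get-AzureADDirectoryRole lists only roles already activated in the tenant.
# If Directory Readers has never been activated, enable it from its template.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Directory Readers' }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq 'Directory Readers' }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Check the current membership before touching anything.
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
$hasRole = @($members.ObjectId) -contains $sp.ObjectId

if ($hasRole) {
    "Run As principal '$($sp.DisplayName)' already holds Directory Readers."
}
elseif ($Grant) {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
    "Granted Directory Readers to '$($sp.DisplayName)'."
}
else {
    "Run As principal '$($sp.DisplayName)' lacks Directory Readers; rerun with -Grant to assign it."
}
```

Run it first without `-Grant` to confirm the principal is the one the runbook actually uses, then with `-Grant`. Directory Readers is a read-only role, which is all the `Get-AzureADTenantDetail` and `Get-AzureADUser` queries in the question need; a broader role such as Global Reader or User Administrator would work too but gives the runbook more than it uses. Note that the AzureAD module used on this page has since been deprecated in favour of the Microsoft Graph PowerShell SDK, so newer runbooks should do the equivalent with `Get-MgDirectoryRole` and related cmdlets.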