question

ASaurdiff-2020 asked sikumars commented

Using Azure runbooks to pass Azure AD commands authenticated by service principal API permissions. What permission do I need?

I am creating a business process for my org and am currently utilizing Azure runbooks to get the job done. The concern is that I don't want a Signed in user to be validated to run them and would like to granulate the permissions this "runbook" would have.

I have currently created the runbook to manipulate a user account, created a service principal and tried to adjust the API permissions accordingly, and a service account that is for on-prem permissions. I was told that the API permissions for Azure Active Directory were being deprecated and I could use the Graph API permissions instead, but the User.ReadWrite.All permission still does not allow me to use the Set-AzureADUser command in my runbook.

Is there a permission I may be missing or a process of running the runbook as the service principal? Currently I have an account that is part of the enterprise application authenticating on the runbook and the "run as" account.

Any help or guidance would be great.

Tags: azure-active-directory, azure-automation, azure-ad-graph

sikumars answered sikumars commented

Hello @ASaurdiff-2020 ,

Microsoft Graph API permissions only work with Microsoft Graph API level calls (https://graph.microsoft.com/), and the reason it was failing through PowerShell is that the AAD PowerShell V2 module still uses Azure AD Graph API (https://graph.windows.net) calls instead of Microsoft Graph API to retrieve AAD resource information; this is a known behavior of the AAD V2 PowerShell module.

As we all know, "Azure AD Graph API" is on a deprecation path, so our product group is working on migrating the AAD module from Azure AD Graph API to Microsoft Graph API before it is fully deprecated.

Therefore, you can either use an Azure AD role or an Azure AD Graph API permission for the service principal to delegate the permission.

Alternatively, you could check out Microsoft Graph PowerShell for Azure AD automation so you can granulate the permissions more by leveraging Microsoft Graph API permissions (like User.ReadWrite.All, User.Read.All, etc.). To know more, refer to this article.

Here are some example cmdlets when you use Microsoft Graph PowerShell:

To install the latest version, run Install-Module as Administrator, as here:
Install-Module Microsoft.Graph -Repository PSGallery -Force

To see a list of all cmdlets (which is looong), use Get-Command -Module "Microsoft.Graph.*"

Cmdlet to connect to Graph by using a service principal:

Connect-Graph -AppId "447672e9-da89-123f-a2b5-99232a7bb08a" -CertificateThumbprint "2DBD6360F4D1EFB478BA1EF311F25CDA4ABA70BF"


To get the top 10 users: Get-MgUser -Top 10 -Select Id, DisplayName, UserPrincipalName, UserType
To get a user by ID: Get-MgUser -UserId "669fd118-a9bc-4125-ba79-c8d397810c2d"
To update a user's attribute: Update-MgUser -UserId "669fd118-a9bc-4125-ba79-c8d397810c2d" -JobTitle "IT Dept"

Screenshot (graph-powershell-output)




Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



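As an added example (not code from the answer above), here is what the runbook body could look like when it follows the answer's suggestion: app-only sign-in with the service principal's certificate (Connect-Graph in the answer is an alias of Connect-MgGraph), a check of what the token actually carries before any write, and a single-attribute Update-MgUser. The app id, tenant id, thumbprint and parameter names are placeholders, and the Microsoft.Graph.Authentication and Microsoft.Graph.Users modules are assumed to be imported into the Automation account.

```powershell
# Added example, not part of the original answer. All ids below are placeholders.
param(
    [Parameter(Mandatory)] [string] $TargetUpn,
    [Parameter(Mandatory)] [string] $NewJobTitle
)

$AppId      = "00000000-0000-0000-0000-000000000000"     # placeholder app (client) id
$TenantId   = "00000000-0000-0000-0000-000000000000"     # placeholder tenant id
$Thumbprint = "0000000000000000000000000000000000000000" # placeholder cert thumbprint

try {
    # App-only sign-in: no signed-in user is involved, so only the application
    # permissions admin-consented to this service principal apply.
    Connect-MgGraph -ClientId $AppId -TenantId $TenantId `
        -CertificateThumbprint $Thumbprint -ErrorAction Stop

    # Inspect the session before acting: Get-MgContext exposes the auth type
    # and the permissions (scopes) present in the token. Failing here is
    # cheaper than a confusing 403 halfway through the process.
    $ctx = Get-MgContext
    if ($ctx.AuthType -ne 'AppOnly') {
        throw "Expected app-only authentication, got '$($ctx.AuthType)'."
    }
    if ($ctx.Scopes -notcontains 'User.ReadWrite.All') {
        throw "Missing User.ReadWrite.All; granted: $($ctx.Scopes -join ', ')"
    }

    # Resolve the target first so a wrong UPN fails loudly instead of silently.
    $user = Get-MgUser -UserId $TargetUpn -Property Id,UserPrincipalName,JobTitle -ErrorAction Stop
    Write-Output "Before: $($user.UserPrincipalName) JobTitle='$($user.JobTitle)'"

    # Write only the one attribute this business process needs.
    Update-MgUser -UserId $user.Id -JobTitle $NewJobTitle -ErrorAction Stop

    $after = Get-MgUser -UserId $user.Id -Property JobTitle -ErrorAction Stop
    Write-Output "After:  $($user.UserPrincipalName) JobTitle='$($after.JobTitle)'"
}
finally {
    # Drop the session so the token does not linger in the sandbox.
    Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null
}
```

The scope check is what answers the original question in practice: if User.ReadWrite.All is not listed by Get-MgContext, the permission was not admin-consented for the app, regardless of what the runbook's "Run as" account can do.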

Thank you, this is very clear and concise. Just to help me understand, your recommendation is to use the Microsoft Graph cmdlets instead of the Azure AD calls? This would allow me to use a PowerShell cmdlet level while still utilizing my current "Graph API" permissions I have access to?

My solution would be: install the Microsoft Graph module > replace Azure AD cmdlets with equivalent Graph module cmdlets > and access could be managed with Graph API permissions?
Does this sound right?


Yes, you can explore the equivalent Graph module cmdlets and see if that best suits your environment. Thanks!

sikumars answered ASaurdiff-2020 commented

Hello @ASaurdiff-2020,

Thanks for reaching out.

Try assigning the "Azure AD Directory Writers" role to the Azure runbook service principal from "Roles and administrators" in Azure AD, as shown in the screenshot below. I have tested it on my tenant and it works as expected.
Screenshot (aad-directory-writers-role)



Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



I see I can do that, but my team and I are attempting to granulate the permissions more. Is there no explanation on the API permissions allowing the equivalent of that role? They say that the Azure AD Graph is retired, but all the permissions I have for the API don't allow PowerShell scripts to run. Am I looking at this wrong? Do those Graph API permissions ONLY work with Graph level calls? I thought they would be equivalent to a custom role.
