Asked by NusratJahanShaikh-3674 (edited):

Connect-AzureAD using PSCredential

I am trying to add a user to an AAD group using the Azure Automation service (PowerShell runbook).

I have created a credential asset (username: XYZ, password: ABC)

and then run the PowerShell script below, but I get the error below.

PowerShell script:

    # Fetch the stored credential asset and sign in with it
    $aadAdminCred = Get-AutomationPSCredential -Name 'PSCredUser'
    Connect-AzureAD -TenantId "xxxx" -Credential $aadAdminCred


Error:
+ Connect-AzureAD -TenantId "xxxx" -Cr ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : AuthenticationError: (:) [Connect-AzureAD], AggregateException
+ FullyQualifiedErrorId : Connect-AzureAD,Microsoft.Open.Azure.AD.CommonLibrary.ConnectAzureAD


Connect-AzureAD : parsing_wstrust_response_failed: Parsing WS-Trust response failed
At line:9 char:1
+ Connect-AzureAD -TenantId "xxxx" -Cr ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : AuthenticationError: (:) [Connect-AzureAD], AdalException
+ FullyQualifiedErrorId : Connect-AzureAD,Microsoft.Open.Azure.AD.CommonLibrary.ConnectAzureAD


1 Answer

Answered by tbgangav-MSFT (edited):

Hi @NusratJahanShaikh-3674,

I have tried to reproduce the error (parsing_wstrust_response_failed: Parsing WS-Trust response failed) but was not able to see any such error.
If you are trying to authenticate to the tenant using ADFS credentials from an Azure Automation runbook, then AFAIK it is not supported.
An Azure Automation Run As Account is a great way to authenticate securely with certificates and a service principal name without needing to store a username and password in a credential object. So, we could use this same Azure Automation Run As Account to log in to your Azure AD tenant in order to run Azure AD PowerShell commands. Below is a sample runbook to connect to an Azure AD tenant and get users.

    # Login to Azure AD PowerShell with the Run As Account (service principal + certificate)
    $connectionName = "AzureRunAsConnection"
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
    # Now you can log in to Azure AD PowerShell with your service principal and certificate
    Connect-AzureAD -TenantId $servicePrincipalConnection.TenantId `
                    -ApplicationId $servicePrincipalConnection.ApplicationId `
                    -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
    Get-AzureADUser | Select-Object ObjectType, UserPrincipalName
    Disconnect-AzureAD


Make sure the Azure Automation Run As Account (App) has sufficient permissions, i.e., in this case:

  1. add User.Read.All API permission (Azure portal -> Azure AD -> API permissions -> Microsoft Graph -> Application permissions -> User.Read.All ) and

  2. assign the Directory Readers role (Azure portal -> Azure AD -> Roles and administrators -> Directory Readers role -> assign this role) to it.


Similarly, you may have to add the Group.Read.All app permission, etc., if you want to read AD group information as well.

On the other hand, if you want us to troubleshoot or deep dive regarding the "parsing_wstrust_response_failed: Parsing WS-Trust response failed" error, then to fast-track resolution of your issue, please send mail to AzCommunity@microsoft.com and include your subscription ID and a link to this thread (for context), and my team will work with you via our technical support channel. Please include "Attn:Krishna" in the subject line so we can engage asap. Alternatively, you can raise a technical support request if you have a support plan.

Sources for the above response:
Use Azure AD to authenticate to Azure
Manage Office 365 services
Using the Azure Run As Account in Azure Automation to Connect to Azure AD with a Service Principal
Using a Service Principal to connect to a directory in PowerShell
Connect Azure Automation Runbook script with service principal for AzureAD
Authorization_RequestDenied



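The answer above shows how to connect with the Run As Account and read users; the question, however, is about adding a user to a group. The following runbook, an added example and not code from the answer or from Microsoft, extends the same certificate-based sign-in to an idempotent group-membership add. It assumes the Run As Account connection name "AzureRunAsConnection" as in the answer, and that the app registration has been granted a Microsoft Graph application permission that allows writing group membership (e.g. GroupMember.ReadWrite.All, an assumption beyond the read-only permissions the answer lists); the user and group names are runbook parameters, not stored in the script.

```powershell
param(
    [Parameter(Mandatory = $true)] [string] $UserPrincipalName,
    [Parameter(Mandatory = $true)] [string] $GroupDisplayName
)

# Stop on the first error so a failed sign-in never falls through to the write.
$ErrorActionPreference = 'Stop'

# Authenticate with the Run As Account's certificate; no username/password is stored
# in the runbook or in a credential asset. (Connection name assumed, as in the answer.)
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
Connect-AzureAD -TenantId $conn.TenantId `
                -ApplicationId $conn.ApplicationId `
                -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

try {
    # Resolve the group server-side by exact display name (quote escaped for the OData
    # filter) and refuse to continue if the name is ambiguous or missing.
    $safeName = $GroupDisplayName.Replace("'", "''")
    $groups = @(Get-AzureADGroup -Filter "displayName eq '$safeName'")
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$GroupDisplayName', found $($groups.Count)."
    }
    $group = $groups[0]

    # Get-AzureADUser accepts a UPN as -ObjectId; a missing user throws here.
    $user = Get-AzureADUser -ObjectId $UserPrincipalName

    # Idempotent: check current membership so re-running the job does not error out
    # on a duplicate add, and so the log shows whether anything actually changed.
    $members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true
    if ($members.ObjectId -contains $user.ObjectId) {
        Write-Output "$UserPrincipalName is already a member of '$GroupDisplayName'; nothing to do."
    }
    else {
        Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
        Write-Output "Added $UserPrincipalName to '$GroupDisplayName'."
    }
}
finally {
    # Always drop the session, even when the lookup or the add failed.
    Disconnect-AzureAD
}
```

If the app lacks the write permission, Add-AzureADGroupMember fails with an authorization error rather than silently doing nothing, which is the signal to have an admin grant the permission with admin consent instead of widening the Run As Account's role assignments.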

Hi @tbgangav-MSFT, thank you for your reply. We have tried this automation using Logic Apps as well, but we are not getting read-only permissions on the AD application from the Admin team, hence we were unable to automate this.

Is there any security breach issue if we get read access on the Azure AD application?

Also, how can we automate this without having application-level access?

Appreciate your help.

Thanks,
Nusrat
