RossPhillips-3854 asked, SwathiDhanwada-MSFT edited

Running Get-AzureADUser in an Azure Automation runbook gets Authorization_RequestDenied

I have made the Run As account an owner of the Automation account, but it still does not have authorization to run the Get-AzureADUser cmdlet.

Connect-azuread -TenantId 0650a7d8-f107-4bbf-b2df-7d9d6ab58a32 -ApplicationId 00ac0103-fd0d-4c3b-9e62-576729437767 -CertificateThumbprint 9CBA5AEC0ED6A87D9Dzzzzzzzzzzzzzzzz

$all_users= get-azureaduser -all 10000

How can I get a PowerShell script to use the AzureAD cmdlets with the Run As account?

azure-automation

1 Answer

SwathiDhanwada-MSFT answered, SwathiDhanwada-MSFT edited

@RossPhillips-3854 The service principal for a Run As account does not have permissions to read Azure AD by default. If you want to add permissions to read or manage Azure AD, you must grant the permissions on the service principal under API permissions. To learn more, see Add permissions to access your web API.

To add required permissions in the token, you need to first copy the Client ID (aka App ID) that you are using in your request to get the Access Token and then navigate to:

Azure Portal > Azure Active Directory > App Registration > All Applications > Search with the ClientID/AppID of RunAsAccount

In that application, navigate to:

API permissions > Add a permission > Azure Active Directory Graph > Application permissions > Expand Directory > Select the required permissions as shown below. Once the permissions are added, click the Grant admin consent button for your tenant.

[screenshot: 109466-image.png, the API permissions blade with the Directory permissions selected]

After adding the permissions, try executing the runbook again.

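As an added example (not code from either post), here is the runbook pattern the answer implies once the API permission has been granted in the portal: it reads the Run As connection with Get-AutomationConnection, signs in with Connect-AzureAD using the certificate thumbprint, and turns an Authorization_RequestDenied failure into an error message that names the app registration an operator needs to fix. It assumes the AzureAD module is imported into the Automation account and that the connection asset has the default name AzureRunAsConnection; the permission name Directory.Read.All in the error text is an assumption about which Directory permission is needed, since the answer leaves the exact selection to the screenshot.

```powershell
# Added example runbook: authenticate to Azure AD with the Automation Run As
# connection and report missing API permissions clearly. Not part of the
# original question or answer.
param(
    # Name of the Run As connection asset (assumption: the default name)
    [string]$ConnectionName = 'AzureRunAsConnection'
)

$ErrorActionPreference = 'Stop'

# The connection asset carries TenantId, ApplicationId and CertificateThumbprint;
# the matching certificate is installed in the sandbox by the Automation service.
$conn = Get-AutomationConnection -Name $ConnectionName

Connect-AzureAD -TenantId $conn.TenantId `
                -ApplicationId $conn.ApplicationId `
                -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

Write-Output "Signed in to tenant $($conn.TenantId) as app $($conn.ApplicationId)"

try {
    # -All takes a Boolean in the AzureAD module; $true pages through every user.
    $allUsers = Get-AzureADUser -All $true
    Write-Output "Read $($allUsers.Count) users from Azure AD"
}
catch {
    if ($_.Exception.Message -match 'Authorization_RequestDenied') {
        # The service principal has no Azure AD read permission yet: point the
        # operator at the app registration that needs the permission granted.
        Write-Error ("Azure AD refused the request. Grant an application permission " +
                     "such as Directory.Read.All to app registration $($conn.ApplicationId) " +
                     "under API permissions, click 'Grant admin consent', then re-run.")
    }
    throw
}
```

Keeping the connection details in the connection asset rather than in the script, as the question's hard-coded Connect-AzureAD line does, also means the thumbprint and tenant ID are not exposed in the runbook source or its job history.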