Question from cthivierge (1 Vote); AnuragSingh-MSFT commented

Adding PIM roles using automation account

Hi,

I want to create a runbook that will add a specific role to a user account for a short period of time.

I decided to create a PS script, and it's working well on my computer.


Connect-AzureAD

$tenantID = "MyTenantID"   # replace with your tenant (directory) ID
$roleDisplayName = "Global Administrator"
$roleDefinitionID = (Get-AzureADMSRoleDefinition -Filter "DisplayName eq '$roleDisplayName'").Id
$targetuserID = (Get-AzureADUser -ObjectId MyUser@Mydomain.com).ObjectId # Replace user ID

# One-off schedule: active from now, expiring after 6 hours (UTC timestamps)
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$schedule.EndDateTime = ((Get-Date).AddHours(6)).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")

# Create temporary active role assignment
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $tenantID -RoleDefinitionId $roleDefinitionID -SubjectId $targetuserID -Type 'adminAdd' -AssignmentState 'Active' -Schedule $schedule -Reason "Adding MyUser to Global Admins for 6 hours"



This script is working well on my computer. But when I try to run this in a runbook in an Automation Account, it's not working... I receive several errors.
So I decided to try using a Hybrid Worker and to run this script from a VM.

I'm able to go further, but I still receive an error. I think that I'm really close to being happy :)

Open-AzureADMSPrivilegedRoleAssignmentRequest : Error occurred while executing OpenAzureADMSPrivilegedRoleAssignmentRequest
Code: UnauthorizedAccessException
Message: Attempted to perform an unauthorized operation.
InnerError:
RequestId: 394b84ad-91ad-461f-996f-5bba42fe9742
DateTimeStamp: Thu, 07 Apr 2022 18:07:59 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:77 char:1
+ Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Open-AzureADMSP...signmentRequest], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.OpenAzureADMSPrivilegedRoleAssignmentRequest


Any idea what could cause this issue?

My automation account already has several permissions:
- Microsoft.Graph / PrivilegeAccess.ReadAzureAD (Type: Application)
- Microsoft.Graph / PrivilegeAccess.ReadWriteAzureAD (Type: Application)
It also has the "Privileged role administrator" role.




Tags: azure-automation, azure-ad-privileged-identity-management

1 Answer

Answer from AnuragSingh-MSFT (0 Votes); AnuragSingh-MSFT commented

Hi @cthivierge,

Thanks for posting the question. Apologies for the delayed response.

Based on the error, it seems to be related to an authorization issue (the Run As account does not have enough permission to perform this operation). While navigating through the AzureADPreview module's documentation, I came across the RBAC requirements for role assignments - Prerequisites for role assignment. According to it:

[image 192120-image.png: the "Prerequisites for role assignment" table from the AzureADPreview documentation]

This does not seem to be related to Azure Automation; however, to rule it out, you may also use the same account to run the script outside Automation (using PowerShell on a machine) and see if that works.

Please let me know if you have any questions.


Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.


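Added example (not cthivierge's script and not Microsoft's reference code): a runbook version of the script from the question that signs in as the Automation Run As service principal with its certificate, first lists which directory roles that principal actually holds as active assignments (the "what can the Run As account do" check the answer above asks for, done from inside the job instead of from a workstation), and only then submits the time-bound assignment, keeping the Graph RequestId in the job log if the call is refused. It assumes the connection asset is named AzureRunAsConnection, that the AzureADPreview module is imported into the Automation account, and that the target UPN and role name arrive as runbook parameters; none of those names come from the thread.

```powershell
# Added example, not the original poster's script: runbook that authenticates as the
# Automation Run As service principal, checks what that principal can actually do, then
# submits the time-bound active PIM assignment.
# Assumptions (not from the thread): connection asset "AzureRunAsConnection",
# AzureADPreview imported into the Automation account, parameters supplied at job start.
param(
    [Parameter(Mandatory = $true)][string]$TargetUserUpn,
    [string]$RoleDisplayName = 'Global Administrator',
    [int]$DurationHours = 6,
    [string]$Reason = "Temporary $RoleDisplayName assignment via runbook"
)

$ErrorActionPreference = 'Stop'

# 1. Certificate-based sign-in as the Run As service principal (no user credentials involved).
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
Connect-AzureAD -TenantId $conn.TenantId `
                -ApplicationId $conn.ApplicationId `
                -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

# 2. Pre-flight: which directory roles does this identity hold as ACTIVE assignments?
#    Get-AzureADMSRoleAssignment does not list PIM eligible-only assignments, and a
#    service principal cannot activate an eligible role, so only what shows here counts.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$($conn.ApplicationId)'"
$roleNameById = @{}
foreach ($rd in Get-AzureADMSRoleDefinition) { $roleNameById[$rd.Id] = $rd.DisplayName }
$held = @(Get-AzureADMSRoleAssignment -Filter "principalId eq '$($sp.ObjectId)'" |
          ForEach-Object { $roleNameById[$_.RoleDefinitionId] })
Write-Output "Run As principal '$($sp.DisplayName)' active roles: $($held -join ', ')"
if ($held -notcontains 'Privileged Role Administrator' -and $held -notcontains 'Global Administrator') {
    throw "Run As principal has no active Privileged Role Administrator or Global Administrator assignment; expect the PIM request to be refused."
}

# 3. Resolve the role definition and the target user (same lookups as the question's script).
$roleDefinitionId = (Get-AzureADMSRoleDefinition -Filter "DisplayName eq '$RoleDisplayName'").Id
if (-not $roleDefinitionId) { throw "Role '$RoleDisplayName' not found in this tenant." }
$targetUserId = (Get-AzureADUser -ObjectId $TargetUserUpn).ObjectId

# 4. One-off schedule: active from now, expiring after $DurationHours (UTC, same format as the question).
$now = (Get-Date).ToUniversalTime()
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type          = 'Once'
$schedule.StartDateTime = $now.ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
$schedule.EndDateTime   = $now.AddHours($DurationHours).ToString('yyyy-MM-ddTHH:mm:ss.fffZ')

# 5. Submit the request; on failure the exception text (including the Graph RequestId) lands in the job log.
try {
    $req = Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $conn.TenantId `
               -RoleDefinitionId $roleDefinitionId -SubjectId $targetUserId -Type 'adminAdd' `
               -AssignmentState 'Active' -Schedule $schedule -Reason $Reason
    Write-Output "Submitted assignment request $($req.Id)"
}
catch {
    Write-Error "PIM request for $TargetUserUpn ($RoleDisplayName) was rejected: $($_.Exception.Message)"
    throw
}

# 6. Confirm what PIM now holds for the target and that the expiry is the one we asked for.
Get-AzureADMSPrivilegedRoleAssignment -ProviderId 'aadRoles' -ResourceId $conn.TenantId `
    -Filter "subjectId eq '$targetUserId' and roleDefinitionId eq '$roleDefinitionId'" |
    Select-Object AssignmentState, StartDateTime, EndDateTime
```

The pre-flight step is the useful part when chasing a 403 like the one in the question: Get-AzureADMSRoleAssignment only returns active assignments, so a Run As principal whose Global Administrator or Privileged Role Administrator membership exists solely as a PIM eligible assignment shows an empty list here, and because a service principal cannot activate an eligible role, that list is exactly what the PIM API will judge the caller by. Run the same block on the hybrid worker under Windows PowerShell with the certificate in the local store to compare against the job's output.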

Hi @AnuragSingh-MSFT
thanks for your answer.

Unfortunately, the automation account as well as the AzureRunAsAccount are both members of the "Global Administrators" group. Also, the Automation account probably has more permissions than it should need, but it's only a test ;)

[image 192444-1111111.png: screenshot attached by the poster]




I also tried using the runtime version 7.1 (preview) but still the same issue.

As I said in my original post, if I run the script on my computer using my credentials (Connect-AzureAD), everything works great.
I'm still able to run the script on the VM that is configured as the hybrid worker.
But as soon as the authentication is the Automation account, it fails.


Any other ideas?

Thanks!


@cthivierge, thank you for the clarification. Did you try running the script on your local machine using the same account as being used in Automation runas but in PowerShell (and not as Automation job)? (I am sorry if I missed this information in the post above).


Hi @AnuragSingh-MSFT

I cannot run the same script on my computer because I don't have the Automation Account certificate in my computer store, but I did install it on my Azure VM (the hybrid worker), and if I log on locally to this VM and try to run the same script, it fails with the same error message.

Open-AzureADMSPrivilegedRoleAssignmentRequest : Error occurred while executing OpenAzureADMSPrivilegedRoleAssignmentRequest
Code: UnauthorizedAccessException
Message: Attempted to perform an unauthorized operation.
InnerError:
RequestId: 5c622a5a-4275-4913-bb46-90e45a6d987d
DateTimeStamp: Wed, 13 Apr 2022 04:07:27 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:47 char:11
+ $result = Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId ' ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Open-AzureADMSP...signmentRequest], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.OpenAzureADMSPrivilegedRoleAssignmentRequest



But, if I run the same PowerShell script using my credentials and not the Automation Account creds, the script works well.

Thanks!


@cthivierge, thank you for the information. I am reaching out to our team for a review and help on it. We will keep you posted. Thank you
