Connect-AzureAD using Managed Identity without Azure AD Graph Token

Jesus Chao 141 Reputation points
2022-04-14T17:12:28.343+00:00

Recently, we received an email in regards to the retirement of Azure AD Graph. We understand that the retirement has been postponed to December 31, 2022.

I use connect-azuread powershell cmdlet to connect to AzureAD in Azure Automation using the System Managed Identity. I noticed that our function uses both the MS Graph token and the Azure AD token. When I attempted to remove the Azure AD token from the string, the Connect-AzureAD cmdlet does not work.

Can someone tell me if there is something I am missing when it comes to connecting to Azure AD using a System Managed Identity within Azure Automation? If Azure AD Graph is retiring soon, how am I supposed to remove this parameter if it does not work?

# Sign in with the Automation account's system-assigned managed identity
$AzureContext1 = Connect-AzAccount -Identity
$global:AzureContext = Set-AzContext -SubscriptionName $AzureContext1.Context.Subscription -DefaultProfile $AzureContext1.Context

# Token for Microsoft Graph
$global:GraphToken = Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com/"

# Original code that works, with both the MS Graph and the Azure AD Graph tokens
#$global:AzAdToken = Get-AzAccessToken -ResourceUrl "https://graph.windows.net" -ErrorAction Stop
#Connect-AzureAD -AccountId $AzureContext.Account.Id -TenantId $AzureContext.Tenant.Id -AadAccessToken $AzAdToken.Token -MsAccessToken $GraphToken.Token -ErrorAction Stop | Out-Null

# Removing the Azure AD Graph parameter
Connect-AzureAD -AccountId $AzureContext.Account.Id -TenantId $AzureContext.Tenant.Id -MsAccessToken $GraphToken.Token | Out-Null
Disconnect-AzAccount

Error when -AadAccessToken parameter is removed.
Cannot process command because of one or more missing mandatory parameters: AadAccessToken


Accepted answer
  1. AnuragSingh-MSFT 19,686 Reputation points
    2022-04-19T10:41:40.537+00:00

    Hi @Jesus Chao

    Welcome to Microsoft Q&A! Thanks for posting the question.

    I understand that you are trying to migrate your Azure Automation Runbooks from Azure AD Graph to Microsoft Graph. Based on the doc here, Microsoft Graph is similar to the earlier Azure Active Directory (Azure AD) Graph. In many cases, simply change the endpoint service name and version in your code, and everything should continue to work. You may also refer to FAQ here for additional details: Azure AD Graph to Microsoft Graph migration FAQ.

    ---
    Update 04/20
    As part of this migration, users of the AzureAD PowerShell module need to migrate to Microsoft Graph PowerShell. Based on the migration guide, Azure AD PowerShell will continue to function after June 2022 to allow users more time to migrate to Microsoft Graph PowerShell. Please refer to the migration guide for PowerShell here: Azure AD PowerShell to Microsoft Graph PowerShell migration FAQ.

    Also, please refer to this GitHub issue for using Microsoft Graph PowerShell SDK with Managed Identity.

    Feel free to reach out to us in case you have any questions.

    ---
    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.
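The accepted answer points at the Microsoft Graph PowerShell SDK with a managed identity but gives no runbook. The block below is an added example, not code from the thread or from Microsoft's docs: the same runbook rewritten so that it requests only a Microsoft Graph token (graph.microsoft.com) and never touches graph.windows.net, which is exactly the token `Connect-AzureAD` still insists on. It assumes the Az.Accounts, Microsoft.Graph.Authentication and Microsoft.Graph.Users modules are imported into the Automation account, and that the system-assigned identity has already been granted the `User.Read.All` application permission on Microsoft Graph. The version check is an assumption about the SDK: Microsoft.Graph 1.x takes `-AccessToken` as a plain string, 2.x as a SecureString.

```powershell
# Added example (not from the thread): Azure Automation runbook that uses the
# system-assigned managed identity to call Microsoft Graph with no Azure AD Graph token.
# Assumes modules Az.Accounts, Microsoft.Graph.Authentication and Microsoft.Graph.Users
# are imported into the Automation account.

# Do not inherit a cached AzContext from the sandbox
Disable-AzContextAutosave -Scope Process | Out-Null

try {
    $AzureContext = (Connect-AzAccount -Identity -ErrorAction Stop).Context
}
catch {
    Write-Output "No system-assigned managed identity is available. Aborting."
    throw
}

$AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription `
    -DefaultProfile $AzureContext

# Token for Microsoft Graph only; graph.windows.net is never requested
$graphToken = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com/").Token

# Assumption: Microsoft.Graph 2.x wants a SecureString, 1.x wants a plain string
$authModule = Get-Module -Name Microsoft.Graph.Authentication -ListAvailable |
    Sort-Object Version -Descending | Select-Object -First 1
if ($authModule.Version.Major -ge 2) {
    $secureToken = ConvertTo-SecureString -String $graphToken -AsPlainText -Force
    Connect-MgGraph -AccessToken $secureToken -NoWelcome | Out-Null
}
else {
    Connect-MgGraph -AccessToken $graphToken | Out-Null
}

# Log which app roles the identity actually holds; this is what fails with 403 when
# the permission grant was forgotten, so it is worth seeing in the job output
$ctx = Get-MgContext
Write-Output ("Connected to tenant {0} as {1}; app roles: {2}" -f `
    $ctx.TenantId, $ctx.AppName, ($ctx.Scopes -join ', '))

# Replacement for Get-AzureADUser
Get-MgUser -Top 3 -Property Id, DisplayName, UserPrincipalName |
    Select-Object DisplayName, UserPrincipalName

Disconnect-MgGraph | Out-Null
Disconnect-AzAccount | Out-Null
```

With Microsoft.Graph 2.x the token round-trip through Az.Accounts can be dropped entirely: `Connect-MgGraph -Identity` authenticates with the system-assigned identity directly (add `-ClientId` for a user-assigned one). Keep the `Get-MgContext` line either way; a runbook that silently runs with far broader app roles than it needs is a standing credential-misuse risk.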


1 additional answer

  1. Rahul Mahajan 1 Reputation point
    2022-09-06T11:21:04.737+00:00

    @Jesus Chao

    Try the code below:

    # Ensures you do not inherit an AzContext in your runbook
    Disable-AzContextAutosave -Scope Process | Out-Null

    # Connect using a Managed Service Identity
    try {
        $AzureContext = (Connect-AzAccount -Identity).Context
    }
    catch {
        Write-Output "There is no system-assigned user identity. Aborting."
        exit
    }

    # Set and store context
    $AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription `
        -DefaultProfile $AzureContext

    Get-AzADUser | Select-Object -First 3

    Just make sure your system-assigned identity has the correct permissions.
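The answer above ends with "make sure your system-assigned identity has the correct permissions", and the managed identity has no Microsoft Graph permissions at all until an administrator grants them; there is no portal consent button for a managed identity, so this is done by assigning an app role to its service principal. The block below is an added example, not code from the thread: it is run once by an administrator from their own workstation, not in the runbook. The Automation account name `my-automation-account` and the choice of `User.Read.All` are hypothetical; the Microsoft Graph application ID `00000003-0000-0000-c000-000000000000` is the well-known value that is the same in every tenant. It assumes the Microsoft.Graph.Applications module is installed and the signed-in admin can consent to `AppRoleAssignment.ReadWrite.All`.

```powershell
# Added example (not from the thread): grant the Automation account's system-assigned
# managed identity one Microsoft Graph application permission. Run by an administrator,
# not inside the runbook. Assumes Microsoft.Graph.Applications is installed.

$automationAccountName = 'my-automation-account'   # hypothetical name
$requiredRole          = 'User.Read.All'           # least permission the runbook needs; widen only with a reason

Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All' | Out-Null

# Microsoft Graph's well-known application ID, identical in every tenant
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# The system-assigned identity's service principal carries the Automation account's name;
# restricting to ManagedIdentity avoids picking up an app registration with the same name
$miSp = Get-MgServicePrincipal -Filter "displayName eq '$automationAccountName' and servicePrincipalType eq 'ManagedIdentity'"
if (-not $miSp) {
    throw "No managed identity service principal named '$automationAccountName'; is the system-assigned identity enabled?"
}

# Pick the *application* role (AllowedMemberTypes contains 'Application'), not a delegated scope
$appRole = $graphSp.AppRoles |
    Where-Object { $_.Value -eq $requiredRole -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $appRole) { throw "App role '$requiredRole' not found on Microsoft Graph" }

# Idempotent: skip if the assignment already exists
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id |
    Where-Object { $_.AppRoleId -eq $appRole.Id -and $_.ResourceId -eq $graphSp.Id }

if ($existing) {
    Write-Output "$requiredRole is already assigned to $automationAccountName"
}
else {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id `
        -PrincipalId $miSp.Id -ResourceId $graphSp.Id -AppRoleId $appRole.Id | Out-Null
    Write-Output "Assigned $requiredRole to $automationAccountName"
}

# Review everything the identity holds; anything not on the runbook's list should be removed
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id |
    Select-Object ResourceDisplayName, AppRoleId, CreatedDateTime

Disconnect-MgGraph | Out-Null
```

Tokens issued to the managed identity after this carry the new role in the `roles` claim within a few minutes; a runbook that was already running keeps its old token until it expires. Prefer the narrowest role that satisfies the runbook (`User.Read.All` for listing users, not `Directory.Read.All` or `Directory.ReadWrite.All`), because an Automation job is a long-lived, unattended principal and any role you grant it is available to anyone who can edit or trigger the runbook.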