Enable Conditional Access Policy from Azure Automation Runbook

COUMET Charles 41 Reputation points
2023-01-12T15:07:52.2533333+00:00

Hi !

I want to enable a Conditional Access Policy periodically with Azure Automation Account.

I'm using a user-assigned managed identity. I gave it the "Security administrator" role from Azure AD.

I can successfully connect to AzureAD from my runbook with these commands:

Connect-AzAccount -Identity -AccountId 'XXX'
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com").AccessToken
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id

I can get users successfully, so the connection is OK.

But when I try to do this:

Set-AzureADMSConditionalAccessPolicy -PolicyId 'XXX' -State 'Enabled'

I get the error: "Object reference not set to an instance of an object."

In a second try, I tried with MS Graph:

Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 'XXX' -State 'Enabled'

but this time I get: "Applications without a signed-in user are not allowed access to this report or data."

If anyone has ever seen this error ...

Thanks in advance :)


2 answers

  1. Andy David - MVP 141.6K Reputation points MVP
    2023-01-12T15:29:01.7333333+00:00

    You typically will need to set the scope with MGGraph and pass the required parameters:

    https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.signins/update-mgidentityconditionalaccesspolicy?view=graph-powershell-1.0

    Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'
    

  2. JamesTran-MSFT 36,371 Reputation points Microsoft Employee
    2023-01-17T23:10:08.7+00:00

    @COUMET Charles

    Thank you for your post and I apologize for the delayed response!

    Error Message:

    You cannot perform the requested operation, required scopes are missing in the token.

    From your error message, and adding onto what was shared by @Andy David - MVP, you can log in by passing the access token when using Delegated Access. However, if you're using an identity other than CurrentUser, you'll have to sign in specifying the -ContextScope parameter. For more info:

    Authentication and authorization errors:

    If you're using Delegated access, you can find the permissions required by running:

    Find-MgGraphCommand -Command New-MgServicePrincipal | Select-Object -First 1 -ExpandProperty Permissions

    Name                      IsAdmin Description                 FullDescription
    ----                      ------- -----------                 ---------------
    Application.ReadWrite.All True    Read and write applications Allows the app to create, read, update and delete applications and service principals on your behalf. Does not allow management of consent grants.

    I hope this helps!

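Added worked example (editor's code, not code from the question or from either answer). It shows the two halves of running Update-MgIdentityConditionalAccessPolicy under a user-assigned managed identity: a one-time, interactive grant of the Microsoft Graph *application* permission Policy.ReadWrite.ConditionalAccess to the managed identity's service principal, and the runbook body that signs in app-only and toggles the policy. The point it illustrates is that `Connect-MgGraph -Scopes` only shapes a delegated (signed-in user) token; an app-only token carries the app roles assigned to the service principal, and the Graph Conditional Access endpoints check those roles, which is why the "Applications without a signed-in user..." error appears when no app role has been assigned. The managed identity display name, client ID and policy ID are placeholders, and the block assumes the Microsoft.Graph PowerShell SDK 2.x (for `-Identity`, `-ClientId` and `-NoWelcome`) is imported into the Automation account.

```powershell
# ---------------------------------------------------------------------------
# Part 1: one-time setup. Run interactively as an admin who can consent to
# AppRoleAssignment.ReadWrite.All, NOT inside the runbook.
# Grants the Graph application permission Policy.ReadWrite.ConditionalAccess
# to the user-assigned managed identity's service principal.
# ---------------------------------------------------------------------------
$ManagedIdentityName = 'aa-ca-toggle-uami'                      # assumption: display name of the UAMI
$GraphAppId          = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph app ID
$RequiredAppRole     = 'Policy.ReadWrite.ConditionalAccess'

Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All', 'Application.Read.All' -NoWelcome

$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$miSp    = Get-MgServicePrincipal -Filter "displayName eq '$ManagedIdentityName'"
if (-not $miSp) { throw "Managed identity '$ManagedIdentityName' has no service principal in this tenant" }

# Application permissions are the AppRoles whose AllowedMemberTypes include 'Application'.
$appRole = $graphSp.AppRoles | Where-Object {
    $_.Value -eq $RequiredAppRole -and $_.AllowedMemberTypes -contains 'Application'
}
if (-not $appRole) { throw "Graph does not expose an application permission named '$RequiredAppRole'" }

# Idempotent: do not create a duplicate assignment on re-runs.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id |
    Where-Object { $_.AppRoleId -eq $appRole.Id -and $_.ResourceId -eq $graphSp.Id }
if (-not $existing) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id `
        -PrincipalId $miSp.Id -ResourceId $graphSp.Id -AppRoleId $appRole.Id | Out-Null
    Write-Output "Assigned $RequiredAppRole to '$ManagedIdentityName' (allow a few minutes to propagate)"
} else {
    Write-Output "$RequiredAppRole already assigned to '$ManagedIdentityName'"
}
Disconnect-MgGraph | Out-Null

# ---------------------------------------------------------------------------
# Part 2: runbook body. Save as its own PowerShell runbook in the Automation
# account; schedule it to enable the policy periodically.
# ---------------------------------------------------------------------------
$UamiClientId = '<client-id-of-the-user-assigned-managed-identity>'   # assumption
$PolicyId     = '<conditional-access-policy-object-id>'               # assumption
$TargetState  = 'enabled'   # Graph accepts: enabled, disabled, enabledForReportingButNotEnforced

# App-only sign-in with the user-assigned managed identity. No -Scopes here:
# the roles in the token come from the app role assignment made in Part 1.
Connect-MgGraph -Identity -ClientId $UamiClientId -NoWelcome

# Fail early with a readable message instead of the generic Graph error.
$ctx = Get-MgContext
if ($ctx.AuthType -ne 'AppOnly') { throw "Expected an app-only context, got '$($ctx.AuthType)'" }
if ($ctx.Scopes -notcontains 'Policy.ReadWrite.ConditionalAccess') {
    throw "Token has no Policy.ReadWrite.ConditionalAccess app role; check the app role assignment on the managed identity"
}

$before = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId
Write-Output "Policy '$($before.DisplayName)' state before: $($before.State)"

if ($before.State -ne $TargetState) {
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -State $TargetState
}

# Read the policy back and verify the change took effect.
$after = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId
if ($after.State -ne $TargetState) { throw "Policy state is '$($after.State)' after update, expected '$TargetState'" }
Write-Output "Policy '$($after.DisplayName)' state after: $($after.State)"
```

Two caveats worth keeping in mind. Policy.ReadWrite.ConditionalAccess is tenant-wide: the identity can rewrite every Conditional Access policy, not just the one it toggles, so the Automation account and its runbook permissions deserve the same protection as a Conditional Access Administrator account. And if you stay with the AzureAD module instead, the AzureADMS* cmdlets call Microsoft Graph rather than Azure AD Graph, so the Microsoft Graph token you already acquire as $graphToken has to be handed to Connect-AzureAD via -MsAccessToken alongside -AadAccessToken; omitting it is a common cause of the null-reference error on those cmdlets.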