
Using system-assigned Managed Identity in Azure Automation account

Shawn Goodwin 176 Reputation points
May 17, 2023, 7:14 PM

I am trying to move an existing PS script into an automation account. The script updates various ExchangeOnline customattribute fields for use in Dynamic Distro Groups.

I have been working on this for 2 days so far, and I am stumped! I am using these resources:
Use Azure managed identities to connect to Exchange Online PowerShell | Microsoft Learn
Connect to Exchange Online PowerShell | Microsoft Learn
Tutorial - Create a PowerShell Workflow runbook in Azure Automation | Microsoft Learn
Add user to Distribution List - DamoBird365

What I've done so far:

  1. Created the Automation Account in our Azure tenant.

  2. Added a system-assigned Managed Identity to the automation account under the Identity slice.

  3. Saved the Object ID of the Managed Identity as a variable in the automation account, per Use Azure managed identities to connect to Exchange Online PowerShell | Microsoft Learn and Add user to Distribution List - DamoBird365

  4. Assigned Exchange Administrator role to the Automation Account Managed Identity.

  5. Ensured the ExchangeOnlineManagement module is available to the Automation Account.

  6. Created a very simple runbook to connect to ExchangeOnline then disconnect. The command is identical to the examples in Use Azure managed identities to connect to Exchange Online PowerShell | Microsoft Learn and Connect to Exchange Online PowerShell | Microsoft Learn

  7. It fails EVERY TIME with a useless error code.

What am I doing wrong? What steps am I missing? Are there other -- better -- sources of documentation that could help?

Thank you for your time.


Accepted answer
    Konstantinos Passadis 19,391 Reputation points MVP
    May 17, 2023, 7:27 PM

    Hello @Shawn Goodwin !

    I see you are having trouble with the PowerShell running from Automation Account as Managed Identity for EXO commands.

    I cannot see this important Step:

    Step 4: Grant the Exchange.ManageAsApp API permission for the managed identity to call Exchange Online

    The procedures in this step require the Microsoft Graph PowerShell SDK. For installation instructions, see Install the Microsoft Graph PowerShell SDK.

    1. Run the following command to connect to Microsoft Graph PowerShell with the required permissions:

    ```powershell
    Connect-MgGraph -Scopes AppRoleAssignment.ReadWrite.All,Application.Read.All
    ```

    If a Permissions requested dialog opens, select Consent on behalf of your organization, and then click Accept.

    2. Run the following commands to grant the Exchange.ManageAsApp API permission for the managed identity to call Exchange Online:

    ```powershell
    $AppRoleID = "dc50a0fb-09a3-484d-be87-e023b12c6440"
    $ResourceID = (Get-MgServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'").Id
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MI_ID -PrincipalId $MI_ID -AppRoleId $AppRoleID -ResourceId $ResourceID
    ```

    • $MI_ID is the Id (GUID) value of the managed identity that you stored in a variable in Step 2.
    • $AppRoleID is the Id (GUID) value of the Exchange.ManageAsApp API permission that's the same in every organization.
    • $ResourceID is the Id (GUID) value of the Office 365 Exchange Online resource in Azure Active Directory. The Id value is different in every organization.

    For detailed syntax and parameter information, see the following articles:

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards
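The Step 4 grant above is the one-shot form from the docs. Here is an added example (not from the answer or from Microsoft's documentation) that first checks whether the managed identity already holds Exchange.ManageAsApp and only creates the assignment when it is missing, so it can be re-run safely and doubles as a verification step when a runbook still fails. It assumes you have already run the Connect-MgGraph command from step 1 and pass the managed identity's Object ID as $MI_ID.

```powershell
# Added example: idempotent check-then-grant of Exchange.ManageAsApp for a managed identity.
# Assumes an existing session: Connect-MgGraph -Scopes AppRoleAssignment.ReadWrite.All,Application.Read.All
param(
    [Parameter(Mandatory)]
    [string] $MI_ID   # Object ID of the Automation Account's system-assigned managed identity (Step 2)
)

$AppRoleID = "dc50a0fb-09a3-484d-be87-e023b12c6440"   # Exchange.ManageAsApp app role, same in every tenant
$ExoAppId  = "00000002-0000-0ff1-ce00-000000000000"   # Office 365 Exchange Online app id, same in every tenant

# The Exchange Online service principal's object id differs per tenant, so resolve it by AppId.
$ResourceID = (Get-MgServicePrincipal -Filter "AppId eq '$ExoAppId'").Id
if (-not $ResourceID) { throw "Office 365 Exchange Online service principal not found in this tenant." }

# Look for an existing assignment of this exact role on this exact resource.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MI_ID |
    Where-Object { $_.AppRoleId -eq $AppRoleID -and $_.ResourceId -eq $ResourceID }

if ($existing) {
    Write-Output "Exchange.ManageAsApp is already assigned to $MI_ID (assignment id $($existing.Id)); nothing to do."
} else {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MI_ID -PrincipalId $MI_ID `
        -AppRoleId $AppRoleID -ResourceId $ResourceID | Out-Null
    Write-Output "Granted Exchange.ManageAsApp to $MI_ID."
}
```

Running it a second time should report the existing assignment rather than error, which is also a quick way to confirm Step 4 actually took effect before debugging the runbook further.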


1 additional answer

Sort by: Most helpful
    Shawn Goodwin 176 Reputation points
    May 18, 2023, 1:30 PM

    IT WORKED!

    To answer your question, yes, the $MI_ID was saved as a variable before I ran the commands. Thank you for further explaining Step 4.

    It was still failing so I added a simple get-mailbox command rather than just a connect and disconnect. Now, it returned the results of the get-mailbox command AND a different error message:

    System.Management.Automation.MethodInvocationException: Exception calling "ShouldProcess" with "3" argument(s): "A command that prompts the user failed because the host program or the command type does not support user interaction. The host was attempting to request confirmation with the following message: Press(Y/y/A/a) if you want to continue." --->...
    

    I realized it was waiting for a prompt on the disconnect command, so I added the -Confirm:$False to the command. Now it works as expected.


    Thank you very much for your help!!!!
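Putting the two fixes from this thread together, here is an added example runbook (not the poster's script) that connects with the system-assigned managed identity, runs one read-only Exchange cmdlet so that permission problems surface as real errors, and always disconnects without prompting. It assumes the ExchangeOnlineManagement module is imported into the account and that an automation variable named ExoOrganization (a hypothetical name) holds the tenant's initial domain, such as contoso.onmicrosoft.com.

```powershell
# Added example runbook for Azure Automation (PowerShell runbook, not the original poster's code).
# Assumptions: automation variable 'ExoOrganization' = tenant initial domain (e.g. contoso.onmicrosoft.com),
# and the ExchangeOnlineManagement module is available to the account.
$ErrorActionPreference = 'Stop'

$organization = Get-AutomationVariable -Name 'ExoOrganization'
$connected = $false

try {
    # -ManagedIdentity uses the Automation Account's own identity: no stored credentials in the runbook.
    Connect-ExchangeOnline -ManagedIdentity -Organization $organization -ShowBanner:$false
    $connected = $true

    # A real cmdlet between connect and disconnect: the poster only saw the actual error once
    # a Get-Mailbox call was added, so a read-only query is a useful smoke test in its own right.
    Get-Mailbox -ResultSize 5 |
        Select-Object DisplayName, PrimarySmtpAddress, CustomAttribute1
}
catch {
    # Surface the failure in the job output with the underlying message instead of a generic code.
    Write-Error "Exchange Online runbook failed: $($_.Exception.Message)"
    throw
}
finally {
    # Runbooks have no interactive host. Without -Confirm:$false the disconnect prompt fails with
    # "A command that prompts the user failed because the host program ... does not support user interaction".
    if ($connected) {
        Disconnect-ExchangeOnline -Confirm:$false
    }
}
```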

