Use of system-assigned Managed Identity in Azure Automation for Exchange activities

Rajkumar Pawar 0 Reputation points
2023-05-26T05:41:04.33+00:00

We are migrating our runbooks from an Azure Automation account that uses a Run As account for authentication to an account that uses Managed Identity.

We have already granted the Exchange.ManageAsApp and Exchange Admin permissions to the managed identity. It authenticates and successfully establishes a connection to ExchangeOnline, but when used with commands to perform some activities, it throws the error below.

"exception calling "shouldprocess" with "3" argument(s): "a command that prompts the user failed because the host program or the command type does not support user interaction. the host was attempting to request confirmation with the following message: are you sure you want to perform this action? "

Below is the code.

$azureContext = Connect-AzAccount -Identity
$azureContext = Set-AzContext -SubscriptionName $azureContext.context.Subscription -DefaultProfile $azureContext.context
$graphToken = Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com/"
$aadToken = Get-AzAccessToken -ResourceUrl "https://graph.windows.net"
Connect-AzureAD -AccountId $azureContext.account.id -TenantId $azureContext.tenant.id -AadAccessToken $aadToken.token -MsAccessToken $graphToken.token

Connect-ExchangeOnline -ManagedIdentity -Organization "****.com"

##Enable remote PowerShell for users

$EnableUsers = @(Get-AzureADGroupMember -ObjectId "*****" -All $true| Select DisplayName, UserPrincipalName)
foreach($user in $EnableUsers)
{
        Set-User -identity $user.UserPrincipalName -RemotePowerShellEnabled $true
}

1 answer

  1. AnuragSingh-MSFT 21,561 Reputation points Moderator
    2023-05-31T09:09:20.7333333+00:00

    @Rajkumar Pawar, thank you for posting this question.

    Based on the error that you are getting, as available in the question, the error is related to one of the script lines prompting for a response from the user (note the highlighted section in the error below).

    "a command that prompts the user failed because the host program or the command type does not support user interaction. the host was attempting to request confirmation with the following message: are you sure you want to perform this action?"

    This is happening because Azure Automation does not allow user interaction during script execution. Based on the script, it looks like the message is being prompted for the line below:

    Set-User -identity $user.UserPrincipalName -RemotePowerShellEnabled $true

    I would suggest using the -Force and -confirm parameters with the set-user cmdlet, so that the script does not attempt to read user inputs during script execution. For more details, see the links below:

    I would also suggest adding try{} catch{} blocks in the script so that you can get additional information about the error. For details about try, catch in PowerShell, see about_Try_Catch_Finally.

    A sample catch block that I generally use in runbooks is below:

     try
       {
           # Runbook commands that may fail go here
       }
     catch
       {
           Write-Error $_.Exception.Message

           # Response code received (empty when the exception carries no HTTP response)
           $StatusCode = $_.Exception.Response.StatusCode.value__
           Write-Error "Error Code - $StatusCode"

           # The ScriptStackTrace contains the line number of the faulting code
           Write-Error $_.ScriptStackTrace
           throw ($_)
       }
    

    Hope this helps.

    If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.

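The loop from the question rewritten so that it never asks the host for input, as an added example that is not part of the original question or answer. It assumes `Connect-AzureAD` and `Connect-ExchangeOnline -ManagedIdentity` have already succeeded earlier in the runbook; the function name `Enable-RemotePowerShellForUsers` and the `<group-object-id>` placeholder are hypothetical.

```powershell
# Added example: non-interactive version of the Set-User loop from the question.
# Assumes the AzureAD and Exchange Online connections are already established.
function Enable-RemotePowerShellForUsers {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [string[]] $UserPrincipalName
    )

    foreach ($upn in $UserPrincipalName) {
        try {
            # Skip users that are already enabled so reruns make no changes
            # and the job output lists only real modifications.
            $current = Get-User -Identity $upn -ErrorAction Stop
            if ($current.RemotePowerShellEnabled) {
                Write-Output "SKIP    $upn (already enabled)"
                continue
            }

            # -Confirm:$false answers the ShouldProcess confirmation up front,
            # so the cmdlet does not request input from the runbook host.
            # -ErrorAction Stop makes failures terminating so catch sees them.
            Set-User -Identity $upn -RemotePowerShellEnabled $true `
                     -Confirm:$false -ErrorAction Stop
            Write-Output "ENABLED $upn"
        }
        catch {
            # Record the failure and continue with the remaining users.
            Write-Error "FAILED  $upn : $($_.Exception.Message)" -ErrorAction Continue
            Write-Error $_.ScriptStackTrace -ErrorAction Continue
        }
    }
}

# Placeholder object ID; the question masks the real value.
# Group members without a UPN (nested groups, devices) are filtered out.
$upns = Get-AzureADGroupMember -ObjectId "<group-object-id>" -All $true |
    Where-Object { $_.UserPrincipalName } |
    ForEach-Object { $_.UserPrincipalName }

if ($upns) {
    Enable-RemotePowerShellForUsers -UserPrincipalName $upns
}
```

The SKIP, ENABLED and FAILED lines land in the job's output and error streams, which gives a per-user record of who was granted remote PowerShell access by each run.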