How to connect Azure AD from runbook

Subhash B 25 Reputation points
2023-06-21T01:57:28.63+00:00

How do I connect Azure AD from a runbook? Normally Connect-AzureAD works fine after giving credentials from PowerShell, but I'm not sure how to do it from a runbook. I could see the parameters like thumbprint and application ID, which I'm not sure how to generate. Is there a way to connect without using these parameters? Please advise.

Azure Automation

Accepted answer
    SwathiDhanwada-MSFT 18,996 Reputation points Moderator
    2023-06-22T10:14:29.3733333+00:00

    @Subhash B As @Luke Murray mentioned, Azure AD PowerShell is being deprecated; it's recommended to use Microsoft Graph. Below is a sample script for your reference on how to connect to Azure AD using Microsoft Graph v1 and v2, written by a community member. Ref: https://gist.github.com/AlexFilipin/daace2f2d7989545e8ab0b969de2aaed

```powershell
# Assign Graph application permissions to managed identity (outside of Azure Automation)
# Requires an account that can grant application permissions (e.g. Global/Privileged Role Administrator)
$spID = "c3bfc803-bc8a-47af-a8a4-eed98dce8bca" #Managed Identity SP (object ID of the Automation account's identity)
$PermissionName = "User.Read.All"
$GraphServicePrincipal = Get-MgServicePrincipal -Filter "startswith(DisplayName,'Microsoft Graph')" | Select-Object -first 1 #Graph App ID: 00000003-0000-0000-c000-000000000000
# Pick the application (not delegated) role whose Value matches the permission name
$AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
New-MgServicePrincipalAppRoleAssignment -AppRoleId $AppRole.Id -ServicePrincipalId $spID -ResourceId $GraphServicePrincipal.Id -PrincipalId $spID
# List what the managed identity has now been granted
$AppRoleAssignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spID

# Please note you can also give an managed identity permissions via:
# Role assignments, such as User Administrator scoped to an Administrative Unit
# Ownership, such as owner of a group to manage the membership with the MI
# This can be done via UI and in many cases allows you to better follow the concept of least privilege

# Connect to Microsoft Graph within Azure Automation (Microsoft Graph PowerShell v1)
Connect-AzAccount -Identity
$token = Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com"
Connect-MgGraph -AccessToken $token.Token

# Connect to Microsoft Graph within Azure Automation (Microsoft Graph PowerShell v2 - see https://devblogs.microsoft.com/microsoft365dev/microsoft-graph-powershell-v2-is-now-in-public-preview-half-the-size-and-will-speed-up-your-automations/)
# System-assigned managed identity
Connect-MgGraph -Identity
# User-assigned managed identity
Connect-MgGraph -Identity -ClientId "User_Assigned_Managed_identity_Client_Id"
```

    Some reference articles to get you started with Microsoft Graph within Azure Automation.
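An added runbook example (not part of the answer above or of the gist it links) that puts the v2 managed-identity sign-in to work: it connects without any secret or certificate, checks that the identity holds only the Graph application permissions the runbook expects (the `$ExpectedScopes` default of `User.Read.All` mirrors the permission granted above and is an assumption), and then performs a read-only query. The `Connect-MgGraph -NoWelcome` switch and `Get-MgContext` properties used are those of Microsoft Graph PowerShell v2.

```powershell
# Added example runbook body (not from the original answer). Assumes a system-assigned
# managed identity is enabled on the Automation account and Microsoft.Graph v2 is imported.
param(
    # Graph application permissions this runbook is expected to hold (assumed value).
    [string[]] $ExpectedScopes = @('User.Read.All')
)

$ErrorActionPreference = 'Stop'

try {
    # No thumbprint, client secret or stored credential: the token is issued to the
    # Automation account's managed identity by the identity endpoint.
    Connect-MgGraph -Identity -NoWelcome
}
catch {
    throw "Connect-MgGraph -Identity failed; is a managed identity enabled on this Automation account? $_"
}

$ctx = Get-MgContext
# Managed-identity sign-in is app-only; refuse to continue under any other auth type so the
# runbook never silently runs with a human's delegated token.
if ($ctx.AuthType -ne 'AppOnly') {
    throw "Unexpected auth type '$($ctx.AuthType)'; this runbook must run only as a managed identity."
}

# The scopes in the context are the app roles granted to the identity. Surface anything beyond
# what the runbook needs so privilege creep on the automation identity shows up in job output.
$granted = @($ctx.Scopes)
$extra   = @($granted        | Where-Object { $_ -notin $ExpectedScopes })
$missing = @($ExpectedScopes | Where-Object { $_ -notin $granted })

Write-Output "Signed in as app $($ctx.ClientId) in tenant $($ctx.TenantId)"
Write-Output "Granted Graph permissions: $($granted -join ', ')"
if ($extra.Count -gt 0)   { Write-Warning "Permissions beyond what this runbook needs: $($extra -join ', ')" }
if ($missing.Count -gt 0) { throw "Required permissions not granted: $($missing -join ', ')" }

# Read-only work that User.Read.All alone permits: count guest accounts in the tenant.
$guests = @(Get-MgUser -Filter "userType eq 'Guest'" -Property displayName,userPrincipalName -All)
Write-Output "Guest accounts: $($guests.Count)"

Disconnect-MgGraph | Out-Null
```

Run it as a job once after granting the permission: the warning and the throw give a cheap check that the identity was granted exactly what the script needs, which is easier to audit than a credential asset holding a user's password.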


1 additional answer

    Luke Murray 11,436 Reputation points MVP Volunteer Moderator
    2023-06-22T08:53:19.8766667+00:00

    Hi, Subhash

    You can still pass credentials through, by adding your credentials as variables on the Azure Automation account and pulling them in: https://learn.microsoft.com/en-us/powershell/module/az.automation/get-azautomationcredential?view=azps-10.0.0

    https://www.sharepointdiary.com/2021/07/how-to-connect-to-azure-ad-using-powershell.html

    That should get you going with Connect-AzureAD.

    Having said that, these cmdlets are being deprecated in favor of Microsoft Graph. If you're developing a new script, then look at using Microsoft Graph, and you can use application authentication, using the same Azure Automation credentials processes.
