MgGraph with Azure Automation Runbook

Question

MgGraph with Azure Automation Runbook

Mattps 5

Hi,

I am trying to use MgGraph in an Azure runbook but keep hitting a dead end and would appreciate any suggestions. I have the MgGraph modules loaded in the Automation account and credentials saved in the credentials section of the automation account. To test I am just trying to connect to MgGraph first but failing to even do this. This is my PowerShell code:

$Cred = Get-AutomationPSCredential -Name "#######"
Install-Module -Name Microsoft.Graph
Connect-MgGraph -ClientID $TAECred -TenantID "########-####-####-####-############"

The error I receive is:

Connect-MgGraph : The term 'Connect-MgGraph' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At line:5 char:1 + Connect-MgGraph -ClientID $Cred -TenantID "########-####-####-#### ... + ~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (Connect-MgGraph:String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException

Any ideas?

tbgangav-MSFT 10,431 Reputation points

2024-01-24T11:38:42.1133333+00:00

Hi @Mattps , Did you follow this process to import the cmdlet related module? If not, please do it and give it a try.

Mattps 5

Hi tbgangav-MSFT, Yes, I have the following modules imported: | |



Microsoft.Graph.Authentication	Available	Custom	2.12.0	7.2	6,221.3 KB	24/01/2024, 08:25
Microsoft.Graph.Identity.SignIns	Available	Custom	2.12.0	7.2	4,171.3 KB	24/01/2024, 07:48

Mattps 5 Reputation points

2024-01-24T12:04:08.5833333+00:00

Hi,

Yes. I have Microsoft.Graph.Automation and Microsoft.Graph.Identity.SignIns imported.

Matt
Mattps 5 Reputation points

2024-01-25T12:18:33.9233333+00:00
So I have tried a different way of connecting MS Graph, using managed identities. However I am still having connection issues.
I have created a user managed identity and added it in the required role. I've taken the client ID of that managed identity and used it in the runbook connection command. The code I am using in the runbook:

Connect-MgGraph -Identity -ClientID "########-####-####-####-############"

The error returned is:

Connect-MgGraph : ManagedIdentityCredential authentication failed: Managed Identity with passed Identity not found! Status: 400 (Bad Request) Content: {"Message":"Managed Identity with passed Identity not found!"}
tbgangav-MSFT 10,431 Reputation points

2024-01-30T15:44:45.89+00:00

Hi @Mattps, Follow this article and see if it helps to resolve your issue.
EPNAdam 50 Reputation points

2024-08-06T15:07:56.5333333+00:00

Do not provide the: -ClientID "########-####-####-####-############" if you want to connect using System Assigned Managed Identity. System Assigned identity is enabled by default (I think) on newly created Automation Accounts.

If you must use a user-assigned identity then this is a good source for connecting to Graph and this is a good source on user assigned identities in Azure Automation.

See my proposed answer below for system assigned managed identity but the links do cover user managed identities as well.

I recently recoded all my runbooks to use the System Assigned Managed Identity which makes things smoother where we don't need to rotate certificates etc. But it depends on your use cases and architecture. Manged Identity Best Practices

1 answer

Your answer

tbgangav-MSFT 10,431 Reputation points

2024-01-24T11:38:42.1133333+00:00

Hi @Mattps , Did you follow this process to import the cmdlet related module? If not, please do it and give it a try.
Mattps 5 Reputation points

2024-01-24T12:02:55.1266667+00:00

Hi tbgangav-MSFT, Yes, I have the following modules imported: | |

Microsoft.Graph.Authentication Available Custom 2.12.0 7.2 6,221.3 KB 24/01/2024, 08:25

Microsoft.Graph.Identity.SignIns Available Custom 2.12.0 7.2 4,171.3 KB 24/01/2024, 07:48
Mattps 5 Reputation points

2024-01-24T12:04:08.5833333+00:00

Hi,

Yes. I have Microsoft.Graph.Automation and Microsoft.Graph.Identity.SignIns imported.

Matt
Mattps 5 Reputation points

2024-01-25T12:18:33.9233333+00:00

So I have tried a different way of connecting MS Graph, using managed identities. However I am still having connection issues.
I have created a user managed identity and added it in the required role. I've taken the client ID of that managed identity and used it in the runbook connection command. The code I am using in the runbook:

Connect-MgGraph -Identity -ClientID "########-####-####-####-############"

The error returned is:

Connect-MgGraph : ManagedIdentityCredential authentication failed: Managed Identity with passed Identity not found! Status: 400 (Bad Request) Content: {"Message":"Managed Identity with passed Identity not found!"}
tbgangav-MSFT 10,431 Reputation points

2024-01-30T15:44:45.89+00:00

Hi @Mattps, Follow this article and see if it helps to resolve your issue.
EPNAdam 50 Reputation points

2024-08-06T15:07:56.5333333+00:00

Do not provide the: -ClientID "########-####-####-####-############" if you want to connect using System Assigned Managed Identity. System Assigned identity is enabled by default (I think) on newly created Automation Accounts.

If you must use a user-assigned identity then this is a good source for connecting to Graph and this is a good source on user assigned identities in Azure Automation.

See my proposed answer below for system assigned managed identity but the links do cover user managed identities as well.

I recently recoded all my runbooks to use the System Assigned Managed Identity which makes things smoother where we don't need to rotate certificates etc. But it depends on your use cases and architecture. Manged Identity Best Practices

Answer 1

EPNAdam 50

Hi,

Please see this: https://docs.microsoft.com/en-us/azure/automation/enable-managed-identity-for-automation#authenticate-access-with-system-assigned-managed-identity

Tested in my automation account running PowerShell 7.2 in a runtime environment with the Az and Microsoft.Graph.Authentication modules installed.

Code which connects to Azure and Microsoft.Graph using managed identity:

Disable-AzContextAutosave -Scope Process    # Ensures you do not inherit an AzContext in your runbook
$azureContext = (Connect-AzAccount -Subscription $SubScriptionId -Tenant $TenantId -Identity).context

Write-Output "-> Setting context"
$azureContext = Set-AzContext -SubscriptionName $azureContext.Subscription -DefaultProfile $azureContext

Write-Output "`n+ Connecting to Graph (Managed Identity)"
Connect-MgGraph -Identity -NoWelcome

Output:

User's image

EPNAdam 50 Reputation points

2024-08-06T14:39:04.6666667+00:00

If you do not want to use Managed Identity but rather a Service Principal (Application Registration) then you need to provide the -ApplicationId or -ClientId or -AccessToken (or what authentication method you have configured) to the Connect-MgGraph call.

See this: https://learn.microsoft.com/en-us/powershell/microsoftgraph/authentication-commands?view=graph-powershell-1.0

Share via

MgGraph with Azure Automation Runbook

1 answer

Your answer