Object reference not set when using New-MgInvitation with Runbook and Managed Identities

Mattps 5 Reputation points
2024-02-09T14:10:29.94+00:00

Hi Everyone - pulling my hair out over this one :)

I am trying to send an AzureAD guest invitation using an Azure Runbook. I have created a system managed identity for this (can successfully run Connect-MgGraph -identity in the runbook).
When I try and execute:

New-MgInvitation -InvitedUserDisplayName "John Doe" -InvitedUserEmailAddress johndoe@contoso.com -InviteRedirectUrl "https://myapplications.microsoft.com" -SendInvitationMessage:$true

I get the following error:

New-MgInvitation : Object reference not set to an instance of an object.
At line:4 char:1
+ New-MgInvitation -InvitedUserDisplayName "John Doe" -InvitedUser ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-MgInvitation_CreateExpanded], NullReferenceException
    + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Cmdlets.NewMgInvitation_CreateExpanded

If I run this in PS locally the invitation is sent and received. I have the required graph.identity.signins and graph.authentication modules loaded in the runbook.

Anyone seen this before? Thanks in advance,
Matt

3 answers

  1. Sedat SALMAN 13,160 Reputation points
    2024-02-09T15:36:37.2733333+00:00

    As a recommendation, ensure the Managed Identity has the necessary Microsoft Graph permissions, specifically User.Invite.All. Update the Microsoft Graph PowerShell SDK modules in your Azure Automation account to the latest version. And you can use Try-Catch for detailed error logging in your script.

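The three recommendations above put together as a runbook body, as an added example that is not code from the thread: it authenticates as the managed identity, checks that the granted application permissions include User.Invite.All before calling New-MgInvitation, and logs the full error record if the call fails. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Identity.SignIns modules are imported into the Automation account; the invitee address is a placeholder.

```powershell
# Added example, not the original poster's runbook.
# Requires Microsoft.Graph.Authentication and Microsoft.Graph.Identity.SignIns
# to be imported into the Automation account.

$ErrorActionPreference = 'Stop'

# Authenticate as the runbook's system-assigned managed identity.
Connect-MgGraph -Identity

# For app-only (managed identity) sign-in, Get-MgContext lists the application
# permissions carried in the token under .Scopes. Fail fast if the one we need
# is missing instead of letting the cmdlet surface an opaque error.
$context  = Get-MgContext
$required = 'User.Invite.All'
if ($context.Scopes -notcontains $required) {
    throw ("Managed identity '{0}' lacks the '{1}' application permission. Granted: {2}" -f `
        $context.ClientId, $required, ($context.Scopes -join ', '))
}

try {
    # Placeholder invitee; replace with the real address in your environment.
    $invitation = New-MgInvitation `
        -InvitedUserDisplayName 'John Doe' `
        -InvitedUserEmailAddress 'johndoe@contoso.com' `
        -InviteRedirectUrl 'https://myapplications.microsoft.com' `
        -SendInvitationMessage:$true

    # Log only non-sensitive fields. InviteRedeemUrl lets the holder redeem the
    # invitation, so it should never be written to job output.
    Write-Output ("Invitation {0} created, status '{1}'" -f $invitation.Id, $invitation.Status)
}
catch {
    # With $ErrorActionPreference = 'Stop', Write-Error would itself terminate,
    # so write the diagnostics with -ErrorAction Continue and then rethrow.
    Write-Error ("New-MgInvitation failed: {0}" -f $_.Exception.Message) -ErrorAction Continue
    if ($_.Exception.InnerException) {
        Write-Error ("Inner exception: {0}" -f $_.Exception.InnerException.Message) -ErrorAction Continue
    }
    Write-Error ("Category: {0}; FullyQualifiedErrorId: {1}" -f `
        $_.CategoryInfo.Category, $_.FullyQualifiedErrorId) -ErrorAction Continue
    Write-Error $_.ScriptStackTrace -ErrorAction Continue
    throw
}
```

The scope check is the useful part for the error in the question: a NullReferenceException from the cmdlet tells you nothing about the token, whereas comparing `(Get-MgContext).Scopes` with the documented permission makes a missing app role assignment visible in the job output.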

  2. Mattps 5 Reputation points
    2024-02-14T15:01:15.5+00:00

    I wasn't able to resolve this but found a workaround. Instead of using the dedicated PowerShell command I was able to use the REST API to generate the same request:

    # Build the invitation body as JSON and POST it to the invitations endpoint.
    $body = ConvertTo-Json -InputObject @{InvitedUserEmailAddress="email address removed for privacy reasons";InviteRedirectURL="https://myapps.microsoft.com";SendInvitationMessage=$true}

    $uri = "https://graph.microsoft.com/v1.0/invitations"

    # Invoke-MgGraphRequest reuses the token obtained by Connect-MgGraph -Identity.
    $response = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body


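The same REST workaround as a reusable function, added here as an example rather than the poster's own code: it validates the invitee address and redirect URL before they reach the API, passes the body as a hashtable (which Invoke-MgGraphRequest serialises itself), checks the returned status, and deliberately does not return or log the inviteRedeemUrl that Graph includes in the response. The function name and the sample address in the usage line are assumptions.

```powershell
# Added example; Send-GuestInvitation is a hypothetical helper name.
# Call after Connect-MgGraph -Identity in the runbook.

function Send-GuestInvitation {
    param(
        [Parameter(Mandatory)] [string] $EmailAddress,
        [Parameter(Mandatory)] [string] $RedirectUrl,
        [string] $DisplayName,
        [switch] $SendMessage
    )

    # Reject obviously malformed input before it reaches the API.
    if ($EmailAddress -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        throw "Invalid invitee email address."
    }
    # Only allow https redirect targets; the guest is sent here after redeeming.
    if ($RedirectUrl -notlike 'https://*') {
        throw "Redirect URL must use https."
    }

    # Property names follow the Graph invitation resource (camelCase).
    $body = @{
        invitedUserEmailAddress = $EmailAddress
        inviteRedirectUrl       = $RedirectUrl
        sendInvitationMessage   = [bool]$SendMessage
    }
    if ($DisplayName) { $body.invitedUserDisplayName = $DisplayName }

    # A hashtable body is serialised to JSON by the cmdlet; -OutputType PSObject
    # gives dotted access to the response fields.
    $response = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/invitations' `
        -Body $body -OutputType PSObject

    if ($response.status -ne 'PendingAcceptance') {
        Write-Warning "Unexpected invitation status: $($response.status)"
    }

    # Return only what callers need. inviteRedeemUrl is omitted on purpose:
    # anyone holding that link can redeem the invitation.
    [pscustomobject]@{
        InvitationId  = $response.id
        InvitedUserId = $response.invitedUser.id
        Status        = $response.status
    }
}

# Usage (sample address is a placeholder):
# Send-GuestInvitation -EmailAddress 'guest@example.com' -RedirectUrl 'https://myapps.microsoft.com' -SendMessage
```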
  3. AnuragSingh-MSFT 20,106 Reputation points
    2024-02-20T10:25:58.4366667+00:00

    Mattps, thank you for sharing your workaround with the community.

    I used the exact code shared by you, as shown below, and my runbook executed successfully:

    Connect-MgGraph -identity
    New-MgInvitation -InvitedUserDisplayName "John Doe" -InvitedUserEmailAddress XXXX.XXX@XXX.XXX -InviteRedirectUrl "https://myapplications.microsoft.com" -SendInvitationMessage:$true
    

    The permission granted to the managed identity was as below, as mentioned in the doc for New-MgInvitation.

    [screenshot of the Microsoft Graph application permission granted to the managed identity; image not preserved]

    Also, note that my runbook is of type v5.1 (as I was facing issues with the 7.2 version runbook).

    With this information at hand, looking at the error as posted in question, I see:

    At line:4 char:1

    It appears that there are 2-3 more lines in the runbook before the line where it fails. Are you reading certain variables from Azure Automation or getting certain parameters from somewhere else?

    One common reason for the error you are getting (Object reference not set to an instance of an object.) could be that you are trying to read certain parameters stored as an Automation Variable (or from the execution of another runbook), but authentication for the Azure context was not done at the beginning of the runbook, as shown here: Authenticate access with system-assigned managed identity. In this case, the runbook context is not authorized to read assets of the Automation Account and thus fails with similar errors.

    Hope this helps.

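The permission shown in the lost screenshot above has to be assigned to the managed identity's service principal as a Microsoft Graph app role. The following script does that for User.Invite.All, the permission named earlier in the thread. It is an added example, not code from the thread or from Microsoft's documentation, and it is run once by an administrator with rights to create app role assignments, not inside the runbook. $AutomationAccountName is a placeholder; the system-assigned identity's service principal carries the Automation account's name.

```powershell
# Added example: grant User.Invite.All (application permission) on Microsoft Graph
# to an Automation account's system-assigned managed identity. Run interactively
# as an administrator, not from the runbook.

param(
    # Placeholder: name of your Automation account (the MI's service principal shares it).
    [Parameter(Mandatory)] [string] $AutomationAccountName
)

# Delegated scopes needed to read service principals and write app role assignments.
Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All', 'Application.Read.All'

# Microsoft Graph's own service principal, located by its well-known application id.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# The managed identity shows up in Entra ID as a service principal named after the account.
$miSp = Get-MgServicePrincipal -Filter "displayName eq '$AutomationAccountName'"
if (-not $miSp) {
    throw "No service principal named '$AutomationAccountName' found. Is the system-assigned identity enabled?"
}

# Select exactly the application-type app role we need; do not grant broader roles.
$role = $graphSp.AppRoles |
    Where-Object { $_.Value -eq 'User.Invite.All' -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $role) { throw "User.Invite.All app role not found on the Graph service principal." }

# Idempotent: check for an existing assignment before creating one.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id |
    Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graphSp.Id }

if ($existing) {
    Write-Output "User.Invite.All is already assigned to '$($miSp.DisplayName)'."
}
else {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id `
        -PrincipalId $miSp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Output "Assigned User.Invite.All to '$($miSp.DisplayName)'."
}
```

Application permissions granted this way are tenant-wide and not scoped to a user, so keep the assignment to the single role the cmdlet needs and review the Automation account's job output and Entra audit logs for the invitations it creates.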