Most secure way to enable Azure automation python runbook to access Microsoft Graph for an organisation

Grant Fullston 25 Reputation points
2024-04-30T01:31:37.85+00:00

Hi all,

I am needing to create an Azure automation python runbook that accesses an organisation's Microsoft Graph and Microsoft 365, with the permissions to read and write to the Graph. I have seen several ways to do this, but am worried since this solution would be going into a production environment, what the most secure way to do this would be? Also, what permissions do I have to set on either end, do I need to specify RBAC on both the automation resource and through the admin portal on Microsoft 365 admin?

I have looked into certificate access and credentials, both stored on the runbook resource and accessed through the code (also please remind me how to access these credentials in python scripts for authentication), is there a better way? I am not sure.

Could someone please provide a solution with some explanation on how to implement it, and explain a bit of the pros and cons of each solution from a security point of view?

Thank you in advance


1 answer

  1. Carolyne-3676 201 Reputation points
    2024-05-07T15:27:00.09+00:00

    Thank you for raising this question. One of the secure ways to access the Microsoft Graph API from your Azure Automation Runbooks is to use Managed Identity. You can use the Managed Identity to authenticate to any service that supports Entra ID authentication without storing credentials in your code. This Managed Identity can be granted access to Microsoft Graph by creating an App Registration in Entra ID and granting the required permissions.

    Here are the steps:

    1. Enable Managed Identity on your Automation Account (documentation: Quickstart - Enable managed identities for your Automation account using the Azure portal | Microsoft Learn).
    2. Create an App Registration.
    3. Grant the required Graph API permissions to the App Registration.
    4. Use the Managed Identity to authenticate to Graph API in your python runbook.

    Some advantages of using this approach:

    • No need to store credentials in your code
    • You can control the permissions granted to the Managed Identity in a granular way.
    • The Managed Identity is automatically managed by Azure, you don't have to worry about key rotation or secure storage.

    There is also Certificate-Based Authentication which is described here - Microsoft identity platform certificate credentials - Microsoft identity platform | Microsoft Learn

    The steps would typically include:

    1. Create an App Registration in Azure AD and grant it the necessary permissions to access Microsoft Graph API.
    2. Create a self-signed certificate using a tool of your choice.
    3. Upload the public key of the certificate to the App Registration.
    4. Install the private key of the certificate on the Azure Automation account that will be running the Python runbook.
    5. Use the certificate to authenticate the runbook when making calls to Microsoft Graph API.

    In the event the private key is lost or compromised, you will need to generate a new one and update the App Registration. I would advise that you evaluate these and see which fits your scenario.

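Added example (not code from the question or the answer above) of step 4 of the Managed Identity approach: the runbook requests a Graph token from the Automation sandbox's identity endpoint, inspects the `roles` claim so an identity that was granted more (or less) than the intended Graph application permissions is caught before any call is made, then calls Graph. It assumes the `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` variables that Azure Automation exposes to Python runbooks, and `User.Read.All` stands in for whatever permission you actually assign.

```python
"""Managed Identity -> Microsoft Graph from a Python runbook, standard library only."""
import base64
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com"


def token_request(env):
    """Build the token request for Graph. No secret is stored or shipped with the
    runbook: the sandbox proves the identity via the per-job IDENTITY_HEADER value."""
    url = f"{env['IDENTITY_ENDPOINT']}?resource={GRAPH}/"
    headers = {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"], "Metadata": "True"}
    return url, headers


def jwt_claims(token):
    """Decode the JWT payload for inspection only (Graph verifies the signature)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token, required):
    """Graph application permissions the identity holds arrive in the `roles` claim;
    return the required ones that are absent so the job fails closed."""
    return sorted(set(required) - set(jwt_claims(token).get("roles", [])))


def get_token(env=os.environ):
    url, headers = token_request(env)
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as r:
        return json.load(r)["access_token"]


def graph_get(path, token):
    req = urllib.request.Request(f"{GRAPH}/v1.0{path}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as r:
        return json.load(r)


if __name__ == "__main__":
    # Placeholder permission: replace with the app roles assigned to your identity.
    tok = get_token()
    gaps = missing_roles(tok, ["User.Read.All"])
    if gaps:
        raise SystemExit(f"managed identity lacks Graph app roles: {gaps}")
    print(graph_get("/users?$top=1&$select=displayName", tok))
```

The same `missing_roles` check can be run in reverse (required roles versus granted roles) during a periodic review to spot permissions the runbook no longer needs.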