Thank you for raising this question. One of the secure ways to access the Microsoft Graph API from your Azure Automation Runbooks is to use Managed Identity. You can use the Managed Identity to authenticate to any service that supports Entra ID authentication without storing credentials in your code. This Managed Identity can be granted access to Microsoft Graph by creating an App Registration in Entra ID and granting the required permissions.
Here are the steps:
- Enable Managed Identity on your Automation Account (documentation: Quickstart - Enable managed identities for your Automation account using the Azure portal | Microsoft Learn).
- Create an App Registration.
- Grant the required Graph API permissions to the App Registration.
- Use the Managed Identity to authenticate to the Graph API in your Python runbook.
Some advantages of using this approach:
- No need to store credentials in your code
- You can control the permissions granted to the Managed Identity in a granular way.
- The Managed Identity is automatically managed by Azure; you don't have to worry about key rotation or secure storage.
There is also Certificate-Based Authentication, which is described here - Microsoft identity platform certificate credentials - Microsoft identity platform | Microsoft Learn.
The steps would typically include:
- Create an App Registration in Azure AD and grant it the necessary permissions to access the Microsoft Graph API.
- Create a self-signed certificate using a tool of your choice.
- Upload the public key of the certificate to the App Registration.
- Install the private key of the certificate on the Azure Automation account that will be running the Python runbook.
- Use the certificate to authenticate the runbook when making calls to the Microsoft Graph API.
In the event the private key is lost or compromised, you will need to generate a new one and update the App Registration. I would advise that you evaluate these and see which fits your scenario.
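The managed-identity path described in the answer, as an added example that is not part of the original answer or of Microsoft's sample code. It assumes that the runbook sandbox exposes the `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` environment variables and accepts a GET with a `resource` query parameter plus the `X-IDENTITY-HEADER` and `Metadata` headers (the shape of Microsoft's Automation managed-identity sample); the `build_unsigned_token` helper only produces a constructed, unsigned token so the role check can be exercised offline. Beyond acquiring the token, it validates the token response and inspects the `roles` claim so a runbook whose identity was not granted the needed Graph application permissions fails fast with a clear message instead of a 403 mid-run.

```python
"""Graph token acquisition for an Azure Automation Python runbook via managed identity.

Added example (not from the original answer). Assumes the Automation sandbox exposes
IDENTITY_ENDPOINT / IDENTITY_HEADER and follows Microsoft's Automation sample request
shape (GET ?resource=..., headers X-IDENTITY-HEADER and Metadata).
"""
import base64
import json
import os
import time
import urllib.parse
import urllib.request

GRAPH_RESOURCE = "https://graph.microsoft.com"


def build_token_request(identity_endpoint, identity_header, resource=GRAPH_RESOURCE, client_id=None):
    """Return (url, headers) for the managed-identity token request.

    client_id selects a user-assigned identity; omit it for the system-assigned identity.
    """
    params = {"resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = identity_endpoint + "?" + urllib.parse.urlencode(params)
    headers = {"X-IDENTITY-HEADER": identity_header, "Metadata": "True"}
    return url, headers


def parse_token_response(body, now=None):
    """Validate the token response JSON and return (access_token, seconds_remaining).

    Raises ValueError if the response is malformed, for another resource, or already expired.
    """
    data = json.loads(body)
    token = data.get("access_token")
    if not token or data.get("token_type", "Bearer") != "Bearer":
        raise ValueError("token response lacks a bearer access_token")
    if data.get("resource") not in (None, GRAPH_RESOURCE, GRAPH_RESOURCE + "/"):
        raise ValueError("token issued for unexpected resource %r" % data.get("resource"))
    now = time.time() if now is None else now
    remaining = int(data["expires_on"]) - int(now)
    if remaining <= 0:
        raise ValueError("token already expired")
    return token, remaining


def decode_jwt_payload(token):
    """Decode the JWT claims WITHOUT verifying the signature.

    Only for inspecting a token we just obtained for our own outbound calls;
    never use this to authorise a token presented by someone else.
    """
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def missing_roles(token, required):
    """Return the Graph application permissions (app roles) the token does not carry."""
    granted = set(decode_jwt_payload(token).get("roles", []))
    return sorted(set(required) - granted)


def build_unsigned_token(claims):
    """CONSTRUCTED, unsigned JWT-shaped string for offline tests of the role check only."""
    def b64url(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return b64url({"alg": "none", "typ": "JWT"}) + "." + b64url(claims) + "."


def get_graph_token(required_roles=()):
    """Fetch a Graph token from the runbook's identity endpoint and check its app roles."""
    url, headers = build_token_request(os.environ["IDENTITY_ENDPOINT"], os.environ["IDENTITY_HEADER"])
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        token, _remaining = parse_token_response(resp.read().decode())
    missing = missing_roles(token, required_roles)
    if missing:
        raise PermissionError("managed identity lacks Graph app roles: %s" % ", ".join(missing))
    return token


def graph_get(token, path):
    """GET a Graph v1.0 path (e.g. '/users?$top=5') with the bearer token; returns parsed JSON."""
    req = urllib.request.Request(
        "https://graph.microsoft.com/v1.0" + path,
        headers={"Authorization": "Bearer " + token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Only meaningful inside an Automation runbook, where the identity endpoint exists.
    tok = get_graph_token(required_roles=["User.Read.All"])
    print(json.dumps(graph_get(tok, "/users?$top=5&$select=displayName"), indent=2))
```

The role check is deliberately split from token acquisition: `missing_roles` tells you which Graph application permissions still have to be granted to the identity's service principal, which is also a convenient way to confirm that only the permissions the runbook actually needs were assigned.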