Using Azure runbooks to pass Azure AD commands authenticated by service principal api permissions. What permission do i need?

Question

I am creating a business process for my org and am currently utilizing Azure runbooks to get the job done. The concern is that I don't want a Signed in user to be validated to run them and would like to granulate the permissions this "runbook" would have.

i have currently created the runbook to manipulate a user account. Created service principal and tried to adjust the API permission accordingly. And a service account that is for On-prem permissions. I was told that the API permissions for Azure active directory were being depricated and i could use the Graph API permissions instead, but the User.ReadWrite.All permission still does not allow me to use the set-azureaduser command in my runbook.

Is there a permission I may be missing or a process of running the runbook as the service principal? Currently I have an account that is part of the enterprise application authenticating on the runbook and the "run as" account.

Any help or guidance would be great.

Answer 1

Hello @ASaurdiff ,

Microsoft Graph API permission only works with Microsoft Graph API level calls (https://graph.microsoft.com/) and reason it was falling through PowerShell because AAD PowerShell V2 modules still uses Azure AD Graph API ( https://graph.windows.net) calls instead Microsoft Graph API to retrieve AAD resource information and this is an know behavior of AAD V2 PowerShell Module.

As we all know that "Azure AD Graph API" is on a deprecation path, so our product group is working on AAD module migration from Azure AD Graph API to Microsoft Graph API before it fully deprecate.

Therefore, you can either use Azure AD role or Azure AD Graph API permission for service principal to delegate the permission.

Alternatively, you could Check out Microsoft Graph PowerShell for Azure AD automation so you can granulate the permissions more by leveraging Microsoft Graph API permission (like: User.ReadWrite.All , User.Read.All etc..,) . To know more about refer this article

Here are some example cmdlet when you use Microsoft Graph PowerShell :

To install the latest version, run the Install-Module as Administrator as here.
Install-Module Microsoft.Graph -Repository PSGallery -force

To see a list of all commandlets (which is looong), use Get-Command -Module "Microsoft.Graph.*

Cmdlet to Connect Graph by using service principal :

Connect-Graph -AppId "447672e9-da89-123f-a2b5-99232a7bb08a" -CertificateThumbprint "2DBD6360F4D1EFB478BA1EF311F25CDA4ABA70BF"

To Get top 10 user: Get-MgUser -Top 10 -Select Id, DisplayName, UserPrincipalName, UserType
To get user with ID : Get-MgUser -UserId "669fd118-a9bc-4125-ba79-c8d397810c2d"
To update users attribute: Update-MgUser -UserId 669fd118-a9bc-4125-ba79-c8d397810c2d -JobTitle "IT Dept"

Screenshot

-----------------------------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

Hello @ASaurdiff ,

Thanks for reaching out.

Try assigning "Azure AD Directory Writers role" to Azure runbook service principal from "Roles and administrators" in Azure AD as shown below screenshot. I had tested it on my tenant which works as expected.

--------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.