Using Azure runbooks to pass Azure AD commands authenticated by service principal API permissions. What permission do I need?

ASaurdiff 101 Reputation points
2021-01-29T21:20:48.633+00:00

I am creating a business process for my org and am currently utilizing Azure runbooks to get the job done. The concern is that I don't want a signed-in user to be validated to run them, and I would like to granulate the permissions this "runbook" would have.

I have currently created the runbook to manipulate a user account, created a service principal and tried to adjust the API permissions accordingly, and also have a service account that is for on-prem permissions. I was told that the API permissions for Azure Active Directory were being deprecated and I could use the Graph API permissions instead, but the User.ReadWrite.All permission still does not allow me to use the Set-AzureADUser command in my runbook.

Is there a permission I may be missing or a process of running the runbook as the service principal? Currently I have an account that is part of the enterprise application authenticating on the runbook and the "run as" account.

Any help or guidance would be great.


Accepted answer
  1. Siva-kumar-selvaraj 15,566 Reputation points
    2021-02-05T12:40:36.587+00:00

    Hello @ASaurdiff ,

    Microsoft Graph API permissions only work with Microsoft Graph API level calls (https://graph.microsoft.com/), and the reason it was failing through PowerShell is that the AAD PowerShell V2 modules still use Azure AD Graph API (https://graph.windows.net) calls instead of Microsoft Graph API to retrieve AAD resource information; this is a known behavior of the AAD V2 PowerShell module.

    As we all know, "Azure AD Graph API" is on a deprecation path, so our product group is working on migrating the AAD module from Azure AD Graph API to Microsoft Graph API before it is fully deprecated.

    Therefore, you can either use an Azure AD role or an Azure AD Graph API permission for the service principal to delegate the permission.

    Alternatively, you could check out Microsoft Graph PowerShell for Azure AD automation, so you can granulate the permissions more by leveraging Microsoft Graph API permissions (like User.ReadWrite.All, User.Read.All, etc.). To know more, refer to this article.

    Here are some example cmdlets when you use Microsoft Graph PowerShell:

    To install the latest version, run Install-Module as Administrator, as here:
    Install-Module Microsoft.Graph -Repository PSGallery -force

    To see a list of all cmdlets (which is looong), use Get-Command -Module "Microsoft.Graph.*"

    Cmdlet to connect to Graph by using a service principal:

    Connect-Graph -AppId "447672e9-da89-123f-a2b5-99232a7bb08a" -CertificateThumbprint "2DBD6360F4D1EFB478BA1EF311F25CDA4ABA70BF"

    To get the top 10 users: Get-MgUser -Top 10 -Select Id, DisplayName, UserPrincipalName, UserType
    To get a user by ID: Get-MgUser -UserId "669fd118-a9bc-4125-ba79-c8d397810c2d"
    To update a user's attribute: Update-MgUser -UserId 669fd118-a9bc-4125-ba79-c8d397810c2d -JobTitle "IT Dept"

    [Screenshot: Graph PowerShell output]

    -----------------------------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
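The route the accepted answer describes, as an added runbook example that is not part of the original answer or of Microsoft's own samples: the runbook signs in to Microsoft Graph as the service principal with a certificate kept as an Automation asset, checks that it really got app-only access carrying the application permission it needs, and only then updates a user. The asset names 'GraphAppId', 'GraphTenantId' and 'GraphAutomationCert' are assumed placeholders for your own tenant's values.

```powershell
# Added example runbook (not from the original answer). Assumed asset names:
# 'GraphAppId' and 'GraphTenantId' (variable assets) and 'GraphAutomationCert'
# (certificate asset) are placeholders for your own values.
param(
    [Parameter(Mandatory = $true)][string] $UserPrincipalName,
    [Parameter(Mandatory = $true)][string] $JobTitle
)

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users

# Pull the app registration details and certificate from Automation assets,
# so no secret or password is embedded in the runbook text.
$appId    = Get-AutomationVariable -Name 'GraphAppId'
$tenantId = Get-AutomationVariable -Name 'GraphTenantId'
$cert     = Get-AutomationCertificate -Name 'GraphAutomationCert'

# App-only (client credential) sign-in: no signed-in user is involved, and the
# effective rights are exactly the application permissions admin-consented on
# the app registration (e.g. User.ReadWrite.All), nothing more.
Connect-MgGraph -ClientId $appId -TenantId $tenantId -Certificate $cert -ErrorAction Stop

# Guard: confirm the session is app-only and holds the one permission this
# runbook needs; fail fast rather than surfacing a confusing 403 later on.
$ctx = Get-MgContext
if ($ctx.AuthType -ne 'AppOnly') {
    throw "Expected app-only authentication, got '$($ctx.AuthType)'."
}
if ($ctx.Scopes -notcontains 'User.ReadWrite.All') {
    throw "Service principal lacks User.ReadWrite.All. Granted: $($ctx.Scopes -join ', ')"
}

try {
    # Resolve the user first so the write targets a known object id.
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,DisplayName,JobTitle -ErrorAction Stop
    Write-Output "Updating $($user.DisplayName) ($($user.Id)): '$($user.JobTitle)' -> '$JobTitle'"

    Update-MgUser -UserId $user.Id -JobTitle $JobTitle -ErrorAction Stop
    Write-Output "Update succeeded."
}
finally {
    # Always drop the token from the runbook sandbox when done.
    Disconnect-MgGraph | Out-Null
}
```

Because the runbook never uses the AzureAD module, it does not depend on the Azure AD Graph endpoint the accepted answer says Set-AzureADUser still calls, and the Get-MgContext check makes any permission gap visible in the job output instead of in a generic error.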


1 additional answer

  1. Siva-kumar-selvaraj 15,566 Reputation points
    2021-02-02T13:28:59.943+00:00

    Hello @ASaurdiff ,

    Thanks for reaching out.

    Try assigning the "Azure AD Directory Writers" role to the Azure runbook service principal from "Roles and administrators" in Azure AD, as shown in the screenshot below. I had tested it on my tenant and it works as expected.
    [Screenshot: Azure AD Directory Writers role assignment]

    --------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.