Adding PIM roles using automation account

cthivierge 4,056 Reputation points
2022-04-07T18:11:50.7+00:00

Hi,

I want to create a runbook that will add a specific role on a user account for a short period of time.

I decided to create a PS script and it's working well on my computer.

# Interactive sign-in (works on a workstation, not in a runbook)
Connect-AzureAD

$tenantID = "MyTenantID"   # Replace with your tenant ID
$roleDisplayName = "Global Administrator"
# Resolve the directory role definition by its display name
$roleDefinitionID = (Get-AzureADMSRoleDefinition -Filter "DisplayName eq '$roleDisplayName'").Id
$targetuserID = (Get-AzureADUser -ObjectId MyUser@Mydomain.com).ObjectId # Replace user ID

# One-off schedule: starts now, ends in 6 hours (UTC, ISO 8601 with milliseconds)
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$schedule.EndDateTime = ((Get-Date).AddHours(6)).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")

# Create temporary active role assignment
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $tenantID -RoleDefinitionId $roleDefinitionID -SubjectId $targetuserID -Type 'adminAdd' -AssignmentState 'Active' -Schedule $schedule -Reason "Adding MyUser to Global Admins for 6 hours"

This script is working well on my computer. But when I try to run this in a runbook in Automation Account, it's not working... I receive several errors.
So I decided to try using a Hybrid Worker and to run this script from a VM.

I'm able to go further but I still receive an error, but I think that I'm really close to being happy :)

Open-AzureADMSPrivilegedRoleAssignmentRequest : Error occurred while executing OpenAzureADMSPrivilegedRoleAssignmentRequest
Code: UnauthorizedAccessException
Message: Attempted to perform an unauthorized operation.
InnerError:
  RequestId: 394b84ad-91ad-461f-996f-5bba42fe9742
  DateTimeStamp: Thu, 07 Apr 2022 18:07:59 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:77 char:1
+ Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Open-AzureADMSP...signmentRequest], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.OpenAzureADMSPrivilegedRoleAssignmentRequest

Any idea what could cause this issue?

My automation account already has several permissions:
Microsoft.Graph / PrivilegeAccess.ReadAzureAD Type Application
Microsoft.Graph / PrivilegeAccess.ReadWriteAzureAD Type Application
It also has the "Privileged Role Administrator" role.
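A runbook-oriented variant of the script above, added here as an illustration (it is not the poster's code and not from Microsoft). It assumes Az.Accounts and AzureADPreview are available to the runbook or Hybrid Worker, that the Automation account's system-assigned managed identity is enabled, and that this identity has been granted the Graph permission or directory role required for the request; it also assumes an Az.Accounts version in which Get-AzAccessToken returns the token as plain text.

```powershell
# Added example, not the original script. Placeholders are marked as such.
param(
    [Parameter(Mandatory)] [string] $TargetUserUpn,
    [string] $RoleDisplayName = "Global Administrator",
    [int]    $Hours = 6,
    [string] $Reason = "Temporary elevation via runbook"
)

$MaxHours = 8   # hard upper bound: a runbook should never hand out open-ended access

# Non-interactive sign-in with the managed identity. Connect-AzureAD expects
# tokens for both the legacy AAD Graph and the Microsoft Graph audiences.
Connect-AzAccount -Identity | Out-Null
$tenantId   = (Get-AzContext).Tenant.Id
$aadToken   = (Get-AzAccessToken -ResourceUrl "https://graph.windows.net").Token
$graphToken = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com").Token
Connect-AzureAD -AadAccessToken $aadToken -MsAccessToken $graphToken `
    -AccountId "<managed-identity-application-id>" -TenantId $tenantId | Out-Null  # placeholder

# Resolve inputs and fail loudly instead of submitting a half-formed request.
$roleDefinitionId = (Get-AzureADMSRoleDefinition -Filter "DisplayName eq '$RoleDisplayName'").Id
if (-not $roleDefinitionId) { throw "Role '$RoleDisplayName' not found" }
$targetUserId = (Get-AzureADUser -ObjectId $TargetUserUpn).ObjectId
if (-not $targetUserId) { throw "User '$TargetUserUpn' not found" }
$Hours = [Math]::Min($Hours, $MaxHours)

# One-off schedule in UTC, clamped to the maximum duration above.
$fmt = "yyyy-MM-ddTHH:mm:ss.fffZ"
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type          = "Once"
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString($fmt)
$schedule.EndDateTime   = (Get-Date).AddHours($Hours).ToUniversalTime().ToString($fmt)

$request = Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' `
    -ResourceId $tenantId -RoleDefinitionId $roleDefinitionId -SubjectId $targetUserId `
    -Type 'adminAdd' -AssignmentState 'Active' -Schedule $schedule -Reason $Reason
Write-Output "Request $($request.Id) submitted, status: $($request.Status)"

# Read back what PIM actually recorded so the job log shows the resulting assignment.
Get-AzureADMSPrivilegedRoleAssignment -ProviderId 'aadRoles' -ResourceId $tenantId `
    -Filter "subjectId eq '$targetUserId' and roleDefinitionId eq '$roleDefinitionId'" |
    Select-Object AssignmentState, StartDateTime, EndDateTime
```

If the managed identity lacks the prerequisite permission, the Open-AzureADMSPrivilegedRoleAssignmentRequest call fails with the same Forbidden error shown in the question, so the read-back step doubles as a check that the grant took effect.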


1 answer

  1. AnuragSingh-MSFT 20,996 Reputation points
    2022-04-12T08:15:56.437+00:00

    Hi @cthivierge ,

    Thanks for posting the question. Apologies for the delayed response.

    Based on the error, it seems to be related to an authorization issue (the run-as account does not have enough permission to perform this operation). While navigating through the AzureADPreview module's documentation, I came across the RBAC requirements for role assignments - Prerequisites for role assignment. According to it:

    [Screenshot: "Prerequisites for role assignment" section of the AzureADPreview module documentation]

    This does not seem to be related to Azure Automation; however, to rule it out, you may also use the same account to run the script outside Automation (using PowerShell on a machine) and see if that works.

    Please let me know if you have any questions.

    ---
    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.