Hi,
I want to create a runbook that will add a specific role to a user account for a short period of time.
I decided to create a PS script, and it's working well on my computer:
```powershell
Connect-AzureAD
$tenantID = "MyTenantID"   # placeholder: replace with the tenant (directory) ID
$roleDisplayName = "Global Administrator"
# Resolve the directory role definition ID from its display name
$roleDefinitionID = (Get-AzureADMSRoleDefinition -Filter "DisplayName eq '$roleDisplayName'").Id
# Resolve the target user's object ID from the UPN
$targetuserID = (Get-AzureADUser -ObjectId "*****@Mydomain.com").ObjectId # Replace user ID
# One-time schedule: active now, expires in 6 hours (timestamps must be UTC, ISO 8601)
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$schedule.EndDateTime = ((Get-Date).AddHours(6)).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
# Create temporary active role assignment
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $tenantID -RoleDefinitionId $roleDefinitionID -SubjectId $targetuserID -Type 'adminAdd' -AssignmentState 'Active' -Schedule $schedule -Reason "Adding MyUser to Global Admins for 6 hours"
```
This script is working well on my computer. But when I try to run this in a runbook in an Automation Account, it's not working... I receive several errors.
So I decided to try using a Hybrid Worker and to run this script from a VM.
I'm able to go further, but I still receive an error. I think I'm really close to being happy :)
```text
Open-AzureADMSPrivilegedRoleAssignmentRequest : Error occurred while executing OpenAzureADMSPrivilegedRoleAssignmentRequest
Code: UnauthorizedAccessException
Message: Attempted to perform an unauthorized operation.
InnerError:
  RequestId: 394b84ad-91ad-461f-996f-5bba42fe9742
  DateTimeStamp: Thu, 07 Apr 2022 18:07:59 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:77 char:1
+ Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Open-AzureADMSP...signmentRequest], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.OpenAzureADMSPrivilegedRoleAssignmentRequest
```
Any idea what could cause this issue?
My automation account already has several permissions:
Microsoft.Graph / PrivilegeAccess.ReadAzureAD Type Application
Microsoft.Graph / PrivilegeAccess.ReadWriteAzureAD Type Application
It also has the "Privileged role administrator" role.