JesusChao-6831 asked:

Connect-AzureAD using Managed Identity without Azure AD Graph Token

Recently, we received an email in regards to the retirement of Azure AD Graph. We understand that the retirement has been postponed to December 31, 2022.

I use the Connect-AzureAD PowerShell cmdlet to connect to Azure AD in Azure Automation using the system-assigned managed identity. I noticed that our function uses both the MS Graph token and the Azure AD Graph token. When I attempted to remove the Azure AD Graph token from the string, the Connect-AzureAD cmdlet does not work.

Can someone tell me if there is something I am missing when it comes to connecting to Azure AD using a system-assigned managed identity within Azure Automation? If Azure AD Graph is retiring soon, how am I supposed to remove this parameter if it does not work?

 # Authenticate the runbook as the Automation account's system-assigned managed identity
 $AzureContext1 = Connect-AzAccount -Identity
 $global:AzureContext = Set-AzContext -SubscriptionName $AzureContext1.Context.Subscription -DefaultProfile $AzureContext1.Context
 # Token for Microsoft Graph (graph.microsoft.com)
 $global:GraphToken = Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com/"

 # Original code that works, using both the MS Graph and the Azure AD Graph tokens
 #$global:AzAdToken = Get-AzAccessToken -ResourceUrl "https://graph.windows.net" -ErrorAction Stop
 #Connect-AzureAD -AccountId $AzureContext.Account.Id -TenantId $AzureContext.Tenant.Id -AadAccessToken $AzAdToken.Token -MsAccessToken $GraphToken.Token -ErrorAction Stop | Out-Null

 # Removing the Azure AD Graph parameter
 Connect-AzureAD -AccountId $AzureContext.Account.Id -TenantId $AzureContext.Tenant.Id -MsAccessToken $GraphToken.Token | Out-Null
 Disconnect-AzAccount

Error when -AadAccessToken parameter is removed.
Cannot process command because of one or more missing mandatory parameters: AadAccessToken

Tags: azure-active-directory, azure-automation

@JesusChao-6831, Apologies for the delayed response. I'm checking it and I will get back to you soon. Thank you

AnuragSingh-MSFT answered:

Hi @JesusChao-6831

Welcome to Microsoft Q&A! Thanks for posting the question.

I understand that you are trying to migrate your Azure Automation Runbooks from Azure AD Graph to Microsoft Graph. Based on the doc here, Microsoft Graph is similar to the earlier Azure Active Directory (Azure AD) Graph. In many cases, simply change the endpoint service name and version in your code, and everything should continue to work. You may also refer to FAQ here for additional details: Azure AD Graph to Microsoft Graph migration FAQ.


Update 04/20
As part of this migration, users of the AzureAD PowerShell module need to migrate to Microsoft Graph PowerShell. Based on the migration guide, Azure AD PowerShell will continue to function after June 2022 to allow users more time to migrate to Microsoft Graph PowerShell. Please refer to the migration guide for PowerShell here: Azure AD PowerShell to Microsoft Graph PowerShell migration FAQ.

Also, please refer to this GitHub issue for using Microsoft Graph PowerShell SDK with Managed Identity.

Feel free to reach out to us in case you have any questions.


Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.


I did not get an error message. HOWEVER, when you run an Azure AD cmdlet, you get the following error:

Error occurred while executing GetUser
Code: Authentication_ExpiredToken
Message: Your access token has expired. Please renew it before submitting the request.
HttpStatusCode: Unauthorized
HttpStatusDescription: Unauthorized
HttpResponseStatus: Completed


@JesusChao-6831, thank you for the update. I am checking this further, and I will update this thread/answer.


@JesusChao-6831, I am sorry for the missing information in my answer above. I have added it and have removed some incorrect ones from the answer.

To summarize: as part of this migration, users of the AzureAD PowerShell module need to migrate to Microsoft Graph PowerShell. Based on the migration guide, Azure AD PowerShell will continue to function after June 2022 to allow users more time to migrate to Microsoft Graph PowerShell. Please refer to the migration guide for PowerShell here: Azure AD PowerShell to Microsoft Graph PowerShell migration FAQ.

Also, please refer to this GitHub issue for using Microsoft Graph PowerShell SDK with Managed Identity.


Please 'Accept as answer' if it helped so that it can help others in the community looking for help on similar topics.


Wait - so you completely changed your answer here.

So what you are saying here is that there is no solution for the AzureAD module in regards to retiring the -AadAccessToken parameter. Also, you are saying that the AzureAD module itself is being retired? This is the first I have heard of that.

We are already using Graph for other runbooks so this may not be an issue. If you are pushing everyone to Graph instead of addressing this issue in the AzureAD module, it would be nice if you updated the documentation for the AzureAD module to say that this module is being retired.

Thanks.


Also, I'd like to add that using the Microsoft Graph module with a managed identity is not very good. We are using tokens because it's the easiest way to connect at the moment. Microsoft needs to consider allowing a connection to Graph with the -Identity parameter, as the Connect-AzAccount function does.

Thanks,


@JesusChao-6831, I am sorry for the unpleasant experience. I am reaching out to our team to get more insights into it. Thank you.


@JesusChao-6831, the AzureAD PowerShell module is planned to be deprecated, and related information will be added to the AzureAD PowerShell module documentation in future. This has not happened yet, as we announced that the Azure AD Graph API will not retire on June 30, 2022, but later. Please refer to this link for more details: Azure AD: Change Management Simplified

In light of the announcement to not turn off the Azure AD Graph API on June 30th, our goal is to also provide guidance and tools for migrating existing scripts and PowerShell processes, reliant on the Azure AD Graph API and MSOnline module, to the Microsoft Graph PowerShell SDK. Therefore, you may continue to use AzureAD module for now until the deprecation date is updated.

Regarding Microsoft Graph PS module support with Managed Identity, we have an open item for it, and it's being tracked here: Add Support for Managed Service Identity. Please feel free to use the suggested workaround in this issue, until the support for MI is added with Microsoft Graph cmdlet.

Please let me know if you have any questions.


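The comment above points at a workaround for using the Microsoft Graph PowerShell SDK from a managed identity without describing it. The following is an added runbook example, not code from this thread or from Microsoft's documentation, showing the token-based approach end to end: the runbook obtains a Microsoft Graph token as the system-assigned identity, checks the token's claims before trusting it, and hands it to Connect-MgGraph, with no graph.windows.net token anywhere. It assumes Az.Accounts, Microsoft.Graph.Authentication and Microsoft.Graph.Users are imported into the Automation account, that Microsoft.Graph is version 2.x (whose -AccessToken parameter takes a SecureString), and that the identity has already been granted the Graph application roles it needs. The Get-JwtPayload helper is written for this example.

```powershell
# Added example: Azure Automation runbook connecting to Microsoft Graph PowerShell
# with the system-assigned managed identity. Assumes Az.Accounts and
# Microsoft.Graph.* 2.x are imported into the Automation account.

# Do not inherit a context from the sandbox
Disable-AzContextAutosave -Scope Process | Out-Null

# Authenticate as the managed identity; no credentials are stored in the runbook
$null = Connect-AzAccount -Identity -ErrorAction Stop

# Request a token for Microsoft Graph only (no Azure AD Graph / graph.windows.net).
# Newer Az.Accounts releases return .Token as a SecureString, older ones as a
# plain string; normalise to SecureString, which Connect-MgGraph 2.x expects.
$tokenObj    = Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com/' -ErrorAction Stop
$accessToken = if ($tokenObj.Token -is [securestring]) {
    $tokenObj.Token
} else {
    ConvertTo-SecureString -String $tokenObj.Token -AsPlainText -Force
}

# Helper (written for this example): decode the JWT payload so its claims can be
# inspected. Signature verification is deliberately not done here; Graph verifies
# the signature, we only want to fail early on a token for the wrong audience.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

$claims = Get-JwtPayload -Jwt ([Net.NetworkCredential]::new('', $accessToken).Password)

# A Graph token carries Graph's URL or its well-known appId as audience
if ($claims.aud -notin @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')) {
    throw "Token audience is '$($claims.aud)', not Microsoft Graph; check -ResourceUrl."
}
# Application permissions granted to the identity show up in the 'roles' claim;
# without them every Graph call will be rejected with 403 regardless of the token
if (-not $claims.roles) {
    throw 'Token carries no application roles; assign Microsoft Graph app roles to the managed identity.'
}
$secondsLeft = $claims.exp - [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
Write-Output "Graph token OK: roles=$($claims.roles -join ','), expires in ${secondsLeft}s"

# Hand the token to the Graph SDK. (Microsoft.Graph 2.x also offers
# Connect-MgGraph -Identity, which fetches the token itself; use that where available.)
Connect-MgGraph -AccessToken $accessToken -NoWelcome -ErrorAction Stop

# Microsoft Graph replacement for the AzureAD cmdlet that failed in the question
Get-MgUser -Top 3 -Property DisplayName, UserPrincipalName |
    Select-Object DisplayName, UserPrincipalName

Disconnect-MgGraph  | Out-Null
Disconnect-AzAccount | Out-Null
```

The claim check is the practical point: a token issued for graph.microsoft.com is silently useless to the AzureAD module (which talks to graph.windows.net), and a Graph token without a roles claim means the identity was never granted application permissions, which is the usual cause of an unattended runbook authenticating fine and then failing on its first query.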
RahulMahajan-9579 answered:

@JesusChao-6831

Try the code below:

 # Ensures you do not inherit an AzContext in your runbook
 Disable-AzContextAutosave -Scope Process | Out-Null

 # Connect using a Managed Service Identity
 try {
     $AzureContext = (Connect-AzAccount -Identity).Context
 }
 catch {
     Write-Output "There is no system-assigned user identity. Aborting."
     exit
 }

 # Set and store context
 $AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription `
     -DefaultProfile $AzureContext

 # Query directory users through Az.Resources (no AzureAD module required)
 Get-AzADUser | Select-Object -First 3

Just make sure your system-assigned identity has the correct permissions.

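The answer above ends with "make sure your system-assigned identity has the correct permissions" but does not show how those are granted. An Automation account's system-assigned identity is a service principal with no directory permissions at all by default; reading users requires a Microsoft Graph application role (for example User.Read.All) assigned to that service principal, and because it is an application permission the assignment has to be made out of band by an administrator, not by the runbook. The following is an added example, not part of this thread, that performs and verifies that assignment with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications, 2.x assumed). It is run once, interactively, by a user who can consent to application permissions; the Automation account name is a placeholder.

```powershell
# Added example: grant the Automation account's system-assigned managed identity
# a Microsoft Graph application role and verify it. Run interactively as an
# administrator who can consent to application permissions, not from the runbook.

$automationAccountName = 'my-automation-account'   # placeholder: your Automation account name
$requiredAppRoles      = @('User.Read.All')        # least privilege: only what the runbook actually calls

Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

# The managed identity is a service principal whose display name is the Automation account name
$miSp = @(Get-MgServicePrincipal -Filter "displayName eq '$automationAccountName'" -ErrorAction Stop)
if ($miSp.Count -eq 0) { throw "No service principal named '$automationAccountName'; is the system-assigned identity enabled?" }
if ($miSp.Count -gt 1) { throw "Display name is ambiguous; look the identity up by its object id instead." }
$miSp = $miSp[0]

# Microsoft Graph's own service principal; this appId is the same in every tenant
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'" -ErrorAction Stop

# Existing assignments, fetched once so the loop is idempotent
$current = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id }

foreach ($roleValue in $requiredAppRoles) {
    # Resolve the permission string to Graph's app role; only 'Application' roles can be
    # assigned to a service principal (delegated scopes do not apply to unattended code)
    $role = $graphSp.AppRoles |
        Where-Object { $_.Value -eq $roleValue -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "Microsoft Graph exposes no application role '$roleValue'." }

    if ($current | Where-Object { $_.AppRoleId -eq $role.Id }) {
        Write-Output "$roleValue is already assigned to $($miSp.DisplayName)"
        continue
    }

    $null = New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id `
        -PrincipalId $miSp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id -ErrorAction Stop
    Write-Output "Assigned $roleValue to $($miSp.DisplayName)"
}

# Verify: list every Graph application role the identity now holds
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { ($graphSp.AppRoles | Where-Object { $_.Id -eq $_.AppRoleId }).Value }

Disconnect-MgGraph | Out-Null
```

The role values assigned here are exactly what appears in the roles claim of any token the runbook later obtains for Microsoft Graph, so a runbook that authenticates but then gets 403 Forbidden on Get-AzADUser or Get-MgUser can be diagnosed by comparing that claim against this list. Keep the list to the minimum the runbook needs; Directory.Read.All or Directory.ReadWrite.All on an identity that only enumerates users is a standing over-grant.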

Hi - I stopped using the AzureAD PS module in unattended scripts based on the answer from MSFT in this post. Thanks for the suggestion but we have moved on.

Thanks!
