Permission error when running Add-AzureADGroupMember in an Azure RunBook

DaleMontgomery-3783 6 Reputation points
2022-05-12T23:52:18.737+00:00

Permission error when running Add-AzureADGroupMember in an Azure PowerShell RunBook:

Error occurred while executing AddGroupMember
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.

Running Set-AzureADUser does not produce an error, but also doesn't alter the JobTitle attribute.

Editing Exchange-related attributes like the default email address and additional email addresses is successful.

This Azure Automation account uses a Certificate and an Azure RunAsAccount. The RunAsAccount has the Role "Contributor" assigned.

Permissions granted via the App Registration API are shown in this image:

201669-permissions.jpg

What API permissions are needed to permit Add-AzureADGroupMember and Set-AzureADUser to be successful?

Azure Automation

3 answers

  1. DaleMontgomery-3783 6 Reputation points
    2022-05-13T12:59:43.617+00:00

    Tested assignment of Global Administrator Role to the RunAsAccount via

    # Look up the activated Global Administrator role by display name and add the service principal to it
    Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Global Administrator" }).ObjectId -RefObjectId $servicePrincipalObjectId

    and it permits the RunBook to make changes to the Azure user and Azure group.

    This is unacceptable as a solution because of granting too much permission.


  2. DaleMontgomery-3783 6 Reputation points
    2022-05-13T13:16:13.427+00:00

    Created custom Azure Roles using the built-in Azure Role templates:

    # Activate the Groups Administrator role from its built-in template, then add the service principal as a member
    Enable-AzureADDirectoryRole -RoleTemplateId "fdd7a751-b60b-444a-984c-02652fe8fa1c"
    Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Groups Administrator" }).ObjectId -RefObjectId $servicePrincipalObjectId

    # Activate the User Administrator role from its built-in template, then add the service principal as a member
    Enable-AzureADDirectoryRole -RoleTemplateId "fe930be7-5e62-47db-91af-98c3a49a38b1"
    Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "User Administrator" }).ObjectId -RefObjectId $servicePrincipalObjectId
    

    Additionally we removed the API permissions "GroupMember.ReadWrite.All" and "User.ReadWrite.All" (seen in the image above) and the RunBook can still edit Azure users and Azure groups.

    This resolved the problem, with the minimal permissions we need.

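The procedure in the two answers above (activate the role templates, add the Run As service principal, and confirm it does not also hold Global Administrator), as an added example script that is not part of the original thread. It uses only the AzureAD module cmdlets already quoted on this page, assumes Connect-AzureAD has already been run with an account allowed to manage role assignments, and takes the service principal's object ID as a parameter; the allow list and the Write-Warning audit at the end are this example's own additions.

```powershell
# Added example, not from the original post. Idempotently activate the two
# directory roles used in the answer above, add the Run As service principal
# to them, then list every directory role the principal holds and flag any
# role outside the allow list (Global Administrator in particular).
# Assumes the AzureAD module is loaded and Connect-AzureAD has already been run.
param(
    # Object ID of the Run As account's service principal (placeholder; take the
    # real value from Get-AzureADServicePrincipal).
    [Parameter(Mandatory = $true)]
    [string]$ServicePrincipalObjectId
)

# Role template IDs quoted in the answer above, keyed by display name.
$allowedRoles = @{
    'Groups Administrator' = 'fdd7a751-b60b-444a-984c-02652fe8fa1c'
    'User Administrator'   = 'fe930be7-5e62-47db-91af-98c3a49a38b1'
}

foreach ($entry in $allowedRoles.GetEnumerator()) {
    $displayName = $entry.Key
    $templateId  = $entry.Value

    # Get-AzureADDirectoryRole only lists roles already activated in the tenant,
    # so match on RoleTemplateId and activate the template if it is missing.
    $role = Get-AzureADDirectoryRole | Where-Object { $_.RoleTemplateId -eq $templateId }
    if (-not $role) {
        Write-Host "Activating directory role '$displayName' from template $templateId"
        Enable-AzureADDirectoryRole -RoleTemplateId $templateId | Out-Null
        $role = Get-AzureADDirectoryRole | Where-Object { $_.RoleTemplateId -eq $templateId }
    }

    # Only add the principal if it is not already a member, so the script can be
    # re-run safely instead of failing on a duplicate assignment.
    $alreadyMember = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Where-Object { $_.ObjectId -eq $ServicePrincipalObjectId }
    if (-not $alreadyMember) {
        Write-Host "Adding $ServicePrincipalObjectId to '$displayName'"
        Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $ServicePrincipalObjectId
    }
}

# Audit: walk every activated role and collect the ones this principal is a member of.
$held = foreach ($role in Get-AzureADDirectoryRole) {
    $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
    if ($members.ObjectId -contains $ServicePrincipalObjectId) { $role.DisplayName }
}

Write-Host "Directory roles held by $ServicePrincipalObjectId :" ($held -join ', ')

# Any role not on the allow list (for example Global Administrator left over from the
# first answer's test) defeats the least-privilege goal, so surface it explicitly.
$excess = $held | Where-Object { -not $allowedRoles.ContainsKey($_) }
if ($excess) {
    Write-Warning ("Unexpected directory roles on the Run As principal: " + ($excess -join ', '))
}
```

Run it as `.\Set-RunAsRoles.ps1 -ServicePrincipalObjectId <objectId>` after Connect-AzureAD; the warning at the end is the check worth keeping in a scheduled audit, since a role added during troubleshooting (as in the first answer) otherwise stays behind silently.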

  3. tbgangav-MSFT 10,416 Reputation points
    2022-05-17T09:01:20.73+00:00

    Hi @Anonymous,

    Glad to know that you have self-resolved the question and thanks for sharing it. This would be of great help for other community users who might be looking for similar information.

