question

DaleMontgomery-8740 asked tbgangav-MSFT commented

Permission error when running Add-AzureADGroupMember in an Azure RunBook

Permission error when running Add-AzureADGroupMember in an Azure PowerShell RunBook:

Error occurred while executing AddGroupMember
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.


Running Set-AzureADUser does not produce an error, but also doesn't alter the JobTitle attribute.

Editing Exchange-related attributes like the default email address and additional email addresses is successful.


This Azure Automation account uses a Certificate and an Azure RunAsAccount. The RunAsAccount has the Role "Contributor" assigned.

Permission granted via App Registration API are seen in this image:


201669-permissions.jpg


What API permissions are needed to permit Add-AzureADGroupMember and Set-AzureADUser to succeed?


azure-automation

DaleMontgomery-8740 answered DaleMontgomery-8740 edited

Tested assignment of Global Administrator Role to the RunAsAccount via

Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "Global Administrator"}).Objectid -RefObjectId $servicePrincipalObjectId

and it permits the RunBook to make changes to the Azure user and Azure group.

This is unacceptable as a solution because it grants too much permission.


DaleMontgomery-8740 answered tbgangav-MSFT commented

Created custom Azure Roles using the built-in Azure Role templates:

 # enable Groups Administrator from template
 # (Get-AzureADDirectoryRole only lists roles that have been enabled once, so enable first)
 Enable-AzureADDirectoryRole -RoleTemplateId "fdd7a751-b60b-444a-984c-02652fe8fa1c"
 Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq "Groups Administrator"}).ObjectId -RefObjectId $servicePrincipalObjectId

 # enable User Administrator from template
 Enable-AzureADDirectoryRole -RoleTemplateId "fe930be7-5e62-47db-91af-98c3a49a38b1"
 Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq "User Administrator"}).ObjectId -RefObjectId $servicePrincipalObjectId

Additionally, we removed the API permissions "GroupMember.ReadWrite.All" and "User.ReadWrite.All" (seen in the image above), and the RunBook can still edit Azure users and Azure groups.

This resolved the problem, with the minimal permissions we need.

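The two answers above (the rejected Global Administrator test and the accepted Groups Administrator / User Administrator assignment) both do the same thing: add the Run As service principal to a directory role. The script below is an added example, not code from the original thread, that performs the accepted assignment in a repeatable way. It assumes the AzureAD module is installed, that you run it from an administrative session (not from the runbook itself) as an account allowed to manage role assignments, and that $runAsAppId is the Application (client) ID shown on the Automation account's Run As account blade. The role template IDs are the two from the answer above; $runAsAppId, $roleTemplates and the output messages are this example's own names.

```powershell
param(
    [Parameter(Mandatory = $true)]
    [string] $runAsAppId   # assumption: Application (client) ID of the Run As account
)

Connect-AzureAD | Out-Null

# Built-in directory role template IDs, the same two the answer above enabled.
$roleTemplates = @{
    'Groups Administrator' = 'fdd7a751-b60b-444a-984c-02652fe8fa1c'
    'User Administrator'   = 'fe930be7-5e62-47db-91af-98c3a49a38b1'
}

# Resolve the Run As service principal from its application ID rather than by
# display name, since Run As apps get generated names like "<account>_<random>".
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$runAsAppId'"
if (-not $sp) { throw "No service principal found for appId $runAsAppId" }

foreach ($roleName in $roleTemplates.Keys) {
    $templateId = $roleTemplates[$roleName]

    # Get-AzureADDirectoryRole only returns roles that have been activated at
    # least once in the tenant; until then the lookup yields nothing, which is
    # why the answer above had to call Enable-AzureADDirectoryRole first.
    # Enabling an already-enabled role throws, so check before enabling.
    $role = Get-AzureADDirectoryRole | Where-Object { $_.RoleTemplateId -eq $templateId }
    if (-not $role) {
        Enable-AzureADDirectoryRole -RoleTemplateId $templateId | Out-Null
        $role = Get-AzureADDirectoryRole | Where-Object { $_.RoleTemplateId -eq $templateId }
    }
    if (-not $role) { throw "Role template $templateId ($roleName) could not be enabled" }

    # Adding a principal that is already a member also throws, so skip duplicates.
    $isMember = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
                Where-Object { $_.ObjectId -eq $sp.ObjectId }
    if ($isMember) {
        Write-Output "$($sp.DisplayName) is already a member of '$roleName'"
        continue
    }

    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
    Write-Output "Added $($sp.DisplayName) to '$roleName'"
}

# Verification: list every enabled directory role the Run As principal holds.
# Anything beyond the two roles above (for example a leftover Global
# Administrator membership from the earlier test) shows up here and can be
# removed with Remove-AzureADDirectoryRoleMember.
Get-AzureADDirectoryRole |
    Where-Object { (Get-AzureADDirectoryRoleMember -ObjectId $_.ObjectId).ObjectId -contains $sp.ObjectId } |
    Select-Object DisplayName, RoleTemplateId
```

Run the script once per Run As account; re-running it is safe because both the enable and the add are guarded. The verification output is the check to keep: the runbook's effective rights are the union of its directory roles and its application API permissions, so after removing GroupMember.ReadWrite.All and User.ReadWrite.All as the answer describes, the two roles listed here should be the only write access the principal has to users and groups. The AzureAD module used throughout this thread has since been retired in favour of Microsoft Graph PowerShell; the role template IDs are the same there.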

Hi @DaleMontgomery-8740,

Glad to know that you have self-resolved the question and thanks for sharing it. This would be of great help for other community users who might be looking for similar information.
