How to use Azure Automation Account to query Azure AD with Managed Identity

suman saha
4 min read · Mar 14, 2023


As we all know, Azure Automation Run As accounts will retire on September 30, 2023 and will be replaced with Managed Identities. So, before that deadline, we need to start migrating our runbooks to use managed identities. Microsoft has provided a detailed step-by-step guide for such a migration from Run As accounts to Managed Identity here. However, it mostly covers RBAC scenarios, for example reading a secret from Key Vault through a PowerShell runbook within the security context of the Managed Identity of the Automation account, which holds a Secret Reader role.

Here I will cover how we can interact with an Azure AD tenant from an automation account through a PowerShell runbook, within the context of a Managed Identity (either System- or User-assigned). I will not use a client secret or a certificate, to avoid the periodic maintenance overhead of rotating those.

Prerequisites

  • An Azure Subscription.
  • An Azure Automation Account with a System-Assigned Identity (see here for how to create one).

Let’s build it up!

The first thing we need is to grant some relevant permissions to the Managed Identity of the Automation Account. This will enable the security principal to read the tenant directory and/or users, groups and so on.

Locate the security principal corresponding to the automation account in your Azure AD tenant. Typically the name of the identity is the same as the name of the automation account (or copy the object ID GUID from the Identity blade of the automation account).

Depending on what license you have on your tenant, you can achieve this in one of the following ways.

Free tier or other non-Premium licenses

Execute the following Azure CLI script from a bash shell. Make sure you log in as a Global Administrator.

# az login   # Uncomment if running from outside Azure Cloud Shell (bash) - https://shell.azure.com/

accountName="Your automation Account Name"

# Object (principal) ID of the automation account's system-assigned identity
spId=$(az resource list -n "$accountName" --query "[*].identity.principalId" --output tsv)

# Service principal of Microsoft Graph in this tenant (the resource that owns the app roles).
# --display-name matches by prefix, so verify the result is the Microsoft Graph principal
# (appId 00000003-0000-0000-c000-000000000000) before proceeding.
graphResourceId=$(az ad sp list --display-name "Microsoft Graph" --query "[0].id" --output tsv)

uri="https://graph.microsoft.com/v1.0/servicePrincipals/$spId/appRoleAssignments"

# Grant the Group.Read.All application permission
appRoleId=$(az ad sp list --display-name "Microsoft Graph" --query "[0].appRoles[?value=='Group.Read.All' && contains(allowedMemberTypes, 'Application')].id" --output tsv)
body="{'principalId':'$spId','resourceId':'$graphResourceId','appRoleId':'$appRoleId'}"
az rest --method post --uri "$uri" --body "$body" --headers "Content-Type=application/json"

# Grant the User.Read.All application permission
appRoleId2=$(az ad sp list --display-name "Microsoft Graph" --query "[0].appRoles[?value=='User.Read.All' && contains(allowedMemberTypes, 'Application')].id" --output tsv)
body="{'principalId':'$spId','resourceId':'$graphResourceId','appRoleId':'$appRoleId2'}"
az rest --method post --uri "$uri" --body "$body" --headers "Content-Type=application/json"

Once you execute the above script, the following Microsoft Graph application permissions are added to the security principal of the automation account: Group.Read.All and User.Read.All.

If you have a P2 license

  • Open Azure AD Privileged Identity Management (PIM).
  • Under the Manage blade, select Azure AD roles.
  • Then click Roles, again under the Manage blade.
  • Add an assignment of the Directory Readers role to the Managed Identity of the Automation Account.
  • Set it as permanently active for uninterrupted service (or eligible, if your organizational policy does not allow a permanently active assignment).

Let’s create a runbook now!

Create a PowerShell runbook from within your automation account. I used v5.1. The runbook below uses the Az.Accounts and Microsoft.Graph modules (Microsoft.Graph.Authentication, Microsoft.Graph.Users and Microsoft.Graph.Groups), which must be imported into the automation account before it runs.

"Logging in to Azure..."
Connect-AzAccount -Identity

$Token = Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com/"
"Token obtained..."

Notice the -Identity parameter of the Connect-AzAccount cmdlet. It lets the runbook log in as the current identity, i.e. the Managed Identity of the automation account.

Next, get a raw access token for Microsoft Graph by calling the Get-AzAccessToken cmdlet, and pass it to Connect-MgGraph.

Connect-MgGraph -AccessToken $Token.Token

Then call cmdlets such as Get-MgUser or Get-MgGroup.

The full runbook looks like this.

try {
    "Logging in to Azure..."
    # Authenticate as the Managed Identity of the automation account
    Connect-AzAccount -Identity

    # Request an access token for Microsoft Graph in the context of that identity
    $Token = Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com/"
    "Token obtained..."

    # Note: Microsoft.Graph 2.x expects -AccessToken as a SecureString, while
    # Az.Accounts 2.x returns $Token.Token as a plain string; convert with
    # ConvertTo-SecureString -AsPlainText -Force if your module versions differ.
    Connect-MgGraph -AccessToken $Token.Token

    Write-Host "USERS:"
    Write-Host "======================================================"
    # List first 50 users
    Get-MgUser -Property "id,displayName" -PageSize 50 | Format-Table DisplayName, Id

    Write-Host "GROUPS:"
    Write-Host "======================================================"
    # List first 50 groups
    Get-MgGroup -Property "id,displayName" -PageSize 50 | Format-Table DisplayName, Id

    # Disconnect
    Disconnect-MgGraph
}
catch {
    Write-Error -Message $_.Exception
    throw $_.Exception
}
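As an added example (not from the original post), here is a check you can place in the runbook before the Graph calls: it decodes the payload of the token the Managed Identity received and confirms that the application roles granted above (User.Read.All, Group.Read.All) appear in its roles claim, so a missing or not-yet-propagated appRoleAssignment fails fast with a clear message instead of an opaque Graph authorization error. It assumes Az.Accounts is available in the automation account; the function names are my own.

```powershell
# Added example, not from the original post. Assumes Az.Accounts is imported into the
# automation account and the runbook runs under the Managed Identity configured above.
# The token is decoded for inspection only; it is not validated here (Graph does that).

function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWS: expected 3 dot-separated parts." }
    # The payload is base64url: swap to the standard alphabet and restore '=' padding.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw "Invalid base64url payload length." }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return ($json | ConvertFrom-Json)
}

function Test-GraphAppRoles {
    param(
        [Parameter(Mandatory)][string]$Jwt,
        [Parameter(Mandatory)][string[]]$Required
    )
    $claims  = Get-JwtPayload -Jwt $Jwt
    # App-only tokens list granted application permissions in the 'roles' claim;
    # an empty list means the appRoleAssignments are missing or not yet propagated.
    $granted = @($claims.roles | Where-Object { $_ })
    $missing = @($Required | Where-Object { $_ -notin $granted })
    [pscustomobject]@{
        Audience = $claims.aud
        Granted  = $granted
        Missing  = $missing
        Ok       = ($missing.Count -eq 0)
    }
}

# Usage inside the runbook, before any Get-MgUser / Get-MgGroup call.
Connect-AzAccount -Identity | Out-Null
$raw = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com/").Token
if ($raw -isnot [string]) {
    # Newer Az.Accounts versions return the token as a SecureString.
    $raw = [Net.NetworkCredential]::new('', $raw).Password
}
$check = Test-GraphAppRoles -Jwt $raw -Required 'User.Read.All', 'Group.Read.All'
if (-not $check.Ok) {
    throw "Managed Identity token lacks Graph application roles: $($check.Missing -join ', ')"
}
"Token audience: $($check.Audience); granted roles: $($check.Granted -join ', ')"
```

The same decoded roles list also tells you at a glance whether the identity holds more Graph permissions than this runbook needs.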

Conclusion

In this article we saw how to use the Managed Identity of an Automation Account to interact with an Azure AD tenant. Hopefully this will be useful to those planning to migrate (or already migrating) from Run As accounts to identity-based ones.


suman saha

Cloud Applications Developer | DevSecOps | Agile Practitioner