Reputation: 491
Azure Automation: Runbook, RunAs Account: How to allow access to AAD (e.g. for Get-AzADUser)?
Good afternoon
I have selected stackoverflow for this question because probably mainly programmers are confronted with this question:
This is the issue:
If we call Get-AzADUser to get all AAD Users in the Azure Automation Runbook, then we get: Error 'Insufficient privileges'
We do it like this:
- We have an Automation Account with an "Azure Run As Account"
- In the PowerShell Runbook we call:
# Connect to AAD
$Conn = Get-AutomationConnection -Name AzureRunAsConnection
$account = Connect-AzAccount -ServicePrincipal `
-TenantId $Conn.TenantID `
-ApplicationId $Conn.ApplicationID `
-CertificateThumbprint $Conn.CertificateThumbprint
# Get All AAD Users
$AllADUsers = Get-AzADUser
- If we start the Runbook, we get the Error:
> Get-AzADUser : Insufficient privileges to complete the operation.
> FullyQualifiedErrorId :
> Microsoft.Azure.Commands.ActiveDirectory.GetAzureADUserCommand
This is the permissions configuration:
- The
Automation Accounthas setRun as accounts»Azure Run As Account(and not an Azure Classic Run As Account) - In fact,
Azure Run As Accountis misleading, it is a Registered App and can be found in AzureApp registrations - The Registered App has these settings:
» A custom role with all permissions.
» API Permissions:
Microsoft Graph (6)
Delegated Directory.AccessAsUser.All
Delegated Directory.ReadWrite.All
Delegated User.ReadWrite.All
Application Directory.ReadWrite.All
Application User.Export.All
Application User.ReadWrite.All
» All API Permissions are Granted for our Tenant
Unfortunately, we still get the Error 'Insufficient privileges'
Thanks a lot for any help!
Kind regards, Thomas
Upvotes: 0
Views: 1859
Answers (1)
Reputation: 15724
According to some test, you need to add the permissions of Azure AD but not Micorsoft Graph. It seems the Get-AzADUser command use Azure AD graph in the backend but not microsoft graph. So we need to do the operations as below:
After that we can use the command Get-AzADUser successfully(if you test the command in powershell, when you add the Azure AD permission, please close the powershell and reopen it and re-connect to avoid the impact of cache)
I test it in my side, it shows same error with yours' and it can get the users successful after adding this permission. Hope it helps~
Upvotes: 1
Related Questions
- Run Get-AzADApplication from an Azure Runbook using a Managed Identity
- Azure Automation / Runbooks / Authentication
- Azure Automation Account Runbook error with AZ
- Runbook Run Powershell as azure acccount
- Trying to connect with Azure AD from Automation runbook account but getting Code: Authorization_RequestDenied
- Azure Automation Runbooks, Connect-AzAccount, Assigning rights
- Azure Automation RunAs account access to Active Directory resource
- Multiple RunAs Accounts in Azure Automation
- How to use Connect-AzAccount in a Powershell Runbook with an AutomationConnection
- Creating Azure Run As account for automation