Reputation: 1864
Using System Managed Identity in Azure Automation Account with PowerShell module MicrosoftTeams.
The Connect-MicrosoftTeams cmdlet supports login with a system managed identity via the -Identity switch.
What I'm not sure of is which permissions need to be assigned to the service principal in order to use the MicrosoftTeams PowerShell module cmdlets.
I want to assign TeamsAppPermissionPolicy and TeamsAppSetupPolicy using PowerShell and a system managed identity. (This of course works great using my personal cloud account with the Teams Administrator role, i.e. not using a managed identity.)
The currently assigned permissions are these:
Whenever I execute the command Get-Team, I'm able to list all the Teams.
When I execute Grant-csTeamsAppSetupPolicy or Grant-csTeamsAppPermissionPolicy I'm getting an error: Grant-csTeamsAppPermissionPolicy : The remote server returned an error: (404) Not Found.
It is these two legacy commands I need to use.
I'm providing some code here if anyone wants to test this out:
For assigning permissions to the service principal:
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'automatebro2'" # Get Service Principal / Automation Account
$GraphApp = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'" # Microsoft Graph
$Permissions = 'Directory.Read.All', 'Group.Read.All', 'Team.ReadBasic.All', 'TeamSettings.ReadWrite.All'
foreach ($permission in $Permissions) {
    $role = $GraphApp.AppRoles | Where-Object {$_.Value -eq $permission}
    New-AzureAdServiceAppRoleAssignment `
        -ObjectId $sp.ObjectId `
        -PrincipalId $sp.ObjectId `
        -ResourceId $GraphApp.ObjectId `
        -Id $role.Id
}
$skypeandteamsApp = Get-AzureADServicePrincipal -Filter "AppId eq '48ac35b8-9aa8-4d74-927d-1f4a14a0b239'" # Skype and Teams
$Permissions = 'application_access', 'application_access_custom_sba_appliance'
foreach ($permission in $Permissions) {
    $role = $skypeandteamsApp.AppRoles | Where-Object {$_.Value -eq $permission}
    New-AzureAdServiceAppRoleAssignment `
        -ObjectId $sp.ObjectId `
        -PrincipalId $sp.ObjectId `
        -ResourceId $skypeandteamsApp.ObjectId `
        -Id $role.Id
}
$AzureADGraph = Get-AzureADServicePrincipal -Filter "AppId eq '00000002-0000-0000-c000-000000000000'" # Azure AD Graph
$Permissions = 'Directory.Read.All'
foreach ($permission in $Permissions) {
    $role = $AzureADGraph.AppRoles | Where-Object {$_.Value -eq $permission}
    New-AzureAdServiceAppRoleAssignment `
        -ObjectId $sp.ObjectId `
        -PrincipalId $sp.ObjectId `
        -ResourceId $AzureADGraph.ObjectId `
        -Id $role.Id
}
Test code for MicrosoftTeams:
Connect-MicrosoftTeams -Identity
Grant-csTeamsAppPermissionPolicy -Identity <UPN> -PolicyName <customPolicy>
As far as I know, basic authentication is available in an Azure Automation Account.
Any ideas for how to accomplish this?
Upvotes: 2
Views: 974
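A way to audit what the assignment script above actually granted to the managed identity, and to trim anything the runbook turns out not to need, as an added example (not code from the question or from the MicrosoftTeams module). It uses the same AzureAD cmdlets as the question and assumes the display name 'automatebro2' from the question; the $allowed list is a placeholder to replace with the roles the runbook has been shown to require.

```powershell
# Added example: list the app roles actually held by the automation account's
# managed identity and, optionally, revoke the ones outside an allow-list.
# Assumptions: display name 'automatebro2' (from the question) and a placeholder
# $allowed list that must be replaced with the roles the runbook really needs.
Connect-AzureAD | Out-Null

$spName = 'automatebro2'
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '$spName'"
if (-not $sp) { throw "Service principal '$spName' not found" }

# All app role assignments where this service principal is the principal
# (the PrincipalId filter guards against picking up assignments where the
# principal is instead the resource).
$assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId |
    Where-Object { $_.PrincipalId -eq $sp.ObjectId }

# Resolve each assignment's role Id to its readable Value (e.g. 'Team.ReadBasic.All')
# by looking it up on the resource service principal that defines the role.
$resolved = foreach ($a in $assignments) {
    $resource = Get-AzureADServicePrincipal -ObjectId $a.ResourceId
    $role     = $resource.AppRoles | Where-Object { $_.Id -eq $a.Id }
    [pscustomobject]@{
        Resource      = $resource.DisplayName
        ResourceAppId = $resource.AppId
        Role          = $role.Value
        AssignmentId  = $a.ObjectId
    }
}
$resolved | Sort-Object Resource, Role | Format-Table -AutoSize

# Optional cleanup: revoke any role not on the allow-list so the identity keeps
# only what it needs. Dry run by default; set $revoke = $true to apply.
$allowed = 'Team.ReadBasic.All', 'TeamSettings.ReadWrite.All'   # placeholder
$revoke  = $false
foreach ($r in $resolved | Where-Object { $_.Role -notin $allowed }) {
    if ($revoke) {
        Write-Host "Revoking $($r.Role) on $($r.Resource)"
        Remove-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId `
            -AppRoleAssignmentId $r.AssignmentId
    } else {
        Write-Host "Would revoke $($r.Role) on $($r.Resource) (dry run)"
    }
}
```

Run it once after the assignment script to confirm the three resource apps show the expected roles, and again after testing to drop whatever the runbook never used.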
Reputation: 1460
-Cs cmdlets currently don't support Managed Service Identity.
Upvotes: 1