Shawn

Reputation: 43

Do I need to assign Entra ID (Azure AD) roles AND Graph API permissions to an Automation Account Managed Identity?

I wrote an offboarding PowerShell script that I put into an Automation Account. I'm triggering the script from Entra ID Lifecycle Workflows. I gave the Automation Account Managed Identity the appropriate Graph API permissions, as shown in this link (for what it's worth, the script works as expected when run from my local machine using my admin creds and these same Graph API scopes).

[screenshot: Managed Identity Permissions]

I've also assigned Entra ID roles to the Automation Account, such as Groups Administrator.

[screenshot: Groups Administrator Role Assignment]

Curiously, these assigned roles do NOT show up under the Roles and administrators blade for the Managed Identity.

[screenshot: Managed Identity Entra ID Roles and administrators]

Some parts of my script are failing when run from the Automation Account. Do I need BOTH the Graph API permissions AND the Entra ID roles? Or are the Graph API permissions enough?

There are two parts of the script that fail:

  1. Reset-MgUserAuthenticationMethodPassword. I gave the Managed Identity the UserAuthenticationMethod.ReadWrite.All API permission AND the Authentication Administrator Entra ID role.

  2. Remove-MgGroupMemberByRef. I gave the Managed Identity the Group.ReadWrite.All and GroupMember.ReadWrite.All API permissions AND the Groups Administrator Entra ID role.

Are both Graph API permissions AND Entra ID roles required? Which permissions and/or roles could I be missing?

Upvotes: 0

Views: 709

Answers (1)

Sridevi

Reputation: 22352

Initially, I created one automation account and granted the same permissions to the managed identity service principal, as shown below:

Then I assigned the "Authentication Administrator" role to that service principal like this:

When I ran the PowerShell script below to reset a user's password from the automation account, I got the error shown below:

# Connect to Microsoft Graph as the Automation Account's managed identity
Connect-MgGraph -Identity

Import-Module Microsoft.Graph.Users.Actions

# Request body for the resetPassword action
$params = @{
    newPassword = "xxxxxxxx"
}

$userId = "userId"                    # object ID or UPN of the target user
$authenticationMethodId = "methodId"  # ID of the user's password authentication method

Reset-MgUserAuthenticationMethodPassword -UserId $userId -AuthenticationMethodId $authenticationMethodId -BodyParameter $params

Response:


The error occurs because this Graph API operation for resetting passwords is not supported with permissions of the 'Application' type. You can check this MS Doc.

In such cases, the calling service principal must be assigned a higher-privileged administrator role such as Privileged Authentication Administrator or Global Administrator.

If the error persists, use the Update user API call to reset the user's password by updating the passwordProfile property, like this:

# Connect to Microsoft Graph as the Automation Account's managed identity
Connect-MgGraph -Identity

Import-Module Microsoft.Graph.Users

# Setting passwordProfile on the user object replaces the password
$params = @{
    passwordProfile = @{
        forceChangePasswordNextSignIn = $false
        password = "xxxxxxx"
    }
}

$userId = "userId"  # object ID or UPN of the target user

Update-MgUser -UserId $userId -BodyParameter $params

To remove a member from a group, use the PowerShell command below, referencing the member by its directory object ID:

Connect-MgGraph -Identity
Import-Module Microsoft.Graph.Groups

$groupId = "groupId"                    # object ID of the group
$directoryObjectId = "directoryObjectId" # object ID (not UPN) of the member to remove

Remove-MgGroupMemberDirectoryObjectByRef -GroupId $groupId -DirectoryObjectId $directoryObjectId

To find out which permissions a specific operation requires, check the MS Graph API documentation, since the MS Graph PowerShell SDK commands call that API in the backend.

References:

Microsoft Entra built-in roles - Microsoft Entra ID

Remove member - Microsoft Graph v1.0

Upvotes: 0
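The answer above says to read the required permissions off the Graph API documentation; the other half of the question is confirming what the managed identity actually holds, which the portal blade in the question did not show. The following is an added example, not code from the question or the answer: it lists the Graph application permissions and the active Entra directory roles assigned to the managed identity's service principal, then runs the two failing offboarding steps through a wrapper that logs the exact Graph error. It assumes you replace the placeholder IDs with your own, that the password-reset step uses the passwordProfile approach from the answer, and that when run interactively the signed-in admin can consent to Application.Read.All and Directory.Read.All (needed to read another principal's app role assignments and role memberships). Roles made eligible through PIM but not activated do not appear in memberOf and will not be listed.

```powershell
# Added example (not from the original question or answer). Audits what a
# managed identity really holds and wraps the two offboarding steps so the
# runbook reports the Graph error text instead of failing silently.
# Every ID below is a placeholder you replace with your own values.
param(
    # Object (principal) ID shown on the Automation Account's Identity blade
    [string]$ManagedIdentityObjectId = "<mi-object-id>",
    [string]$UserId  = "<user-object-id>",   # object ID, not UPN: the group-remove cmdlet needs it
    [string]$GroupId = "<group-object-id>",
    # Set when running as a runbook; omit to run the audit interactively as an admin
    [switch]$UseManagedIdentity
)

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Groups

if ($UseManagedIdentity) {
    Connect-MgGraph -Identity -NoWelcome
} else {
    # Delegated scopes needed to read another principal's assignments (assumption: admin consents)
    Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome
}

# Well-known application ID of the Microsoft Graph resource service principal
$graphAppId = "00000003-0000-0000-c000-000000000000"

function Get-MiGraphAppRoles {
    # Returns the Graph application permission names (e.g. Group.ReadWrite.All)
    # granted to the service principal, resolved from appRoleId to the role value
    param([string]$SpObjectId)
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $SpObjectId -All |
        Where-Object { $_.ResourceId -eq $graphSp.Id } |
        ForEach-Object {
            $roleId = $_.AppRoleId
            ($graphSp.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
        }
}

function Get-MiDirectoryRoles {
    # Returns the display names of *active* Entra directory roles the service
    # principal is a member of; PIM-eligible roles are not returned by memberOf
    param([string]$SpObjectId)
    Get-MgServicePrincipalMemberOf -ServicePrincipalId $SpObjectId -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }
}

function Invoke-OffboardingStep {
    # Runs one step and surfaces the Graph error message, which names the
    # missing permission or the unsupported permission type, in the job output
    param([string]$Name, [scriptblock]$Action)
    try {
        & $Action | Out-Null
        Write-Output "[OK]   $Name"
        return $true
    } catch {
        Write-Warning "[FAIL] $Name : $($_.Exception.Message)"
        return $false
    }
}

Write-Output "Graph application permissions on the managed identity:"
Get-MiGraphAppRoles -SpObjectId $ManagedIdentityObjectId | ForEach-Object { "  $_" }
Write-Output "Active Entra directory roles on the managed identity:"
Get-MiDirectoryRoles -SpObjectId $ManagedIdentityObjectId | ForEach-Object { "  $_" }

if ($UseManagedIdentity) {
    # Throwaway password from a CSPRNG (18 random bytes -> 24 base64 characters)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 18
    $rng.GetBytes($bytes)
    $newPassword = [Convert]::ToBase64String($bytes)

    $ok1 = Invoke-OffboardingStep -Name "Reset password via passwordProfile" -Action {
        Update-MgUser -UserId $UserId -BodyParameter @{
            passwordProfile = @{ forceChangePasswordNextSignIn = $true; password = $newPassword }
        }
    }
    $ok2 = Invoke-OffboardingStep -Name "Remove $UserId from group $GroupId" -Action {
        Remove-MgGroupMemberDirectoryObjectByRef -GroupId $GroupId -DirectoryObjectId $UserId
    }
    if (-not ($ok1 -and $ok2)) { throw "One or more offboarding steps failed; see warnings above." }
}
```

Run it once interactively (without -UseManagedIdentity) to print the audit for the managed identity, and compare the list against the permission table in the Graph documentation for each cmdlet you call; run it with -UseManagedIdentity as the runbook body so that a step failing on permissions fails the job rather than leaving the account half-offboarded.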
