Reputation: 56
I have an Automation account that is using a Managed Identity already to connect to Az and Exchange successfully, but having issues with Sharepoint using "Sites.Selected".
Almost identical issue to the below: Managed identity and Sites.Selected permission for SharePoint
I have set it up as per the second result, and I can see the permissions on the Managed Identity within Entra.
I have then successfully run the below to give the automation account access to the site (differs from step 4 in previous):
$params = @{
    roles = @(
        "read", "write"
    )
    grantedToIdentities = @(
        @{
            application = @{
                id          = $appid          # Target Application's Object Id
                displayName = $AutomationName # Target Application's Display name
            }
        }
    )
}
New-MgSitePermission -SiteId $siteId -BodyParameter $params
I can then either use Graph Explorer GET https://graph.microsoft.com/v1.0/sites/{site-id}/permissions
or Get-MgSitePermission -SiteId $siteId
to see the permission has been set up, and the "id" matched the "Object ID" of the Entra Application.
So the error comes when running the Automation runbook. First, I will confirm that the list can be updated using SharePoint ISE/VS Code with the values below (all list fields are text). Runbook code:
Write-Output "Connect-AzAccount -Identity"
Connect-AzAccount -Identity

# Get the access token for Microsoft Graph
$token = Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com" #-AsSecureString
# Debugging only: this writes the bearer token itself into the job output
Write-Output "token: $($token.token)"

# Import the module for Microsoft Graph Authentication
Write-Output "Import-Module Microsoft.Graph.Authentication"
Import-Module Microsoft.Graph.Authentication

# Connect to Microsoft Graph using the access token
Write-Output "connecting..."
Connect-MgGraph -AccessToken ($token.Token | ConvertTo-SecureString -AsPlainText -Force)
(Get-MgContext).Scopes

$siteId = "domain.sharepoint.com,Guid1,Guid2"
$listId = "ListIDGuid"

# All list fields are text, so every value is passed as a string
$params = @{
    fields = @{
        DateTime    = "$(Get-Date)".ToString()
        UserEmail   = "[email protected]".ToString()
        LicenseType = "E3".ToString()
        Successful  = "Yes".ToString()
    }
}
Write-Output "New-MgSiteListItem:"
New-MgSiteListItem -SiteId $siteId -ListId $listId -BodyParameter $params
Error: [AccessDenied] : Either scp or roles claim need to be present in the token.
Interestingly, since I have included (get-mgcontext).Scopes in the output (Edit: nope, it's the Connect-MgGraph output), I can see the GUID that the Automation Account is signing in as, which is the Managed Identity's "Application ID" in Entra.
However, all the permissions as per the previous post use the "Object ID" of the same object to set up the permissions.
It is not possible to assign the permissions to the Application ID, as it is not an object.
So, if I go to https://jwt.io/ and inspect the token, there are no scopes provided in the token. Is there a way to force MgGraph to use the Object ID instead?
Upvotes: 0
Views: 447
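The runbook error says the token carries neither a scp nor a roles claim, so the useful check is to decode the access token the Managed Identity actually received and look at which claims it contains, rather than pasting it into jwt.io. The helper below is an added example, not code from the question or from the Microsoft Graph SDK. It decodes the JWT payload locally (no signature validation, which is fine for inspection but never for authorization) and reports the aud, appid, oid, roles and scp claims, so you can compare the token's oid and appid against the id you passed to New-MgSitePermission and see whether Sites.Selected is present under roles. The sample token at the end is constructed with placeholder GUIDs, an unsigned header and a dummy signature purely so the block runs offline; in the runbook you would pass $token.Token from Get-AzAccessToken (either the plain string or, with -AsSecureString, the SecureString). Printing the parsed claims instead of the raw token also keeps a bearer token out of the job output.

```powershell
function ConvertFrom-JwtPayload {
    # Decode the second (payload) segment of a JWT. No signature check: inspection only.
    param([Parameter(Mandatory)] $Token)

    if ($Token -is [securestring]) {
        # Get-AzAccessToken -AsSecureString returns a SecureString; unwrap it in memory.
        $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Token)
        try     { $Token = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
        finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    }

    $parts = ([string]$Token).Split('.')
    if ($parts.Count -lt 2) { throw "Not a JWT: expected header.payload[.signature]" }

    # JWT segments are base64url without padding; convert to standard base64 and re-pad.
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

function Test-GraphTokenClaims {
    # Summarise the claims that decide whether Graph accepts an app-only call.
    param([Parameter(Mandatory)] $Token)

    $c = ConvertFrom-JwtPayload -Token $Token
    $roles    = if ($null -eq $c.roles) { @() } else { @($c.roles) }
    $hasRoles = $roles.Count -gt 0
    $hasScp   = -not [string]::IsNullOrEmpty($c.scp)
    $expires  = if ($c.exp) { [DateTimeOffset]::FromUnixTimeSeconds([long]$c.exp).UtcDateTime } else { $null }

    [pscustomobject]@{
        Audience       = $c.aud
        AppId          = $c.appid   # application (client) ID of the caller
        ObjectId       = $c.oid     # object ID of the calling service principal
        Roles          = $roles     # app permissions, e.g. Sites.Selected
        Scopes         = $c.scp     # delegated scopes (absent for app-only tokens)
        HasRoles       = $hasRoles
        HasScp         = $hasScp
        WillBeAccepted = ($hasRoles -or $hasScp)   # Graph rejects tokens that have neither
        ExpiresUtc     = $expires
    }
}

# --- Constructed sample (NOT a real token): placeholder GUIDs, unsigned header, dummy signature ---
$b64url = {
    param($s)
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$sampleHeader  = & $b64url '{"alg":"none","typ":"JWT"}'
$samplePayload = & $b64url (@{
    aud   = 'https://graph.microsoft.com'
    appid = '00000000-0000-0000-0000-000000000001'   # placeholder, not a real client ID
    oid   = '00000000-0000-0000-0000-000000000002'   # placeholder, not a real object ID
    roles = @('Sites.Selected')
    exp   = 4102444800
} | ConvertTo-Json -Compress)
$sampleToken = @($sampleHeader, $samplePayload, 'x') -join '.'

Test-GraphTokenClaims -Token $sampleToken | Format-List

# In the runbook, inspect the real token the same way instead of writing it to the output:
# Test-GraphTokenClaims -Token (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token | Format-List
```

Run the block as-is and the constructed token reports HasRoles = True; run the commented line inside the runbook and a token that produces the AccessDenied error above will show an empty Roles list and an empty Scopes value, which is what the Graph error message is describing.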