Azure Automation: Runbook, RunAs Account: How to allow access to AAD (e.g. for Get-AzADUser)?

Submitted by 一个人想着一个人 on 2021-02-20 05:12:33

Question


Good afternoon

I have selected Stack Overflow for this question because it is probably mainly programmers who are confronted with this question:

This is the issue:

If we call Get-AzADUser to get all AAD Users in the Azure Automation Runbook, then we get: Error 'Insufficient privileges'

We do it like this:

  1. We have an Automation Account with an "Azure Run As Account"
  2. In the PowerShell Runbook we call:

        # Connect to AAD
        $Conn = Get-AutomationConnection -Name AzureRunAsConnection
        $account = Connect-AzAccount -ServicePrincipal `
                       -TenantId $Conn.TenantID `
                       -ApplicationId $Conn.ApplicationID `
                       -CertificateThumbprint $Conn.CertificateThumbprint
        # Get All AAD Users
        $AllADUsers = Get-AzADUser

  3. If we start the Runbook, we get the Error:

> Get-AzADUser : Insufficient privileges to complete the operation.
> FullyQualifiedErrorId :
> Microsoft.Azure.Commands.ActiveDirectory.GetAzureADUserCommand

This is the permissions configuration:

  1. The Automation Account has set Run as accounts » Azure Run As Account (and not an Azure Classic Run As Account)
  2. In fact, "Azure Run As Account" is misleading; it is a registered app and can be found in Azure App registrations
  3. The Registered App has these settings:

» A custom role with all permissions.

» API Permissions:

Microsoft Graph (6)
Delegated    Directory.AccessAsUser.All
Delegated    Directory.ReadWrite.All
Delegated    User.ReadWrite.All
Application  Directory.ReadWrite.All
Application  User.Export.All
Application  User.ReadWrite.All

» All API Permissions are Granted for our Tenant

Unfortunately, we still get the Error 'Insufficient privileges'

Thanks a lot for any help!

Kind regards, Thomas


Answer 1:


According to some tests, you need to add the permissions of Azure AD Graph, not Microsoft Graph. It seems the Get-AzADUser command uses Azure AD Graph in the backend, not Microsoft Graph. So we need to do the operations as below:

After that we can use the command Get-AzADUser successfully (if you test the command in PowerShell, after you add the Azure AD permission, please close PowerShell, reopen it and re-connect to avoid the impact of caching).

I tested it on my side; it showed the same error as yours, and it could get the users successfully after adding this permission. Hope it helps!
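The answer's screenshot of the portal step is not reproduced on this page. The script below is an added example, not code from the question or the answer, that does the same thing from an administrator's PowerShell session: it lists which API each permission on the Run As app registration targets (the question's six are all on Microsoft Graph), checks whether any application permission on Azure AD Graph is present, and if not requests one. It assumes Az.Resources 5.1 or later (for Get-AzADAppPermission and Add-AzADAppPermission), a session connected with Connect-AzAccount as a user allowed to edit app registrations, and that Directory.Read.All is the permission wanted (an assumption; it is the minimal read permission for listing users). Two practitioner notes: the "custom role with all permissions" in the question is an Azure RBAC role and grants nothing in the directory, which is why it does not help here; and Microsoft has since retired both Run As accounts and the Azure AD Graph API, so on current Az.Resources versions Get-AzADUser calls Microsoft Graph and the Microsoft Graph application permissions the question already lists are the right ones.

```powershell
<#
  Added example, not part of the question or the answer above.
  Run from an administrator's PowerShell session (not inside the runbook)
  after Connect-AzAccount as a user who can edit app registrations.
  Assumes Az.Resources 5.1 or later, which provides Get-AzADAppPermission
  and Add-AzADAppPermission. The permission chosen, Directory.Read.All, is
  an assumption: the answer's screenshot is not reproduced on this page, so
  the minimal read permission for listing users is used here.
#>
param(
    # Application (client) ID of the Run As app: the ApplicationID field of
    # the AzureRunAsConnection asset in the Automation Account.
    [Parameter(Mandatory = $true)]
    [string] $RunAsApplicationId
)

# Well-known resource application IDs published by Microsoft.
$AadGraphApiId = '00000002-0000-0000-c000-000000000000'   # Azure AD Graph (legacy)
$MsGraphApiId  = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph

$app = Get-AzADApplication -ApplicationId $RunAsApplicationId
if (-not $app) {
    throw "No app registration found for application ID $RunAsApplicationId"
}

# 1. List what the Run As app currently requests, labelled by API, so the
#    Microsoft Graph entries from the question can be told apart from any
#    Azure AD Graph entries.
$perms = @(Get-AzADAppPermission -ObjectId $app.Id)
foreach ($p in $perms) {
    $api = switch ($p.ApiId) {
        $AadGraphApiId { 'Azure AD Graph' }
        $MsGraphApiId  { 'Microsoft Graph' }
        default        { $p.ApiId }
    }
    '{0,-16} {1,-6} {2}' -f $api, $p.Type, $p.Id
}

# 2. Does the app already request an *application* permission (Type Role) on
#    Azure AD Graph? Delegated permissions (Type Scope) cannot apply: a Run As
#    service principal signs in as itself, with no user present.
$aadGraphRoles = $perms | Where-Object { $_.ApiId -eq $AadGraphApiId -and $_.Type -eq 'Role' }
if ($aadGraphRoles) {
    'Azure AD Graph application permission already requested. Check that admin consent ' +
    'has been granted, then close and reopen PowerShell to clear the cached token.'
    return
}

# 3. Look up the app role ID of Directory.Read.All on the tenant's Azure AD
#    Graph service principal instead of hard-coding the GUID.
$aadGraphSp = Get-AzADServicePrincipal -ApplicationId $AadGraphApiId
$role = $aadGraphSp.AppRole | Where-Object { $_.Value -eq 'Directory.Read.All' }
if (-not $role) {
    throw 'Azure AD Graph service principal or its Directory.Read.All app role was not found in this tenant'
}

# 4. Record the request on the app registration. This alone changes nothing:
#    a Global Administrator still has to grant admin consent (portal:
#    App registrations > API permissions > Grant admin consent) before the
#    runbook's token carries the permission.
Add-AzADAppPermission -ObjectId $app.Id -ApiId $AadGraphApiId -PermissionId $role.Id -Type Role
"Requested Azure AD Graph Directory.Read.All ($($role.Id)) on '$($app.DisplayName)'. Grant admin consent, then re-run the runbook."
```

Run it as `.\Grant-RunAsAadGraph.ps1 -RunAsApplicationId <ApplicationID from AzureRunAsConnection>`; the file name is arbitrary. After consent, re-run the runbook rather than an already-open interactive session, for the caching reason the answer gives.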



Source: https://stackoverflow.com/questions/61407244/azure-automation-runbook-runas-account-how-to-allow-access-to-aad-e-g-for-g
