Azure Runbook can't modify Azure AD application
I'm trying to execute this in an Azure Automation runbook:

$app = Get-AzureADApplication -ObjectId $ApplicationId
$appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
$appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
$appRole.AllowedMemberTypes.Add("User");
$appRole.DisplayName = $TenantName + " Users"
$appRole.Id = New-Guid
$appRole.IsEnabled = $true
$appRole.Description = "Users of the tenant"
$appRole.Value = $TenantName

$app.AppRoles.Add($appRole)

Set-AzureADApplication -ObjectId $ApplicationId -AppRoles $app.AppRoles

Reading the application works fine; when I print the app variable I can see it's the correct application. Executing the script from my own machine also gives no errors. Yet executing it via the runbook gives me:

Set-AzureADApplication : Error occurred while executing SetApplication
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed

By now I have given the automation application registration in Azure AD all rights of the Active Directory API. I have also clicked "Grant Permissions". I know it's the correct app registration because the script also invites an external user, and when I gave it the correct rights on the "Graph Api" that started to work.

[screenshot: configuration]
azure azure-active-directory azure-runbook

asked Nov 9 at 22:08 by BennyM
  • After your comment on my other post stackoverflow.com/questions/51651889/… I tried out a runbook myself. Please see answer for details. I hope it solves your issue.
    – Rohit Saigal
    Nov 10 at 3:38
1 Answer
accepted (score 3)
I tried out your exact script in a runbook and to make it work, I had to add code to "Login as the service principal" just before your PowerShell script. You can see more details here: Using Azure Run As Account in Azure Automation

On the permissions front, I only gave 1 application permission (i.e. "Read and write all applications") and then clicked "Grant Permissions", as it did need admin consent. The steps were done by a user with the "Global administrator" directory role in my Azure AD.

Here is my final working PowerShell script (copied from the runbook editor):

# Get Azure Run As Connection Name
$connectionName = "AzureRunAsConnection"
# Get the Service Principal connection details for the Connection name
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

# Logging in to Azure AD with Service Principal
"Logging in to Azure AD..."
Connect-AzureAD -TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint

$ApplicationId = "redacted-xxxx-xxxx-xxxx-xxxxxxxe3"
$TenantName = "RohitTenant"
$app = Get-AzureADApplication -ObjectId $ApplicationId
$appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
$appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
$appRole.AllowedMemberTypes.Add("User");
$appRole.DisplayName = $TenantName + " Users"
$appRole.Id = New-Guid
$appRole.IsEnabled = $true
$appRole.Description = "Users of the tenant"
$appRole.Value = $TenantName
$app.AppRoles.Add($appRole)

Set-AzureADApplication -ObjectId $ApplicationId -AppRoles $app.AppRoles

Here are screenshots from some other important steps that I followed, which you may or may not have done already.

  1. Create the Azure Run As account while creating the automation account.

  2. Make sure the account settings for your automation account now have the Run As accounts.

  3. Find the App Registration created for the Run As account and give it permission to read and write all Azure AD applications.
answered Nov 10 at 3:34 by Rohit Saigal
  • I swear I did all this yesterday. Today I revoked all permissions and added only the one you specified. It started to work.
    – BennyM
    Nov 10 at 9:15
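An added example, not code from the question or the accepted answer: the same runbook with the answer's fix (authenticate with the Run As connection first) folded in, plus the checks a practitioner would want before letting automation edit an app registration: fail loudly if the connection is missing, make the change idempotent so a retried job cannot append a second role with the same Value, preserve roles already on the application, and verify the write by re-reading the object. The parameter names and messages are mine; the cmdlets are the standard Azure Automation and AzureAD module ones used on this page, and the module is assumed to be imported into the Automation account.

```powershell
# Added example (not the question's or the answer's code). Assumes the AzureAD module is
# imported into the Automation account and a Run As connection named $ConnectionName exists.
param(
    # ObjectId (not AppId) of the app registration that receives the new role
    [Parameter(Mandatory = $true)] [string] $ApplicationObjectId,
    # Used for the role's DisplayName and for its Value (the string emitted in the roles claim)
    [Parameter(Mandatory = $true)] [string] $TenantName,
    # Default name Azure Automation gives the Run As connection
    [string] $ConnectionName = "AzureRunAsConnection"
)

$ErrorActionPreference = "Stop"

# 1. Resolve the Run As connection. This is the step the accepted answer had to add in front
#    of the question's script; either a missing connection or a failed sign-in stops the job.
$conn = Get-AutomationConnection -Name $ConnectionName
if (-not $conn) {
    throw "Run As connection '$ConnectionName' not found in this Automation account."
}

# 2. Sign in as the Run As service principal with its certificate. No password is stored in
#    the runbook, and the principal only needs "Read and write all applications" (as in the answer).
Connect-AzureAD -TenantId $conn.TenantId `
                -ApplicationId $conn.ApplicationId `
                -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

# 3. Read the target application and stop early if the role already exists, so a re-run
#    (or a retried job) never appends a second role carrying the same Value.
$app = Get-AzureADApplication -ObjectId $ApplicationObjectId
$existing = @($app.AppRoles | Where-Object { $_.Value -eq $TenantName })
if ($existing.Count -gt 0) {
    Write-Output "App role with Value '$TenantName' already exists (Id $($existing[0].Id)); nothing to do."
    return
}

# 4. Build the role exactly as on the page, then append it to a copy of the existing list so
#    that roles already on the application are preserved rather than overwritten.
$appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
$appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
$appRole.AllowedMemberTypes.Add("User")
$appRole.DisplayName = "$TenantName Users"
$appRole.Id = New-Guid
$appRole.IsEnabled = $true
$appRole.Description = "Users of the tenant"
$appRole.Value = $TenantName

$roles = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.AppRole]
foreach ($r in $app.AppRoles) { $roles.Add($r) }
$roles.Add($appRole)

Set-AzureADApplication -ObjectId $ApplicationObjectId -AppRoles $roles

# 5. Verify by re-reading the directory object instead of trusting the absence of an error.
$check = Get-AzureADApplication -ObjectId $ApplicationObjectId
$persisted = @($check.AppRoles | Where-Object { $_.Id -eq $appRole.Id })
if ($persisted.Count -ne 1) {
    throw "App role '$TenantName' was not persisted on application $ApplicationObjectId."
}
Write-Output "App role '$TenantName' added with Id $($appRole.Id)."
```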