Managed Identity With PowerShell And Azure Automation Accounts

Video Statistics and Information

Captions
First up, we're going to set up the automation account. So let's create a resource group if you don't already have one; I'm going to call mine rg-automation. Then we'll create an automation account, I'll call mine aa-managedidentity, and let it deploy.

Now we'll need a few modules to be able to connect to Exchange, Azure AD and Graph. So click on Modules, Add a module, and search for AzureAD. I'm using PowerShell 5.1 for this example, but feel free to use whatever you prefer. Next we'll add ExchangeOnlineManagement, and then Microsoft.Graph.Authentication. Wait for the Graph authentication module to be installed, and then we can add all the Graph modules we need. In my case I'll do a call to get all users using the Get-MgUser cmdlet. If you look up the specific cmdlet you want to use in the documentation, you can see which module it requires. Another way would be to use the API directly instead of the cmdlets; in that case you wouldn't need any Graph modules. So, just to finish off the module installations, I'll add Microsoft.Graph.Users and wait for that to install.

If you scroll down to Account Settings you'll see Identity. This will show us whether the managed identity is enabled and what the object ID of it is. This is basically an automatically added service principal that is managed by Azure, so you don't have to store any credentials. There are two kinds. The first one is system-assigned, which is what we'll be using today: it is tied to the life cycle of this resource, so if we delete the automation account it'll be deleted as well, and it can only be used on this resource. The second kind is user-assigned; this means you can create your own managed identity and assign it to multiple resources. If you want to learn more about that, I'll post a link in the description to the documentation. For now, let's copy the object ID, as we will need it later when assigning permissions.

But before we look at permissions, I want to create a runbook and show you how we'll connect in PowerShell. Let's just give the runbook a name, select PowerShell as the runbook type, and pick a runtime version; make sure it's the same as the modules you installed earlier. This script is how I'll connect to the different services and test that they work. Connect-ExchangeOnline needs the -ManagedIdentity switch and the organization you're connecting to; this will always be the onmicrosoft.com domain connected to the tenant. Then we'll fetch the mailboxes and store them in a variable, and if that variable is not empty we'll output some text. Connecting to Azure AD is very similar, but we only need the -Identity switch, which we'll add to Connect-AzAccount. Be mindful that this doesn't give you access to all the old AzureAD cmdlets; unfortunately, that module does not support managed identity, so you might have to find substitutions in the Az library for what you're used to. The good thing is that by now you can do most of the things you'll need with either Graph or Az. Graph, just like Az, can be connected to using the same -Identity switch. In case you want to use the API directly and not the cmdlets, you can get an access token from Az by using Get-AzAccessToken -ResourceTypeName MSGraph, and then call the API as normal with that bearer token.

Now, if we start this runbook it will give an unauthorized error. This is because the managed identity hasn't been given any permissions yet, so let's go ahead and do that now. A managed identity needs permissions just like a user and a service principal do. The permissions vary for the different connections I'm going to show in this video, and will overlap slightly. When connecting to Exchange Online you'll need one of the following permissions shown here. Just for demonstration's sake, I'll assign my managed identity the Exchange Administrator role; I will do this just as I would assign it to any user, in the portal. The permissions for the Exchange Online connection will work for Az and Graph as well, but Graph permissions won't work for the Exchange Online connection, so just keep that in mind.

Now, for Exchange Online we'll also need to assign Exchange.ManageAsApp, which can only be done using PowerShell. So open up PowerShell and let's connect to Graph with the scope AppRoleAssignment.ReadWrite.All, and let's store the object ID of the managed identity in a variable called $MiAppId. Then I'll paste the parameters we need; I'll leave a link to a git repository where you can view all the PowerShell commands I've used in this video. Now, I found these particular commands in an article by The Lazy Administrator, so if you want more in-depth information regarding this part, check out the link to the article in the description. What we're passing into some parameters here is the reference to our managed identity, and then we're adding the Exchange.ManageAsApp API permission to it. The ResourceId is what tells the call that we want to assign permissions to the Exchange Online API, and the AppRoleId will be the specific permission we want from said resource. Now, to assign it, we'll call New-MgServicePrincipalAppRoleAssignedTo and pass in the parameters. This permission is necessary for app authentication with Exchange Online. So now we have a role assigned to our managed identity, and we've given it permission to manage Exchange as an app. If your script only needs the Exchange Online module, then you're good to go by now.

In case you need Az or Graph alongside, the Exchange Administrator role will also give Graph access to quite a few commands. The proper way, if you only use Az or Graph, would be to just assign the permissions needed for the tasks you want to perform. If we have a script that uses Graph or Az and, like our example, just needs to get the list of users, we will need the User.Read.All permission, as shown in the documentation on Get-MgUser. For this we'll also need to use PowerShell. We can connect to Graph with the same scopes as previously, and we will still need the object ID of the managed identity. Then we need a reference to the Graph aggregator service; we want a reference to this because from it we can get the IDs of the different Graph roles. We'll do this by searching through its AppRoles by piping it into Where-Object and having it return where the AppRole value is equal to our wanted permission, in this case User.Read.All. If you look at the AppRole that was returned, you can see the allowed member type is Application, since we won't be getting any user consent in our script. Then we can assign the role to our managed identity by using New-MgServicePrincipalAppRoleAssignment. The ServicePrincipalId and the PrincipalId will both be the object ID of our managed identity, the AppRoleId will be the ID of the role we got from our search, and the ResourceId will be a reference to the Graph aggregator service ID. If we head over to Entra ID and look at our Enterprise applications, we can find the managed identity and see the two permissions we've given it so far. To give it a different permission, substitute User.Read.All for something different in the commands I showed you.

Now we can head back to our demo code, and if we run a test again it will show us that we're connected and it has fetched the users with Exchange Online, with Az and with Graph, meaning our permission assignment worked as intended. And so we've reached the end of this video. Thanks for watching, subscribe for more similar content, and I hope this helped you out.
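The permission-assignment part of the video, as an added example that is not the video's own script or the linked repository: it grants the managed identity only the application-type app roles it needs (User.Read.All on Microsoft Graph, Exchange.ManageAsApp on Exchange Online) instead of a broad directory role, checks that each role is application-assignable, and skips assignments that already exist. Assumed inputs: the Microsoft.Graph.Authentication and Microsoft.Graph.Applications modules are installed on the admin workstation, and $MiObjectId is the object ID shown under the automation account's Identity blade. The two resource AppIds are Microsoft's well-known, tenant-independent values.

```powershell
# Added example (not the video's code). Run interactively as an admin who can grant app roles.
param(
    [Parameter(Mandatory)] [string] $MiObjectId   # object ID of the system-assigned managed identity
)
$ErrorActionPreference = 'Stop'

# AppRoleAssignment.ReadWrite.All to grant roles, Application.Read.All to look up service principals.
Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All', 'Application.Read.All' -NoWelcome

# Well-known AppIds of the resource APIs (the same in every tenant).
$GraphAppId    = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph
$ExchangeAppId = '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online

function Grant-AppRole {
    param(
        [string] $PrincipalId,    # managed identity object ID
        [string] $ResourceAppId,  # API the role lives on
        [string] $RoleValue       # e.g. User.Read.All
    )
    $resource = Get-MgServicePrincipal -Filter "appId eq '$ResourceAppId'"
    if (-not $resource) { throw "Service principal for AppId $ResourceAppId not found in this tenant" }

    # A managed identity authenticates as an application, so only roles that allow the
    # 'Application' member type can be assigned to it; delegated scopes never apply here.
    $role = $resource.AppRoles | Where-Object {
        $_.Value -eq $RoleValue -and $_.AllowedMemberTypes -contains 'Application'
    }
    if (-not $role) { throw "Application role '$RoleValue' not found on $($resource.DisplayName)" }

    # Idempotent: re-running the script must not create duplicate assignments.
    $existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $PrincipalId -All |
        Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $resource.Id }
    if ($existing) {
        Write-Host "Already assigned: $RoleValue on $($resource.DisplayName)"
        return $existing
    }

    # ServicePrincipalId and PrincipalId are both the managed identity; ResourceId is the API.
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $PrincipalId `
        -PrincipalId $PrincipalId -ResourceId $resource.Id -AppRoleId $role.Id
}

# Graph: least privilege for Get-MgUser in a runbook is User.Read.All (application).
Grant-AppRole -PrincipalId $MiObjectId -ResourceAppId $GraphAppId -RoleValue 'User.Read.All'

# Exchange Online app-only auth needs Exchange.ManageAsApp in addition to an Exchange
# RBAC role (such as Exchange Administrator, assigned in the portal as in the video).
Grant-AppRole -PrincipalId $MiObjectId -ResourceAppId $ExchangeAppId -RoleValue 'Exchange.ManageAsApp'

# Review what the identity now holds; this is what Enterprise applications > Permissions shows.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MiObjectId -All |
    Select-Object ResourceDisplayName, AppRoleId, CreatedDateTime
```

The check on AllowedMemberTypes is the practitioner's safeguard: a permission such as User.Read that only allows the 'User' member type cannot be assigned to an application, and failing early is clearer than an opaque error from the assignment call. If the Exchange grant is removed later, Connect-ExchangeOnline -ManagedIdentity fails even though the Exchange Administrator role is still present, because the role and the app permission are both required.

The runbook side of the video, as a second added example (again not the video's script): one runbook body that connects to Exchange Online, Az and Graph with the system-assigned identity, and also shows the cmdlet-free path of taking a Graph token from Az and calling the REST API directly. Assumptions: ExchangeOnlineManagement, Az.Accounts and Microsoft.Graph.Users are imported into the Automation account at the runtime version the runbook uses, and the $OrgDomain default is a placeholder for your own onmicrosoft.com domain.

```powershell
# Added example runbook (not the video's code). Runs inside Azure Automation with the
# system-assigned managed identity enabled and the app roles above already granted.
param(
    [string] $OrgDomain = 'contoso.onmicrosoft.com'   # assumption: replace with your tenant's domain
)
# A failed connection should fail the job rather than let later steps run unauthenticated.
$ErrorActionPreference = 'Stop'

# 1. Exchange Online: app-only auth, no stored credentials. Requires Exchange.ManageAsApp
#    plus an Exchange RBAC role on the managed identity.
Connect-ExchangeOnline -ManagedIdentity -Organization $OrgDomain -ShowBanner:$false
$mailboxes = Get-EXOMailbox -ResultSize 5
Write-Output "Exchange Online OK: $($mailboxes.Count) mailbox(es) returned"

# 2. Az: -Identity picks up the same managed identity; the context shows who we are.
$az = Connect-AzAccount -Identity
Write-Output "Az OK: connected as $($az.Context.Account.Id)"

# 3. Graph SDK: -Identity without a client ID means the system-assigned identity.
Connect-MgGraph -Identity -NoWelcome
$ctx = Get-MgContext
Write-Output "Graph OK: auth type $($ctx.AuthType); roles: $($ctx.Scopes -join ', ')"
$users = Get-MgUser -Top 5 -Property DisplayName, UserPrincipalName
$users | Select-Object DisplayName, UserPrincipalName | Format-Table -AutoSize | Out-String | Write-Output

# 4. Graph REST without any Microsoft.Graph modules: borrow a token from Az and send it
#    as a bearer token. Newer Az.Accounts versions return .Token as a SecureString, so
#    handle both shapes before building the header.
$tok = Get-AzAccessToken -ResourceTypeName MSGraph
$token = if ($tok.Token -is [securestring]) {
    [System.Net.NetworkCredential]::new('', $tok.Token).Password
} else {
    $tok.Token
}
$headers = @{ Authorization = "Bearer $token" }
$resp = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri 'https://graph.microsoft.com/v1.0/users?$top=5&$select=displayName,userPrincipalName'
Write-Output "Graph REST OK: $($resp.value.Count) user(s) returned"

# Release the Exchange session explicitly so the job does not hold a PowerShell session open.
Disconnect-ExchangeOnline -Confirm:$false
```

Before any permissions are granted, step 1 fails with an unauthorized error and, because of $ErrorActionPreference, the job stops there; after the grants, the job log lists all four checks. The Scopes value printed by Get-MgContext is a quick way to confirm from inside the runbook which application roles the token actually carries.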
Info
Channel: Blue Hippo
Views: 241
Keywords: automation, microsoft, managed identity, powershell, powershell for beginners, automation account, azure
Id: HmpweJY0etA
Length: 6min 49sec (409 seconds)
Published: Sat Jun 15 2024