Azure Automation is a powerful and flexible tool to automate tasks, and one of my most frequent use-cases is to deploy address book policies in Exchange Online.
Using an ordinary account to connect to Exchange Online should always require MFA, which doesn’t work well in automation scripts. But we have a very nice alternative by using a system-managed identity, which is a special kind of identity in Azure and is managed automatically. So there’s no need to save passwords, fondle with MFA or remembering to replace certificates or secrets before they expire. In order to use this feature you need to set up an Azure Automation account as a managed identity and grant it permissions in Exchange Online.
Setup guide: Azure Automation account as managed identity and Exchange Online admin rights.
Here’s my guide on how to set it up. I’ve created a PowerShell script which does the following
- Log in to Azure
- Create a new Resource Group in Azure
- Create a new Automation Account in the new Resource Group
- Set the Automation Account as managed identity
- Log in to Entra using Graph module
- Assign permissions in Exchange Online to Automation Account (manage as app and Exchange Administrator)
You will need:
- PowerShell (preferably PowerShell 7.x)
- Az module (installed by the script)
- Microsoft Graph Beta module (installed by the script)
- At the moment of testing, the “Microsoft.Graph” module kept failing, but “Microsoft.Graph.Beta” worked
- An Azure subscription (Owner or Contributor)
You are free to use and modify this script as you wish as long as you respect the Disclaimer in the script synopsis.
<# .SYNOPSIS Creates an Azure Automation account as managed identity and grants permissions in Exchange Online .DESCRIPTION This script created an Azure Automation account. Configures the account as a SystemManagedIdentity Connects to Entra ID Grants the automation account access to connect to Exchange Online as Exchange administrator. .NOTES Author: Per-Torben Sørensen Date: 2024-10-09 Version: 2410.09 Requires: Microsoft.Graph.Beta and az module Tested with: PowerShell 7.4.5 .DISCLAIMER THIS CODE IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND. ALL USEAGE IS AT YOUR OWN RISK. The entire risk arising out of the use or performance of this script remains with you. In no event shall the author be held liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use this script, even if the author has been advised of the possibility of such damages. The use of this script carries no support from the author, unless otherwise specified. By using this script, you agree to these terms. #> # Install modules in CurrentUser scope Install-Module az -scope CurrentUser Install-Module Microsoft.Graph.Beta -Scope CurrentUser $rgname = 'ResourceGroupAutomation' # Name of resource group to create $location = 'norwayeast' # Location to store the RG and automation account. Use "Get-AzLocation | Select-Object DisplayName, Location" if you need a list of locations $accountName = 'EXOaccount' # Name of your automation account $ModuleName = 'ExchangeOnlineManagement' $ModuleVersion = '3.5.0' $tenantid = '11111111-1aaa-1111-1a1a-aa11aaa11a1a' # Tenant ID for your Exchange Online environment # Connect to Azure Connect-AzAccount -AuthScope MicrosoftGraphEndpointResourceId # Create Resource Group New-AzResourceGroup -Name $rgname -Location $location # Create Automation Account New-AzAutomationAccount -Name $accountName -ResourceGroupName $rgname -Location $location # Import ExchangeOnlineManagement module New-AzAutomationModule -AutomationAccountName $accountName -ResourceGroupName $rgname -Name $ModuleName -ContentLinkUri "https://www.powershellgallery.com/api/v2/package/$ModuleName/$ModuleVersion" # Set up managed identity Set-AzAutomationAccount -Name $accountName -ResourceGroupName $rgname -AssignSystemIdentity $accountSPN = Get-AzADServicePrincipal -DisplayName $accountName # Connect to Microsoft Graph Connect-MgGraph -TenantId $tenantid -Scopes "Application.ReadWrite.All","Directory.ReadWrite.All","RoleManagementPolicy.ReadWrite.AzureADGroup" # Assign ManageAsApp permission $AppRoleId = "dc50a0fb-09a3-484d-be87-e023b12c6440" $params = @{ ServicePrincipalId = $accountSPN.Id PrincipalId = $accountSPN.Id ResourceId = (Get-MgbetaServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'").id AppRoleId = $AppRoleId } New-MgbetaServicePrincipalAppRoleAssignedTo @params # Assign Exchange Online Administrator New-MgbetaRoleManagementDirectoryRoleAssignment -PrincipalId $accountSPN.Id -RoleDefinitionId 29232cdf-9323-42fd-ade2-1d097af3e4de -DirectoryScopeId "/"
Verify the account and its access
I strongly recommend that you test the account before proceeding, so now I will use a runbook with a very simple script to verify that the automation account is able to log in to Exchange Online.
Create a runbook
❗as of the time I’m writing this post, the ExchangeOnlineManagement module only works in Azure Automation under PowerShell version 5.1 and is unavailable in PowerShell 7.x in Azure Automation. Runbooks must therefore be created with PowerShell version 5.1 to access Exchange Online.
You can either create a runbook through the azure portal directly, or you can use PowerShell script to create it for you. Simply add the following line to the script above if you want to add a Runbook.
New-AzAutomationRunbook -ResourceGroupName $rgname -AutomationAccountName $accountName -Type PowerShell -Name Test -Description "Testing Exchange Online access"
Testing the runbook
Now open the new runbook in the Azure Portal, select “Edit” and “Edit in portal” to open the editor.
Add the code below into the editor, remember to replace “placeholder.onmicrosoft.com” with your real tenantname. Then click on “Test pane” (this will also save any changes).
$organization = "placeholder.onmicrosoft.com" Connect-ExchangeOnline -ManagedIdentity -Organization $organization Get-AcceptedDomain | ft Disconnect-ExchangeOnline -confirm:$false
Click “Start” on the left side and you should see the script starts. The script should end with status “Completed” and should then display all domain registered in your Exchange Online organization.
As you can see on the screenshot below, the script successfully authenticated to Exchange Online and listed all domain names registered in this organization. Access is confirmed. 👍
And there you have it! A step-by-step guide to setting up Azure Automation to work seamlessly with Exchange Online using a managed identity. By following the steps above you no longer need to worry about automating tasks failing due to MFA rules or expired secrets/certificates.
Thank you for reading agderinthe.cloud
Discover more from Agder in the cloud
Subscribe to get the latest posts sent to your email.