Forum Discussion
Azure Automation - Hybrid Worker - Connect-Azure AD
Connect-AzureAD : CertificateNotFoundInStore At line:56 char:1 + Connect-AzureAD –TenantId $servicePrincipalConnection.TenantId –Appli ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : AuthenticationError: (:) [Connect-AzureAD], ArgumentException + FullyQualifiedErrorId : Connect-AzureAD,Microsoft.Open.Azure.AD.CommonLibrary.ConnectAzureAD
Apparently the hybrid runbook worker can't see the certificate associated with the service principal? Do we have to register the certificate too on the hybrid runbook worker?
Failing line: Connect-AzureAD –TenantId $servicePrincipalConnection.TenantId –ApplicationId $servicePrincipalConnection.ApplicationId –CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
This code works perfectly well if run within the Azure Automation side of things, but running it in the hybrid runbook worker generates that error.
https://docs.microsoft.com/en-us/azure/automation/automation-hrw-run-runbooks
Please let me know if you know of other references for it or any additional issues that could result from missing modules in the hybrid runbook worker.
Dodge-1350 - Yeah, the link to register the certificate on the hybrid runbook worker was the key, once you install the certificate, the call to Connect-AzureADPreview works as expected.
Dodge-1350 Its a bad idea to use a Run As account to automate anything. That account is granted Contributor (overreaching) permissions at the Subscription level. We do not use a Run As account whatsoever. We have created service principals with specific, granular access. Why Microsoft reccomends this is beyond me. Even their document states it will alter subscription security.
- Can you explain a scenario whereby you would see the run as account being used in Azure Automation to access those permissions exceeding the necessary authority and providing access to someone that shouldn't have it? Wouldn't they need to do that from Azure Automation, where the credential is registered?
Hi.
Receiving this error when trying to get the automation cert.
Get-AutomationCertificate : The 'Get-AutomationCertificate' command was found in the module 'Orchestrator.AssetManagement.Cmdlets', but the module could not
be loaded. For more information, run 'Import-Module Orchestrator.AssetManagement.Cmdlets'.
At line:53 char:14
+ $RunAsCert = Get-AutomationCertificate -Name "AzureRunAsCertificate"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-AutomationCertificate:String) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : CouldNotAutoloadMatchingModuleAlso receiving this error when trying to import the module
Import-Module : The specified module 'Orchestrator.AssetManagement.Cmdlets' was not loaded because no valid module
file was found in any module directory.I'd appreciate any thoughts on troubleshooting this.
Ed
Hi Ed Stalcup,
From your description it isn't clear if your HRW are running on-prem or in Azure. If they do run in Azure, have you considered using Managed Identity instead? Azure Automation now supports System Assigned Managed Identities (in Preview) as a replacement for RunAs accounts.
If your HRWs are hosted outside of Azure, you could consider using Azure Arc (onboard your HRWs to Arc) and use Managed Identities in a similar fashion.
You would still need to assign correct API permissions for Microsoft Graph like you would do for Service Principal (MS graph permissions for managed identities need to be granted directly to the Service Principal.).
