Azure Runbooks and Service Managed Identity


Dear Community, 

 

I use Connect-AzAccount -Identity with my service managed identity to authenticate, but I have an issue executing the Get-AzADApplication command in my runbook. I get: 

Body:
{
  "odata.error": {
    "code": "Authorization_RequestDenied",
    "message": {
      "lang": "en",
      "value": "Insufficient privileges to complete the operation."
    },
    "requestId": "f5e5cb9d-f6ae-477e-aeb0-0438253deb26",
    "date": "2021-11-27T12:36:04"
  }
}

Caught exception, type: Microsoft.Azure.Graph.RBAC.Models.GraphErrorException
A command that prompts the user failed because the host program or the command type does not support user interaction. The host was attempting to request confirmation with the following message: A command that prompts the user failed because the host program or the command type does not support user interaction. The host was attempting to request confirmation with the following message: Insufficient privileges to complete the operation.

The role assignment for my system-assigned identity is "Owner" and the Scope is "Subscription".

 

I also went to Active Directory -> Enterprise Apps -> All Applications, found my identity and gave it the following permissions:

[screenshot: permissions granted to the managed identity under Enterprise Apps]

 

Would someone have any advice on why I am unable to list all the applications under my tenant using a runbook? What have I missed?
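Added diagnostic example (not part of the original post). The "Owner" assignment on the subscription is Azure RBAC and controls ARM resources only; Get-AzADApplication calls a Graph API, whose access token says nothing about subscription roles. Running the snippet below inside the runbook (it assumes only Az.Accounts and a managed identity on the Automation account) shows what the identity's Graph tokens actually carry: directory roles appear as role template IDs in the wids claim, Microsoft Graph application permissions in the roles claim. Both empty means no Graph-side grant exists yet, whatever the subscription role says.

```powershell
# Added example, not from the thread. Decodes the managed identity's access tokens
# for both Graph endpoints and reports the authorization claims they contain.
Connect-AzAccount -Identity | Out-Null

function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    # Second dot-separated segment is the payload, base64url-encoded without padding.
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) |
        ConvertFrom-Json
}

# Older Az.Resources versions call Azure AD Graph (graph.windows.net), newer ones
# Microsoft Graph (graph.microsoft.com); inspect the token for each.
foreach ($resource in 'https://graph.microsoft.com', 'https://graph.windows.net') {
    $token  = (Get-AzAccessToken -ResourceUrl $resource).Token
    $claims = Get-JwtPayload -Jwt $token
    [pscustomobject]@{
        Resource       = $resource
        PrincipalId    = $claims.oid
        DirectoryRoles = ($claims.wids  -join ', ')   # empty: no Azure AD directory role held
        AppRoles       = ($claims.roles -join ', ')   # empty: no Graph application permission granted
    }
}
```

The exception type in the error above (Microsoft.Azure.Graph.RBAC.Models.GraphErrorException) is raised by the Azure AD Graph client, so for that Az version the graph.windows.net token is the one that matters.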

1 Reply

@MarkW130 

 

You should assign your Application the Global Reader role in Azure AD.

 

[screenshot: Global Reader role assignment in Azure AD]
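Added example (not the reply author's code) showing the role assignment the reply recommends, done from PowerShell with the Microsoft.Graph SDK instead of the portal, plus the narrower alternative of granting only the Graph application permission needed to list applications. It assumes the Microsoft.Graph module is installed, the caller can assign directory roles and app roles (Privileged Role Administrator or higher), and that $automationAccountName is a placeholder for the real Automation account; the system-assigned identity's service principal carries that name as its displayName.

```powershell
# Added example, not from the thread. Grants the Automation account's managed
# identity Graph-side read access two ways: the Global Reader directory role
# (what the reply suggests) or the narrower Application.Read.All app role.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory',
                        'AppRoleAssignment.ReadWrite.All',
                        'Application.Read.All'

$automationAccountName = 'my-automation-account'   # placeholder, replace with yours
$identity = Get-MgServicePrincipal -Filter "displayName eq '$automationAccountName'"
if (-not $identity) { throw "No service principal named '$automationAccountName' found" }

# Option A: Global Reader, as in the reply. Look the template up by name instead
# of hard-coding its GUID, activate the role if the tenant never used it, add the identity.
$template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Global Reader'
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$($template.Id)'"
if (-not $role) { $role = New-MgDirectoryRole -RoleTemplateId $template.Id }
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($identity.Id)"
}

# Option B: least privilege for this one task. Grant the Microsoft Graph application
# permission Application.Read.All as an app role assignment on the identity.
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$appRole = $graph.AppRoles | Where-Object {
    $_.Value -eq 'Application.Read.All' -and $_.AllowedMemberTypes -contains 'Application'
}
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $identity.Id `
    -PrincipalId $identity.Id -ResourceId $graph.Id -AppRoleId $appRole.Id
```

Option A reads the whole directory and is honoured by both Azure AD Graph and Microsoft Graph; Option B is scoped to application objects but only helps once Get-AzADApplication is calling Microsoft Graph, which the Azure AD Graph exception type in the question indicates was not yet the case for that Az version. New tokens are needed after either change, so the runbook's Connect-AzAccount -Identity must run again before retrying.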