Azure Runbooks and Service Managed Identity

Dear Community, 

I use Connect-AzAccount -Identity with my service managed identity to authenticate, but I have an issue executing Get-AzADApplication command in my runbook. I get: 

Body:
{
  "odata.error": {
    "code": "Authorization_RequestDenied",
    "message": {
      "lang": "en",
      "value": "Insufficient privileges to complete the operation."
    },
    "requestId": "f5e5cb9d-f6ae-477e-aeb0-0438253deb26",
    "date": "2021-11-27T12:36:04"
  }
}

Caught exception, type: Microsoft.Azure.Graph.RBAC.Models.GraphErrorException
A command that prompts the user failed because the host program or the command type does not support user interaction. The host was attempting to request confirmation with the following message: A command that prompts the user failed because the host program or the command type does not support user interaction. The host was attempting to request confirmation with the following message: Insufficient privileges to complete the operation.

The role assignment for my system-assigned identity is "Owner" and the Scope is "Subscription".

I also went to Active Directory -> Enterprise Apps -> All Applications, found my identity and gave it the following permissions:

Would someone have any advice on why I am unable to list all the applications under my tenant using a runbook? What have I missed?

@MarkW130 

You should assign your Application the Global Reader role in Azure AD.

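As an added example (not part of the thread), this script does what the reply recommends: it grants the Automation account's system-assigned identity the Global Reader directory role with the Microsoft.Graph PowerShell module, and checks first so the assignment is not duplicated. It assumes the Az and Microsoft.Graph modules are installed, that the caller can assign directory roles (for example Privileged Role Administrator), and that the identity's service principal carries the Automation account's name, which is the default for a system-assigned identity.

```powershell
# Added example: assign the "Global Reader" Azure AD role to an Automation
# account's system-assigned managed identity. Not code from the original post.
param(
    # Name of the Automation account; its system-assigned identity has the same display name (assumption).
    [Parameter(Mandatory)] [string] $AutomationAccountName
)

# 1. Resolve the managed identity's service principal object id via Azure Resource Manager.
Connect-AzAccount | Out-Null
$sp = @(Get-AzADServicePrincipal -DisplayName $AutomationAccountName)
if ($sp.Count -ne 1) {
    throw "Expected exactly one service principal named '$AutomationAccountName', found $($sp.Count)."
}
$principalId = $sp[0].Id

# 2. Sign in to Microsoft Graph with the scope that allows managing directory role assignments.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory" | Out-Null

# 3. Look the role definition up by display name rather than hard-coding its template id.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Reader'"
if (-not $role) { throw "Global Reader role definition not found in this tenant." }

# 4. Assign tenant-wide (directory scope "/") only if no assignment exists yet.
$existing = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$principalId' and roleDefinitionId eq '$($role.Id)'"
if ($existing) {
    Write-Output "Global Reader is already assigned to $principalId"
} else {
    New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id `
        -PrincipalId $principalId -DirectoryScopeId "/" | Out-Null
    Write-Output "Assigned Global Reader to $principalId"
}
```

Directory role assignments take a few minutes to propagate, so re-run the runbook after a short wait. Global Reader is a tenant-wide read role; if the runbook only needs to list applications, granting the identity's service principal the Microsoft Graph application permission Application.Read.All is the narrower choice.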