Permission to run Get-AzADApplication within a Runbook


Dear all,


I have a project where I want to monitor the expiry date of some service principals in Azure. My company uses only one tenant, and this tenant has more than 1000 service principals; my goal is to monitor only some of them, those which belong to my department. So I wrote a PS script which lists all service principals and then filters only those that match my requirement. I used the cmdlet 'Get-AzADApplication'. My problem is that if I run this cmdlet in Cloud PS (in Azure) it works, but if I run it within a Runbook in Azure I get the error:

 30 |  Get-AzADApplication
     |  ~~~~~~~~~~~~~~~~~~~
     | Insufficient privileges to complete the operation.


Any idea how to handle it? Some Google searches have shown that I need the "application directory.read.all" permission in AAD, but since I am from the DevOps team I don't think I will get this permission from the sysadmin team.


Below is a snippet of the script to give an idea of what I am doing:

# List all subscriptions the identity can see
$subID = Get-AzSubscription

# List all terraform users: one application per subscription, named terraform-<subscriptionId>
$applications = @(foreach ($name in $subID.Id)
{
    Get-AzADApplication -DisplayNameStartWith terraform-$name
})

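The following is an added example, not the poster's code, of a complete runbook body for the task described above: it signs in as the Automation account's managed identity, keeps the poster's terraform-<subscriptionId> naming convention, and reports credentials on the matching applications that expire within a threshold. It assumes the Graph-based Az.Resources module (where application objects expose `Id`/`AppId` and credentials expose `EndDateTime`), and that the managed identity has been granted the Microsoft Graph application permission Application.Read.All (the narrower choice for this cmdlet compared with Directory.Read.All) plus Reader on the subscriptions; the `$Prefix` and `$DaysAhead` parameters are this example's own.

```powershell
# Added example (not the original poster's code). Assumes the Automation account's
# system-assigned managed identity holds Graph Application.Read.All (enough for
# Get-AzADApplication / Get-AzADAppCredential) and Reader on the subscriptions.
param(
    [string]$Prefix = 'terraform-',   # display-name prefix from the poster's convention
    [int]$DaysAhead = 30              # report credentials expiring within this window
)

# Authenticate as the runbook's managed identity instead of a user or Run As account.
Connect-AzAccount -Identity | Out-Null

$nowUtc  = (Get-Date).ToUniversalTime()
$cutoff  = $nowUtc.AddDays($DaysAhead)
$findings = @()

foreach ($sub in Get-AzSubscription) {
    # One application per subscription, named <prefix><subscriptionId>.
    $name = "$Prefix$($sub.Id)"
    foreach ($app in Get-AzADApplication -DisplayNameStartWith $name) {
        # Get-AzADAppCredential returns both password and certificate credentials;
        # EndDateTime is the property name in the Graph-based module (assumption).
        foreach ($cred in Get-AzADAppCredential -ObjectId $app.Id) {
            $expires = ([datetime]$cred.EndDateTime).ToUniversalTime()
            if ($expires -le $cutoff) {
                $findings += [pscustomobject]@{
                    Subscription = $sub.Id
                    Application  = $app.DisplayName
                    AppId        = $app.AppId
                    KeyId        = $cred.KeyId
                    ExpiresUtc   = $expires
                    Expired      = ($expires -lt $nowUtc)
                }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No credentials for '$Prefix*' expire within $DaysAhead days."
} else {
    # Runbook output stream; route it to an alert or ticket from the Automation job.
    $findings | Sort-Object ExpiresUtc | Format-Table -AutoSize | Out-String | Write-Output
}
```

If the runbook still reports "Insufficient privileges", the Graph app role is missing on the managed identity itself; the Azure RBAC roles used by Get-AzSubscription do not grant directory read access.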