An Azure Automation account can be used to automate many tasks across the Microsoft cloud platforms. You can use one of these accounts to automate or script many tasks within M365, specifically, things like creating shared mailboxes in Exchange, creating Teams, or creating SharePoint sites.
Runbooks can be created for your help desk with parameters that must be provided at execution so that the creation of M365 resources can be done at a help desk level instead of at an engineering level.
These runbooks execute as the automation account rather than an individual user so that privileged access doesn’t need to be assigned to more accounts.
The first step to implementing Azure Automation runbooks is to set up the managed identity for the automation account. This blog will walk you through the process of doing this.
How to Verify if a Managed Identity Exists in Your Azure Tenant
If you have recently created an automation account or are creating one for this purpose, you may already have the managed identity.
To check, follow these steps.
- Browse to https://entra.microsoft.com and sign in with an account that has administrative access to Entra ID.
- Expand Applications and click Enterprise applications.
- Change the Application type filter to Managed Identities.
- Check to see if an application exists with the same name as your Automation account. If an application exists, skip to step <> in the next section.
Step-by-Step Guide to Setting Up Managed Identity
Setting up the managed identity is straightforward. Follow these steps.
- Open the Automation Account from the Azure portal (https://portal.azure.com).
- Expand Account Settings in the left pane and select Identity.
- Under System assigned, change the Status to On and click Save.
- Repeat the steps under How to Verify if a Managed Identity Exists in Your Azure Tenant to confirm that the managed identity was created.
How to Assign Permissions to Your Azure Managed Identity for M365 Automation
Now that the managed identity has been set up, access needs to be assigned to it. This can be done by either assigning API permissions to it or by granting the service principal an admin role within Entra ID.
To grant API access:
- Identify the API permission that you want to grant. This could be something like Directory.ReadWrite.All.
- Run the following PowerShell script. It uses the AzureAD PowerShell module; connect to Azure AD with a Global Administrator account. Replace $api_permission with the permission from step 1. Replace $MI_name with the name of the managed identity.
$api_permission = "Directory.ReadWrite.All"
$MI_name = "managed-identity-setup"
Connect-AzureAD
# Service principal of the managed identity (same display name as the automation account)
$MI = Get-AzureADServicePrincipal -Filter "displayName eq '$MI_name'"
# Microsoft Graph service principal, looked up by its well-known application ID
$graph_sp = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
# The application permission (app role) to assign, matched by its value
$roles = $graph_sp.AppRoles | Where-Object {$_.Value -eq $api_permission}
# Grant the app role to the managed identity
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId -ResourceId $graph_sp.ObjectId -Id $roles.Id
- Do this for each permission you want to assign to the managed identity.
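Directory.ReadWrite.All is a very broad permission, so it is worth reviewing what the managed identity ends up holding after each grant. The following script is an added example, not from the original post; it uses the Microsoft Graph PowerShell SDK rather than the AzureAD module used above, and assumes the same $MI_name value.

```powershell
# Added example: list every application permission assigned to the managed identity,
# resolved to a readable name, so the grants can be checked against least privilege.
$MI_name = "managed-identity-setup"   # same managed identity name as above

Connect-MgGraph -Scopes "Application.Read.All"

$mi = Get-MgServicePrincipal -Filter "displayName eq '$MI_name'"
if (-not $mi) { throw "No managed identity named '$MI_name' was found" }

Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id | ForEach-Object {
    $assignment = $_
    # Resolve the resource the role belongs to (e.g. Microsoft Graph) and the role name
    $resource = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }

    [pscustomobject]@{
        Resource   = $resource.DisplayName
        Permission = $role.Value
        # Tenant-wide ReadWrite permissions deserve a second look
        Broad      = ($role.Value -like '*.ReadWrite.All')
        AssignedOn = $assignment.CreatedDateTime
    }
} | Format-Table -AutoSize
```

Run it again after removing a grant to confirm the assignment is really gone; app role assignments can be removed with Remove-MgServicePrincipalAppRoleAssignment.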
To assign an admin role within Entra ID:
- Browse to https://entra.microsoft.com and sign in with an account that has administrative access to Entra ID.
- In the left pane, expand Roles & admins and click Roles & admins.
- Find the role that you want to grant, such as Exchange Administrator or SharePoint Administrator.
- Under the Active assignments tab, click Add assignments.
- Click No member selected under Select members.
- Search for the name of your automation account and add it.
- Complete the wizard to assign the role.
Connecting to Microsoft Services Using Managed Identity in Azure Automation
Create a new runbook in your automation account. It should be a PowerShell runbook in any runtime version.
To connect to Azure infrastructure, add these lines to your runbook:
Connect-AzAccount -Identity
Set-AzContext -Subscription "<subscription ID>"
To connect to Exchange online, add this line to your runbook:
Connect-ExchangeOnline -ManagedIdentity -Organization "<tenant>.onmicrosoft.com"
To connect to PnP PowerShell (for SharePoint management), add this line to your runbook:
Connect-PnPOnline -Url "<site URL>" -ManagedIdentity
To connect to Microsoft Graph, add this line to your runbook:
Connect-MgGraph -Identity
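Putting the pieces together, here is an added example of the kind of help-desk runbook described at the start of this post: it takes parameters at execution and creates a shared mailbox as the managed identity. It is not code from the original post. It assumes the managed identity has been granted the Exchange.ManageAsApp application permission and the Exchange Administrator role, and that "<tenant>.onmicrosoft.com" is replaced with your tenant's initial domain.

```powershell
# Added example: help-desk runbook that creates a shared mailbox using the
# automation account's managed identity. Parameters are supplied at execution.
param(
    [Parameter(Mandatory = $true)]
    [string] $DisplayName,

    # Alias becomes the local part of the address; restrict it to a safe character set
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[a-z0-9.-]{2,64}$')]
    [string] $Alias
)

$ErrorActionPreference = 'Stop'

# Placeholder: replace with your tenant's initial domain
$Organization = "<tenant>.onmicrosoft.com"

Connect-ExchangeOnline -ManagedIdentity -Organization $Organization -ShowBanner:$false
try {
    # Idempotency check: never create a second recipient with the same alias
    $existing = Get-Recipient -Identity $Alias -ErrorAction SilentlyContinue
    if ($existing) {
        throw "A recipient with alias '$Alias' already exists: $($existing.PrimarySmtpAddress)"
    }

    $mbx = New-Mailbox -Shared -Name $DisplayName -DisplayName $DisplayName -Alias $Alias

    # Keep a copy of messages sent "as" the shared mailbox in its own Sent Items
    Set-Mailbox -Identity $mbx.Identity -MessageCopyForSentAsEnabled $true

    Write-Output "Created shared mailbox $($mbx.PrimarySmtpAddress)"
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Delegates can then be added with a separate, equally parameterized runbook, so the help desk never needs the Exchange Administrator role itself.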
Key Takeaways
An Azure Automation account can be a powerful tool for scripting common operations in your Azure or M365 environment. Hopefully, this blog post can help you transition some workloads to an automation account. If you need assistance, please contact WME and reference this blog post.
Disclaimer
All content provided on this blog is for information purposes only. Windows Management Experts, Inc. (WME) cannot guarantee that it is error-free or fully up-to-date at the time of reading. We will not be liable for any errors or omissions in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.