Managed Identity support?

[jpsebasti]

I'm really struggling here. I use Azure Automation. They are phasing out RunAs accounts and replacing them with Managed Identities. I have been able to convert numerous powershell run books to use the User Defined Managed Identity with no problem. But I have one run book that needs to deal with Azure AD users. This runbook uses the AzureAD module which is also being phased out and replaced with Microsoft Graph.

I don't see the ability to connect to Graph using Managed Identities. Does anyone know if this is planned? It seems like one team doesn't talk to the other at Microsoft on these different powershell teams at Microsoft. With the old RunAs method runbook the RunAs account had a certificate associated with it and I was easily able to connect both to Azure and then Azure AD so this connection method worked:

$runas="AzureRunAsConnection"
$rg = 'resourcegrouphere'
$aact='automationaccountnamehere'

$conn = Get-AutomationConnection -Name $runas

Connect-AzAccount -ServicePrincipal -Tenant $Conn.TenantID -ApplicationId $Conn.ApplicationID -CertificateThumbprint $Conn.CertificateThumbprint | Out-Null
Connect-AzureAD -TenantID $Conn.TenantID -ApplicationId $Conn.ApplicationID -CertificateThumbprint $Conn.CertificateThumbprint | Out-Null

In my new runbook that uses Managed Identities, I can connect to Azure with the MI but I'm stumped as to how to connect to the Graph environment:

$subscriptionid="subscriptionidhere"
$tenantid="tenantidhere"
$managed_identity="managedidentityidhere"
connect-azaccount -Identity -AccountId $managed_identity -Subscription $subscriptionid -Tenant $tenantid

No idea here how to use the Managed Identity with the connect-mggraph which as I understand it is the replacement for connect-azuread.

Can anyone shed some light on this?

[SeniorConsulting]

To do this in the Graph SDK, you'll need to use the preview (2.x) version.
Install-Module Microsoft.Graph -AllowPrerelease

More information can be found here, but basically, all you need to do once your managed identity is set up, and you've got the prerelease module is to:

#For System Assigned Managed Identities:
Connect-MgGraph -Identity

#For User Assigned Managed Identities:
Connect-MgGraph -Identity -ClientId "User_Assigned_Managed_identity_Client_Id"

I should probably note that at this stage, I wouldn't use this in production workloads, until the 2.x version leaves preview.

@peombwa - Do you have any indications yet of when the 2.x version of the SDK is going GA?

[vandre]

@jpsebasti I just did this. @SeniorConsulting You don't need the preview SDK.
Within your runbook you can simply invoke the local endpoint to get an access token for Microsoft Graph:

$resourceURI="https://graph.microsoft.com"
$tokenAuthURI = $env:IDENTITY_ENDPOINT + "?resource=$resourceURI&api-version=2019-08-01"
$tokenResponse = Invoke-RestMethod -Method Get -Headers @{"X-IDENTITY-HEADER"="$env:IDENTITY_HEADER"} -Uri $tokenAuthURI
$accessToken = $tokenResponse.access_token

Once you have an access token you can then simply use it with -AccessToken option of Connect-MgGraph:
Connect-MgGraph -AcccesToken $accessToken

Note:

This assumes you already granted access to Microsoft Graph to your Identity account. At this moment you can only do this from PowerShell. See this link for a sample script that simplifies things a bit. In my case I added the roles User.Read.all and GroupMember.Read.all to the identity account. Also access tokens do expire so you need to manage that accordingly. This is mostly an issue for long running scripts.