Managed Identity Authentication: Azure Automation on SharePoint/Microsoft Graph
Image Source:
Microsoft Graph
Sep 30, 2023 7:28 AM

Managed Identity Authentication: Azure Automation on SharePoint/Microsoft Graph

by HubSite 365 about Markus Moeller [MVP]

Microsoft MVP and #Microsoft365dev architect / manager / technologist

Citizen DeveloperMicrosoft GraphSecurityLearning Selection

Explore Managed Identity in Azure Automation for SharePoint & Microsoft Graph - streamline authentication for seamless system performance.

The blog post by Markus Moeller[MVP], focuses on the concept of Authentication in Azure Automation, using Managed Identity on SharePoint and the Microsoft Graph. The post delves into the evolution of modern authentication, comparing it to the now deprecated legacy authentication.

Currently, Azure Automation Accounts utilize managed identities, an upgrade that has since left preview status. This method substitutes the previous run-as accounts that will be phased out soon. This post specifically introduces a technique of using Managed Identity to authenticate Azure Automation runbooks, utilizing PnP.Powershell. These runbooks can then access SharePoint and the Graph interface.

The author provides a step-by-step tutorial on implementing this type of authentication. Initially, the Azure Automation account needs to enable managed identities, a feature that should come by default with new accounts. The relevant PnP.Powershell version and module is also important, particularly needing PowerShell version 7.2 as runtime.

Following this, the managed identity should be granted correct permissions. This process involves granting permissions for all sites in your tenant, due to the current support for application permissions only by system assigned managed identities. Despite the lack of interface support for permissions in Azure AD portal, PnP.PowerShell cmdlet simplifies this process.

Once the necessary permissions have been granted, the next step is to create the runbook. This process involves choosing PS runtime version 7.2, required to support a recent PnP.Powershell version that helps with authentication with managed identity. The runbook code is created subsequently.

In the code, the Connect-PnPOnline function uses ManagedIdentity and $siteUrl given as parameter. Any SharePoint operation with matching permissions can be executed thereafter, as shown in the Get-PnPWeb function. For the Graph interface, an access token is extracted and an authorization header is constructed, followed by running Invoke-RestMethod and handling the result.

General Context

The implementation of Managed Identity in Azure Automation signifies a progressive transition from the conventional authentication techniques particularly on SharePoint and Microsoft Graph. This approach fosters more secure access control in modern cloud operations. Leveraging Managed Identity eliminates manual handling of credentials in Azure, thus reducing susceptibility to attacks due to leaked credentials. Also, as the focus on cloud-based solutions continues to grow, the relevance and importance of secured authentication techniques including managed identities will only increase.

Read the full article Authentication in Azure Automation with Managed Identity on SharePoint and Microsoft Graph

Microsoft Graph - Managed Identity Authentication: Azure Automation on SharePoint/Microsoft Graph

Learn about Authentication in Azure Automation with Managed Identity on SharePoint and Microsoft Graph

This blog post discusses Azure automation with Managed Identity for SharePoint and the technology known as Microsoft Graph. Authentication on the cloud has seen upgrades, providing more options to work with. A previous approach involved using an app registration with a certificate for modern authentication in Azure automation. Azure now supports managed identities, enhancing the security and flexibility of resources.

Alongside regular Managed Identity, the old concept of run-as accounts will soon be deprecated. The introduction of managed identity in Azure Automation runbooks has benefitted its compatibility with PnP.PowerShell, thereby facilitating access to SharePoint and the technology in view. For a thorough understanding, the blog post has been divided into the following sections: Automation Account, API permissions, Runbook code, and Summary.

Automation Account: Before the details, an Azure automation account must be set for managed identities. Your account likely has this feature auto-enabled, but it may need to be facilitated manually for older accounts. One can check the installed PnP.PowerShell version and module—the latest PnP.PowerShell requires PowerShell version 7.2 as the runtime—which can be downloaded from the gallery.

API Permissions: Next, you need to grant your managed identity the correct permissions. Note that for system-assigned managed identities, only application permissions are currently supported. This implies that permissions are granted for all sites in your tenant. Here, it must be clarified that permissions cannot be attributed directly to managed identities via the Azure AD portal's user interface. PnP.PowerShell cmdlet provides a solution in such cases.

Runbook Code: With these steps fulfilled, it's time to create the runbook, making sure to choose PS runtime version 7.2 for PnP.PowerShell version supporting managed identity authentication. The runbook code is quite straightforward—starting with the Connect-PnPOnline, using ManagedIdentity, and the given $siteUrl parameter. Here, any SharePoint operation can be executed, each having its matching permission. This would normally be followed by Microsoft Graph operations, where the access token must be extracted, and an authorization header assembled.

In Summary: The blog post depicts the process of authenticating and retrieving properties using managed identity and PnP.PowerShell. Azure Automation, PowerShell, and PnP.PowerShell simplify setting up authentication with a managed identity; however, setting permissions could still use some enhancements. Managed identities offer numerous advantages over the traditional approach, making it the preferred choice unless a scenario needs support for multi-tenant or many automation accounts with similar permissions.

For a deeper understanding of this topic, Microsoft offers a vast array of training courses on Azure Automation, Managed Identity, SharePoint; and other platforms under Microsoft 365 Development, providing an in-depth understanding of the concepts, real-world applications and best practices.

More links on about Authentication in Azure Automation with Managed Identity on SharePoint and Microsoft Graph

Authentication in Azure Automation with Managed Identity on ...
May 4, 2023 — Now the managed identity needs to be granted the correct permissions. This sample case uses SharePoint on the one hand and Microsoft Graph on ...
Using Managed Identity in Azure Automation Runbook to ...
Nov 18, 2022 — It appears to be caused by the existence of both the Graph and SharePoint Sites. ... Microsoft Graph\Group.Read.All Microsoft Graph\User.Read.All ...
Using a system-assigned managed identity for an Azure ...
Jan 6, 2023 — Sign in to the Azure portal. · In the Azure portal, navigate to your Automation account. · Under Account Settings, select Identity. · Set the ...


Azure Automation, Managed Identity, Authentication, SharePoint, Microsoft Graph, Azure Security, Microsoft Identity Management, Azure SharePoint Integration, Microsoft Graph API, Azure Automation services.