top of page

Configure Azure Automation with Managed Identity

As an IT professional you probably must find a solution for regular update or processing of Office 365 objects. But such automation is not included out of box with Office 365. For example, you might want to apply custom set of permissions on users’ calendar folders within the mailbox, or maybe amend the default settings on distribution groups based on specific logic. In the past, you had to build a dedicated management server which holds required automation scripts with defined execution schedules or rely on external (non-Microsoft) services. Thankfully, nowadays we can do it with Azure alone in many different ways.


Azure Automation is one good option, and it can help in this situation by delivering cloud-based automation, operating system updates and configuration service that supports consistent management across Azure and non-Azure cloud environments. Historycally the service supported Run As Account but on September 30, 2023 this feature is replaced with Managed Identities permanently.


In this guide we configure Azure Automation account to connect to Exchange Online with System or User managed identity and execute a basic script for Exchange as a demo.


One of the first questions we ask ourselves is “What identity to use: System Managed or User Managed, and what is the difference between the two?” Well, I would say, both will do the job when it comes to Office 365 automation. However, the answer depends on the specific environment and requirements and should be aligned with the overall customer identity management strategy. But on a high level it is important to remember that:

  • System Managed Identity – could be used only by one Automation account.

  • User Managed Identity – could be used by multiple Automation accounts.

More information about the comparison between both identity types could be found here: Managed identities for Azure resources.


Before we start you'll need the following:

Implementation Steps

1. Resource Group creation. Using the preferred Azure subscription and region create a Resource Group with desired name:

Create a resource group in Azure screenshot

2. Automation account creation. Using the previously created resource group create an Automation account with desired name:

Create an Automation Account screenshot

3. Exchange Online Management module. Open the newly created Automation account and browse the gallery within the Shared Resources section:

Browse gallery for modules screenshot

Search for Exchange Online Management and install it:

Install Exchange Online Management module screenshot

Select Runtime version 5.1 and import the module:

Select Runtime version screenshot

4. Managed Identity ID.

Option A: If you want to use System Managed Identity follow the below steps. For User Managed Identity skip to option B.

In Automation account navigate to Identity under Account Settings section and take a note of the Object (principal) ID:

Copy object ID of managed identity screenshot

Once done skip to step 5.


Option B: If you want to use User Managed Identity in Marketplace search and create Managed Identity:

Create User Assigned Managed Identity screenshot

Go to Overview of the created Managed Identity and take a note of the Object (principal) ID:

Get object ID of user assigned managed identity screenshot

In Automation account navigate to Identity under Account Settings section and turn Off the System assigned identity:

Turn off system assigned identity screenshot

Switch to User assigned tab and add the already created user managed identity:

Add user assiged managed identity screenshot
Choose user assigned managed identity screenshot

5. API Permissions. Grant Exchange.ManageAsApp API permission to the managed identity to be able to call Exchange Online functions:

Connect-MgGraph -TenantId your_orgname.onmicrosoft.com -Scopes AppRoleAssignment.ReadWrite.All,Application.Read.All
Permissions request screenshot

$SPID = “c4d6f4b0-588c-4bd2-a15e-17ce378d26df”
$params = @{
   ServicePrincipalId = $SPID #managed identity object id
   PrincipalId = $SPID
   ResourceId = (Get-MgServicePrincipal -Filter "AppId -eq '00000002-0000-0ff1-ce00-000000000000'").id #Exchange Online id
   AppRoleId = "dc50a0fb-09a3-484d-be87-e023b12c6440" #Exchange.ManageAsApp
}
New-MgServicePrincipalAppRoleAssignedTo @params

6. Exchange permissions. Assign Exchange permissions to the Managed Identity object. Navigate to Azure AD and select Roles and administrators under Manage section. Then search and select Exchange Administrator:

Search Roles and Administrators screenshot

Select Add assignments and add the automation account:

Select automation account screenshot

Note: You could confirm that the right name is selected by comparing the AppID values with:

Get-MgServicePrincipal -ServicePrincipalId $SPID
Get-MgServicePrincipal cmdlet screenshot

7. Create a Runbook. Navigate to Runbooks under Process Automation section in the Automation Account. Select Create runbook:

Create a runbook screenshot

Provide required data where Type is PowerShell and Runtime version is 5.1, then select create:

Provide details for runbook screenshot

Then the PowerShell script can be pasted. To connect to the Exchange organisation the script should start with one of the two cmdlets depending on chosen managed identity:

  • To connect to Exchange with system managed identity:

Connect-ExchangeOnline -ManagedIdentity -Organization your_orgname.onmicrosoft.com
  • To connect Exchange with user managed identity:

Connect-ExchangeOnline -ManagedIdentity -Organization your_orgname.onmicrosoft.com -ManagedIdentityAccountId account_guid

The below PowerShell script is a simple example and lists accepted domains in Exchange Online. Depending on the need you can create your own scripts.

Edit PowerShell runbook screenshot

By selecting the Test pane, the script can be manually executed and validated:

Test a script screenshot

Once validated it can be published from Edit PowerShell Runbook pane.


8. Schedule the automation. Under Shared Resources section in Automation account select Add a schedule:

Schedule Azure Automation screenshot

Provide required details and save it:

New schedule configuration screenshot

Navigate and open the runbook under Runbooks and select Link to schedule:

Link runbook to schedule screenshot

Select Link a schedule to your runbook and choose the created schedule:

Select schedule for runbook screenshot

Azure Automation with Managed Identity

Summary

The step-by-step guide outlined above allow us to start from scratch with Azure Automation. It also provides specific details about using managed identities with Office 365 and particularly Exchange Online. If your Azure Automation is using Run As accounts, you must transition to a managed identity until end of September, 2023. Let us know If you need help with automating your tasks via Azure Automation or Power Automate by contacting us today.

98 views0 comments

Recent Posts

See All

Comments


bottom of page