
Configure Azure Automation with Managed Identity

As an IT professional you probably need a solution for regularly updating or processing Office 365 objects, but such automation is not included out of the box with Office 365. For example, you might want to apply a custom set of permissions to users' calendar folders within their mailboxes, or amend the default settings of distribution groups based on specific logic. In the past you had to build a dedicated management server that held the required automation scripts and their execution schedules, or rely on external (non-Microsoft) services. Thankfully, nowadays this can be done with Azure alone, in many different ways.


Azure Automation is one good option: it delivers cloud-based process automation, operating system update management and configuration management across Azure and non-Azure environments. Historically the service supported Run As accounts, but on September 30, 2023 that feature was retired permanently and replaced by managed identities.


In this guide we configure an Azure Automation account to connect to Exchange Online with a system-assigned or user-assigned managed identity and execute a basic Exchange script as a demo.


One of the first questions we ask ourselves is "Which identity should I use, system-assigned or user-assigned, and what is the difference between the two?" Both will do the job when it comes to Office 365 automation. The answer depends on the specific environment and requirements and should be aligned with the overall identity management strategy of the organisation. At a high level it is important to remember that:

  • System-assigned managed identity – tied to the lifecycle of a single Automation account and can be used only by that account; it is deleted with the account.

  • User-assigned managed identity – a standalone Azure resource that can be shared by multiple Automation accounts (or other Azure resources) and outlives any of them.

More information about the comparison between the two identity types can be found here: Managed identities for Azure resources.


Before we start you'll need the following:

Implementation Steps

1. Resource Group creation. Using the preferred Azure subscription and region, create a Resource Group with the desired name:

Create a resource group in Azure screenshot

2. Automation account creation. In the previously created resource group, create an Automation account with the desired name:

Create an Automation Account screenshot

3. Exchange Online Management module. Open the newly created Automation account, select Modules under the Shared Resources section and browse the gallery:

Browse gallery for modules screenshot

Search for Exchange Online Management and install it:

Install Exchange Online Management module screenshot

Select Runtime version 5.1 (the same runtime the runbook will use in step 7) and import the module:

Select Runtime version screenshot

4. Managed Identity ID.

Option A: To use the system-assigned managed identity, follow the steps below. For a user-assigned managed identity skip to option B.

In the Automation account navigate to Identity under the Account Settings section, make sure the System assigned status is On, and take note of the Object (principal) ID:

Copy object ID of managed identity screenshot

Once done, skip to step 5.


Option B: To use a user-assigned managed identity, search the Marketplace for "User Assigned Managed Identity" and create one:

Create User Assigned Managed Identity screenshot

Go to the Overview page of the created managed identity and take note of the Object (principal) ID. Note that the Client ID shown on the same page is a different value; it is the one Connect-ExchangeOnline needs in step 7:

Get object ID of user assigned managed identity screenshot

In the Automation account navigate to Identity under the Account Settings section and turn Off the system-assigned identity. This is not strictly required, but an unused identity is one fewer principal to secure:

Turn off system assigned identity screenshot

Switch to the User assigned tab and add the user-assigned managed identity created above:

Add user assigned managed identity screenshot
Choose user assigned managed identity screenshot

5. API permissions. Grant the Exchange.ManageAsApp application permission (an app role of the Office 365 Exchange Online service principal) to the managed identity so it is allowed to call Exchange Online. This is done with the Microsoft Graph PowerShell SDK from your workstation; the account you sign in with needs to be able to grant app role assignments:

Connect-MgGraph -TenantId your_orgname.onmicrosoft.com -Scopes AppRoleAssignment.ReadWrite.All,Application.Read.All
Permissions request screenshot

$SPID = "c4d6f4b0-588c-4bd2-a15e-17ce378d26df" # Object (principal) ID of the managed identity from step 4
$params = @{
   ServicePrincipalId = $SPID # the managed identity that receives the app role
   PrincipalId = $SPID
   # Office 365 Exchange Online service principal (well-known AppId); the Graph OData filter uses "eq", not "-eq"
   ResourceId = (Get-MgServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'").Id
   AppRoleId = "dc50a0fb-09a3-484d-be87-e023b12c6440" # Exchange.ManageAsApp
}
New-MgServicePrincipalAppRoleAssignedTo @params

6. Exchange permissions. The app role only lets the identity talk to Exchange Online; what it may do there is governed by the Azure AD (Microsoft Entra ID) role assigned to it. Navigate to Azure AD and select Roles and administrators under the Manage section, then search for and select Exchange Administrator. Keep in mind that Exchange Administrator is a broad role (full control over recipients and organisation configuration); if a narrower built-in role covers everything your runbook does, prefer that one:

Search Roles and Administrators screenshot

Select Add assignments and add the managed identity (a system-assigned identity appears under the Automation account's name; a user-assigned identity under its own name):

Select automation account screenshot

Note: You can confirm the right principal was selected by comparing the AppId value shown in the portal with the one returned by:

Get-MgServicePrincipal -ServicePrincipalId $SPID
Get-MgServicePrincipal cmdlet screenshot
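The following script is an added example, not the post's own code, and ties steps 5 and 6 together in one idempotent pass: it resolves both service principals, creates the Exchange.ManageAsApp assignment only if it is missing, and then verifies that the Exchange Administrator directory role from step 6 is really present before you trust the runbook. It uses the same object ID placeholder as above (replace it with your own), the well-known Exchange Online AppId and app role ID from step 5, and the built-in Exchange Administrator role template ID 29232cdf-9323-42fd-ade2-1d097af3e4de; the extra RoleManagement.Read.Directory scope is needed to read directory role assignments.

```powershell
# Added example (not from the original post): assign and verify the managed identity's
# Exchange permissions in one idempotent run. Requires the Microsoft.Graph PowerShell SDK.
$SPID                        = 'c4d6f4b0-588c-4bd2-a15e-17ce378d26df' # managed identity Object (principal) ID, replace with yours
$ExoAppId                    = '00000002-0000-0ff1-ce00-000000000000' # Office 365 Exchange Online (well-known AppId)
$ManageAsAppRoleId           = 'dc50a0fb-09a3-484d-be87-e023b12c6440' # Exchange.ManageAsApp app role
$ExchangeAdminRoleTemplateId = '29232cdf-9323-42fd-ade2-1d097af3e4de' # built-in Exchange Administrator role

Connect-MgGraph -TenantId 'your_orgname.onmicrosoft.com' `
    -Scopes 'AppRoleAssignment.ReadWrite.All', 'Application.Read.All', 'RoleManagement.Read.Directory' `
    -NoWelcome

# Resolve both service principals and fail early if either is missing (OData filter uses "eq")
$mi  = Get-MgServicePrincipal -ServicePrincipalId $SPID
$exo = Get-MgServicePrincipal -Filter "appId eq '$ExoAppId'"
if (-not $mi -or -not $exo) { throw 'Managed identity or Exchange Online service principal not found' }
Write-Host "Managed identity: $($mi.DisplayName) (AppId $($mi.AppId))"

# Step 5: create the Exchange.ManageAsApp assignment only if it does not already exist
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $SPID |
    Where-Object { $_.ResourceId -eq $exo.Id -and $_.AppRoleId -eq $ManageAsAppRoleId }
if ($existing) {
    Write-Host 'Exchange.ManageAsApp is already assigned'
} else {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $SPID -PrincipalId $SPID `
        -ResourceId $exo.Id -AppRoleId $ManageAsAppRoleId | Out-Null
    Write-Host 'Exchange.ManageAsApp assigned'
}

# Step 6 check: the directory role must be assigned to this principal, otherwise
# Connect-ExchangeOnline succeeds but every Exchange cmdlet is denied
$roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$SPID'"
$exoAdmin = $roleAssignments | Where-Object { $_.RoleDefinitionId -eq $ExchangeAdminRoleTemplateId }
if ($exoAdmin) {
    Write-Host "Exchange Administrator role present (scope $($exoAdmin.DirectoryScopeId))"
} else {
    Write-Warning 'No Exchange Administrator assignment found; complete step 6 before running the runbook'
}

# Least-privilege sanity check: any other app role on this identity is privilege you did not intend
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $SPID |
    Where-Object { $_.AppRoleId -ne $ManageAsAppRoleId } |
    ForEach-Object { Write-Warning "Unexpected app role $($_.AppRoleId) on resource $($_.ResourceDisplayName)" }

# Directory roles beyond the one you chose are worth a second look too
$roleAssignments | Where-Object { $_.RoleDefinitionId -ne $ExchangeAdminRoleTemplateId } |
    ForEach-Object { Write-Warning "Additional directory role $($_.RoleDefinitionId) at scope $($_.DirectoryScopeId)" }
```

Run it once after steps 5 and 6 and again whenever the identity is touched; because the assignment step is idempotent it is safe to keep in a repository and re-run as a drift check. New-MgServicePrincipalAppRoleAssignment is the cmdlet Microsoft's own documentation uses for this assignment, and posts to the principal's own appRoleAssignments collection, which is why ServicePrincipalId and PrincipalId are both the managed identity here.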

7. Create a Runbook. Navigate to Runbooks under Process Automation section in the Automation Account. Select Create runbook:

Create a runbook screenshot

Provide the required details, where Type is PowerShell and Runtime version is 5.1 (matching the module imported in step 3), then select Create:

Provide details for runbook screenshot

Then the PowerShell script can be pasted. To connect to the Exchange organisation the script should start with Connect-ExchangeOnline in one of the two forms below, depending on the chosen managed identity:

  • To connect to Exchange with the system-assigned managed identity:

Connect-ExchangeOnline -ManagedIdentity -Organization your_orgname.onmicrosoft.com
  • To connect to Exchange with a user-assigned managed identity, where account_guid is the Client (application) ID of that identity as shown on its Overview page, not the Object (principal) ID used in steps 5 and 6:

Connect-ExchangeOnline -ManagedIdentity -Organization your_orgname.onmicrosoft.com -ManagedIdentityAccountId account_guid

The PowerShell script below is a simple example that lists the accepted domains in Exchange Online. Depending on your needs you can create your own scripts.

Edit PowerShell runbook screenshot
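Since the post's own script survives only as a screenshot, here is an added example runbook (not the original author's code) that does the same job, lists the accepted domains, and adds the pieces a practitioner would want in a scheduled job: runbook parameters so one script serves both identity types, a hard failure on any error so the job shows as Failed rather than silently Completed, and a guaranteed disconnect so the Exchange session is not left open in the Automation sandbox. The parameter names are this example's own; your_orgname.onmicrosoft.com is the placeholder used elsewhere on this page.

```powershell
# Added example runbook (not from the original post): list Exchange Online accepted
# domains using the Automation account's managed identity. Runtime: PowerShell 5.1,
# requires the ExchangeOnlineManagement module imported in step 3.
param(
    [Parameter(Mandatory = $true)]
    [string]$Organization,           # e.g. your_orgname.onmicrosoft.com

    [string]$UserAssignedClientId    # Client (application) ID of a user-assigned identity;
                                     # leave empty to use the system-assigned identity
)

# Make every error terminating so the runbook job is reported as Failed
$ErrorActionPreference = 'Stop'

$connectParams = @{
    ManagedIdentity = $true
    Organization    = $Organization
    ShowBanner      = $false
}
if ($UserAssignedClientId) {
    $connectParams['ManagedIdentityAccountId'] = $UserAssignedClientId
}

try {
    Connect-ExchangeOnline @connectParams

    # Only the fields an operator needs; Default marks the tenant's default domain
    $domains = Get-AcceptedDomain | Select-Object Name, DomainName, DomainType, Default

    $domains | Format-Table -AutoSize | Out-String | Write-Output
    Write-Output ('Found {0} accepted domain(s) in {1}' -f @($domains).Count, $Organization)
}
catch {
    # Surface the real cause in the job's error stream, then re-throw to fail the job
    Write-Error ("Runbook failed: " + $_.Exception.Message)
    throw
}
finally {
    # Always release the session, even when the script failed
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
}
```

When you link the runbook to a schedule in step 8, the dialog asks for values for these parameters, so the organisation name and client ID live in the schedule rather than in the script body. For the system-assigned identity simply leave UserAssignedClientId blank.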

By selecting the Test pane, the script can be manually executed and validated:

Test a script screenshot

Once validated, publish it from the Edit PowerShell Runbook pane; only published runbooks can be linked to a schedule.


8. Schedule the automation. Under the Shared Resources section of the Automation account select Schedules, then Add a schedule:

Schedule Azure Automation screenshot

Provide required details and save it:

New schedule configuration screenshot

Open the runbook under Runbooks and select Link to schedule:

Link runbook to schedule screenshot

Select Link a schedule to your runbook and choose the created schedule:

Select schedule for runbook screenshot


Summary

The step-by-step guide above lets us start from scratch with Azure Automation. It also provides specific details about using managed identities with Office 365 and particularly Exchange Online. If your Azure Automation account is still using Run As accounts, you must transition to a managed identity before the end of September 2023, when Run As accounts are retired. Let us know if you need help with automating your tasks via Azure Automation or Power Automate by contacting us today.
