Problems with connecting to Exchange Online from Azure Automation using a managed identity.

Oleg Tserkovnyuk 666 Reputation points
2022-12-20T10:36:55.407+00:00

Hello,

I would like to run Get-UnifiedGroup from Azure Automation.
To do this I use this code:

Connect-ExchangeOnline -ManagedIdentity -Organization atlastechnicalab.onmicrosoft.com  
Get-UnifiedGroup  

Unfortunately, Connect-ExchangeOnline crashes with the error 'UnAuthorized'.

To grant access to the managed identity used by my Azure Automation account, I used this code:

Connect-MgGraph -Scopes RoleManagement.ReadWrite.Directory  
$RoleID = (Get-MgRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq 'Exchange Administrator'").Id  
#$PrincipalId I take from my automation > identity > system assigned > object (principal) ID   
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $PrincipalId -RoleDefinitionId $RoleID -DirectoryScopeId "/"  

I followed this guide to grant permissions and this guide to connect to Exchange Online.

My runbook is based on PS runtime 7.1 and uses the module 'ExchangeOnlineManagement' 3.0.0 for runtime 7.1.

Also, I would be very thankful if someone could help me figure out the minimal permissions I need to grant to my Azure Automation account to connect to Exchange Online and run the command Get-UnifiedGroup.


Accepted answer
  1. Vasil Michev 114K Reputation points MVP
    2022-12-20T10:54:49.89+00:00

    Did you add the Exchange.ManageAsApp permission in addition to the Azure AD role? Without it, you will get the UnAuthorized error.

    Btw, there is a known issue with the *-UnifiedGroup cmdlets, you will not be able to run those via this method. So if all you want to do is manage M365 groups, best use the Graph API instead.


1 additional answer

  1. John Bruijntjes 0 Reputation points
    2025-02-11T13:39:54.27+00:00

    Make sure to use the object (principal) ID and not the client ID of the managed identity.

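The following script is an added example and is not code from either answer in this thread. It puts the two points above into one runnable procedure: it grants the managed identity the Exchange.ManageAsApp app role on the Office 365 Exchange Online service principal (the piece the accepted answer says is missing), assigns the Azure AD directory role the question used, and identifies the managed identity by its object (principal) ID rather than its client ID, as the second answer warns. It assumes the Microsoft.Graph PowerShell module is installed, that the caller can assign app roles and directory roles, and that the automation account is named 'MyAutomationAccount' (a hypothetical name; the system-assigned identity's service principal carries the same display name). The app role is looked up by its value instead of a hard-coded GUID, and every assignment is skipped if it already exists, so the script can be rerun safely.

```powershell
# Added example, not part of the original thread. Grants a system-assigned managed
# identity what it needs for app-only Exchange Online PowerShell and verifies it.
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'

$automationAccountName = 'MyAutomationAccount'    # hypothetical name, replace with yours
$directoryRoleName     = 'Exchange Administrator'  # role used in the question

# The managed identity is a service principal. Its Id is the object (principal) ID
# that the role assignment APIs expect; AppId is the client ID and will not work here.
$mi = Get-MgServicePrincipal -Filter "DisplayName eq '$automationAccountName'"
if (-not $mi) { throw "No service principal named '$automationAccountName' was found." }
$principalId = $mi.Id

# Well-known application (client) ID of the 'Office 365 Exchange Online' resource.
$exoAppId = '00000002-0000-0ff1-ce00-000000000000'
$exoSp = Get-MgServicePrincipal -Filter "AppId eq '$exoAppId'"
if (-not $exoSp) { throw "The Office 365 Exchange Online service principal is not present in this tenant." }

# Resolve the Exchange.ManageAsApp app role from the resource's own role list.
$manageAsApp = $exoSp.AppRoles |
    Where-Object { $_.Value -eq 'Exchange.ManageAsApp' -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $manageAsApp) { throw "Exchange.ManageAsApp app role not found on the Exchange Online service principal." }

# 1) App role assignment: Exchange.ManageAsApp on the managed identity (idempotent).
$appRoleAssigned = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $principalId |
    Where-Object { $_.AppRoleId -eq $manageAsApp.Id -and $_.ResourceId -eq $exoSp.Id }
if (-not $appRoleAssigned) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $principalId `
        -PrincipalId $principalId -ResourceId $exoSp.Id -AppRoleId $manageAsApp.Id | Out-Null
}

# 2) Directory role assignment, tenant-wide scope, as in the question (idempotent).
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq '$directoryRoleName'"
if (-not $roleDef) { throw "Directory role '$directoryRoleName' not found." }
$roleAssigned = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$principalId' and roleDefinitionId eq '$($roleDef.Id)'"
if (-not $roleAssigned) {
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $principalId `
        -RoleDefinitionId $roleDef.Id -DirectoryScopeId '/' | Out-Null
}

# 3) Verify: both must be present or Connect-ExchangeOnline -ManagedIdentity fails with UnAuthorized.
$hasAppRole = [bool](Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $principalId |
    Where-Object { $_.AppRoleId -eq $manageAsApp.Id -and $_.ResourceId -eq $exoSp.Id })
$hasDirRole = [bool](Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$principalId' and roleDefinitionId eq '$($roleDef.Id)'")

[pscustomobject]@{
    ManagedIdentity     = $automationAccountName
    ObjectPrincipalId   = $principalId      # use this for role assignments
    ClientId            = $mi.AppId         # not this
    ExchangeManageAsApp = $hasAppRole
    DirectoryRole       = $directoryRoleName
    DirectoryRoleSet    = $hasDirRole
}
```

Run this once from an administrator's session, not from the runbook; the runbook itself only needs `Connect-ExchangeOnline -ManagedIdentity -Organization <tenant>.onmicrosoft.com`. Newly granted app roles can take a few minutes to be honoured by the token service, so a retry after a short wait is expected before the first successful connection. If you want fewer privileges than Exchange Administrator, change `$directoryRoleName` to a less privileged role that still covers the cmdlets you run and re-verify with the same script.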
