Azure Automation for Microsoft 365 – How to Set Up Managed Identity

An Azure Automation account can be used to automate many tasks across the Microsoft cloud platforms. You can use one of these accounts to automate or script many tasks within M365, such as creating shared mailboxes in Exchange, creating Teams, or creating SharePoint sites.

Runbooks can be created for your help desk with parameters that must be provided at execution so that the creation of M365 resources can be done at a help desk level instead of at an engineering level.

These runbooks execute as the automation account rather than an individual user so that privileged access doesn’t need to be assigned to more accounts.

The first step to implementing Azure Automation runbooks is to set up the managed identity for the automation account. This blog will walk you through the process of doing this.

How to Verify Whether a Managed Identity Exists in Your Azure Tenant

If you have recently created an automation account or are creating one for this purpose, you may already have the managed identity.

To check, follow these steps.

  1. Browse to https://entra.microsoft.com and sign in with an account that has administrative access to Entra ID.
  2. Expand Applications and click Enterprise applications.
  3. Change the Application type filter to Managed Identities.
  4. Check to see if an application exists with the same name as your Automation account. If an application exists, skip to step <> in the next section.

Step-by-Step Guide to Setting Up the Managed Identity

Setting up the managed identity is straightforward. Follow these steps.

  1. Open the Automation Account from the Azure portal (https://portal.azure.com).
  2. Expand Account Settings in the left pane and select Identity.
  3. Under System assigned, change the Status to On and click Save.
  4. Repeat the steps in the previous section (verifying whether a managed identity exists in your tenant) to confirm that the managed identity was created.

How to Assign Permissions to Your Azure Managed Identity for M365 Automation

Now that the managed identity has been set up, access needs to be assigned to it. This can be done by either assigning API permissions to it or by granting the service principal an admin role within Entra ID.

To grant API access:

  1. Identify the API permission that you want to grant. This could be something like Directory.ReadWrite.All.
  2. Run the following PowerShell script. Connect to Azure AD (Entra ID) using a global admin account. Replace the value of $api_permission with the permission from step 1, and the value of $MI_name with the name of the managed identity (the same name as your Automation account).

# The Graph application permission to grant and the managed identity to grant it to
$api_permission = "Directory.ReadWrite.All"
$MI_name = "managed-identity-setup"

Connect-AzureAD

# Service principal of the managed identity (same display name as the Automation account)
$MI = Get-AzureADServicePrincipal -Filter "displayName eq '$MI_name'"
if (-not $MI) { throw "No service principal named '$MI_name' was found." }

# Service principal of Microsoft Graph, identified by its well-known application id
$graph_sp = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Resolve the permission name to the matching Graph app role
$roles = $graph_sp.AppRoles | Where-Object {$_.Value -eq $api_permission}
if (-not $roles) { throw "Microsoft Graph exposes no app role named '$api_permission'." }

# Grant the app role to the managed identity
New-AzureADServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId -ResourceId $graph_sp.ObjectId -Id $roles.Id

  3. Do this for each permission you want to assign to the managed identity.
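Because the runbooks run as this identity rather than as a user, it is worth confirming afterwards that it holds only the Graph permissions the runbooks need. The following script is an added example, not code from the original post; it assumes the AzureAD module is loaded, Connect-AzureAD has already run, and the required-permission list ($required) is a hypothetical value for your runbook.

```powershell
# Added example (not from the original post). Lists the Microsoft Graph app
# roles currently granted to the managed identity and compares them with the
# set the runbook actually needs, so over-broad grants stand out.
# Assumes the AzureAD module is loaded and Connect-AzureAD has already run.
function Get-ManagedIdentityGraphGrants {
    param([Parameter(Mandatory)][string]$MI_name)

    $MI = Get-AzureADServicePrincipal -Filter "displayName eq '$MI_name'"
    if (-not $MI) { throw "No service principal named '$MI_name' was found." }

    # Microsoft Graph's well-known application id (same value as used above)
    $graph_sp = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

    # Map each Graph app role Id back to its permission name, e.g. Directory.ReadWrite.All
    $role_name_by_id = @{}
    foreach ($role in $graph_sp.AppRoles) { $role_name_by_id[$role.Id] = $role.Value }

    # Assignments granted on the Graph service principal, narrowed to our identity
    Get-AzureADServiceAppRoleAssignment -ObjectId $graph_sp.ObjectId -All $true |
        Where-Object { $_.PrincipalId -eq $MI.ObjectId } |
        ForEach-Object {
            [pscustomobject]@{
                ManagedIdentity = $MI.DisplayName
                Permission      = $role_name_by_id[$_.Id]   # $_.Id is the app role id
                AssignmentId    = $_.ObjectId               # id of the assignment itself
            }
        }
}

# Hypothetical required set for the runbook; adjust to what your runbook calls
$required = @('Directory.ReadWrite.All')
$granted  = Get-ManagedIdentityGraphGrants -MI_name 'managed-identity-setup'
$granted | Format-Table -AutoSize

$extra   = @($granted.Permission | Where-Object { $_ -notin $required })
$missing = @($required | Where-Object { $_ -notin $granted.Permission })
if ($extra)   { Write-Warning "Granted but not required: $($extra -join ', ')" }
if ($missing) { Write-Warning "Required but not granted: $($missing -join ', ')" }
```

An assignment reported as "Granted but not required" can be removed with Remove-AzureADServiceAppRoleAssignment using the AssignmentId shown in the output.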

To assign an admin role within Entra ID:

  1. Browse to https://entra.microsoft.com and sign in with an account that has administrative access to Entra ID.
  2. In the left pane, expand Roles & admins and click Roles & admins.
  3. Find the role that you want to grant, such as Exchange Administrator or SharePoint Administrator.
  4. Under the Active assignments tab, click Add assignments.
  5. Click No member selected under Select members.
  6. Search for the name of your automation account and add it.
  7. Complete the wizard to assign the role.
