Using Managed Identity in Azure Automation Runbook to connect to SharePoint Online

[joostvdlinden]

Hi folks,

I am trying to connect to SharePoint Online from within an Azure Automation Runbook using a system assigned managed identity.
I noticed that 6 days ago a new release of pnp has been published, which includes the remark "Added system assigned Managed Identity support for SharePoint Online cmdlets. #2354"

Well I have been trying to use this feature for a couple of days now, but somehow I am not able to make it work.
I have enabled the system assigned identity on the 'Identity' tab of the Automation Account. Next, I have assigned permissions to the Enterprise application which had been created automatically by enabling the managed identity. Currently I have assigned the following permissions:

• Microsoft Graph - Group.Read.All | Application type
• Microsoft Graph - User.Read.All | Application type
• Microsoft Graph - Sites.FullControl.All | Application type
• Office 365 SharePoint Online - Sites.FullControl.All | Application type

Eventually I want to limit it down to the least permissive permission level.

So what I want to achieve is that I can connect to any random SharePoint site collection and perform the Rename-PnPTenantSite cmdlet.

When I try the script below (just for testing purposes), I get the error: Unable to connect to the SharePoint Online Admin Center at 'https://orgname-admin.sharepoint.com' to run this cmdlet. Please ensure you pass in the correct Admin Center URL using Connect-PnPOnline -TenantAdminUrl and you have access to it. Error message: The remote server returned an error: (401) Unauthorized..

Connect-PnPOnline -Url orgname.sharepoint.com -ManagedIdentity

Get-PnPTenantSite -Identity "https://orgname.sharepoint.com/sites/TestSite"

Disconnect-PnPOnline

When I try the script below (just for testing purposes), I get the error: Suspended
The runbook job was attempted 3 times, but it failed each time. Common reasons that runbook jobs fail can be found here: https://docs.microsoft.com/en-us/azure/automation/automation-troubleshooting-automation-errors

Connect-PnPOnline -Url "https://orgname.sharepoint.com/sites/TestSite" -ManagedIdentity

Get-PnPSite

Disconnect-PnPOnline

Can someone help me figure out what I'm doing wrong here?

Thanks for all help provided!

[nowireskiwi]

I am experiencing something similar using Azure Runbooks with managed identity - 401 unauthorized when attempting any commands although there were no errors with the connection.

I have slightly different permissions - basically using sites.selected and then assigning the permissions for the site via Grant-PnPAzureADAppSitePermission as I don't want the managed identity to have full site access to all of SharePoint - the only issue we have found to date with sites.selected is the inability to create a new library in the site. This needs full sites permissions.

I have two simple runbooks one using powershell 5.1 - this fails with 401 unauthorized.
the other one is identical using powershell 7.1 (preview) it works!

The only issue is that I need mggraph and that doesn't work with a managed account using an access token in 7.1 (json dependency error) but does work in 5.1.

I'm not sure if Connect-PNPOnline -managedidentity is supposed to work in 5.1 but a simple test between 5.1 and 7.1 shows it doesn't in my case.

I would redo your test with powershell 7.1 and see if it works.

[nicole-ge]

Hi @nowireskiwi

I have done the same Set up as you. I try to run my runbook with powershell 7.1 but I got the information 7.1 will be deprecated and the pnp Module from the gallery can't be installed.

I always got the error 401 in runbook using runbook with powershell 5 or 7.1 or 7.2

Can you share your powershell script in runbook?

Have a nice day