Tags: azure-active-directory, azure-ad-graph-api, azure-runbook

Azure Runbook Authorization_RequestDenied AzureAD module


I'm trying to create a runbook in Azure to perform AzureAD commands. I'm receiving an error at the very beginning (skipping the parameters setup):

# Authenticate as the Automation Run As service principal (certificate-based)
$connection = Connect-AzureAD -TenantId $ServicePrincipalConnection.TenantId -ApplicationId $ServicePrincipalConnection.ApplicationId -CertificateThumbprint $ServicePrincipalConnection.CertificateThumbprint
Write-Output "Connection established: "
$connection

# First directory query; this is the call that fails
Get-AzureADUser

This is the output I get:

Connection established: 

Account      : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Environment  : AzureCloud
Tenant       : yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy
TenantId     : yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy
TenantDomain : 
Error occurred while executing GetUsers 
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz
DateTimeStamp: Fri, 18 Feb 2022 17:49:37 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed

So the connection seems to be working fine, but the Get-AzureADUser call fails. I guess the App is missing some API permission, but I can't tell what that would be. For now I've granted:

  • Directory.ReadWrite.All
  • Group.ReadWrite.All
  • User.ReadWrite.All

Is anybody able to assist? Many thanks in advance. Regards.

PS: runbook and AzureAD module version 5.1. Version 7.1 was throwing an error: https://github.com/PowerShell/PowerShell/issues/10473


Solution

  • This error occurs when the user account that is being used to run the Azure PowerShell cmdlets does not have the correct administrator role.

    The Get-AzureADUser command uses Azure AD Graph in the backend. You may need to add the Application permission Directory.Read.All of AAD Graph (Azure Active Directory Graph) and make sure to grant admin consent for the same.

    Check support-for-azure-ad-graph-permission

    (or)

    Go to Azure portal > Azure AD > Roles and Administrators > Select Directory Readers role and assign this role to the runbook required.

    Reference: Authorization_RequestDenied error

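The answer hinges on one distinction: the AzureAD module talks to Azure AD Graph, so application permissions consented on Microsoft Graph do not satisfy it, and the Directory Readers role is the alternative. The following diagnostic is an added example, not code from the question or the answer; it is run interactively by a directory administrator (after a plain Connect-AzureAD) against the runbook's ApplicationId, and it reports which application permissions the service principal actually holds on each Graph API and whether it sits in Directory Readers. The well-known AppIds 00000002-0000-0000-c000-000000000000 (Azure AD Graph) and 00000003-0000-0000-c000-000000000000 (Microsoft Graph) are Microsoft's published values; the function names and the assumption that the two AppRoleAssignment cmdlets together cover both ends of a grant are mine.

```powershell
# Added diagnostic (not from the original post). Run as an admin after Connect-AzureAD,
# passing the runbook's ApplicationId. Requires the AzureAD module (v2.x).
function Test-RunbookDirectoryAccess {
    param([Parameter(Mandatory)][string]$ApplicationId)

    # Well-known resource AppIds: Azure AD Graph (what the AzureAD module calls) and Microsoft Graph.
    $resources = @{
        'Azure AD Graph'  = '00000002-0000-0000-c000-000000000000'
        'Microsoft Graph' = '00000003-0000-0000-c000-000000000000'
    }

    $sp = Get-AzureADServicePrincipal -Filter "AppId eq '$ApplicationId'"
    if (-not $sp) { throw "No service principal found for AppId $ApplicationId" }

    $report = [ordered]@{ ServicePrincipal = $sp.DisplayName }

    foreach ($name in $resources.Keys) {
        $resSp = Get-AzureADServicePrincipal -Filter "AppId eq '$($resources[$name])'"
        if (-not $resSp) { $report[$name] = '(resource not present in tenant)'; continue }

        # Map app-role GUIDs to their readable value, e.g. Directory.Read.All
        $roleNames = @{}
        foreach ($r in $resSp.AppRoles) { $roleNames[$r.Id] = $r.Value }

        # Assumption: the two cmdlets describe an assignment from opposite ends, so both are
        # queried and only grants with our SP as principal and this API as resource are kept.
        $assignments = @(Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId) +
                       @(Get-AzureADServiceAppRoleAssignedTo -ObjectId $resSp.ObjectId)
        $granted = $assignments |
            Where-Object { $_.PrincipalId -eq $sp.ObjectId -and $_.ResourceId -eq $resSp.ObjectId } |
            ForEach-Object { if ($roleNames.ContainsKey($_.Id)) { $roleNames[$_.Id] } else { $_.Id } } |
            Sort-Object -Unique
        $report[$name] = if ($granted) { $granted -join ', ' } else { '(no application permissions)' }
    }

    # Directory Readers membership. Get-AzureADDirectoryRole lists only activated roles,
    # so a missing role simply means nobody has been assigned it yet.
    $dirReaders = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Directory Readers' }
    $isReader = $false
    if ($dirReaders) {
        $isReader = [bool](Get-AzureADDirectoryRoleMember -ObjectId $dirReaders.ObjectId |
                           Where-Object { $_.ObjectId -eq $sp.ObjectId })
    }
    $report['Directory Readers member'] = $isReader

    # Verdict: Get-AzureADUser needs Directory.Read.All (or the broader ReadWrite) on
    # Azure AD Graph, or the Directory Readers role. Microsoft Graph grants do not count.
    $aadGraphGrants = $report['Azure AD Graph']
    $report['Expected to work'] = $isReader -or ($aadGraphGrants -match 'Directory\.(Read|ReadWrite)\.All')

    [pscustomobject]$report
}

# Optional probe for the runbook itself: surfaces the Authorization_RequestDenied from the
# question as a value instead of a terminating error, so the job can log it and continue.
function Test-GetAzureADUserProbe {
    try {
        $null = Get-AzureADUser -Top 1
        return 'ok'
    } catch {
        if ($_.Exception.Message -match 'Authorization_RequestDenied') { return 'forbidden' }
        throw
    }
}

# Usage (interactive admin session):
# Connect-AzureAD
# Test-RunbookDirectoryAccess -ApplicationId '<runbook-application-id>'
```

If the report shows Directory.ReadWrite.All only under "Microsoft Graph" and nothing under "Azure AD Graph", that is exactly the situation the answer describes: the grants exist, but on the wrong API for this module. Note also that the AzureAD module and Azure AD Graph are deprecated in favour of Microsoft Graph PowerShell, so new runbooks should be written against Microsoft Graph, where the Microsoft Graph permissions the question lists would apply.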