
I need to write an Azure Automation Runbook that sets the password for all Group Members.

The group and the users are a part of an Administrative Unit and the Service Principal is part of a group assigned as Users Administrator for the AU.

When I run Get-AzureADGroupMember I get Authorization_RequestDenied.

I don't want the service principal to be a Users Administrator for the entire AD. What permissions do I need for the service principal to be able to both list the users in the group and set their password? How do I set it?

  • By "the Service Account" here, do you mean the service principal? Commented Oct 20, 2020 at 1:41
  • Yes, I just changed it. Commented Oct 20, 2020 at 6:44

1 Answer


Even though I think this feature should be reasonable, it actually does not work, per my test.

I gave the Users Administrator role to the service principal at the AU scope, but it cannot reset the password of a user in the group that belongs to the AU; it cannot even reset a direct user's password (the user was directly added in the Users (Preview) in the portal).

But if I test with a work account ([email protected]) with the same Users Administrator role at the AU scope, it can reset the direct user's password, but still cannot reset the password of a user in the group; it looks like the permission cannot be inherited.

So, in conclusion, if you want to reset the passwords of the users in the groups that belong to the AU, you need to add these users directly to the Users (Preview), then use a user account, e.g. a work account with the Users Administrator role, to do that.

To do this in a runbook, you can store your user name and password in the Credentials of the automation account, then use the code in the runbook to log in to your account, get the group members and reset the passwords.

# Read the stored credential from the Automation account
$myCred = Get-AutomationPSCredential -Name '<credential-name>'
$userName = $myCred.UserName
$securePassword = $myCred.Password
$myPsCred = New-Object System.Management.Automation.PSCredential($userName, $securePassword)

# Sign in to Azure AD with the work account (delegated context)
Connect-AzureAD -Credential $myPsCred

# List the members of the group; -ObjectId is mandatory for this cmdlet
Get-AzureADGroupMember -ObjectId '<group-object-id>'

# Reset one user's password (replace the placeholders)
$password = ConvertTo-SecureString "xxxxx" -AsPlainText -Force
Set-AzureADUserPassword -ObjectId xxxx -Password $password
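The following is an added, complete runbook body built on the approach in the answer above; it is not code from the answer or from the question. It assumes an Automation credential named 'AADPasswordResetAccount' (a placeholder) holding a non-MFA work account that has the Users Administrator role, takes the group's object id as a runbook parameter, generates a separate cryptographically random password for each user member and reports, per user, whether the reset succeeded. Members whose reset fails with Authorization_RequestDenied are the ones the signed-in account's role scope does not cover, which is the failure the answer describes for group members not directly added to the AU.

```powershell
# Added example (not from the original answer). Assumed names: the Automation
# credential 'AADPasswordResetAccount' and the $GroupObjectId parameter.
param(
    [Parameter(Mandatory = $true)]
    [string]$GroupObjectId,
    [string]$CredentialName = 'AADPasswordResetAccount'
)

# Cryptographically random password drawn from a fixed alphabet. Rejection
# sampling avoids the modulo bias of a plain "byte % alphabet length".
function New-RandomPassword {
    param([int]$Length = 24)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # largest multiple of the alphabet size below 256
    $buffer = New-Object byte[] 1
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buffer)
        if ($buffer[0] -lt $limit) {
            [void]$sb.Append($alphabet[$buffer[0] % $alphabet.Length])
        }
    }
    $rng.Dispose()
    return $sb.ToString()
}

# Sign in with the stored work account. This is a delegated context; an
# app-only (service principal) token cannot reset passwords, as noted in the comments.
$cred = Get-AutomationPSCredential -Name $CredentialName
Connect-AzureAD -Credential $cred | Out-Null

# -All $true avoids the default page size. Keep only user objects so nested
# groups, devices or service principals in the group are never passed to the reset cmdlet.
$members = Get-AzureADGroupMember -ObjectId $GroupObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'User' }

$results = foreach ($user in $members) {
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    try {
        # Force a change at next sign-in so the generated value is only a bootstrap secret.
        Set-AzureADUserPassword -ObjectId $user.ObjectId -Password $secure -ForceChangePasswordNextLogin $true
        [pscustomobject]@{ UserPrincipalName = $user.UserPrincipalName; Status = 'Reset' }
    } catch {
        # Authorization_RequestDenied here means the signed-in account's role scope
        # (for example an AU that does not directly contain this user) does not cover the member.
        [pscustomobject]@{ UserPrincipalName = $user.UserPrincipalName; Status = "Failed: $($_.Exception.Message)" }
    }
    # $plain is deliberately never written to the job output stream.
}

$results | Format-Table -AutoSize
```

The generated passwords are not emitted to the job output, since Automation job streams are readable by anyone with access to the account's job history. If the new values need to reach the users, hand them off through a separate channel (for example a Key Vault secret per user, or a self-service password reset flow) rather than through the runbook's output.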

3 Comments

I can't run Connect-AzureAD with any work account because they require MFA. That's why I'm trying to do so with a service principal. It seems like the Administrative Unit role assignment is ignored for service principals but does work when applied for the entire AAD.
@thecohenoam Yes, the service principal with an admin role works fine when the scope is the entire AAD instead of the AU, so in this case you just have two options: 1. Create a work account without MFA enabled, then use it. 2. Give the admin role to the service principal at the entire AAD scope.
@thecohenoam Actually, if your requirement is something else, without resetting passwords, you can directly give the Application Graph API permission to the AD App, but the operation to reset a password is special: it needs the Delegated permission, which is not available as an Application permission, so it does not apply to the case where you are logged in with a service principal.
