Certificate authentication to Graph API in Azure Automation Account
I'm trying to authenticate to the Graph API through Powershell (5.1) using a certificate in an automation account runbook.
I've created a private key and certificate into a password protected PFX. It's uploaded to the 'Certificate' section in my automation account. I've tested to upload it manually in the portal and using New-AzAutomationCertificate, exportable and non-exportable.
I have tested:
Import-Module Microsoft.Graph.Users
$AppId = '<app id>'
$TenantId = '<tenant id>'
$cert = Get-AzAutomationCertificate -ResourceGroupName "automation" -AutomationAccountName "aa-automation-common" -Name "cert-auth-prod-exportable"
Connect-MgGraph -Certificate $cert -TenantId $TenantId -ClientId $AppId
Get-MgUser -UserId "<user id>"
And
Import-Module Microsoft.Graph.Users
$AppId = '<app id>'
$TenantId = '<tenant id>'
$cert = (Get-AzAutomationCertificate -ResourceGroupName "automation" -AutomationAccountName "aa-automation-common" -Name "cert-auth-prod-exportable").Thumbprint
Connect-MgGraph -CertificateThumbprint $cert -TenantId $TenantId -ClientId $AppId
Get-MgUser -UserId "<user id>"
Both results in an error when running in the runbook in Azure.
Get-AzAutomationCertificate : Object reference not set to an instance of an object. At line:6 char:10 + $cert = (Get-AzAutomationCertificate -ResourceGroupName "automation" ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : CloseError: (:) [Get-AzAutomationCertificate], NullReferenceException + FullyQualifiedErrorId : Microsoft.Azure.Commands.Automation.Cmdlet.GetAzureAutomationCertificate
When I test it locally in VS Code by first signing in using Connect-AzAccount both works fine. I get the certificate info, can connect using Connect-MgGraph and fetch the user info.
Any clues?
I created a password protected PFX and uploaded it to the 'Certificates' section in my automation account:
When I ran your code in my environment, I too got same error as below:
Import-Module Microsoft.Graph.Users
$AppId = 'appId'
$TenantId = 'tenantId'
$cert = (Get-AzAutomationCertificate -ResourceGroupName "Sri" -AutomationAccountName "testautomation" -Name "GraphCert").Thumbprint
Connect-MgGraph -CertificateThumbprint $cert -TenantId $TenantId -ClientId $AppId
Get-MgUser -UserId "xxxxxxxx"
Response:
Note that, the error occurred as you missed calling Connect-AzAccount that is necessary for
Get-AzAutomationCertificatecommand to work.
To resolve the error, I turned on system-managed identity of automation account and added Contributor (a Reader role would be enough) role to it like below:
When I ran below modified script by connecting to Azure via system-managed identity, I got the response with user details successfully like below:
# Ensures you do not inherit an AzContext in your runbook
Disable-AzContextAutosave -Scope Process
$AzureContext = (Connect-AzAccount -Identity).context
$AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext
Import-Module Microsoft.Graph.Users
$AppId = 'appId'
$TenantId = 'tenantId'
$cert = (Get-AzAutomationCertificate -ResourceGroupName "Sri" -AutomationAccountName "testautomation" -Name "GraphCert").Thumbprint
Connect-MgGraph -CertificateThumbprint $cert -TenantId $TenantId -ClientId $AppId
Get-MgUser -UserId "xxxxxxxx"
Response:
In your case, make sure to call Connect-AzAccount before running Get-AzAutomationCertificate command.
Reference: Using a system-assigned managed identity for an Azure Automation account | Microsoft
- WinSCP Disable ResumeSupport in PowerShell
- ConvertFrom-Json : Cannot convert the JSON string because a dictionary that was converted from the string contains the duplicated keys
- How to pull the model name of a Lenovo ThinkCenter M75q Gen 2
- How to do a topological sort in PowerShell
- Error: "The operation was rejected by your operating system" when trying to create new angular project using windows powershell
- powerShell Set-acl strange error : there is not enough space on the disk
- How to append XML elements with Attributes using Powershell
- Automation Account Importing PowerShell Module Issue
- Trying to get Codesys to run a batch file from the HMI
- Is it possible to save the output from a write command in a file? (API and Powershell)
- PowerShell script to monitor IIS logs for 500 errors every 10 minutes
- Where to find documentation about add_<eventname>(<scriptblock>) like add_click, add_shown using powershell?
- How do you get the icons out of shell32.dll?
- How do I extract fields from the tabular text output of the Cloud Foundry CLI?
- Shortcut to pull up all file explorer windows that are open
- PowerShell LDAPFilter multiple conditions
- Create new System.Collections.Generic.Dictionary object fails in PowerShell
- How to calculate the CRC32 of a string in Powershell?
- How do you do a ‘Pause’ with PowerShell 2.0?
- Writing program version to INI file in Inno Setup at compile time
- Extract email:password
- HTTP request to update Service Principal Entra
- How to show the diff in all files having leftover conflict marker?
- How to get ALL AD user groups (recursively) with Powershell or other tools?
- Which version of XPath is installed
- Using powershell, how can I extract the OU path for a computer currently in AD?
- MSGraph Query Not returning group info
- PowerShell - Overwriting line written with Write-Host
- How do I get a certificate (public and private key) into a windows container in AKS?
- script to remove unused drivers - pnputil