Use Pnp.PowerShell with user assigned managed identity in Azure automation accounts

[carsten-blanke]

Maybe there is an article or tutorial like this, I didn't find it, so I decided to post it here.

My goal was to use the PnP:PowerShell module in a runbook in an automation account. I want to change lockstates in personal sharepoint sites (OneDrive for business). Because I hate to change outdated secrets and/or certificates, I wanted to run it with a managed identity. For reasons of company guidelines I had to use user assigned managed identity.

To show how I managed it, I'll show you first the end of my implementation: The Login in the runbook:
Connect-PnPOnline -ManagedIdentity -UserAssignedManagedIdentityClientId "<app id of mi>" -Url "https://tenant-admin.sharepoint.com"

To achieve this, I used the following steps:
Step 1: Create an user assigned managed identity and assign it to the runbook

Step 2: Each managed identity is represented by an enterprise application in the azure active directory. Usually you can give only app registrations permissions. To give an enterprise app permissions, you have to use PowerShell. The work to do is, to give the MI the Graph permission "Sites.FullControl.All" and the Sharepoint permission "Sites.FullControl.All". You can use this script if you want.

Connect-AzureAD

#Managed Identity
$MI_DisplayName = "Name-Of-MI"
$MI_Object = Get-AzureADServicePrincipal -Filter "displayName eq '$MI_DisplayName'"

#ServicePrincipal of permission owner
$ServicePrincipalIdGraph = "00000003-0000-0000-c000-000000000000" #Graph
$ServicePrincipalIdSPO = "00000003-0000-0ff1-ce00-000000000000" #Sharepoint Online btw. exactly my kind of humor to put 0ffi-ce into the GUID :D

$ServicePrincipalGraph = Get-AzureADServicePrincipal -Filter "appId eq '$ServicePrincipalIdGraph'"
$ServicePrincipalSPO = Get-AzureADServicePrincipal -Filter "appId eq '$ServicePrincipalIdSPO'"

#Search Permission Object
$Permission_Name = "Sites.FullControl.All"
$Permission_ObjectGraph = $ServicePrincipalGraph.AppRoles | ?{$_.Value -eq $Permission_Name -and $_.AllowedMemberTypes -contains "Application"}
$Permission_ObjectSPO = $ServicePrincipalSPO.AppRoles | ?{$_.Value -eq $Permission_Name -and $_.AllowedMemberTypes -contains "Application"}


#Assign Permission
New-AzureAdServiceAppRoleAssignment -ObjectId $MI_Object.ObjectId `
                                    -PrincipalId $MI_Object.ObjectId `
                                    -ResourceId $ServicePrincipalGraph.ObjectId `
                                    -Id $Permission_ObjectGraph.Id

New-AzureAdServiceAppRoleAssignment -ObjectId $MI_Object.ObjectId `
                                    -PrincipalId $MI_Object.ObjectId `
                                    -ResourceId $ServicePrincipalSPO.ObjectId `
                                    -Id $Permission_ObjectSPO.Id

Be aware that you have to be global admin to use this script.

Step 3: You have to invite the MI in the sharepoint tenant and give FullControl to it.
Open the site https://tenant-admin.sharepoint.com/_layouts/15/appinv.aspx
On the site post the Appid of the MI into the textbox and click "Lookup"
Some fields will get values. Do not change them! Paste this XML unchanged into the permission field

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>

Click "create" and then "trust".

Step 4: Step back and enjoy. You can now use the MI in runbooks an login like above.