Coding Stephan

Use multi tenant managed identity in Azure Automation

With the introduction of multi tenant support for managed identities it is time to take a look at how to use them in Azure Automation. This post will take you through all the steps needed to get this working.

Create automation account

The first thing you need to do is create an automation account. This can be done in the Azure portal:

  1. Click on the Create a resource button
  2. Search for Automation Account
  3. Click on the Create button and fill in the required fields
  4. Navigate to the resource and click Account settings and then Identity
  5. Enable the system assigned managed identity
  6. Copy the Object ID of the identity; you will need it later (eg. 0ad30d3a-6c55-481b-b24e-6ab49366ad0e)
  7. Click Shared resources and then Modules
  8. Click on Browse gallery and search for TokenMagician
  9. Click the module, click Select, choose Runtime version 7.2 and click Import
  10. Install these modules the same way:
    • Microsoft.Graph.Authentication
    • Microsoft.Graph.Users

TokenMagician module

I created the TokenMagician module to simplify getting a token with the managed identity. It is a wrapper around the Azure.Identity C# library and provides a simple way to get the token.

Create app registration

  1. Go to Entra portal - App Registrations
  2. Click New registration
  3. Pick a name and select Accounts in any organizational directory
  4. Leave the redirect URI empty
  5. Click Register
  6. Go to API permissions and click Add a permission
  7. Select whatever Application permission you need. For this example I will use Microsoft Graph and User.Read.All (Application permission), as it is somewhat harmless in that it cannot change anything.
  8. Copy the Application (client) ID and the Directory (tenant) ID from the overview page

Add federated credentials

  1. In the app registration, go to Certificates & secrets and click Federated credentials
  2. Click Add a credential
  3. Select Customer Managed Keys (wizard style)
  4. Enter the following details:
    • Issuer - https://login.microsoftonline.com/{tenantId}/v2.0 (auto filled)
    • Click Select a managed identity and select your managed identity
    • Subject identifier - 0ad30d3a-6c55-481b-b24e-6ab49366ad0e (this is the object ID of the managed identity)
    • Name - Pick a name for the credential (eg. msi-{nameResource})
    • Description - Describe the credential (eg. Credential for {nameResource} in {resourceGroup} ({subscription}))
    • Audience - api://AzureADTokenExchange (auto filled - leave this as is)
  5. Click Add

Select your managed identity

Have the tenant admin of the target tenant grant admin consent to the permissions you selected in the app registration.

Consent URL: https://login.microsoftonline.com/{tenantId}/adminconsent?client_id={clientId} (replace {tenantId} with their tenant id (or one of their registered domains) and {clientId} with the value from the app registration)

Create automation runbook

  1. Go to the automation account and click Runbooks
  2. Click Create a runbook
  3. Pick a name and select PowerShell as the type
  4. Pick 7.2 as the runtime version (or higher if available)
  5. Click Review + Create

Add code

Edit the just created runbook and add the following code. You’ll need these details:

  • tenantId - The tenant id of the target tenant (eg. 5b44092e-7cfa-456a-b061-becf296eec19)
  • clientId - The client id of the app registration (eg. 3fa0a55f-2092-4174-8390-2abd14e462d6)

# Requires the TokenMagician, Microsoft.Graph.Authentication and
# Microsoft.Graph.Users modules to be imported into the automation account
Import-Module TokenMagician

Write-Host "Getting token using system assigned managed identity"
# The managed identity is exchanged for a token of the multi tenant app registration in the target tenant
$token = Get-TmMsiToken -TenantId "5b44092e-7cfa-456a-b061-becf296eec19" -ClientId "3fa0a55f-2092-4174-8390-2abd14e462d6" -Scope "https://graph.microsoft.com/.default"

# Convert the token to a secure string (Connect-MgGraph expects a SecureString)
$secureToken = ConvertTo-SecureString -String $token -AsPlainText

# Import the required modules
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users

# Connect to the graph using the token
Connect-MgGraph -AccessToken $secureToken

# Do what you want to do with the graph module
Get-MgUser -Top 2 | Select-Object -Property Id, DisplayName | Format-Table
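To show what the federated credential actually does, here is the two-step token exchange written out by hand, as an added example that is not part of the original post or the TokenMagician module. It assumes the runbook runs in Azure Automation, where the IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables point at the managed identity endpoint, and it adds a check on the tid and aud claims of the returned token before anything uses it.

```powershell
# Added example: managed identity -> federated credential -> app token in the target tenant.
# Assumes the Azure Automation managed identity endpoint ($env:IDENTITY_ENDPOINT /
# $env:IDENTITY_HEADER) and api-version 2019-08-01; the ids below are the ones from the post.
param(
    [string]$TenantId = "5b44092e-7cfa-456a-b061-becf296eec19",  # target (consented) tenant
    [string]$ClientId = "3fa0a55f-2092-4174-8390-2abd14e462d6",  # multi tenant app registration
    [string]$Scope    = "https://graph.microsoft.com/.default"
)

# Step 1: get a token from the managed identity endpoint whose audience is the
# federated credential audience (api://AzureADTokenExchange), not Graph itself.
$msiUri = "$($env:IDENTITY_ENDPOINT)?api-version=2019-08-01&resource=api://AzureADTokenExchange"
$msiHeaders = @{ "X-IDENTITY-HEADER" = $env:IDENTITY_HEADER; "Metadata" = "true" }
$assertion = (Invoke-RestMethod -Uri $msiUri -Method Get -Headers $msiHeaders).access_token

# Step 2: present that token as a client assertion to the *target* tenant. Entra matches its
# issuer, subject (the identity's object ID) and audience against the federated credential
# on the app registration and, if they match, issues a token for the app in that tenant.
$body = @{
    client_id             = $ClientId
    scope                 = $Scope
    grant_type            = "client_credentials"
    client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
    client_assertion      = $assertion
}
$tokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
$token = (Invoke-RestMethod -Uri $tokenUri -Method Post -Body $body).access_token

# Step 3: before using the token, confirm it is for the tenant and audience we asked for.
function ConvertFrom-JwtPayload([string]$Jwt) {
    # Decode the base64url payload segment (no signature check; Graph validates that)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}
$claims = ConvertFrom-JwtPayload $token
if ($claims.tid -ne $TenantId) { throw "Token is for tenant $($claims.tid), expected $TenantId" }
# Microsoft Graph tokens carry either the Graph URL or the Graph app id as audience
if ($claims.aud -notin @("https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000")) {
    throw "Unexpected audience $($claims.aud)"
}
Write-Host "Got a Graph token in tenant $($claims.tid) with roles: $($claims.roles -join ', ')"
```

The roles claim should list exactly the application permissions the target tenant admin consented to (User.Read.All in this post); anything else means the consent or the app registration is not what you expected.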

Be super happy with the result

That’s it, you now have a runbook that can use a managed identity to get a token and use that token to connect to the Microsoft Graph. This is a huge step forward in security and makes it a lot easier to build multi tenant applications.

Getting users from any (consented) tenant using managed identity

Series: Federated Credentials

Conclusion

Using a managed identity instead of a secret or certificate is super useful in multi tenant scenarios. They never expire, and Microsoft stores them securely for you. This post shows how that works in Azure Automation, but the same principle can be applied to any other service that supports managed identities. More on that later.

Can we start abbreviating a multi tenant managed identity as MTMI? 🤔