Azure Automation Account access - AD & WVD Hostpool (add/remove) Operations
I have an automation account with a Run As account through which I'm running a PowerShell runbook. It usually adds/removes a member to an AD group in Azure and adds/removes a user to a WVD host pool. My issue is that the Run As account doesn't have sufficient permission to do the operations.
What level of access (on my account as well as the Run As account) is required to do these activities?
Solution 1:[1]
To perform operations like adding/removing a user from an Azure AD group via a PowerShell runbook, your Automation account should have the Owner or Contributor role assigned.
The Owner role allows access to all resources and actions within an Automation account, including granting access to other users, groups, and applications to manage the Automation account.
The Contributor role allows you to manage everything except modifying other users' access permissions to an Automation account.
Based on your requirement you can assign roles as described in the Microsoft Docs below:
- To assign roles to your Azure Automation Account via the Azure Portal, go to Azure Portal -> Automation Accounts -> Your Account -> Access Control (IAM) -> Add Role
- Make sure to give the Directory Readers role like below: go to Azure portal -> Azure AD -> Roles and Administrators -> Directory Readers role -> Assign this role to the runbook account name
For more details, please refer to the links below:
https://www.buchatech.com/2018/07/the-argument-is-null-or-empty-error-in-azure-automation-runbook/
https://docs.microsoft.com/en-us/azure/virtual-desktop/delete-host-pool?tabs=azure-portal
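The following runbook skeleton is an added example, not code from the question or the answer. It signs in with the Automation account's Run As connection, checks up front that the service principal actually holds a role on the target resource (so a missing assignment fails with a clear message rather than an authorization error part-way through), and then performs the two operations the question describes: changing Azure AD group membership, and granting or revoking host pool access. Host pool access in WVD is granted per application group through the built-in `Desktop Virtualization User` role, so the role assignment here is scoped to that single application group rather than to the subscription. Note that the Directory Readers role only covers lookups; writing group membership additionally requires a directory role or Microsoft Graph application permission that permits group membership changes. All parameter values (group and user object IDs, resource group, application group name) are placeholders supplied at run time.

```powershell
# Added example runbook (not from the original post). Assumes the Az.Accounts, Az.Resources and
# Az.DesktopVirtualization modules are imported into the Automation account, and that the
# Run As connection is named 'AzureRunAsConnection' (the default name).
param(
    [Parameter(Mandatory = $true)][string] $GroupObjectId,      # placeholder: Azure AD group to modify
    [Parameter(Mandatory = $true)][string] $UserObjectId,       # placeholder: user's Azure AD object ID
    [Parameter(Mandatory = $true)][string] $ResourceGroupName,  # placeholder: RG holding the app group
    [Parameter(Mandatory = $true)][string] $AppGroupName,       # placeholder: desktop app group of the host pool
    [ValidateSet('Add', 'Remove')][string] $Action = 'Add'
)

# 1. Sign in as the Automation account's Run As service principal.
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
Connect-AzAccount -ServicePrincipal `
    -TenantId $conn.TenantId `
    -ApplicationId $conn.ApplicationId `
    -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

# 2. Fail early if the Run As principal has no role on the application group that allows
#    it to manage role assignments there. Get-AzRoleAssignment -Scope also returns
#    assignments inherited from the resource group and subscription.
$appGroup = Get-AzWvdApplicationGroup -ResourceGroupName $ResourceGroupName -Name $AppGroupName
$roles = (Get-AzRoleAssignment -ServicePrincipalName $conn.ApplicationId -Scope $appGroup.Id).RoleDefinitionName
$canAssign = @('Owner', 'Contributor', 'User Access Administrator') | Where-Object { $roles -contains $_ }
if (-not $canAssign) {
    throw "Run As principal $($conn.ApplicationId) holds no role on $($appGroup.Id) that permits role assignments."
}

# 3. Azure AD group membership. The ARM Contributor role on the Automation account does not
#    grant this; the principal needs an Azure AD role or Graph permission that allows
#    changing group membership.
if ($Action -eq 'Add') {
    Add-AzADGroupMember -TargetGroupObjectId $GroupObjectId -MemberObjectId $UserObjectId
} else {
    Remove-AzADGroupMember -GroupObjectId $GroupObjectId -MemberObjectId $UserObjectId
}

# 4. WVD host pool access is granted per application group via the built-in
#    'Desktop Virtualization User' role, scoped to that application group only.
$wvdRole = 'Desktop Virtualization User'
if ($Action -eq 'Add') {
    New-AzRoleAssignment -ObjectId $UserObjectId -RoleDefinitionName $wvdRole -Scope $appGroup.Id | Out-Null
} else {
    Remove-AzRoleAssignment -ObjectId $UserObjectId -RoleDefinitionName $wvdRole -Scope $appGroup.Id
}

Write-Output "$Action completed for user $UserObjectId (group $GroupObjectId, app group $AppGroupName)."
```

Scoping the Run As principal's own Contributor (or User Access Administrator) assignment to the resource group that contains the host pool and application groups, rather than to the whole subscription, keeps the blast radius of a leaked Run As certificate limited to the WVD resources the runbook actually manages.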
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | Imrankhan-MT |