Getting permission issue in Automation account
I am trying to get a list of App registrations expiring in 7 days. Locally it is working perfectly, but I am facing an Insufficient privileges issue in the Automation account. I am the global administrator of the account and have provided permissions to the service connection API; below are the permissions.
I literally gave all the permissions but don't know what I am missing. Below is the error
Get-AzureADApplication : Error occurred while executing GetApplications Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation. RequestId: a83caa17-1c58-433a-b0ea-f4a3f8a43d7f DateTimeStamp: Mon, 14 Feb 2022 04:56:58 GMT HttpStatusCode: Forbidden HttpStatusDescription: Forbidden HttpResponseStatus: Completed At line:11 char:17 + $Applications = Get-AzureADApplication -all $true + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Get-AzureADApplication], ApiException + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetApplication
And below is the script
#Connect-AzureAD   # left commented out: in the runbook the session comes from the Automation account's connection
$Applications = Get-AzureADApplication -All $true
$Logs = @()
$Days = 7
$AlreadyExpired = "YES"   # "Yes" also reports credentials that have already expired; "No" reports only those expiring within $Days days
$now = Get-Date

# Returns $true when a credential that ends in $DaysLeft days should be reported (negative = already expired).
function Test-Reportable ($DaysLeft) {
    if ($AlreadyExpired -eq "Yes") { return ($DaysLeft -le $Days) }
    return ($DaysLeft -le $Days -and $DaysLeft -ge 0)
}

# Resolves the owner names and owner object IDs of an application.
# $null is placed on the left of -eq so the test still yields a boolean when the app has several owners.
function Get-OwnerInfo ($App) {
    $Owner = Get-AzureADApplicationOwner -ObjectId $App.ObjectId
    $Username = $Owner.UserPrincipalName -join ";"
    $OwnerID = $Owner.ObjectId -join ";"
    if ($null -eq $Owner.UserPrincipalName) {
        $Username = $Owner.DisplayName + " **<This is an Application>**"
    }
    if ($null -eq $Owner.DisplayName) {
        $Username = "<<No Owner>>"
    }
    return $Username, $OwnerID
}

# Builds one report row; the dates of the credential type not being reported are left $null.
function New-LogEntry ($App, $SecretStart, $SecretEnd, $CertStart, $CertEnd) {
    $Username, $OwnerID = Get-OwnerInfo $App
    [PSCustomObject]@{
        "ApplicationName"        = $App.DisplayName
        "ApplicationID"          = $App.AppId
        "Secret Start Date"      = $SecretStart
        "Secret End Date"        = $SecretEnd
        "Certificate Start Date" = $CertStart
        "Certificate End Date"   = $CertEnd
        "Owner"                  = $Username
        "Owner_ObjectID"         = $OwnerID
    }
}

foreach ($app in $Applications) {
    $AppCreds = Get-AzureADApplication -ObjectId $app.ObjectId | Select-Object PasswordCredentials, KeyCredentials
    # Client secrets
    foreach ($s in $AppCreds.PasswordCredentials) {
        $ODays = ($s.EndDate - $now).Days
        if (Test-Reportable $ODays) {
            $Logs += New-LogEntry $app $s.StartDate $s.EndDate $null $null
        }
    }
    # Certificates
    foreach ($c in $AppCreds.KeyCredentials) {
        $CODays = ($c.EndDate - $now).Days
        if (Test-Reportable $CODays) {
            $Logs += New-LogEntry $app $null $null $c.StartDate $c.EndDate
        }
    }
}

$p = Write-Output $Logs | Format-Table -Property "ApplicationName","Secret End Date","Certificate End Date","Owner" | Out-String
Write-Host $p
#Write-host "Add the Path you'd like us to export the CSV file to, in the format of <C:\Users\<USER>\Desktop\Users.csv>" -ForegroundColor Green
#$Path = Read-Host
#$Logs | Export-CSV $Path -NoTypeInformation -Encoding UTF8

# In an Automation runbook, modules are normally imported into the account's module list rather than installed at run time.
Install-Module -Name PSSendGrid
Import-Module -Name PSSendGrid
$Parameters = @{
    FromAddress = "kk****@abc.com"
    ToAddress   = "k********[email protected]", "[email protected]", "[email protected]"
    Subject     = "List of Expiring/Expired App registration keys/secrets Report - Ariqt & Ariqt-Dev/Test"
    Body        = "Below is list of Expiring/Expired App registration keys/secrets in 7 days $p"
    Token       = "SG.m1z9e*******************324w9hlTMb779xEvqIUjv0"
    #FromName = "Barbara"
    #ToName = "Barbara"
}
Send-PSSendGridMail @Parameters
Please help me with what I am missing.
Solution 1:[1]
You have incorrect permissions. The ones you have are for PIM (Privileged Identity Management). To read data about App Regs you need one of these, e.g.
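One way to check which application permissions the Automation account's service principal actually holds on the directory API, and to grant a read permission if it is missing, as an added example that is not from the question or the answer. It assumes the AzureAD module with an admin Connect-AzureAD session, that $automationAppId is the client ID of the Run As service principal (placeholder), and that Application.Read.All is the permission wanted; the resource is Microsoft Graph here, while the AzureAD cmdlets themselves call the legacy Azure AD Graph API, so the resource ID may need to be swapped (both IDs are listed in the comments).

```powershell
# Added example (not from the question or answer): inspect and, if needed, grant an
# application permission for the Automation account's service principal.
# Assumptions: AzureAD module loaded, Connect-AzureAD done as an administrator,
# $automationAppId = client ID of the Run As service principal (placeholder value).
$automationAppId = "<client-id-of-the-run-as-service-principal>"
$permission      = "Application.Read.All"   # assumed: the permission being granted
# Resource whose app role is granted:
#   Microsoft Graph        = 00000003-0000-0000-c000-000000000000
#   Azure AD Graph (legacy, used by the AzureAD module) = 00000002-0000-0000-c000-000000000000
$resourceAppId   = "00000003-0000-0000-c000-000000000000"

$sp = Get-AzureADServicePrincipal -Filter "appId eq '$automationAppId'"
if (-not $sp) { throw "Service principal for $automationAppId not found" }
$resourceSp = Get-AzureADServicePrincipal -Filter "appId eq '$resourceAppId'"
if (-not $resourceSp) { throw "Resource service principal $resourceAppId not found" }

# 1. Application permissions already granted to the Automation SP on this resource.
#    PIM role settings never show up here; only app role assignments do, which is
#    why a tenant admin's own roles do not help a runbook.
$granted = Get-AzureADServiceAppRoleAssignment -ObjectId $resourceSp.ObjectId |
    Where-Object { $_.PrincipalId -eq $sp.ObjectId } |
    ForEach-Object {
        $assignment = $_
        $role = $resourceSp.AppRoles | Where-Object { $_.Id -eq $assignment.Id }
        [PSCustomObject]@{ Resource = $resourceSp.DisplayName; Permission = $role.Value }
    }
Write-Host "Currently granted on $($resourceSp.DisplayName):"
$granted | Format-Table -AutoSize | Out-String | Write-Host

# 2. Grant the read permission when it is absent. Only roles that allow the
#    "Application" member type can be assigned to a service principal.
$appRole = $resourceSp.AppRoles |
    Where-Object { $_.Value -eq $permission -and $_.AllowedMemberTypes -contains "Application" }
if (-not $appRole) { throw "$permission is not an application role on $($resourceSp.DisplayName)" }

if ($granted | Where-Object { $_.Permission -eq $permission }) {
    Write-Host "$permission is already granted to $($sp.DisplayName)"
} else {
    # Creating the app role assignment is what records tenant-wide admin consent
    # for an application permission; no user sign-in is involved afterwards.
    New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -PrincipalId $sp.ObjectId `
        -ResourceId $resourceSp.ObjectId -Id $appRole.Id | Out-Null
    Write-Host "Granted $permission on $($resourceSp.DisplayName) to $($sp.DisplayName)"
}
```

Run it once interactively as an administrator; the runbook itself only needs the resulting assignment, not the rights to create it.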
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source
---|---
Solution 1 | maras2002