I have a bit of a complicated requirement, so I'm sorry if the title sounds vague. But here's what I'm trying to do.

So I have an automation account, let's say AutomationAccount_Parent, in subscription_01. This has a runbook that creates a new automation account (AutomationAccount_Child) in subscription_02 and also creates the RunAs account for this child automation account. (Calling it "child" just for clarity.)

Now along with the creation of this RunAs account of AutomationAccount_Child, I also want the Parent runbook to provide "Read Directory Data" AAD permission to the AAD application that gets created for AutomationAccount_Child.

Note: This permission needs to be given TO child automation account's AD application BY the parent runbook in Parent Automation Account.

Now the Questions:

  1. Is this possible?
  2. Can you please help me with the cmdlet? I'm unable to find a suitable cmdlet.
  3. What permission on the AAD does the PARENT automation account need in the first place, to be able to provide this kind of permission to the child automation accounts?
Amogh Natu
  • I think that requires basically admin privileges for the service principal of the parent. Since only admins can grant application permissions. – juunas Jun 11 '18 at 11:18
  • @juunas, Thanks. Can you also help me with specific cmdlets? I'm unable to find appropriate cmdlets for providing these permissions. – Amogh Natu Jun 11 '18 at 13:32
  • http://shawntabrizi.com/aad/adding-aad-service-principal-company-administrator-role-using-aad-powershell-module/ shows how to do it with the older MSOL cmdlets, though you can do the same thing with the newer Azure AD v2 cmdlets – juunas Jun 11 '18 at 13:47
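An added example of what the comments describe, written for this question and not code from the asker, the commenters or the linked post: the parent runbook signs in with its own RunAs connection and grants the child's service principal the Azure AD Graph application permission "Read directory data" (Directory.Read.All) using the Azure AD v2 (AzureAD) module. It assumes the parent's connection asset is named "AzureRunAsConnection" and the child RunAs app's display name is "AutomationAccount_Child_RunAs"; both are placeholders.

```powershell
# Added example (not from the question or its comments). Runs inside the
# parent runbook; the parent RunAs principal must already hold directory-admin
# rights (e.g. Company Administrator), otherwise the grant call returns 403.
Import-Module AzureAD

# Assumed name of the parent automation account's RunAs connection asset.
$conn = Get-AutomationConnection -Name "AzureRunAsConnection"
Connect-AzureAD -TenantId $conn.TenantId `
                -ApplicationId $conn.ApplicationId `
                -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

# Service principal created for the child RunAs account (assumed display name).
$childSp = Get-AzureADServicePrincipal -Filter "displayName eq 'AutomationAccount_Child_RunAs'"
if (-not $childSp) { throw "Child RunAs service principal not found." }

# Resource being granted: the Azure AD Graph API (well-known appId).
$aadGraphSp = Get-AzureADServicePrincipal -Filter "appId eq '00000002-0000-0000-c000-000000000000'"

# Resolve "Read directory data" by its permission value rather than a hard-coded GUID,
# and make sure it is the application (not delegated) variant.
$role = $aadGraphSp.AppRoles | Where-Object {
    $_.Value -eq "Directory.Read.All" -and $_.AllowedMemberTypes -contains "Application"
}
if (-not $role) { throw "Directory.Read.All application role not found on Azure AD Graph." }

# Idempotency check: this cmdlet lists assignments *to* the resource, so query
# from the Azure AD Graph side and look for the child principal.
$existing = Get-AzureADServiceAppRoleAssignment -ObjectId $aadGraphSp.ObjectId -All $true |
    Where-Object { $_.PrincipalId -eq $childSp.ObjectId -and $_.Id -eq $role.Id }

if ($existing) {
    Write-Output "Child SP already holds Directory.Read.All; nothing to do."
} else {
    # Application permission grant; audit this in the directory's audit log since
    # it is an admin-consent-level change, not an ordinary RBAC assignment.
    New-AzureADServiceAppRoleAssignment -ObjectId $childSp.ObjectId `
        -PrincipalId $childSp.ObjectId `
        -ResourceId $aadGraphSp.ObjectId `
        -Id $role.Id | Out-Null
    Write-Output "Granted Directory.Read.All to $($childSp.DisplayName)."
}
```

Because the grant runs with the parent's admin-level identity, scope that identity to the least role that can perform app role assignments and keep the child limited to Directory.Read.All rather than broader rights.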

0 Answers