Currently I am authenticating the system management identity using the resources found here: Runbook Authentication Tutorial.
In the tutorial I am using this workflow to connect to my system management identity:
# Resources
# https://learn.microsoft.com/en-us/azure/automation/learn/automation-tutorial-runbook-textual
# https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Cpowershell
param(
    [String] $resourceGroup = "ResourceGroupName", # Resource Group
    [String] $subscription = "SubscriptionName",   # Subscription name
    [String] $SAMI = "Default tenant ID"           # System Access Management Identity (Tenant ID)
)
$automationAccount = "myAutomationAccountName"

# Keep the managed-identity sign-in local to this process
Disable-AzContextAutosave -Scope Process | Out-Null

try {
    # Sign in as the Automation account's managed identity
    $AzureContext = (Connect-AzAccount -Identity).context

    # Acquire an access token for the signed-in tenant through the Az profile client
    $azProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
    $profileClient = New-Object -TypeName Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient -ArgumentList ($azProfile)
    $token = $profileClient.AcquireAccessToken($AzureContext.Subscription.TenantId)
    if (-not ($token.AccessToken)) {
        throw "No access token was returned"
    }

    $authHeader = @{
        'Content-Type'      = 'application/json'
        'Authorization'     = 'Bearer ' + $token.AccessToken
        'ExpiresOn'         = $token.ExpiresOn
        'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER
    }

    # Output the generated access token (this writes the bearer token into the job output)
    Write-Output $token.AccessToken

    # I want to make a graph request getting a list of devices and then use that to set the last logged-on user as the primary user. I can't even make a request though...
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"
    Invoke-RestMethod -Uri $uri -Headers $authHeader -Method Get
}
catch {
    Write-Output $_.Exception.Message
}
$AzureContext = Set-AzContext -SubscriptionName $subscription -DefaultProfile $AzureContext
When I start the runbook in the Test pane it outputs the JWT. Then, when trying to make the request, it throws an error:
The remote server returned an error: (401) Unauthorized.
I then open Postman and enter the URL (endpoint) where I know a valid JWT created from my user account would work. I place this generated token in the Authorization Bearer token field and receive this JSON error:
{
    "error": {
        "code": "InvalidAuthenticationToken",
        "message": "Access token validation failure. Invalid audience.",
        "innerError": {
            "date": "2022-08-22T19:14:43",
            "request-id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
            "client-request-id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
        }
    }
}
I go to https://jwt.io/, paste in the encoded JWT, and notice that the expiration date is exactly when it was created. Is this a possible problem? If so, how can I extend the expiration date within this runbook? Or else, is it a role-based issue with the Graph API rejecting the token? Please help...
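As an added example (not code from the question or the linked tutorial), the runbook snippet below decodes the claims Graph checks before it rejects a token with "Invalid audience" (aud, iat, exp and the roles granted to the identity) and requests a token scoped to Microsoft Graph with Get-AzAccessToken instead of the tenant-scoped AcquireAccessToken call. The function names Get-JwtClaims and Test-GraphToken are my own; it assumes the Az.Accounts module is available to the runbook.

```powershell
# Decode the payload of a compact JWT without verifying the signature (diagnostics only)
function Get-JwtClaims {
    param([Parameter(Mandatory)][string] $Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw "Expected a compact JWS with three dot-separated parts" }
    # Payload is base64url: restore the standard alphabet and padding before decoding
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

# Report the claims Graph validates: audience, validity window and granted application roles
function Test-GraphToken {
    param([Parameter(Mandatory)][string] $Jwt)
    $claims = Get-JwtClaims -Jwt $Jwt
    # Graph accepts either its resource URI or its well-known application ID as the audience
    $graphAudiences = @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')
    $iat = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.iat)
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    [pscustomobject]@{
        Audience        = $claims.aud
        AudienceIsGraph = $graphAudiences -contains ([string]$claims.aud).TrimEnd('/')
        IssuedAtUtc     = $iat.UtcDateTime
        ExpiresUtc      = $exp.UtcDateTime
        IsExpired       = $exp -le [DateTimeOffset]::UtcNow
        # Application permissions granted to the managed identity's service principal appear here,
        # e.g. DeviceManagementManagedDevices.Read.All for /deviceManagement/managedDevices
        AppRoles        = @($claims.roles)
    }
}

# Inside the runbook: sign in as the managed identity and ask for a Graph-scoped token
Connect-AzAccount -Identity | Out-Null
$graphToken = (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token
# Newer Az.Accounts releases return the token as a SecureString; unwrap it for the header
if ($graphToken -is [securestring]) {
    $graphToken = [System.Net.NetworkCredential]::new('', $graphToken).Password
}
Test-GraphToken -Jwt $graphToken | Format-List
$headers = @{ Authorization = "Bearer $graphToken" }
Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' -Headers $headers -Method Get
```

A token that passes the audience check but lacks the needed application permission is rejected with 403 rather than 401, so an empty AppRoles list points at a missing Graph permission grant on the identity's service principal rather than at the token itself.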