Connect to SharePoint Online in Azure Automation app credentials
In this post, I want to take you with me how you can use app credentials in an Azure Automation script to connect to SharePoint Online. Many PowerShell scripts use a username and password, but these are less secure than using an app credential and can also be used to login to SharePoint Online in the browser. By default, connecting to SharePoint uses basic authentication and many companies are on route to disable this to make use of conditional Access and MFA.
Setting up Azure Automation
The first thing we need to do is set up Azure Automation to use app credentials. There are two ways to do this. Make a new app yourself and place the certificate in your Azure Automation account or create a new Azure Automation Account with the option enabled “Create Azure Run As account”. The last one is the easiest because this will create everything for you.
Creating a new Azure Automation account
Microsoft has a documented this: https://docs.microsoft.com/en-us/azure/automation/automation-quickstart-create-account#create-automation-account and https://docs.microsoft.com/en-us/azure/automation/automation-create-standalone-account
Creating a new Azure Run As account
When you already have an Azure Automation account and do not want to start over you need to do a few more steps. Microsoft has documented that as well https://docs.microsoft.com/en-us/azure/automation/automation-create-runas-account. Here you have two options, the first one is within the portal and the second one is with PowerShell. The Portal is the easiest and just a few clicks
Updating the Azure Run As account
Now that we have a Run As account we need to update this. By default, this Azure AD application only has an application ID and certificate. But when we want to connect to SharePoint Online we need an application ID and secret. So, the next step is to go to the Azure AD blade and then “App registrations”. Here you will find the Run As application with the same name as the Azure Automation account. In this application, you can create a new key and the lifetime of this key. When you press “Save” the key will be generated and will only be displayed once, so you need to copy this.
Create a new variable in Azure Automation
Now that you have a key it is best to save this in a variable in Azure Automation, so you can use it in your script. For this go back to your Azure Automation account and select variables. Add the variable with a name of your choosing and make sure “encrypted” is set to yes.
Assigning rights
The basics are done now. You have a Run As account and a key to connect to SharePoint Online. But with this alone you have no access. To get access you need to give the application permissions in SharePoint. This is the same as assigning an add-in permission. Go to the SharePoint site where this application needs access or to the tenant admin if it needs tenant rights. Behind the URL type “_layouts/15/AppInv.aspx”, enter the application ID and click on “Lookup”. In the text area, you can paste the XML for granting access that you need. See the example below will give manage permissions on the whole tenant. Notice the “AllowAppOnlyPolicy” that is set to “True”.
See this page for all the options you have for permissions https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/add-in-permissions-in-sharepoint
Using this in your scripts
All the plumping is done, now we can use it in our scripts. See the example below for the three lines that are needed.
Other options
You can use this Azure Automation Run As account also for connecting to Azure resources like storage accounts and Azure Active Directory. In that case you need to add the application to the resource with role-based access control or in the Azure AD application. Here you can add API permissions.