Azure Automation with Exchange Online – part 1

I want to start automating tasks that have previously been running on-premise. Usually you run scripts on-premise using PowerShell and scheduled tasks. The tasks can be mundane, but they can also be complex. You can have licensing, maintenance or reporting scripts that run on a schedule. What happens if you don’t have an on-premise environment but there are still some tasks that you need to run, or you want to move all your tasks to the cloud? You can use Azure Automation to run scripts from a runbook. In part 1 we are going to look at connecting to Exchange Online; in part 2 we take a deeper dive into runbooks and Exchange tasks, and we might even touch a little on source control.

I’m not going into detail about creating the Azure Automation Account; Microsoft has good documentation on how to do this here.

What tasks are viable to use with Azure Automation? There are some tasks that are preconfigured:

  • Start and stop VMs
  • Connect and do tasks in Exchange Online
  • Connect and do tasks in Teams
  • and more

I’m going to focus on the Exchange Online part, as there might be tasks that you ran on-premise that you can now do in Azure Automation and with MFA. I want to schedule the following tasks:

  • A group should have PublishingAuthor user rights on all mailboxes in the company.
    Usually this would be users who can manage your calendar with new tasks/projects or when you are away.
  • Create a HAB (Hierarchical Address Book) with “dynamic groups”. The structure can be defined according to the business need.

App registration

Now you need to add the application to Azure AD in order to facilitate MFA and to get access to the APIs using a certificate. We are going to use application delegation for this application. The procedure is documented by Microsoft here: App-only authentication | Microsoft Docs

Add a certificate using PowerShell on your computer.

I used MMC and exported the certificate using the export function, but you can also use PowerShell for this.

Upload your certificate to the App under Certificates & secrets in the App registration.
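One way to create and export the certificate with PowerShell, as an added example that is not the author's original script. The subject name, output folder and one-year validity are assumptions; the .cer file is what gets uploaded to the App registration, and the .pfx is what the Automation account needs later.

```powershell
# Added example. Subject, folder and validity period are assumptions, not values from the article.
$subject = 'CN=ExoAutomationApp'                   # hypothetical certificate subject
$outDir  = Join-Path $env:TEMP 'exo-automation'    # hypothetical working folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Microsoft's app-only authentication documentation states that CNG certificates
# are not supported for Exchange, so a legacy CSP provider is requested explicitly.
$cert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -KeySpec KeyExchange `
    -KeyExportPolicy Exportable `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

# Public part only: this file is uploaded under Certificates & secrets in the App registration.
Export-Certificate -Cert $cert -FilePath (Join-Path $outDir 'ExoAutomationApp.cer') | Out-Null

# Private key, password protected: this file is imported as a certificate asset
# in the Automation account. The password is prompted for, never written to disk.
$pfxPassword = Read-Host -Prompt 'Password for the PFX file' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $outDir 'ExoAutomationApp.pfx') `
    -Password $pfxPassword | Out-Null

# The thumbprint identifies the certificate in the App registration and in the runbook.
"Thumbprint: $($cert.Thumbprint)"
"Expires:    $($cert.NotAfter)"
```

Delete the .pfx file from the working folder once it has been imported into the Automation account, since anyone holding it and its password can authenticate as the app.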

Add API permissions

You need to add API permissions to the App. Microsoft used to have an Exchange API, this has now been deprecated and you need to do some manual tinkering when creating the app. Microsoft has listed that here: App-only authentication | Microsoft Docs

Next you need to configure the manifest to add the correct permissions. Since this is an automation app, we are going to use app-only authentication. If you were creating an app that users interact with, delegated authentication would be the way to go.

Go to Manifest in the app (left-hand menu), locate requiredResourceAccess and add the following between the brackets []

Go to API permissions and check that Office 365 Exchange Online – Exchange.ManageAsApp has been added as a permission. If it is okay, you can grant access to the app.

Next we need to add the App to the needed role; in this case we use Exchange Administrator in Azure.
Open Azure Active Directory and navigate to Roles and administrators, locate Exchange Administrator and add the application to the role. You will see that it is listed as a Service Principal.

Connecting to Exchange

Before we can connect to Exchange we need to add the Exchange module to the Automation account. Open Modules Library in the left menu, then find and import the ExchangeOnlineManagement module. We also need to import the certificate we are going to use for authentication. Open Certificates under the Shared resources section in the left menu and add the self-signed private certificate. You will need the password for this certificate. The name does not need to match the certificate; it should be descriptive or follow your naming convention.

Now we can start to connect to Exchange and do some tasks. The first step is to create the runbook to connect to Exchange. Be sure to follow a naming convention so that you can easily understand what the different runbooks are doing.

Using the Certificate we used earlier we can now connect using the following script:
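A connection runbook of this kind, as an added example that is not the author's original script. The certificate asset name and the two Automation variable names are assumptions; they must match the assets created in your own Automation account.

```powershell
# Added example runbook. Asset and variable names are assumptions, not taken from the article.
$ErrorActionPreference = 'Stop'

$certAssetName = 'ExoAutomationCert'                              # hypothetical certificate asset name
$appId         = Get-AutomationVariable -Name 'ExoAppId'          # hypothetical variable: Application (client) ID
$organization  = Get-AutomationVariable -Name 'ExoOrganization'   # hypothetical variable: <tenant>.onmicrosoft.com

# Fetch the certificate asset that was imported under Shared resources > Certificates.
$cert = Get-AutomationCertificate -Name $certAssetName
if (-not $cert) {
    throw "Certificate asset '$certAssetName' was not found in the Automation account."
}

# Fail early with a clear message instead of an opaque authentication error.
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate '$certAssetName' expired on $($cert.NotAfter). Renew it and update the App registration."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate '$certAssetName' has no private key. Import the .pfx, not the .cer."
}

# App-only (certificate) authentication: no user account and no stored password.
Connect-ExchangeOnline -CertificateThumbprint $cert.Thumbprint `
    -AppId $appId `
    -Organization $organization `
    -ShowBanner:$false

# Simple read-only call to confirm that the session works and the role assignment is in place.
$orgConfig = Get-OrganizationConfig
Write-Output "Connected to Exchange Online organization: $($orgConfig.Name)"
```

A runbook that finishes its own work in the same job can end with `Disconnect-ExchangeOnline -Confirm:$false` to release the session.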

Now we can use this runbook with other scripts, or we can continue to edit it to complete the task we need to do. I’ve created two more scripts based on the tasks, and I call this one in each of the other scripts. In part 2 we look at some of the tasks we can do.

4 thoughts on “Azure Automation with Exchange Online – part 1”

  1. Thank you so much. I was having trouble connecting to Exchange Online and looked at so many articles; your article helped me and I got a successful connection. One point: updating the manifest is not available anymore, but I used another article to get that role assigned.
    Look at this article; he has a PowerShell command and I used this.

    https://alexholmeset.blog/2020/10/06/authenticate-against-exchange-online-in-azure-automation-securely-and-easy-with-a-certificate/

  2. Thanks. One thing that is not clear to me. Are the automation account and the azure app two separate objects or the same object (the API permissions and the admin role are added in the automation account app)?

    1. Super slow response from me 😲
      Yes. These are two different objects. You can for instance use the Azure App in a different automation account or to access the API from a different source entirely.
