In the ever-evolving landscape of Office 365 administration, automation has become a critical component to efficiently manage services like Exchange Online and leverage the power of Microsoft Graph API. Azure Automation, combined with Managed Identities, offers a seamless way to move your unattended PowerShell scripts to the cloud, enhancing reliability, security, and scalability. In this blog post, we will guide you through the process of setting up Azure Automation to run Exchange Online and Microsoft Graph API PowerShell scripts, all while harnessing the benefits of Managed Identities.
Azure Automation YouTube Video
If you want to watch a video instead, here is a video that has the whole process start to finish.
This video covers converting interactive scripts to unattended scripts, including setting up an App Registration, and then moving the result to Azure Automation.
Exchange Online, Microsoft Graph API, scripting, App Registration, and Azure Automation Resources
All of the PowerShell scripts used in this process are available in my GitHub repo.
Part 1 of this series, where we convert interactive scripts into unattended scripts, is available here!
If you want to review options for this solution, here is all of Microsoft’s documentation on this topic.
- Connect to Exchange Online PowerShell
- App-only authentication for unattended scripts in Exchange Online PowerShell
- Use Azure managed identities to connect to Exchange Online PowerShell
- Install Azure PowerShell on Windows
Step By Step Process
Step 1: Prepare Your PowerShell Scripts for Azure Automation:
Before migrating your scripts to Azure Automation, ensure that your PowerShell scripts are well-organized, tested, and customized to your specific needs. Consider parameterizing your scripts to make them more versatile and easier to manage.
Step 2: Create an Azure Automation Account:
- Log in to your Azure portal and navigate to the “Create a resource” section.
- Search for “Automation” and choose “Automation.”
- Click “Create” and fill in the required information, such as the subscription, resource group, and account name.
- Choose the appropriate region and enable “Create Azure Run As account” to automatically create a Run As account that will serve as a Managed Identity.
Step 3: Import and Configure Your Scripts:
- Once your Automation account is created, go to the account’s overview in the Azure portal.
- Under the “Shared Resources” section, select “Modules” and import the necessary modules required for your scripts (e.g., ExchangeOnlineManagement, MSOnline).
- In the Automation account’s navigation pane, click on “Runbooks” and create a new runbook.
- Select the type as “PowerShell” and paste your script into the editor.
- Configure the input and output parameters as needed.
Step 4: Utilize Managed Identities for Exchange Online:
- In your Automation account, go to the “Run As accounts” section.
- Locate the automatically created Run As account and click on it.
- Under “Assign access to,” find “Role assignments” and click on “+ Add role assignment.”
- Search for “Exchange Online Administrator” and assign the appropriate role to the Run As account.
- This ensures that your scripts executed within Azure Automation have the necessary permissions to interact with Exchange Online.
Step 5: Link Azure Automation to Exchange Online:
- In your PowerShell script, replace any hard-coded credentials with references to the Automation account’s Run As account. You can do this using the following code snippet:
$connection = Get-AutomationConnection -Name 'AzureRunAsConnection'
# The Run As connection asset exposes ApplicationId, TenantId, CertificateThumbprint and SubscriptionId.
# Exchange Online is joined with the app's certificate, so no username, password or token is stored in the runbook.
# 'contoso.onmicrosoft.com' is a placeholder: use your tenant's .onmicrosoft.com domain.
Connect-ExchangeOnline -AppId $connection.ApplicationId -CertificateThumbprint $connection.CertificateThumbprint -Organization 'contoso.onmicrosoft.com' -ShowProgress $true
- Schedule your runbook to run at specific intervals by creating a schedule in the runbook settings.
Step 6: Utilizing Microsoft Graph API:
- If your scripts involve interactions with Microsoft Graph API, ensure you grant the necessary permissions to your Run As account through the Azure AD App Registration.
- In your runbook, use the Managed Identity’s token to authenticate against Microsoft Graph API, in the same way as the Exchange Online connection.
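As an added example covering Steps 5 and 6 together (not code from the original post or its GitHub repo), here is a runbook that authenticates to both Exchange Online and Microsoft Graph with the Automation account’s system-assigned managed identity, the approach from the linked "Use Azure managed identities" documentation, and then runs a read-only audit of externally forwarded mailboxes. It assumes the managed identity is enabled on the Automation account, holds an Exchange role plus the Exchange.ManageAsApp app role, has the Graph application permission User.Read.All, and that 'contoso.onmicrosoft.com' is a placeholder for your tenant.

```powershell
# Added example runbook (hypothetical, not the post's own script).
# Assumes: system-assigned managed identity enabled, Exchange role + Exchange.ManageAsApp granted,
# Graph application permission User.Read.All granted. 'contoso.onmicrosoft.com' is a placeholder.
$ErrorActionPreference = 'Stop'
$Organization = 'contoso.onmicrosoft.com'   # placeholder tenant name

# --- Exchange Online: no credential or certificate asset; the -ManagedIdentity switch does the work ---
Connect-ExchangeOnline -ManagedIdentity -Organization $Organization -ShowBanner:$false

# --- Microsoft Graph: request a token from the sandbox's managed identity endpoint ---
function Get-ManagedIdentityToken {
    param([string]$Resource = 'https://graph.microsoft.com/')
    # IDENTITY_ENDPOINT and IDENTITY_HEADER are injected into the runbook sandbox by Azure Automation
    $uri = "$($env:IDENTITY_ENDPOINT)?resource=$([uri]::EscapeDataString($Resource))&api-version=2019-08-01"
    $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }
    return $resp.access_token
}

$graphHeaders = @{ Authorization = "Bearer $(Get-ManagedIdentityToken)" }

# --- Read-only audit: mailboxes with an SMTP forwarding address, cross-checked against Graph ---
$forwarding = Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Where-Object { $_.ForwardingSmtpAddress }

foreach ($mbx in $forwarding) {
    # Graph lookup shows whether the forwarding mailbox belongs to an enabled or disabled account
    $userUri = "https://graph.microsoft.com/v1.0/users/$($mbx.UserPrincipalName)?`$select=accountEnabled"
    $user = Invoke-RestMethod -Method Get -Uri $userUri -Headers $graphHeaders
    [pscustomobject]@{
        Mailbox        = $mbx.UserPrincipalName
        ForwardsTo     = $mbx.ForwardingSmtpAddress
        KeepsCopy      = $mbx.DeliverToMailboxAndForward
        AccountEnabled = $user.accountEnabled
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

The objects emitted by the loop appear in the job output, so a schedule plus an alert on non-empty output gives a simple detection for forwarding changes between runs.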
Step 7: Testing and Monitoring:
- Test your runbooks thoroughly in a controlled environment to ensure they function as expected within Azure Automation.
- Monitor the runbooks and set up alerts to detect any issues promptly.
By migrating your unattended PowerShell scripts to Azure Automation and using Managed Identities for Exchange Online and Microsoft Graph API interactions, you’re elevating your Office 365 administration to a more secure, scalable, and efficient level. This setup ensures that your automation tasks can run reliably without the need for manual intervention, allowing you to focus on higher-value tasks while Azure takes care of the heavy lifting. Embrace the power of the cloud to streamline your Exchange Online management and stay ahead in the world of Office 365 administration.
If you need to take a step back and convert interactive scripts to unattended scripts, click here to go to Part 1.