I need to write an Azure Automation Runbook that sets the password for all Group Members.
The group and the users are a part of an Administrative Unit and the Service Principal is part of a group assigned as Users Administrator for the AU.
When I run Get-AzureADGroupMember I get Authorization_RequestDenied.
I don't want the service principal to be a Users Administrator for the entire AD. What permissions do I need for the service principal to be able to both list the users in the group and set their password? How do I set it?
Even though I think this feature should be reasonable, it actually does not work per my test.
I gave the Users Administrator role to the service principal at the AU scope, but it cannot reset the password of a user in a group that belongs to the AU; it cannot even reset the password of a direct user (a user that was directly added in Users (Preview) in the portal). But if I test with a work account ([email protected]) with the same Users Administrator role at the AU scope, it can reset the direct user's password, but it still cannot reset the password of a user in the group; it looks like the permission cannot be inherited.
So in conclusion, if you want to reset the passwords of the users in the groups that belong to the AU, you need to add these users directly to Users (Preview), then use a user account, e.g. a work account with the Users Administrator role, to do that.
To do this in a runbook, you can store your user name and password in the Credentials of the automation account, then use the code in the runbook to log in with your account, get the group members and reset the passwords.
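As an added example (not the answerer's code) of the runbook flow described above: read the stored work-account credential, sign in, enumerate the group's user members and reset each one. The credential asset name and group object id are placeholders, and the AzureAD module is assumed to be imported into the automation account.

```powershell
# Azure Automation PowerShell runbook (assumes the AzureAD module is imported
# into the automation account). Asset name and group id are placeholders.
param(
    [string]$CredentialName = "AU-UserAdmin",                          # Credential asset (assumed name)
    [string]$GroupObjectId  = "00000000-0000-0000-0000-000000000000"   # placeholder group object id
)

# 1. Pull the work-account credential stored under the automation account's Credentials.
$cred = Get-AutomationPSCredential -Name $CredentialName

# 2. Sign in to Azure AD as that user (the account must not require interactive MFA).
Connect-AzureAD -Credential $cred | Out-Null

# Build a random temporary password per user from the OS CSPRNG, so no two users share one.
function New-TemporaryPassword {
    $chars = [char[]]('ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!$%&*')
    $bytes = New-Object byte[] 20
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

# 3. List the members. Get-AzureADGroupMember also returns nested groups and
#    service principals, so keep only user objects.
$members = Get-AzureADGroupMember -ObjectId $GroupObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'User' }

# 4. Reset each user's password and force a change at next sign-in.
#    The temporary password is never written to the job output; deliver it out of band.
foreach ($user in $members) {
    $plain  = New-TemporaryPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    try {
        Set-AzureADUserPassword -ObjectId $user.ObjectId -Password $secure -ForceChangePasswordNextLogin $true
        Write-Output "Reset password for $($user.UserPrincipalName)"
    } catch {
        # Users the role cannot manage (e.g. not directly in the AU) surface here as Authorization_RequestDenied.
        Write-Warning "Failed for $($user.UserPrincipalName): $($_.Exception.Message)"
    }
}
```

Users that are not directly added to the AU's Users (Preview) list will fail in the catch block, which matches the inheritance behaviour the answer describes.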