
Azure Automation RunAs account access to Active Directory resource

I am trying to create a Runbook which does some maintenance in Active Directory. On creation of an Automation Account a "RunAs" account was created. In the runbook I connect to AD using the command below.

$connectionName = "AzureRunAsConnection"

# Get the "AzureRunAsConnection" connection asset of the Automation Account.
# It carries the Run As service principal's ApplicationId, TenantId and the
# thumbprint of the certificate that is also stored in the Automation Account.
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

"Logging in to AzureAD..."
# Certificate-based (non-interactive) sign-in as the Run As service principal.
Connect-AzureAD `
    -TenantId $servicePrincipalConnection.TenantId `
    -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint `
    -ApplicationId $servicePrincipalConnection.ApplicationId `
    -LogLevel Info

This command runs fine; however, the subsequent use of AD cmdlets gives the following error:

$Users = Get-AzureADUser
Get-AzureADUser : Error occurred while executing GetUsers Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation. 
HttpStatusCode: Forbidden 
HttpStatusDescription: Forbidden 
HttpResponseStatus: Completed

The same is true for other cmdlets in the AD module, not just this one. I have tried adding API permissions through the registered application (relating to the Automation Account connection resource) in Active Directory, but I am still facing the above privileges issue.

According to some tests, you need to add the permissions of Azure AD, not Microsoft Graph. It seems the Get-AzureADUser command uses Azure AD Graph in the backend. So we need to do the operations as below:

[screenshot]

[screenshot]

After that we can use the command Get-AzureADUser successfully (if you test the command in PowerShell, after adding the Azure AD permission, close PowerShell, reopen it and re-connect).
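The same grant done from PowerShell instead of the portal, as an added example that is not part of the original answer. It assumes the AzureAD module, an interactive session signed in as a Global Administrator (or Privileged Role Administrator), and that the Run As connection's ApplicationId (visible in the AzureRunAsConnection asset of the Automation Account) is passed in as the assumed parameter $RunAsAppId. The point it makes explicit is that adding a permission to the app registration is not enough: the app role assignment on the Azure AD Graph service principal (what "Grant admin consent" does in the portal) is what actually confers the privilege, and the example checks for it afterwards. Note that Microsoft has since retired both Run As accounts and the Azure AD Graph API in favour of managed identities and Microsoft Graph, so this applies to tenants still running the setup the question describes.

```powershell
# Added example (not from the original post). Grants the Azure AD Graph
# "Directory.Read.All" application permission to the Automation Run As
# service principal and verifies the grant.
param(
    # Assumed parameter: ApplicationId field of the AzureRunAsConnection asset.
    [Parameter(Mandatory = $true)]
    [string]$RunAsAppId
)

Connect-AzureAD | Out-Null

# Well-known AppId of the Azure AD Graph API. Microsoft Graph is
# 00000003-0000-0000-c000-000000000000 and is NOT what the AzureAD module uses.
$aadGraphAppId = '00000002-0000-0000-c000-000000000000'

$runAsSp = Get-AzureADServicePrincipal -Filter "AppId eq '$RunAsAppId'"
if (-not $runAsSp) { throw "No service principal found for AppId $RunAsAppId" }

$aadGraphSp = Get-AzureADServicePrincipal -Filter "AppId eq '$aadGraphAppId'"
if (-not $aadGraphSp) { throw "Azure AD Graph service principal not found in this tenant" }

# Pick the *application* permission (AllowedMemberTypes contains 'Application')
# by name. Directory.Read.All is enough for Get-AzureADUser; only grant
# Directory.ReadWrite.All if the runbook actually modifies directory objects.
$role = $aadGraphSp.AppRoles |
    Where-Object { $_.Value -eq 'Directory.Read.All' -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $role) { throw "Directory.Read.All application role not found on Azure AD Graph" }

# Get-AzureADServiceAppRoleAssignment takes the *resource* SP (Azure AD Graph)
# and lists the principals assigned roles on it; filter down to our Run As SP.
$existing = Get-AzureADServiceAppRoleAssignment -ObjectId $aadGraphSp.ObjectId -All $true |
    Where-Object { $_.PrincipalId -eq $runAsSp.ObjectId -and $_.Id -eq $role.Id }

if (-not $existing) {
    # This assignment is the admin consent. Adding the permission to the app
    # registration's manifest alone (RequiredResourceAccess) grants nothing.
    New-AzureADServiceAppRoleAssignment -ObjectId $runAsSp.ObjectId `
        -PrincipalId $runAsSp.ObjectId `
        -ResourceId $aadGraphSp.ObjectId `
        -Id $role.Id | Out-Null
    Write-Output "Granted $($role.Value) on Azure AD Graph to $($runAsSp.DisplayName)"
}
else {
    Write-Output "$($role.Value) is already granted to $($runAsSp.DisplayName)"
}

# Audit: list every Azure AD Graph role the Run As principal now holds.
Get-AzureADServiceAppRoleAssignment -ObjectId $aadGraphSp.ObjectId -All $true |
    Where-Object { $_.PrincipalId -eq $runAsSp.ObjectId } |
    ForEach-Object {
        $r = $aadGraphSp.AppRoles | Where-Object { $_.Id -eq $_.Id -and $_.Id -eq $PSItem.Id }
        [pscustomobject]@{ Principal = $_.PrincipalDisplayName; Resource = $_.ResourceDisplayName; Role = $r.Value }
    }
```

Tokens are cached per session, which is why the answer tells you to reopen PowerShell: the runbook only sees the new permission on its next job, when Connect-AzureAD requests a fresh app token whose "roles" claim now includes Directory.Read.All.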

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM