How to Run Microsoft Graph PowerShell Scripts With Azure Automation

Azure Automation Accounts enable you to perform unattended and recurring tasks through the use of scripts, such as regular reporting, automatic event remediation and automation of administrative tasks. The integration between Azure Automation and Microsoft Graph PowerShell enables endless possibilities for the management and maintenance of your environment using Graph API.

In this tutorial, I am going to show you how you can create an Azure Automation account and integrate your Microsoft Graph PowerShell script to perform regular automated tasks with no user interaction.

Prerequisites

To complete the steps outlined in this tutorial, you must ensure you have the following:

  • An Azure Subscription
  • An account with global administrator access

Because Automation Accounts are a service located in Azure, they need to be linked to a subscription for billing purposes. In addition, you must use a global administrator account to consent to the permissions that allow your script to run unattended.

Create an Azure AD Application and Assign Permission

To run your Microsoft Graph PowerShell script without any user interaction or authentication, you will need to create a new application in Azure Active Directory with the necessary permissions to perform the actions in the script. Start by logging into the Microsoft Entra admin center and follow the below steps:

1. Select Applications > App registrations.

App registrations

2. At the top of the page, select New registration.

New registration

3. Define a meaningful name for the app, select Accounts in this organizational directory only and then click Register.

Define the name and account type

4. You now need to assign your app the relevant permissions. Select API permissions.

Select API Permissions

5. Select Add a permission, then select Microsoft Graph from the new pop-out window.

Select Add a permission

6. For the permission type, select Application permissions.

Application permissions

7. Search for and select each permission from the list, then once all your permissions are selected, click Add permissions.

Select each permission

8. You now need to grant admin consent for your application to use the requested permissions. Click Grant admin consent for Default Directory.

Grant admin consent for default directory

9. Once admin consent has been granted, the status column will show green ticks.

Admin consent granted

10. The final step is to configure how our script will authenticate to the application. For this, we are going to use a client secret, which is available in version 2 of Microsoft Graph PowerShell. On your application settings page, select Certificates & secrets.

Select Certificates and Secrets

11. Select Client secrets > New client secret.

New client secret

12. Define the description for the secret and the expiry date (the maximum lifetime is 2 years or 730 days).

Client secret settings

13. Save the Value for the secret key for use within your script.

As the purpose of this guide is to demonstrate how to use Microsoft Graph PowerShell with Azure Automation, follow my other tutorial to learn how to use application permissions with a client secret in your scripts: How to Connect To Microsoft Graph PowerShell With a Client Secret.

Create an Azure Automation Account

As PowerShell runbooks make up part of the ‘Process Automation’ features of Azure Automation Accounts, the next thing we must do is create a new automation account. To create an Automation Account, follow the below steps:

1. Start by logging into http://portal.azure.com and then search for Automation Accounts.
Search Automation Accounts

2. On the Automation Accounts page, select Create to launch the new Automation Account wizard.

Create an Automation Account for your Microsoft Graph PowerShell Script

3. On the first page of the wizard, select the subscription that this resource will belong to (this is the subscription that will be billed). Then define the Automation account name and the region where this resource will be geographically stored.

Complete the Automation Account options

Finally, click Review & Create, then Create and wait until the deployment is complete.

Automation Account deployment complete

Import Microsoft Graph PowerShell modules

By default, Azure Automation includes a number of PowerShell modules to help you manage Azure resources. For a full list of the default modules, check out the Microsoft docs page. Importantly, the Microsoft Graph PowerShell modules need to be manually imported. The process is also slightly different if you need to import the preview versions of the modules. Follow the steps below to import the current and preview versions of Microsoft Graph PowerShell into your Azure Automation Account.

Import current versions of Microsoft Graph PowerShell

1. Select your new Automation Account from the Automation Accounts page.

2. Under the Shared resources heading, select Modules.

Select Modules

3. Select Add a module to launch the new module wizard.

Add a module

4. Select Browse from gallery, then click the Click here to browse from gallery button.

Click here to browse from gallery

5. Start by searching for the Microsoft.Graph.Authentication module, select it from the results list, then on the next page, click Select.

Microsoft Graph Authentication module

6. Repeat steps 3 – 5 for each additional module you require.

Import preview versions of Microsoft Graph PowerShell

The module gallery page does not include preview modules for you to deploy within your Automation Account. The most convenient way to deploy a preview module is to do so directly from the PowerShell Gallery website. To install a preview module to your Azure Automation account, follow the below steps:

1. Go to https://www.powershellgallery.com/packages/Microsoft.Graph/ and select the preview version you wish to deploy from the Version History section. In this example, I am choosing version 2.0.0-rc3.

Version 2.0.0 rc3

2. As you can only deploy specific modules via Azure Automation and not the whole SDK, expand the Package Details section and click on the module you want to deploy.

Microsoft Graph Authentication

You may notice the URL in your browser changes to match the module you selected; you can also modify this manually.

Microsoft Graph Authentication module URL

3. The Azure Automation tab will now appear under the Installation Options section. Open this tab and click Deploy to Azure Automation.

Deploy to Azure Automation

4. A new window will open in your browser for the Azure Automation module import wizard. Authenticate if required and select your Automation Account from the list.

Select your Azure Automation Account

5. On the next page click OK and wait for your deployment to complete. You will see this from the notification icon in the Azure Portal.

Deployment Succeeded

6. Repeat steps 1-5 for each module you need to import.

Implement automation script with a Runbook

Runbooks make up the automation component of your Azure Automation account. Runbooks are based on Windows PowerShell, and the version is determined by the Runtime version that is specified when creating the Runbook. The available runtime versions include:

  • Version 5.1
  • Version 7.1
  • Version 7.2

Follow the below steps to create your Runbook and add your PowerShell script:

1. Open your Automation Account and under the Process Automation heading, select Runbooks.
Runbooks

2. Select Create a runbook.

Select create a Runbook

3. On the Create a runbook page, define the name of your runbook, select the Runbook type as PowerShell and Runtime version as 5.1, then click Create.

Runbook settings

4. Once created, the Edit PowerShell window will open. If it does not open, return to the Runbook page within your Automation account, select the new Runbook and click Edit.

Edit Runbook

5. From the Edit PowerShell window, add your script in the code area and then click Save > Publish.

Save and Publish

6. You should now test your Runbook to ensure it runs as expected. From your Runbook overview page, select Start.

Test your runbook

7. You can verify if the job completes with or without errors by selecting the job from the Recent Jobs list at the bottom of the Overview page.

Recent jobs list

8. Select each tab in turn to view any warnings or errors, which should help you resolve any problems if the script fails to complete successfully.

Error tab
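
A runbook body for step 5, as an added example that is not the author's script: it reads the client secret from an encrypted Automation credential asset instead of embedding it in the runbook text, and warns when the app holds more Graph permissions than the job needs. The asset names GraphAppCredential and GraphTenantId, the User.Read.All permission and the disabled-user report are assumptions made for illustration.

```powershell
# Added example runbook (PowerShell 5.1 runtime); asset names are hypothetical.
# Requires the Microsoft.Graph.Authentication and Microsoft.Graph.Users modules
# to be imported into the Automation Account.
$ErrorActionPreference = 'Stop'

# Credential asset: user name = Application (client) ID, password = client secret value.
# Keeping the secret in an asset keeps it out of the runbook source and job output.
$appCredential = Get-AutomationPSCredential -Name 'GraphAppCredential'
$tenantId      = Get-AutomationVariable -Name 'GraphTenantId'

if (-not $appCredential) { throw "Credential asset 'GraphAppCredential' was not found." }
if (-not $tenantId)      { throw "Variable asset 'GraphTenantId' was not found." }

# App-only sign-in with the client secret (Microsoft Graph PowerShell v2).
Connect-MgGraph -TenantId $tenantId -ClientSecretCredential $appCredential

try {
    $context = Get-MgContext
    if ($context.AuthType -ne 'AppOnly') {
        throw "Expected app-only authentication, got '$($context.AuthType)'."
    }

    # Least-privilege check: the permissions this job needs (assumed here).
    $expectedPermissions = @('User.Read.All')
    $extra = @($context.Scopes | Where-Object { $_ -notin $expectedPermissions })
    if ($extra.Count -gt 0) {
        Write-Warning "App has permissions this runbook does not need: $($extra -join ', ')"
    }

    # The scheduled task itself: a simple report of disabled accounts.
    $users    = @(Get-MgUser -All -Property Id, DisplayName, UserPrincipalName, AccountEnabled)
    $disabled = @($users | Where-Object { -not $_.AccountEnabled })

    Write-Output "Total users: $($users.Count); disabled: $($disabled.Count)"
    $disabled | Select-Object DisplayName, UserPrincipalName | Write-Output
}
finally {
    # Drop the cached token when the job ends, even on failure.
    Disconnect-MgGraph | Out-Null
}
```

Create the two assets under Shared Resources > Credentials and Variables in the Automation Account before starting the runbook.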

Configure the automation run schedule

The schedule defines when the runbook runs on a recurring basis, which is convenient if you need your script to run on a daily, weekly or even monthly basis. For this tutorial, I am going to create a schedule to run my script on a daily basis. Follow the below steps to define the schedule for your runbook:

1. Open your Automation Account and select Schedules under the Shared Resources heading.

Schedules

2. From the Schedules page, select Add a schedule.

Add a schedule

3. On the pop-out window, define your schedule settings and then click Create.

  • Name: Enter a meaningful name.
  • Starts: Add your desired start date and time.
  • Time Zone: Specify your time zone.
  • Recurrence: Specify how often the runbook runs on a schedule.
  • Set expiration: Specify when the runbook schedule stops.
Schedule settings

Summary

You now have a Microsoft Graph PowerShell script that will run unattended on a schedule using Azure Automation! In this tutorial, you learnt how to:

  • Create an Azure Application to support your script to run with application permissions
  • Create an Azure Automation Account
  • Import modules into your Azure Automation Account
  • Implement your script using a Runbook
  • Define a schedule for your Runbook

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
