Azure Automation with runbooks error: (403) Forbidden.

  • Question

  • I’m having issues with Azure Automation runbooks; we are using OAuth2 tokens.

    The error that I’m having:

    Invoke-RestMethod : The remote server returned an error: (403) Forbidden.

    I have tried giving my Automation account and runbook all the needed permissions; however, it is not working through the script.

    If I log on to Graph with my Automation account it works, and it also works for some other parameters, but not with anything that falls under “deviceManagement”.

    So for some reason my Automation account is not granting the application enough rights.

    Can it be that I have to adjust something in the Header?

    This is the part that I was running that is giving the error:

    PS C:\...\AutoPilot-Automation-Account> Invoke-RestMethod -Uri $uri3 -Headers $authHeader -Method Get
    Invoke-RestMethod : The remote server returned an error: (403) Forbidden.
    At line:1 char:1
    + Invoke-RestMethod -Uri $uri3 -Headers $authHeader -Method Get
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
        + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
     

    This is how I get my OAuth2 token:

    Param (
        [Parameter (Mandatory = $true)]
        $intuneAutomationCredential
    )
    Function Get-AuthorizationHeader {
        $AppId = Get-AutomationVariable -Name IntuneClientId
        # The post hard-coded the client secret as a string literal here; read it from an
        # encrypted Automation variable instead (the variable name IntuneClientSecret is assumed).
        $AppSecret = Get-AutomationVariable -Name IntuneClientSecret
        $tenant = Get-AutomationVariable -Name Tenant
        $Uri = "https://login.microsoftonline.com/$tenant/oauth2/v2.0/token"
        # client_credentials is an app-only grant: the token endpoint uses client_id,
        # client_secret and scope only. username, password and redirect_uri are ignored,
        # so the credential's permissions (and any directory role such as Global
        # administrator) never reach the token; only the app's granted "roles" do.
        $Body = @{
            grant_type    = 'client_credentials'
            username      = $intuneAutomationCredential.UserName
            password      = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($intuneAutomationCredential.Password))
            client_id     = $AppId
            client_secret = $AppSecret
            scope         = 'https://graph.microsoft.com/.default'
            redirect_uri  = 'https://localhost/'
        }
        $AuthResult = Invoke-RestMethod -Method Post -Uri $Uri -Body $Body
        # The token response carries access_token and expires_in but no ExpiresOn, which
        # Connect-AutoPilotIntune reads; compute it here and return a ready-made header
        # hashtable for Invoke-RestMethod -Headers alongside it.
        [PSCustomObject]@{
            ExpiresOn = (Get-Date).ToUniversalTime().AddSeconds([int]$AuthResult.expires_in)
            Header    = @{
                Authorization  = "Bearer $($AuthResult.access_token)"
                'Content-Type' = 'application/json'
            }
        }
    }
    function Connect-AutoPilotIntune {
        if ($global:authToken) {
            $DateTime = (Get-Date).ToUniversalTime()
            # TotalMinutes, not Minutes: .Minutes is only the minutes component of the TimeSpan
            $TokenExpires = ($global:authToken.ExpiresOn - $DateTime).TotalMinutes
            if ($TokenExpires -le 0) {
                Write-Output "Authentication Token expired $([int](-$TokenExpires)) minutes ago"
                $global:authToken = Get-AuthorizationHeader
            }
        } else {
            $global:authToken = Get-AuthorizationHeader
        }
        # $authHeader is what the failing Invoke-RestMethod call above passes to -Headers
        $global:authHeader = $global:authToken.Header
    }

    If I decode my token, I have the following roles:

      "roles": [
        "DeviceManagementManagedDevices.Read.All",
        "Device.ReadWrite.All",
        "DeviceManagementConfiguration.Read.All",
        "DeviceManagementManagedDevices.ReadWrite.All",
        "DeviceManagementConfiguration.ReadWrite.All",
        "DeviceManagementManagedDevices.PrivilegedOperations.All"
      ],

    Also, for testing this I have even granted my test account the "Global administrator" role to make sure this is not blocking it.


    Monday, October 7, 2019 12:29 PM
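The token in the post is obtained with the client_credentials grant, so it is an app-only token: Graph authorizes the call against the application permissions in its "roles" claim, and neither the username/password in the body nor the Global administrator role on the test account enters into it. A quick way to see what a call will be judged against is to decode the token offline and compare its roles to the permission the target endpoint requires. The script below is an added example, not code from the original post: the function names, the alg=none test token builder (used only to construct sample input), and the endpoint-to-permission map are the editor's assumptions, and the map must be checked against the Microsoft Graph permissions reference for the exact call being made.

```powershell
# Added example, not code from the original post. Decodes a Microsoft Graph access token
# offline and checks whether it carries a permission an endpoint needs before calling it.
# Assumptions: v2.0 JWT tokens; the endpoint -> permission map at the bottom is illustrative
# and must be verified against the Microsoft Graph permissions reference for the exact call.

function ConvertFrom-JwtPayload {
    # Returns the payload claims of a JWT as an object. No signature check: this is for
    # inspecting what the token says about itself, not for trusting it.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT (expected header.payload.signature)' }
    # base64url -> base64: restore the standard alphabet and the padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-GraphTokenPermission {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string[]]$Required   # any one of these satisfies the call
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    # App-only tokens (client_credentials) carry application permissions in "roles";
    # delegated tokens carry scopes in "scp". A user's directory roles (e.g. Global
    # administrator) appear in neither and are not what Graph authorizes against.
    if ($claims.PSObject.Properties['roles']) {
        $kind = 'app-only'; $granted = @($claims.roles)
    } elseif ($claims.PSObject.Properties['scp']) {
        $kind = 'delegated'; $granted = @($claims.scp -split ' ')
    } else {
        $kind = 'unknown'; $granted = @()
    }
    $have = @($Required | Where-Object { $granted -contains $_ })
    [PSCustomObject]@{
        TokenType  = $kind
        Audience   = $claims.aud
        ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
        Granted    = $granted
        Satisfied  = ($have.Count -gt 0)
        Missing    = @($Required | Where-Object { $granted -notcontains $_ })
    }
}

function New-UnsignedTestJwt {
    # Builds an alg=none JWT from a hashtable of claims so the checks can run offline.
    # Only for constructing test input; Azure AD never issues such tokens.
    param([Parameter(Mandatory)][hashtable]$Claims)
    $b64url = {
        param([string]$s)
        [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    $header  = & $b64url '{"alg":"none","typ":"JWT"}'
    $payload = & $b64url ($Claims | ConvertTo-Json -Compress)
    "$header.$payload."   # empty signature segment
}

# Constructed sample: an app-only token holding two of the roles listed in the post.
$sample = New-UnsignedTestJwt -Claims @{
    aud   = 'https://graph.microsoft.com'
    exp   = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
    roles = @('DeviceManagementManagedDevices.Read.All', 'DeviceManagementConfiguration.ReadWrite.All')
}

# Assumed requirements for two Intune endpoints (verify against the Graph permissions
# reference for the actual call; the second is the family Autopilot device identities fall under).
$checks = [ordered]@{
    'deviceManagement/managedDevices'                   = @('DeviceManagementManagedDevices.Read.All', 'DeviceManagementManagedDevices.ReadWrite.All')
    'deviceManagement/windowsAutopilotDeviceIdentities' = @('DeviceManagementServiceConfig.Read.All', 'DeviceManagementServiceConfig.ReadWrite.All')
}

foreach ($endpoint in $checks.Keys) {
    $r = Test-GraphTokenPermission -Token $sample -Required $checks[$endpoint]
    '{0,-50} {1,-9} satisfied={2} missing={3}' -f $endpoint, $r.TokenType, $r.Satisfied, ($r.Missing -join ',')
}
```

Run it against a real token by replacing `$sample` with the `access_token` string the runbook receives; an endpoint that reports satisfied=False with an app-only token will return 403 no matter which directory roles the credential's user holds, and the fix is to add the missing application permission to the app registration and grant admin consent.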

All replies