Azure Automation with runbooks error: (403) Forbidden.

  • Question

  • I’m having issues with Azure Automation runbooks; we are using OAuth2 tokens.

    The error that I’m having:

    Invoke-RestMethod : The remote server returned an error: (403) Forbidden.

    I have tried giving my Automation account and runbook all needed permissions; however, it is not working through the script.

    If I log on to Graph with my Automation account it works. It also works for some other parameters, but not with anything that falls under “deviceManagement”.

    So for some reason my Automation account is not granting the application enough rights.

    Can it be that I have to adjust something in the Header?

    This is the part that I was running that is giving the error:

    PS C:\...\AutoPilot-Automation-Account> Invoke-RestMethod -Uri $uri3 -Headers $authHeader -Method Get
    Invoke-RestMethod : The remote server returned an error: (403) Forbidden.
    At line:1 char:1
    + Invoke-RestMethod -Uri $uri3 -Headers $authHeader -Method Get
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
        + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

    This is how I get my OAuth2 token:

    Param (
        [Parameter (Mandatory = $true)]
        $intuneAutomationCredential
    )
    Function Get-AuthorizationHeader {
        $AppId = Get-AutomationVariable -Name IntuneClientId
        # The posted script held the client secret as a string literal in the runbook;
        # read it from an encrypted Automation variable instead (variable name assumed)
        $AppSecret = Get-AutomationVariable -Name IntuneClientSecret
        $tenant = Get-AutomationVariable -Name Tenant
        $Uri = "https://login.microsoftonline.com/$tenant/oauth2/v2.0/token"
        $Body = @{
            grant_type = 'client_credentials'
            # username, password and redirect_uri are ignored by the client_credentials grant:
            # the token issued is app-only, which is why the decoded token carries "roles"
            username = $intuneAutomationCredential.UserName
            password = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($intuneAutomationCredential.Password))
            client_id = $AppId
            client_secret = $AppSecret
            scope = 'https://graph.microsoft.com/.default'
            redirect_uri = 'https://localhost/'
        }
        $AuthResult = Invoke-RestMethod -Method Post -Uri $Uri -Body $Body
        # The v2.0 endpoint returns expires_in (seconds), not an ExpiresOn property;
        # derive one so the caller can test expiry, and return a ready-to-use header
        [PSCustomObject]@{
            Header    = @{ Authorization = "Bearer $($AuthResult.access_token)" }
            ExpiresOn = (Get-Date).ToUniversalTime().AddSeconds($AuthResult.expires_in)
        }
    }
    function Connect-AutoPilotIntune {
        if($global:authToken){
            $DateTime = (Get-Date).ToUniversalTime()
            # TotalMinutes, not Minutes: .Minutes is only the minutes component of the span
            $TokenExpires = ($global:authToken.ExpiresOn - $DateTime).TotalMinutes
            if($TokenExpires -le 0){
                Write-Output "Authentication Token expired $([math]::Abs($TokenExpires)) minutes ago"
                $global:authToken = Get-AuthorizationHeader
            }
        } else {
            $global:authToken = Get-AuthorizationHeader
        }
    }

    If I decode my token, I have the following roles:

      "roles": [
        "DeviceManagementManagedDevices.Read.All",
        "Device.ReadWrite.All",
        "DeviceManagementConfiguration.Read.All",
        "DeviceManagementManagedDevices.ReadWrite.All",
        "DeviceManagementConfiguration.ReadWrite.All",
        "DeviceManagementManagedDevices.PrivilegedOperations.All"
      ],

    Also, for testing this I have even granted my test account the "Global administrator" role to make sure this is not blocking it.


    Monday, October 7, 2019 12:29 PM

All replies

  • I have found the solution.

    I was missing the following role:

    DeviceManagementServiceConfig.ReadWrite.All

    Tuesday, October 8, 2019 8:17 AM
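    A diagnostic fragment added here as an example; it is not part of this thread or of any Microsoft tooling. It decodes the token's "roles" claim the way the asker did and checks it against the application permission the answer above identifies, so a runbook can log a missing permission before Graph returns 403 (note that a user's directory roles, Global Administrator included, never appear in an app-only token). The function names Get-JwtRoles and Test-GraphTokenRoles and the sample token are assumptions constructed for the example.

```powershell
# Decode the payload of a JWT (no signature check; this only reads claims) and
# return the application permissions Azure AD placed in its "roles" claim.
function Get-JwtRoles {
    param([Parameter(Mandatory)][string]$Token)
    $segments = $Token.Split('.')
    if ($segments.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # base64url -> base64: map the URL-safe alphabet back and restore '=' padding
    $b64 = $segments[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
    # app-only (client_credentials) tokens carry permissions in "roles"; a delegated
    # token carries them in "scp" instead, and directory roles such as Global
    # Administrator do not appear in an app-only token at all
    return @($claims.roles)
}

# Compare the token's roles with the permissions a Graph call needs, so a 403 can be
# explained (and logged) before the request is sent.
function Test-GraphTokenRoles {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string[]]$RequiredRoles
    )
    $present = Get-JwtRoles -Token $Token
    $missing = @($RequiredRoles | Where-Object { $_ -notin $present })
    [PSCustomObject]@{ Present = $present; Missing = $missing; Ok = ($missing.Count -eq 0) }
}

# --- constructed sample: an unsigned JWT whose roles mirror the asker's decoded token ---
$toB64Url = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
$sampleClaims = @{
    aud   = 'https://graph.microsoft.com'
    roles = @('DeviceManagementManagedDevices.Read.All', 'DeviceManagementConfiguration.ReadWrite.All')
}
$header      = & $toB64Url '{"alg":"none","typ":"JWT"}'
$payload     = & $toB64Url ($sampleClaims | ConvertTo-Json -Compress)
$sampleToken = "$header.$payload.constructed-signature"

# The role the fix in this thread turned out to be missing
$check = Test-GraphTokenRoles -Token $sampleToken -RequiredRoles @('DeviceManagementServiceConfig.ReadWrite.All')
if (-not $check.Ok) {
    Write-Warning ("Graph call would be refused: token lacks {0}; grant it to the app registration and re-consent" -f ($check.Missing -join ', '))
}
```

    Run the check against the real $global:authToken before the Invoke-RestMethod call; a non-empty Missing list explains the 403 without any change to the request headers.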
  • Appreciate that you have resolved your issue, and thanks also for sharing the solution here so that other users can go through this thread if they have a similar issue.
    Monday, October 28, 2019 12:45 PM