When you build automation in Azure, the kind that pokes Intune, Microsoft Graph, or anything security-sensitive, your Automation Account's Managed Identity needs the right permissions.
If not, your runbooks won't scream, they won't warn you... they'll just silently flop like a sad Jenga tower: typically a 403 from Graph buried in the job output, and nothing else to show for it.
Here's how to verify everything from your local PowerShell, safely, cleanly, and without pasting tenant IDs or secrets anywhere.
Short, efficient, and straight to the point.

1. Log in to Azure (Skip the Broken Browser Stuff)
Sometimes PowerShell tries launching the browser, and the browser just says "nope".
If that happens, use the device code login instead.
Connect-AzAccount -DeviceCode
You’ll get a code.
Put it in https://microsoft.com/devicelogin, sign in, done.
2. Select the Right Azure Subscription (Avoid Accidents)
If you’re in multiple subscriptions, take five seconds to confirm the right one.
Get-AzSubscription
Set-AzContext -Subscription "YOUR-SUB-ID"
Double-check your context. Nothing ruins a day like updating the wrong environment.
3. Pull the Automation Account Identity
Let's fetch the Automation Account (AA for short) and its Managed Identity:
$aa = Get-AzAutomationAccount `
-ResourceGroupName "YOUR-RG-NAME" `
-Name "YOUR-AA-NAME"
$aa.Identity
If the system-assigned Managed Identity is enabled, you'll see something like:
Type : SystemAssigned
PrincipalId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
TenantId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Copy the PrincipalId. (If Identity comes back empty, enable the identity on the account first; nothing below works without a principal. A user-assigned identity has its own PrincipalId, shown on the identity resource itself.)
That's the object ID of the service principal Entra ID created for this identity, and every permission check below keys on it.
4. Check Graph API Permissions for the Managed Identity
This part surprises people: a Managed Identity is a service principal with no app registration behind it, so az ad app permission list (which reads the permissions an app registration requests) fails on the PrincipalId with "resource not found". What you actually want is the list of app role assignments on the service principal, which Azure CLI can read straight from Graph.
Install it if needed: aka.ms/azure-cli
Log in:
az login
Then check the permissions:
az rest --method GET --uri "https://graph.microsoft.com/v1.0/servicePrincipals/<PRINCIPAL-ID>/appRoleAssignments"
Each entry carries an appRoleId, not a name. To translate IDs into names, list the app roles that the Microsoft Graph service principal exposes:
az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "appRoles[].{id:id,value:value}" -o table
Let's say your runbooks need permissions like:
- DeviceManagementConfiguration.Read.All
- DeviceManagementApps.Read.All
- Group.Read.All
- Mail.Send
If any are missing, no problem, we fix that next.
5. Assign Graph API Permissions to the Managed Identity
The Microsoft Graph application ID is the same in every tenant:
00000003-0000-0000-c000-000000000000
An application permission on a Managed Identity is an app role assignment: the Graph service principal is the resource, the Managed Identity is the principal, and the permission is referenced by its role ID. Look up the resource ID and the role ID once:
GRAPH_SP=$(az ad sp show --id 00000003-0000-0000-c000-000000000000 --query id -o tsv)
ROLE_ID=$(az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "appRoles[?value=='DeviceManagementConfiguration.Read.All'].id" -o tsv)
Then create the assignment (az ad app permission add does not work here for the same reason as above: it edits an app registration, and there is none):
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/servicePrincipals/<PRINCIPAL-ID>/appRoleAssignments" \
--body "{\"principalId\":\"<PRINCIPAL-ID>\",\"resourceId\":\"$GRAPH_SP\",\"appRoleId\":\"$ROLE_ID\"}"
Repeat, changing the value in the ROLE_ID query, for:
DeviceManagementApps.Read.All
Group.Read.All
Mail.Send
There is no separate admin-consent step: az ad app permission admin-consent only applies to app registrations, and creating the assignment with an account that is allowed to consent to Graph application permissions (for example Privileged Role Administrator or Global Administrator) is the consent. One least-privilege caveat: Mail.Send as an application permission lets the identity send as any mailbox in the tenant, so if the runbook only ever sends from one address, restrict it with an Exchange Online application access policy.
Now your Managed Identity finally has the rights your runbooks need.
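Steps 4 and 5 above can also be done entirely from PowerShell with the Microsoft.Graph SDK, which keeps everything in one shell and avoids hand-copying role IDs. The following is an added example, not code from the original post: it assumes the Microsoft.Graph module is installed, that you have run Connect-MgGraph with scopes that allow granting app roles, and that $principalId holds the PrincipalId from step 3. It lists what the identity already holds and grants only the missing roles, refusing anything that is not a real Graph application permission.

```powershell
# Added example: check and grant Microsoft Graph application permissions (app roles)
# for an Automation Account's managed identity with the Microsoft.Graph PowerShell SDK.
# Assumptions: Microsoft.Graph is installed; Connect-MgGraph has been run by an account
# allowed to consent to Graph application permissions; $principalId is the managed
# identity's PrincipalId (service principal object ID) from step 3.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications

$GraphAppId = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph, identical in every tenant

function Get-ManagedIdentityGraphRoles {
    # Returns the names (e.g. Group.Read.All) of Graph app roles already assigned to the principal.
    param([Parameter(Mandatory)][string]$PrincipalId)

    $graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
    $nameById = @{}
    foreach ($role in $graphSp.AppRoles) { $nameById[$role.Id] = $role.Value }

    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $PrincipalId -All |
        Where-Object { $_.ResourceId -eq $graphSp.Id } |        # ignore roles on other APIs
        ForEach-Object { $nameById[$_.AppRoleId] }
}

function Grant-ManagedIdentityGraphRoles {
    # Idempotently assigns the requested Graph application permissions to the principal.
    param(
        [Parameter(Mandatory)][string]$PrincipalId,
        [Parameter(Mandatory)][string[]]$Roles
    )

    $graphSp  = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
    $existing = @(Get-ManagedIdentityGraphRoles -PrincipalId $PrincipalId)

    foreach ($roleValue in $Roles) {
        if ($existing -contains $roleValue) {
            Write-Host "already granted: $roleValue"
            continue
        }

        # Only roles whose AllowedMemberTypes include 'Application' can be assigned to a
        # service principal; a typo or a delegated-only scope fails here, not at runtime.
        $role = $graphSp.AppRoles | Where-Object {
            $_.Value -eq $roleValue -and $_.AllowedMemberTypes -contains 'Application'
        }
        if (-not $role) { throw "No Graph application permission named '$roleValue'" }

        # The assignment itself is the grant; no separate admin-consent call exists for a managed identity.
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $PrincipalId `
            -PrincipalId $PrincipalId -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
        Write-Host "granted: $roleValue"
    }
}

# Usage (values are placeholders, as in the rest of this post):
# Connect-MgGraph -Scopes 'Application.Read.All','AppRoleAssignment.ReadWrite.All'
# $principalId = $aa.Identity.PrincipalId
# Get-ManagedIdentityGraphRoles -PrincipalId $principalId
# Grant-ManagedIdentityGraphRoles -PrincipalId $principalId -Roles @(
#     'DeviceManagementConfiguration.Read.All', 'DeviceManagementApps.Read.All',
#     'Group.Read.All', 'Mail.Send')
# Get-ManagedIdentityGraphRoles -PrincipalId $principalId   # confirm the four roles are now listed
```

Run the Get function before and after the Grant: the second listing is your proof that the roles landed on the identity, and it is the same data Graph puts in the roles claim of every token the runbook will later request.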
6. Runbooks Are Now Ready for Clean, Secure Execution
If your automation hits Intune endpoints, sends messages, or manages devices, you've just saved yourself hours of silent failures and pointless troubleshooting.
Once the app roles are assigned, the Graph token a runbook obtains after signing in with the Managed Identity carries exactly those roles, and the cryptic Graph API errors go away.
Migration scripts, Intune inventory, dynamic configuration... everything behaves like it should.
Final Word
Verifying Azure Automation Account permissions shouldn’t feel like defusing a bomb.
A couple of PowerShell commands, a quick Azure CLI check, and a few app role assignments: that's all it takes to make your automation run reliably.
When your Managed Identity is properly configured, automation stops being “trial and error” and becomes the stable, predictable tool you actually wanted.
Next, check out how to set up an Intune alert activity reports system here.