Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 79%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKU%3C/text%3E%3C/svg%3E)
i like your question
How to read Entra ID user data by automation account?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 5%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPR%3C/text%3E%3C/svg%3E)
PPA Richard Vaněk
0
Reputation points
I have a runbook in an automation account with managed identity. I want this runbook to read information about federated users and groups from Entra ID. I want it to do it using "Connect-MgGraph -Identity".
I got granted privileges "Directory.Read.All, User.Read.All, GroupMember.Read.All" to the automation account identity, but when calling "Connect-MgGraph -Identity" I still get error "Invalid JWT access token."
What is missing and why?
Update: The privileges are granted by Admin, this is not the issue.
Azure Automation
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 7.000000000000001%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
Sandhya Kommineni 245 Reputation points Microsoft External Staff Moderator2025-08-21T12:06:28.98+00:00 Hi PPA Richard Vaněk, Thanks for bringing your question to Microsoft Q&A.
The Automation Account’s managed identity has the right permissions assigned, but admin consent has not been granted in Entra ID. Entra ID will not include them in the issued JWT until admin consent is granted in the Enterprise Application object for the Automation Account identity. without consent, the token issued for Microsoft Graph is invalid and rejected.
Recommended steps to fix the issue:
1.Navigate to Entra ID → Enterprise Applications and locate your Automation Account’s managed identity.
2.Under Permissions → API permissions, add:
Microsoft Graph → Application permissions →
Directory.Read.All,User.Read.All,GroupMember.Read.All.3.Then click Grant admin consent.
4.Finally, re-run your runbook with these updated permissions.
Connect-MgGraph -Identity
Get-MgUser
Get-MgGroup
5.This time the token will be valid, and Graph will return results.
I hope the steps provided help resolve your issue. If you encounter any further problems, please feel free to post them here. I am happy to assist you.
-
PPA Richard Vaněk 0 Reputation points
2025-08-21T12:24:00.33+00:00 Hello,
thank you very much for your answer. I forgot to mention that, of course, the permissions got admin consent, yet it does not work.
AI suggests to grant permissions also to the "Microsoft Graph" (GraphAggregatorService) application itself, however the tenant admins think that this is wrong and no reason for it.
-
Sandhya Kommineni 245 Reputation points Microsoft External Staff Moderator
2025-08-27T07:27:36.0333333+00:00 Hi PPA Richard Vaněk, just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.
-
Sandhya Kommineni 245 Reputation points Microsoft External Staff Moderator
2025-08-29T02:12:35.2166667+00:00 Hi PPA Richard Vaněk, I hope the provided answer is helpful, do let me know if you have any further questions on this Please accept as Yes if the answer is helpful so that it can help others in the community.
Sign in to comment
2 answers
Sort by: Most helpful
-
-
Sandhya Kommineni 245 Reputation points Microsoft External Staff Moderator
2025-08-26T07:20:25.09+00:00 Hi PPA Richard Vaněk, thanks for sharing details
Granting permissions to the Microsoft Graph (GraphAggregatorService) app is not required and not correct. That object represents Graph itself you never assign roles to it.
Try recommended steps to resolve the issue:
1.Verify the token audience
From inside your runbook, dump the token that
Connect-MgGraph -Identitygets:Connect-MgGraph -Identity (Get-MgContext).AccessToken | Out-File "D:\home\LogFiles\graph_token.txt"Then decode it at jwt.ms. Check the
aud(audience) claim it must behttps://graph.microsoft.com.If it’s something else (like
https://management.azure.com), then Graph will reject it.2.Check the app role assignments
Sometimes people add them in API permissions but forget to add them in App role assignments only the latter works for managed identities.Navigate to Entra ID → Enterprise Applications → [your Automation Account MI] → App role assignments, and confirm your roles
3.Explicitly select scopes when connecting
Sometimes
Connect-MgGraph -Identitywithout-Scopesfails to attach roles properly.Try connecting,Connect-MgGraph -Identity -Scopes "Directory.Read.All","User.Read.All","GroupMember.Read.All"4.Retry with user-assigned MI (if possible)
If you’re using a system-assigned MI, test by attaching a user-assigned MI to the Automation Account and then:
Connect-MgGraph -Identity -ClientId <user-assigned-mi-client-id>This helps isolate whether it’s a token issue with the system-assigned identity.
I hope this helps you resolve the issue. If you need any further assistance, I am happy to assist.