Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.
Error while excuting runbook in Azure Automation account
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 65%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECB%3C/text%3E%3C/svg%3E)
Chinmayi Bose
0
Reputation points
Hi Team,
Could you please provide guidance and troubleshooting steps for an authentication issue I am encountering while attempting to automate the process of identifying inactive Azure AD accounts? I am working on creating a runbook to find these accounts and schedule a weekly email report, a task I currently perform manually.
Below is the script I am running manually.
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes AuditLog.Read.All,Directory.Read.All
$DaysInactive = 30
$CutoffDate = (Get-Date).AddDays(-$DaysInactive)
# Retrieve all enabled users and sign-in activity
$Users = Get-MgUser -All:$true -Property UserPrincipalName, DisplayName, AccountEnabled, SignInActivity |
Where-Object AccountEnabled -eq $true
# Filter users whose last interactive sign-in was before cutoff
$InactiveUsers = $Users |
Where-Object {
$.SignInActivity.LastSignInDateTime -and ($.SignInActivity.LastSignInDateTime -lt $CutoffDate)
} |
Select-Object DisplayName, UserPrincipalName,
@{Name="LastSignIn";Expression={$_.SignInActivity.LastSignInDateTime}}
$InactiveUsers | Format-Table -AutoSize
Optionally export to CSV
$InactiveUsers | Export-Csv Inactive30Days.csv -NoTypeInformation
Disconnect-MgGraph
I am utilizing PowerShell 7.4 in the Automation account, and the necessary Graph modules have been successfully updated. I have explored both managed identity and app registration methods for authentication; however, both scripts consistently return an "authentication needed: Call connect-MgGraph" error.
Your assistance in resolving this authentication problem and setting up the runbook and weekly report would be greatly appreciated.
Thank you for your time and support.
Best regards,
Chinmayi Bose
Azure Automation
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 31%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVP%3C/text%3E%3C/svg%3E)
Vinod Pittala 6,310 Reputation points Microsoft External Staff Moderator2025-08-25T09:45:36.3533333+00:00 Hello Chinmayi Bose,
Please run this 2 lines at your runbooks and try executing your script accordingly.
#Connect to Azure with system-assigned managed identity $AzureContext = (Connect-AzAccount -Identity).context # set and store context $AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext -
Chinmayi Bose 0 Reputation points
2025-08-25T12:22:41.48+00:00 Please find the below error once I added the above to my script.
-
Vinod Pittala 6,310 Reputation points Microsoft External Staff Moderator
2025-08-25T14:50:05.2633333+00:00 Can you please verify whether you have enabled the system managed identity for your Automation account or not?
Below is the reference for you. if you still did not enable the system managed identity, please go to the below page and enable it.
Adding the reference steps: https://docs.azure.cn/en-us/automation/enable-managed-identity-for-automation#enable-using-the-azure-portal
Once it enabled then run the provided commands.
-
Chinmayi Bose 0 Reputation points
2025-08-26T08:23:20.5433333+00:00 Hi,
It is enabled.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 72%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENP%3C/text%3E%3C/svg%3E)
Naveena Patlolla 5,365 Reputation points Microsoft External Staff Moderator2025-08-26T08:27:08.34+00:00 I have re-replicated the scenario in my environment, and it worked successfully. We tested exporting the MgUser last password change, and the output was successfully stored in the Storage Account. Please find the results below.
We identified two main issues:
1)Error during execution: The error occurs because the user account action in PowerShell is non-interactive when running under an Automation Account.
2)CSV export location: The command Export-Csv Inactive30Days.csv -NoTypeInformation writes the CSV locally to the Automation Account, which is not accessible externally.
Solutions:
Solution for the issue 1: Install the Microsoft Graph module from the PowerShell Gallery. Navigate to Automation account-> Modules->Click on browse gallery
Search for MicrosoftGraphPS and install the module
Solution for the issue 2:
- Export the CSV directly to an Azure Storage Account.
- Create a Storage Account and container if not already available.
Reference document: https://learn.microsoft.com/en-us/answers/questions/1189941/azure-automation-how-to-use-export-csv-in-azure-au
Please find the updated script below: This script adds the connection and CSV export logic. The core PowerShell logic remains the same:
$AzureContext = (Connect-AzAccount -Identity).context Write-Output "-> Setting context" $azureContext = Set-AzContext -SubscriptionName $azureContext.Subscription -DefaultProfile $azureContext Write-Output "`n+ Connecting to Graph (Managed Identity)" Connect-MgGraph -Identity -NoWelcome # Connect to Microsoft Graph (with required permissions) $InactiveUsers= @() $DaysInactive = 30 $CutoffDate = (Get-Date).AddDays(-$DaysInactive) # Retrieve all enabled users and sign-in activity $Users = Get-MgUser -All:$true -Property UserPrincipalName, DisplayName, AccountEnabled, SignInActivity | Where-Object AccountEnabled -eq $true # Filter users whose last interactive sign-in was before cutoff $InactiveUsers = $Users | Where-Object { $.SignInActivity.LastSignInDateTime -and ($.SignInActivity.LastSignInDateTime -lt $CutoffDate) } | Select-Object DisplayName, UserPrincipalName, @{Name="LastSignIn";Expression={$_.SignInActivity.LastSignInDateTime}} $InactiveUsers | Format-Table -AutoSize $InactiveUsers | ft DisplayName, UserPrincipalName,LastSignIn Write-Host $VM_ARRAY $InactiveUsers | Export-CSV ($env:TEMP+"Inactiveusers.csv") -Notype "upload AutomationFile123.csv file to storage account" $Context = New-AzStorageContext -StorageAccountName "" -StorageAccountKey "" Set-AzStorageBlobContent -Context $Context -Container "test" -File ($env:TEMP+"Inactiveusers.csv") -Blob "Inactiveusers.csv" -ForcePlease let me know if you face any challenge here, I can help you to resolve this issue further
If the comment was helpful, please click "Upvote"
-
Naveena Patlolla 5,365 Reputation points Microsoft External Staff Moderator
2025-08-28T07:49:49.0666667+00:00 Hi Chinmayi Bose
Just want to check if the above solution worked for you or else please let us know if any help, we are always here to help whenever you need us.If the comment is helpful, please click "Upvote it"
Thankyou
-
Naveena Patlolla 5,365 Reputation points Microsoft External Staff Moderator
2025-08-29T01:30:36.6366667+00:00 Just want to check if the above solution worked for you or else please let us know if any help, we are always here to help whenever you need us.
If the comment is helpful, please click "Upvote it"
Thankyou
Sign in to comment
Sign in to answer