I'm looking for a way to automate a PowerShell script that changes a setting on a specific SharePoint site. The command I need to run is "Set-SPOSite -Identity '' -DenyAddAndCustomizePages 0". This needs to happen daily because SharePoint sometimes reverts this setting, and the business needs it to remain enforced. I want to execute this script using an Azure Automation Account with a Managed Identity instead of relying on app registration with client secrets or certificates, as I want to avoid giving SharePoint admin privileges through app registration. However, I've heard that Managed Identities don't work with SharePoint Admin cmdlets. If I grant the Managed Identity the SharePoint Admin role through Entra ID, will it still run into authentication issues? Has anyone successfully done this?
3 Answers
Keep in mind that anyone with access to your Automation account when it uses a Managed Identity will gain indirect access to the SharePoint Admin role. Make sure to limit the role-based access control (RBAC) to just what's necessary, so not every admin can view or manage your automation account.
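One way to act on this answer is to audit who can run or edit runbooks in the Automation account, since those principals can effectively use the Managed Identity. The script below is an added example, not code from the thread or from Microsoft; it assumes the Az.Accounts and Az.Resources modules, an existing `Connect-AzAccount` session with rights to read role assignments, and placeholder subscription, resource group and account names.

```powershell
# Added example: list Azure RBAC assignments on an Automation account that would let a
# principal run or modify runbooks (and so act as the account's Managed Identity).
# Assumes Az.Accounts / Az.Resources and an existing Connect-AzAccount session.
param(
    [string]$SubscriptionId    = "<subscription-id>",     # placeholder
    [string]$ResourceGroup     = "<resource-group>",      # placeholder
    [string]$AutomationAccount = "<automation-account>"   # placeholder
)

$ErrorActionPreference = "Stop"

# Resource ID of the Automation account; role assignments are evaluated at this scope.
$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
         "/providers/Microsoft.Automation/automationAccounts/$AutomationAccount"

# Built-in roles that allow starting jobs or editing runbook content. Anyone holding one
# of these at (or above) this scope can make the Managed Identity execute their code.
$sensitiveRoles = @(
    "Owner",
    "Contributor",
    "Automation Contributor",
    "Automation Operator",
    "Automation Job Operator"
)

# Get-AzRoleAssignment -Scope also returns assignments inherited from the resource
# group, subscription or management group; those show a shorter Scope value and
# deserve the same review, since they cannot be removed at the account level.
$assignments = Get-AzRoleAssignment -Scope $scope |
    Where-Object { $_.RoleDefinitionName -in $sensitiveRoles } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Sort-Object Scope, RoleDefinitionName

if (-not $assignments) {
    Write-Output "No sensitive role assignments found at or above $scope"
} else {
    Write-Output ("{0} principal(s) can run or edit runbooks in {1}:" -f @($assignments).Count, $AutomationAccount)
    $assignments | Format-Table -AutoSize
}
```

Run this after granting the SharePoint Administrator role to the Managed Identity and again whenever the resource group's membership changes; inherited Owner or Contributor assignments from the subscription are the ones most often overlooked.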
You can actually use the PnP PowerShell module with a Managed Identity in Azure Automation. There's a great resource that covers this too! The equivalent command with the PnP module is:
Set-PnPSite -Identity -NoScriptSite $false
This might be the solution you're looking for!
Thank you so much!! The article is super helpful, especially since I'm trying this for the first time.
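For anyone implementing this answer, here is an added example of what the daily runbook can look like. It is not code from the thread or from the PnP PowerShell project; it assumes the PnP.PowerShell module has been imported into the Automation account, that the account's system-assigned Managed Identity has been granted the SharePoint admin rights the question describes, and that the tenant admin and site URLs are placeholders you replace.

```powershell
# Added example Azure Automation runbook: re-enable custom scripts on one site daily
# using the Automation account's Managed Identity and PnP.PowerShell.
# Assumptions: PnP.PowerShell is imported into the account; the Managed Identity holds
# the SharePoint admin rights discussed in the thread; URLs below are placeholders.
param(
    [Parameter(Mandatory = $true)]
    [string]$SiteUrl,                                              # e.g. https://contoso.sharepoint.com/sites/Example (placeholder)
    [string]$AdminUrl = "https://contoso-admin.sharepoint.com"     # tenant admin URL (placeholder)
)

$ErrorActionPreference = "Stop"

# Authenticate as the runbook's system-assigned Managed Identity; no secret or
# certificate is stored in the Automation account.
Connect-PnPOnline -Url $AdminUrl -ManagedIdentity

# Read the current value first so the job log only records real changes.
# Assumption: Get-PnPTenantSite exposes DenyAddAndCustomizePages as Enabled/Disabled/Unknown.
$before = Get-PnPTenantSite -Identity $SiteUrl
Write-Output ("[{0}] {1} DenyAddAndCustomizePages={2}" -f (Get-Date -Format o), $SiteUrl, $before.DenyAddAndCustomizePages)

if ("$($before.DenyAddAndCustomizePages)" -ne "Disabled") {
    # PnP equivalent of Set-SPOSite -DenyAddAndCustomizePages 0 (allow custom script).
    Set-PnPSite -Identity $SiteUrl -NoScriptSite $false

    # Verify the write actually took effect; fail the job loudly if SharePoint rejected it.
    $after = Get-PnPTenantSite -Identity $SiteUrl
    if ("$($after.DenyAddAndCustomizePages)" -ne "Disabled") {
        throw "Setting did not persist on $SiteUrl (value is now '$($after.DenyAddAndCustomizePages)')"
    }
    Write-Output "Re-enabled custom scripts on $SiteUrl"
} else {
    Write-Output "No change needed for $SiteUrl"
}

Disconnect-PnPOnline
```

Link the runbook to a daily schedule with `$SiteUrl` as the schedule parameter. Because the script throws when the value does not stick, a failed job in the Automation account is your signal that SharePoint reverted the setting again or that the identity lost its permissions, which is easier to alert on than a silent no-op.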
Have you considered just assigning the sites.selected permission directly to the Managed Identity? I recall doing something similar for an app service Managed Identity, and it worked fine.
Unfortunately, this command requires SharePoint admin permission to function. I tried that approach before, but it didn't work for me.

Thanks for the heads up!