I'm looking to set up a daily PowerShell script that runs through an Azure Automation Account to set a specific property on a SharePoint site. The command I'll be using is `Set-SPOSite -Identity "" -DenyAddAndCustomizePages 0`. This setting tends to revert by itself, so we need consistent enforcement. I'm aiming to use a Managed Identity for authentication instead of traditional app registration methods, which require client secrets or certificates. However, I'm worried about permissions, since this command needs SharePoint admin rights, and I don't want to grant admin privileges to the app registration. Is it true that Managed Identity can't be used with SharePoint Admin cmdlets? If I give the Managed Identity the SharePoint Admin role in Entra ID, will that still lead to authentication issues? Has anyone had experience with this? What's the best way to automate this without needing app registration admin rights?
3 Answers
Have you thought about just assigning the Sites.Selected permission to the Managed Identity? I believe I've done that successfully for an App Service Managed Identity before.
Just a heads-up: giving anyone access to the Automation account with Managed Identity means they'll have some indirect access to the SharePoint Admin role too. It’s a good idea to restrict RBAC to that automation account to make sure only the necessary people have access.
Thanks for the advice!
You can definitely use the PnP PowerShell module with a Managed Identity through Azure Automation. Check this article for guidance: https://pnp.github.io/powershell/articles/azureautomationrunbook.html. The equivalent command in the PnP module would be `Set-PnPSite -Identity -NoScriptSite $false`.
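As an added example (not code from this thread or from the PnP project), here is a runbook of the kind the linked article describes: it authenticates with the Automation account's Managed Identity, reads the current value and only re-applies it when the site has drifted, so the job log shows real changes rather than a daily no-op. The URLs are placeholders, and it assumes PnP.PowerShell is imported into the Automation account and that the Managed Identity already holds whatever SharePoint application permission the tenant requires for this change.

```powershell
# Added example runbook; not from the original thread or the PnP project.
# Assumptions:
#  - PnP.PowerShell is imported into the Automation account as a module
#  - the system-assigned Managed Identity has the SharePoint application
#    permission the tenant requires for this change
#  - both URLs below are placeholders
param(
    [string] $AdminUrl = 'https://contoso-admin.sharepoint.com',            # placeholder
    [string] $SiteUrl  = 'https://contoso.sharepoint.com/sites/Placeholder' # placeholder
)

$ErrorActionPreference = 'Stop'

try {
    # No client secret or certificate lives in the runbook: the token is
    # obtained from the Automation account's Managed Identity.
    Connect-PnPOnline -Url $AdminUrl -ManagedIdentity

    # Read the current state first so the run is idempotent and the job
    # output records when the setting actually reverted.
    $before = (Get-PnPTenantSite -Identity $SiteUrl).DenyAddAndCustomizePages
    if ($before -eq 'Disabled') {
        Write-Output "$SiteUrl already allows custom scripts; nothing to do."
        return
    }

    Write-Output "$SiteUrl drifted to DenyAddAndCustomizePages=$before; re-applying."
    # PnP equivalent of: Set-SPOSite -Identity $SiteUrl -DenyAddAndCustomizePages 0
    Set-PnPSite -Identity $SiteUrl -NoScriptSite $false

    # Confirm the change took effect and record the result in the job output.
    $after = (Get-PnPTenantSite -Identity $SiteUrl).DenyAddAndCustomizePages
    Write-Output "Result for ${SiteUrl}: DenyAddAndCustomizePages=$after"
}
catch {
    Write-Output "Failed to enforce the setting on $SiteUrl."
    throw   # rethrow so the job is marked Failed and can be alerted on
}
```

Schedule the runbook daily in the Automation account and review the job output for "drifted" lines to see how often the setting is actually being reverted.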
Thank you so much!! The article is super helpful; I'm doing this for the first time!

Unfortunately, that didn’t work for me either. The command specifically needs SharePoint admin permissions.