Although this is obviously ‘quick and dirty’, it can be useful in restoring things that aren’t easily backed up such as e.g. Logic Apps, and it can aid in change detection/tracking (git change/history). It only requires Azure DevOps which is basically free in this scenario.
The result is a bunch of .json arm templates, the same as would result in using the Export to Template function in the Azure Portal.
I wanted to allow certain users to only start specific azure runbooks in an automation account, so that I wouldn’t need separate automation accounts for each role.
This worked by assigning the ‘Automation Runbook Operator’ per runbook, and the ‘Automation Job Operator’ to the automation account for these users.
The issue
However, some of our runbooks actually run on premises as hybrid runbooks on our Hybrid Worker Group. And when a user tried to start one of those runbooks, they received an error:
“The selected Hybrid Worked Group has no active workers. Until the worker is seen again, the job might fail to start.“
The fix
After some experimenting, I found out that assigning the ‘Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/hybridRunbookWorkers/read’ action (using a custom role) at the automation account scope fixed this error and allowed our users to run hybrid jobs without seeing runbooks they don’t need to see.
The documentation also doesn’t really show (or I couldn’t find it), for what audience to request a token. Using a Logic App I eventually got it to work after a lot of trial and error 🙂
For those googling this, I encountered a bunch of these first before finding the right audience of ‘https://api.fabric.microsoft.com’
Http request failed as there is an error getting AD OAuth token: ‘AADSTS500011: The resource principal named https://api.fabric.microsoft.com/.default was not found in the tenant named XXXXX. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
Http request failed as there is an error getting AD OAuth token: ‘AADSTS500011: The resource principal named https://api.powerbi.com was not found in the tenant named XXX
Http request failed as there is an error getting AD OAuth token: ‘AADSTS500011: The resource principal named https://analysis.windows.net/powerbi/api/.default was not found in the tenant namedXXX
Http request failed as there is an error getting AD OAuth token: ‘AADSTS500011: The resource principal named https://analysis.windows.net was not found in the tenant named XXX
If you want to allow users in Sharepoint to select e.g. security groups or teams from a dropdown in a List and don’t want to manually keep that list of choices up to date….this is for you!
I’ve used Power Automate Flow for this specific scenario, but Logic Apps will of course work just as well.
First, define some variables and retrieve all the groups you want to show up in the Choice column:
Then, create a string with all the group’s names using a simple loop:
Then use ‘Send an HTTP request to Sharepoint’ to retrieve current columns (fields) defined in the list if you don’t know the GUID yet. This step is optional and uses GET to the _api/web/Lists/GetById(”)/Fields method.
Finally, use another Send an HTTP request to Sharepoint to Patch the column definition of the Choice column with the new group names.
Note we’re using PATCH for the _api/Web/Lists(guid”)/Fields(guid”) method and that I’m removing the trailing comma (,) from the data we’re patching in.
Also note that if you’re not using multiple choice but single choice you’ll need to adjust the SP.FieldMultiChoice and 15 values.
Let’s face it, Microsoft’s documentation on using Sharepoint as a data source (or sink) in ADF is pretty bad. And it doesn’t even describe how to use the Managed Identity of ADF, who still wants to register separate app credentials? Noooooo you don’t.
So here’s an example how to use Managed Identity to read a json file from a given SpO site, using minimal permissions given to ADF.
Enable MI in datafactory, I’m assuming you know how to do this.
Give ADF Sites.Selected Graph permissions, e.g. like this:
Go to https://yourtenant.sharepoint.com/sites/yoursite/_api/site/id and copy the Edm Guid:
Go to https://developer.microsoft.com/en-us/graph/graph-explorer. Log in at the top right using a user with sufficient permissions (Sites.FullControl.All), set the mode to POST, add the EDM guid in the URL and create the request body as follows (the id in the body can be found back in step 2, $Msi.AppId)
Create a REST linked service in ADF with Managed Identity auth:
