Azure Arc Book Published

I am excited to kick off the new year announcing that my 8th book has been published! This book is “Azure Arc-Enabled Kubernetes and Servers”.

I had the honor to co-author this book with a long-time friend and fellow Microsoft MVP, John Joyner. This is John’s latest book, coming 8 years after his last one!

The foreword was written by Thomas Maurer, a former MVP and now Microsoft Azure Evangelist. This book was reviewed by fellow Microsoft MVP Adnan Hendricks, and a chapter was contributed by a buddy of mine, Fred Limmer.

This book covers an exciting technology from Microsoft exploring Azure Arc-Enabled Kubernetes and Servers. This book is for DevOps professionals, system administrators, security professionals, cloud admins, and IT professionals that are responsible for servers or Kubernetes clusters both on-premises and in the cloud.

Author copies!

This book covers:

  • Introduces the basics of hybrid, multi-cloud, and edge computing and how Azure Arc fits into that IT strategy
  • Teaches the fundamentals of Azure Resource Manager, setting the reader up with the knowledge needed on the technology that underpins Azure Arc
  • Offers insights into Azure native management tooling for managing on-premises servers and extending to other clouds
  • Details an end-to-end hybrid server monitoring scenario leveraging Azure Monitor and/or Azure Sentinel that is seamlessly delivered by Azure Arc
  • Defines a blueprint to achieve regulatory compliance with industry standards using Azure Arc, delivering Azure Policy from Azure Defender for Servers
  • Explores how Git and GitHub integrate with Azure Arc; delves into how GitOps is used with Azure Arc
  • Empowers your DevOps teams to perform tasks that typically fall under IT operations
  • Dives into how to best use Azure CLI with Azure Arc

You can order the book and watch for its official release here:

https://www.amazon.com/gp/product/1484277678


Inside Azure Management Sessions now on YouTube

I recently presented at the Inside Azure management event. This event was packed full of Microsoft MVPs and community experts from around the world. The focus of the event was Azure Management based topics with some Kubernetes, AI, and DevOps topics sprinkled in.

My session was “Azure Policy Insights & Multi-Tag demo via Azure Policy”. Here is what it covered: Azure Policy is a great tool when it comes to auditing and ensuring your cloud governance is met. In this session 9-time Microsoft Azure MVP Steve Buchanan is going to take you on a full-speed ride on the ins and outs of Azure Policy and land you with a recipe for handling a multi-tagging strategy with Azure Policy. Some of the key topics you will learn from this session include:

  • Overview of Azure Policy
  • Azure Policy Configuration best practices to meet compliance (NIST, PCI, ISO, HIPAA)
  • Securing Azure services: AKS / Networking / SQL / App Service
  • Azure Policy vs RBAC
  • Overview of Azure Policy Guest Configuration
  • Tagging and more

The event has passed and if you didn’t make it no worries! All of the sessions have been recorded and uploaded to the Inside Azure management YouTube channel to be watched at your leisure. Here is the link to the YouTube channel where you can watch all the sessions:

https://bit.ly/azurevideos

The event coordinators have also set up some YouTube playlists to make it easier to find videos on the topics that pertain to you. They broke these out into the following categories: Azure Management, Artificial Intelligence in Azure, Cloud Governance, Cybersecurity, and DevOps.

You can watch my session right here:

Also here is the direct link to the video of my session on YouTube: https://youtu.be/EfAiITcExK0

Thanks for checking out my session and others from this event. Stay tuned to my blog for info on where I will be speaking next!


Speaking at Inside Azure Management Summit

I was recently added to the speaker lineup for the “Inside Azure Management Summit” happening on 7/23/2020. This event is a FREE 1-day virtual event. It features the Microsoft cloud experts from the authoring team of the “Inside Azure Management” book, Microsoft MVPs, and community experts from around the world.

Attendees will get a day full of deep-dive technical sessions across a variety of Microsoft cloud topics including:

  • DevOps and Automation
  • Cyber Security
  • Cloud Governance
  • Migration and Monitoring
  • Docker and Kubernetes
  • AI and Identity

The sessions will span a 13-hr period to allow audiences from around the world to join a portion of the event.

 I will be giving a session on Azure Policy. Here is my session info:

Session Title:

Azure Policy Insights & Multi-Tag demo via Azure Policy

 

Session Abstract:

Azure Policy is a great tool when it comes to auditing and ensuring your cloud governance is met. In this session 9-time Microsoft Azure MVP Steve Buchanan is going to take you on a full-speed ride on the ins and outs of Azure Policy and land you with a recipe for handling a multi-tagging strategy with Azure Policy. Some of the key topics you will learn from this session include:

  • Overview of Azure Policy
  • Azure Policy Use Cases
  • How Azure Policy can meet NIST standards
  • Azure Policy vs RBAC
  • Overview of Azure Policy Guest Configuration
  • Tagging and more

Here is the direct link to my session:

https://insideazuremgmt.com/session/azure-policy-insights-multi-tag-demo-via-azure-policy/

Be sure to register for this event to check out all the great sessions including mine on Azure Policy.

Here is the link to the official site:

https://www.insideazuremgmt.com

Here is the link to register:

https://www.eventbrite.com/e/inside-azure-management-the-virtual-summit-tickets-109230577598?aff=ebdssbeac


Cloud Governance, Bringing Order To Your Cloud Chaos – Podcast

Recently I was a guest on the “Day Two Cloud” podcast hosted by fellow Microsoft MVP/Pluralsight author Ned Bellavance.

We talked about how the native Azure governance & management tools (Azure Policy, Tagging, and Blueprints) can be used to bring order to your cloud environments.

Check it out here:

https://packetpushers.net/podcast/day-two-cloud-033-cloud-governance-bringing-order-to-your-cloud-chaos


Master Azure with VS Code

At Experts Live Europe 2019 I presented a session titled “Master Azure with VS Code”. This was a fun session with an engaging audience that took to Twitter after the session. There was some chatter asking whether this session was recorded. It was not. I did note that I planned to write a blog post on this topic.

Here is that blog post and it is the first one of 2020 for me! In this post, we are going to dive into how VS Code is helpful when working with Azure and the many extensions I find useful when working with Azure. This post is not meant to be the be-all and end-all of using VS Code with Azure; it comes from my own experience. Use this post as a starting point or a reference for expanding your use of VS Code with Azure. Also, check out the many other community experts and Microsoft MVPs for their additional knowledge plus tips and tricks on this topic.

VS Code Overview

First off, if you are not using VS Code, stop reading this right now, go download it and install it, then come back to finish reading. 🙂 VS Code is a must-have in your toolbox and it is free! For those that are new to VS Code, it is an open-source code editor developed by Microsoft that runs on Windows, Linux, and macOS. Here is a shortlist of the many benefits of VS Code:

  • Has support for hundreds of languages.
  • Has Integrated Terminal.
  • Is also a powerful developer tool with functionality like IntelliSense code completion and debugging.
  • Includes syntax highlighting, bracket-matching, auto-indentation, box-selection, snippets, and more.
  • Integrates with build and scripting tools to perform common tasks making everyday workflows faster.
  • Has support for Git to work with source control.
  • Large Extension Marketplace of third-party extensions.

Note that yes, VS Code is for the “IT Pro”. Not just developers.

Azure Extensions in VS Code

VS Code has a ton of extensions in general. There are a number of Azure specific extensions and you can work with Azure directly from VS Code.

If you go to the VS Code Marketplace here: https://marketplace.visualstudio.com/vscode and search on Azure you will see results for many published by Microsoft and many community based extensions for Azure. As of the time of writing this blog post, there are 93. Here is a screenshot showing some of the results:

You can also go directly to the Azure Tools extension from Microsoft here: 

https://marketplace.visualstudio.com/itemdetails?itemName=ms-vscode.vscode-node-azure-pack

Or the Azure Extensions from Microsoft here:

https://code.visualstudio.com/docs/azure/extensions

In the rest of this post, I am going to share some key extensions I use with Azure. At the end of each extension I talk about, I will post the marketplace link and note whether it is maintained by the community or Microsoft.

Deploy to Azure using VS Code

It is important to note that not all of the Azure extensions available in VS Code can be used to deploy to Azure. Some can, but most can’t. Here is a list of the Azure services that you can deploy to from extensions in VS Code, with a description of each:

  • Azure Functions: Build and manage Azure Functions serverless apps directly in VS Code with the Azure Functions extension.
  • App Service: Manage Azure resources directly in VS Code with the Azure App Service extension.
  • Docker: Deploy your website using a Docker container.
  • Azure CLI: Create, deploy, and update a website using a terminal and the Azure CLI.
  • Static website: Create, deploy, and update a static website on Azure Storage.

NOTE: This list is current at the time of writing this blog post. This will change over time.

Azure Cloud Shell in VS Code

Cloud Shell is something you should be using with Azure to make your life easier. It is an interactive command-line shell. You are authenticated to your Azure account when you launch it. It typically runs in the browser and is used for managing Azure resources. When you launch it you can choose the shell experience that is best for you, either Bash or PowerShell. With VS Code you can launch Cloud Shell directly in VS Code!

Cloud Shell is a part of the Azure Account extension. Here are some key points on using Cloud Shell with VS Code:

  • Free (storage consumed has costs.)
  • Launch Azure Cloud Shell directly in VS Code.
  • Launch Bash, PowerShell, or Upload.
  • Works in the Integrated Terminal.

Azure and open-source Tooling in Cloud Shell:

Azure Tools:

  • blobxfer
  • Azure CLI and Azure classic CLI
  • Azure Functions CLI
  • AzCopy
  • Service Fabric CLI
  • Batch Shipyard

Open-Source:

  • Bash
  • Terraform
  • Packer
  • Ansible
  • Chef InSpec
  • Puppet Bolt
  • Docker
  • Kubectl
  • Helm
  • DC/OS CLI
  • iPython Client
  • Cloud Foundry CLI

PowerShell Modules in Cloud Shell

You get the following PowerShell modules in Cloud Shell:

  • Azure Modules (Az.Accounts, Az.Compute, Az.Network, Az.Resources, Az.Storage)
  • Azure AD Management (Preview)
  • Exchange Online (In development)
  • MicrosoftPowerBIMgmt
  • SqlServer

Marketplace Link:

Azure Account: https://marketplace

Maintained By Microsoft


Walk-through: use Azure Policy modify effect to require tags

In my day to day I do cloud foundations work helping companies with their Azure governance and management. On projects we will develop a tagging strategy. A tagging strategy is only good if it is actually used.  One way to ensure that tags are used is by using Azure Policy to require tags on resource groups or resources.

In the past I have used the deny effect in an Azure Policy to require tags upon resource creation. I basically use the template as previously blogged about here: https://www.buchatech.com/2019/03/requiring-many-tags-on-resource-groups-via-azure-policy. This policy works but can be a problem because the error that is given when denied during deployment is not clear about what tags are required. Also, folks think it is a pain and slows down the provisioning process.

I set out to require tags using a different method. The idea was to use the append effect instead of deny, so that resources without the proper tags would be flagged as non-compliant and the policy would add the required tags with generic values. Someone from the cloud team could then go put in the proper values for the tags, bringing the resources into compliance. The end result was that the append effect does work when remediating with a single tag but falls down when trying to remediate using multiple tags.

I discovered that this behavior was intended and that the append effect only supports one remediation action (i.e. one tag). On 9-20-19 Microsoft updated the modify effect so that Modify can handle multiple ‘operations’ – where each operation specifies what needs to be remediated.

Now let’s walk through using the modify effect in an Azure Policy to add multiple tags on a resource group.

You will need to start off by coding your Azure Policy definition template. There are three important parts you need to ensure you have in the template: the modify effect as the effect; roleDefinitionIds, which is the role (set as Contributor here) that will be used by the managed identity; and operations, which tell Azure Policy what to do when remediating out-of-compliance resources.

"effect": "modify",

and

"roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"

and

 "operations": [
            {
            "operation": "addOrReplace",

Here is a screenshot of the template.

You can get the full Azure Policy definition ARM Template on my GitHub here:

Required Tags Azure Policy Modify Effect.json

Add the ARM template as a new policy definition in the Azure portal.

See the following screenshot to complete your Azure policy definition.


You will then see your new Azure policy definition.

Next, you need to assign the Azure policy definition. To do this click on Assignments.

See the following screenshot to complete your Azure policy assignment.


Note that this policy assignment will create a managed identity so that the policy has the ability to edit tags on existing resources.

The assignment will now be created but the evaluation has not happened so the compliance state will be set to not started as shown in the following screenshot.
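The three parts called out in this walk-through, assembled into one complete rule for resource groups. This is an added example, not the template from the author's GitHub: the tag names CostCenter and Owner, the placeholder value TBD, the definition name and the helper function Test-ModifyTagRule are assumptions, while the role ID is the one shown above.

```powershell
# Added example (not the author's template). Assumptions: tag names
# 'CostCenter' and 'Owner', placeholder value 'TBD', the definition name.
# Caveat: addOrReplace overwrites an existing value, so a resource group
# that is missing only one of the two tags gets BOTH set to the placeholder
# when it is remediated.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups" },
      {
        "anyOf": [
          { "field": "tags['CostCenter']", "exists": "false" },
          { "field": "tags['Owner']", "exists": "false" }
        ]
      }
    ]
  },
  "then": {
    "effect": "modify",
    "details": {
      "roleDefinitionIds": [
        "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
      ],
      "operations": [
        { "operation": "addOrReplace", "field": "tags['CostCenter']", "value": "TBD" },
        { "operation": "addOrReplace", "field": "tags['Owner']", "value": "TBD" }
      ]
    }
  }
}
'@

# Local check of the three parts before anything is sent to Azure.
function Test-ModifyTagRule {
    param([Parameter(Mandatory = $true)][string] $RuleJson)

    $then = ($RuleJson | ConvertFrom-Json).then
    $problems = @()

    if ($then.effect -ne 'modify') {
        $problems += "effect is '$($then.effect)', expected 'modify'"
    }
    if (-not $then.details.roleDefinitionIds) {
        $problems += 'roleDefinitionIds is missing; the managed identity would have no role to remediate with'
    }
    if (-not $then.details.operations) {
        $problems += 'operations is missing; the policy would have nothing to remediate'
    }
    foreach ($op in $then.details.operations) {
        if ($op.operation -notin 'add', 'addOrReplace', 'remove') {
            $problems += "unknown operation '$($op.operation)'"
        }
        if ($op.field -notlike 'tags*') {
            $problems += "operation targets '$($op.field)', not a tag"
        }
    }
    return $problems
}

$problems = @(Test-ModifyTagRule -RuleJson $policyRule)
if ($problems.Count -gt 0) {
    throw "Policy rule failed the local check: $($problems -join '; ')"
}

# Register the definition. Requires the Az.Resources module and an
# authenticated session (Connect-AzAccount). Mode 'All' is used because
# resource groups are not evaluated in 'Indexed' mode.
New-AzPolicyDefinition -Name 'require-rg-tags-modify' `
    -DisplayName 'Add required tags to resource groups (modify)' `
    -Policy $policyRule `
    -Mode All
```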


Presenting on Azure Stack and Native Azure Management in June/July 2019

It has been a while since presenting on Azure Stack. On June 26th I will be presenting on “Azure Stack 101 in 45 minutes” at an Azure Virtual Day Camp for a D365 user group. Here is a link to the main site:

https://www.d365ug.com/participate/azure-virtual-day

Here is a direct link to my session:

https://azurevirtualdaycamp2019.sched.com/event/PTQE/azure-stack-101-in-45-minutes?iframe=no&w=100%&sidebar=yes&bg=no

In July I will be co-presenting with Kyle Weeks at the Minnesota Azure User Group on Azure Management. The session is titled “Scale Matters: Policy + Azure Management Groups”. Come check out this session if you want to go through what Azure Management Groups are, how they scale to any complexity and the best part… how to do this with policy configurations + Azure blueprints + RBAC. Here is a link to register for the meeting:

https://www.meetup.com/Minneapolis-Azure-Cloud-Computing-Meetup/events/dtbmtpyzkbgb/


Speaking at MMS 2019

In a week I will be speaking at MMS 2019! I will be presenting 3 sessions and co-hosting 2 panels. If you are attending MMS check out my sessions and the panels. Here is the rundown:

Sessions:

Monday, May 6 • 1:00pm – 2:45pm
Deploying Infrastructure as Code with Azure and Terraform – With fellow Microsoft MVP Ned Bellavance
https://sched.co/N6cC

Tuesday, May 7 • 8:00am – 9:45am
Improving your on-prem and cloud security with Azure Security Center – With fellow Microsoft MVP Ned Bellavance
https://sched.co/N6c9

Thursday, May 9 • 1:00pm – 2:45pm
Mastering Azure with Visual Studio Code – With fellow Microsoft MVP Peter De Tender.
https://sched.co/N6d4

Panels:

Tuesday, May 7 • 3:00pm – 4:45pm
Azure Governance and Management Panel
https://sched.co/N6gD

This panel includes an all-star group from Microsoft including:

Tim Benjamin
Principal Group PM Manager, Microsoft

Michael Greene
Principal Program Manager, Microsoft

Jim Britt
Senior Program Manager, Microsoft

and

Eamon O’Reilly
Principal Program Manager, Microsoft

Thursday, May 9 • 3:00pm – 4:45pm
Azure Stack Panel Discussion – (400)
https://sched.co/N6hE

This panel consists of a bunch of Microsoft MVP rockstars and Microsoft staff including:

Ned Bellavance
Founder / Microsoft MVP, Ned in the Cloud LLC

Thomas Maurer
Senior Cloud Advocate, Microsoft

Kristopher Turner
Sr. Cloud Architect/Microsoft MVP, NTT Data Services

Bert Wolters
Principal Consultant, Class-IT

Here is the MMS website:
https://mmsmoa.com


Architect your Cloud with Azure Blueprints

Today, as a part of the Azure Governance and management announcements at Microsoft Ignite 2018, Azure Blueprints Public Preview was announced. Azure Blueprints are a core part of the cloud governance and management story. They go hand in hand with Management Groups and will take the enterprise management story of Azure up a level. In this blog post I will take a deep dive into Azure Blueprints, explaining what they are and giving an example of how they can be used.

NOTE: This is a long blog post so I have also published this content as a whitepaper. The whitepaper PDF can be downloaded here.

BLUEPRINTS OVERVIEW

At a high-level Azure Blueprints help you meet organizational cloud standards, patterns, and requirements through governed subscriptions enabled and enforced by the grouping of artifacts like ARM templates, Azure policies, RBAC role assignments, and resource groups within a Blueprint.

Blueprints can be used to lay a cloud foundation, as cloud patterns, and group cloud governance frameworks. Blueprints are a one-click solution for deploying a cloud foundation, pattern, or governance framework to an Azure subscription. Think of an Azure Blueprint as re-usable design parameters for cloud that can be shared and used across an enterprise.

Azure architects typically map out and plan the many aspects of a cloud foundation for an organization such as access management, networking, storage, policy, security/compliance, naming conventions, tagging, monitoring, backup, locations, and more. Now Azure architects can take this design work a step further, build these designs as Azure Blueprints, and then apply them to subscriptions. The Blueprints give architects a way to orchestrate the deployment of grouped components to speed up the development and provisioning of new Azure environments, ensuring they are meeting organizational compliance.

BLUEPRINTS ARE NOT AZURE POLICY

Azure Policy is a service that targets resource properties, on resources that already exist or that are being deployed, with allow or explicit deny policies. It is used to ensure resources in an Azure subscription adhere to the requirements and standards of an organization.

Azure policies can exist on their own or be a part of an Azure Blueprint. Blueprints do not replace Policy; policies are one of the Artifact types that make up a Blueprint.

THE MAKEUP OF A BLUEPRINT

Definition

A Blueprint consists of a Definition. The Definition is the design of what should be deployed. It consists of the name of the Blueprint, the description, and the Definition Location. The Definition Location is the place in the Management Group hierarchy where this Blueprint Definition will be stored, and it determines the level at which assignment is allowed. Currently you must have Contributor access to a Management Group to be able to save a Blueprint Definition to it. A Blueprint can be assigned at or below the Management Group it has set in its Definition Location. Here is a diagram to visualize Blueprint Assignment in relation to Management Group hierarchy:

Azure Blueprint Assignment

Artifacts

The Definition is where Blueprint Artifacts are added. As of right now the following is a list of the Artifact types:

  • Policy Assignments – Lets you add an Azure Policy. This can be a built-in or custom policy.
  • Role Assignments – Lets you add a user, app, or group and set the role. Only built-in roles are currently supported.
  • Azure Resource Manager templates – Lets you add an ARM Template. This does not let you import a parameters file. It does let you pre-set the parameters or set the parameters during assignment of the Blueprint.
  • Resource Groups – Lets you add a Resource Group to be created as a part of this Blueprint.

In my opinion the ARM Template artifact is the most impactful of the Blueprint artifact types because you can define such a variety of resources here. It opens the Blueprint to the power of ARM in general. Hopefully in the future we will see more scripting capability or the ability to load PowerShell scripts, runbooks, and or Functions.

There are two levels in the Artifacts. The first level is Subscription. The second level is Resource Group. Resource Group artifacts cannot be added to a Resource Group artifact. A Resource Group artifact can be created in a Subscription. An ARM Template artifact can only be created in a Resource Group artifact. Policy Assignments or Role Assignments can be created at either the Subscription or Resource Group level.

Assignment

After a Blueprint has been built it needs to be applied. Applying a Blueprint is known as Blueprint assignment. The assignment is essentially the “what was deployed” for a Blueprint. This is how the artifacts are pushed out to Azure and used to track and audit deployments in Azure.

Sequencing

When the assignment of a Blueprint is processed the default order of resource creation is:

  • Role assignment artifacts at the Subscription level
  • Policy assignment artifacts at the Subscription level
  • Azure Resource Manager template artifacts at the Subscription level
  • Resource group artifacts and its child artifacts (role assignment, policy assignment, ARM Templates) at the Resource Group level

When a blueprint includes multiple Azure Resource Manager templates there may be a need to customize the sequencing order in which the Blueprint will deploy artifacts during assignment. You customize the artifact deployment sequence by deploying a Blueprint from an ARM Template declaring a dependency within it or declaring a dependency within an ARM Template artifact in the Blueprint. You declare a dependency using the dependsOn property in JSON. This essentially is a string array of artifact names.

Resource Locking

In cloud environments consistency is key. Naturally Azure Blueprints can also leverage resource locking in Azure. Blueprints have a Locking Mode. This Locking Mode can be applied to None or All Resources and is determined during the assignment of the Blueprint. The decision cannot be changed later. If a locking state needs to be removed, then you must first remove the Blueprint assignment.

Some Blueprint artifacts create resources during assignment. These resources can have the following state:

  • Not Locked – Can be changed. Can be deleted.
  • Read Only – Can’t be changed and can’t be deleted.
  • Cannot Edit / Delete – Create, update, and delete within the resource group.

Artifacts that become Resource groups get the state of Cannot Edit / Delete automatically but you can create, update, and delete resources within them.

The high-level stages of an Azure Blueprint are: create it, assign it to a scope, and track it.

Anatomy of a Blueprint:

Azure Blueprint Anatomy

 

Blueprint does have a REST API. I am not covering the REST API in this blog post as I have not had the opportunity to spend much time working with it yet.

Now let’s look at building and assigning an Azure Blueprint.

BUILD A BLUEPRINT

Now I am going to give an example of building and using an Azure Blueprint in a cloud foundation mock scenario. In my mock scenario I have 3 Azure subscriptions. Each subscription should have a Core services Resource Group consisting of a core VNet with 3 subnets, an NSG for each subnet, and the web subnet should be ready for DMZ traffic. For the core VNet and any additional VNet added to the Core Services Resource Group I need network watcher deployed to it.

Each subscription also should have a core storage account and a blob storage that is ready for general storage needs. I want a tag applied to any Blueprint assignment labeling it with the assignment name, so it is easy to track. The last requirement I have is that I need the CloudOps team to automatically be owner of all core services resources. To accomplish all of this I created the following Blueprint:

Now let’s walk through the parts of creating and assigning the Blueprint. The first step is to create the Blueprint Definition.

In the basics step I give it a meaningful name and meaningful description. I set the Definition Location to the root of my Management groups. Doing this will allow me to assign this Blueprint to all 3 subscriptions in turn creating the core services RG in each subscription.

Next the Artifacts need to be added. Note that when adding an Artifact at the Subscription level you have these options as types:

The Resource Group Artifact type is only available at the subscription level and the ARM template Artifact type is only available at the Resource Group level. I added the Resource Group that the core networking and core storage will be deployed into.


The “argument is null or empty” error in Azure Automation Runbook

I was recently working on an Azure Automation runbook that provisions an empty resource group in Azure. I was running into an issue when the runbook ran that the variable being used with New-AzureRmRoleAssignment was null. The errors I was receiving are:

New-AzureRmRoleAssignment : Cannot validate argument on parameter ‘SignInName’. The argument is null or empty. Provide
an argument that is not null or empty, and then try the command again.
At line:96 char:39
+ New-AzureRmRoleAssignment -SignInName $RequesterSignIn -RoleDefinitio …
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [New-AzureRmRoleAssignment], ParameterBindingValidationException
+ FullyQualifiedErrorId :
ParameterArgumentValidationError,Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand

and

New-AzureRmRoleAssignment : Cannot validate argument on parameter ‘ObjectId’. Specify a parameter of type ‘System.Guid’
and try again.
At line:97 char:37
+ New-AzureRmRoleAssignment -ObjectID $RequesterID -RoleDefinitionName  …
+                                     ~~~~~~~~~~~~
+ CategoryInfo          : InvalidData: (:) [New-AzureRmRoleAssignment], ParameterBindingValidationException
+ FullyQualifiedErrorId :
ParameterArgumentValidationError,Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand

It turned out to be a permission issue: the AzureRM.Resources cmdlets were not able to talk to AAD, specifically Get-AzureRmADUser, which I was using for a variable.

To fix this I had to give the following permissions for the AAD directory to the AzureServicePrincipal Run As Account:

Windows Azure Active Directory (AAD)
Application Permissions

  • Read/Write directory data
  • Read directory data

Delegated Permissions
  • Read directory data
  • Read all users’ full profiles
  • Read all users’ basic profiles

Microsoft Graph
App Permissions
  • Read directory data
In your runbook code you will typically have

# Authenticate to Azure resources
$connectionName = "AzureRunAsConnection"

# Get the connection "AzureRunAsConnection"
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Login-AzureRmAccount `
    -ServicePrincipal `
    -TenantId $servicePrincipalConnection.TenantId `
    -ApplicationId $servicePrincipalConnection.ApplicationId `
    -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint

You may have some differences, like the connection variable and the name of the Run As connection. The point here is that the Run As connection is what needs to have the proper permissions. You can find this account here to get the name and ApplicationID:

To give the permissions go to Azure Active Directory>the directory you are using in this automation>App registrations>and search based on the ApplicationID. Don’t forget to select All apps in the drop down.

Click on Add first and add the AAD and then Microsoft Graph permissions.

After you add the proper permissions make sure you click on Grant Permissions. The permissions are not actually applied until you do this. Once you click on Grant permissions you will see the prompt shown in the screenshot. Click Yes.

Verify the permissions have been added properly. In AAD go to All applications>select All applications. Find your service principal application.

Click on the service principal application’s permissions.

Verify the AAD and graph permissions are listed. If the AAD and graph permissions are listed then the runbook should be good to go.
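A guard for the failure described in this post, as an added example rather than the author's runbook: it stops with a clear message when the directory lookup fails or returns nothing, instead of passing a null value to New-AzureRmRoleAssignment. The parameters, the helper function Resolve-RequesterId, the Reader role and the message wording are assumptions; the cmdlets and the variable names $RequesterSignIn and $RequesterID come from the post.

```powershell
# Added example, not the original runbook. The parameters, the role name
# 'Reader' and the error messages are assumptions made for illustration.
param(
    [Parameter(Mandatory = $true)][string] $RequesterSignIn,    # UPN of the requester
    [Parameter(Mandatory = $true)][string] $ResourceGroupName   # existing resource group
)

# Turn non-terminating cmdlet errors into exceptions so nothing is skipped silently.
$ErrorActionPreference = 'Stop'

# Authenticate with the Run As account, as in the post.
$servicePrincipalConnection = Get-AutomationConnection -Name 'AzureRunAsConnection'
Login-AzureRmAccount `
    -ServicePrincipal `
    -TenantId $servicePrincipalConnection.TenantId `
    -ApplicationId $servicePrincipalConnection.ApplicationId `
    -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint | Out-Null

function Resolve-RequesterId {
    param(
        [Parameter(Mandatory = $true)][string] $SignInName,
        [Parameter(Mandatory = $true)][string] $RunAsApplicationId
    )

    try {
        # @() gives an empty array, not $null, when the lookup returns nothing.
        $found = @(Get-AzureRmADUser -UserPrincipalName $SignInName)
    }
    catch {
        throw ("Directory lookup for '$SignInName' failed: $($_.Exception.Message) " +
               "Check the directory read permissions granted to application $RunAsApplicationId.")
    }

    if ($found.Count -eq 0) {
        throw ("No directory user returned for '$SignInName'. Either the user does not exist " +
               "or application $RunAsApplicationId cannot read the directory.")
    }
    if ($found.Count -gt 1) {
        throw "Lookup for '$SignInName' returned $($found.Count) users; refusing to guess."
    }
    if (-not $found[0].Id -or $found[0].Id -eq [Guid]::Empty) {
        throw "User '$SignInName' was returned without an object ID."
    }
    return $found[0].Id
}

# Fails here, with a message that names the Run As application, rather than
# at New-AzureRmRoleAssignment with 'The argument is null or empty'.
$RequesterID = Resolve-RequesterId `
    -SignInName $RequesterSignIn `
    -RunAsApplicationId $servicePrincipalConnection.ApplicationId

New-AzureRmRoleAssignment `
    -ObjectId $RequesterID `
    -RoleDefinitionName 'Reader' `
    -ResourceGroupName $ResourceGroupName
```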
