Azure lighthouse - cross tenant automation - azure

I am preparing an automated solution in my Azure environment. I have to provide automation that will be able to manage resources in multiple Azure subscriptions spread across different Azure tenants. I am currently testing Azure Lighthouse, and it's a very useful service in the case of Backup and Update Management service management (multiple subscriptions, many tenants). In the MS documentation - Azure Lighthouse - cross-tenant management experience - there is a section "Azure Automation" with the short description "Use Automation accounts to access and work with delegated resources." The question is: how does it work? I didn't find a method to run a runbook from one central subscription and manage resources (list VMs, Storage Accounts) in a remote/customer's subscription. Is there any way to use Azure Lighthouse for running Automation runbooks from one central point and managing resources in the customer's account? I know that we can use Azure Monitor, create alerts and use them to run runbooks that manage resources in customers' accounts.

This answer is not related to Azure Lighthouse, but you can have an Automation runbook access multiple subscriptions by providing the necessary permissions.
$connectionName = "AzureRunAsConnection"
try
{
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Connect-AzAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
$Subs = Get-AzSubscription # filter by name here if needed, e.g. Where-Object Name -like 'prod-*'
foreach ($Sub in $Subs) {
    # Switch the context to each subscription in turn; the Run As service principal
    # must already hold a role (e.g. Reader or Contributor) on every subscription listed
    Set-AzContext -SubscriptionId $Sub.Id | Out-Null
    # Rest of your script goes here
}
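The cross-tenant inventory the question asks for, as an added example that is not part of the original answer: a runbook body that runs after the Run As login above has succeeded and walks every subscription the service principal can see, including ones delegated through Azure Lighthouse. It assumes Az.Accounts (a version whose subscription objects expose HomeTenantId), Az.Compute and Az.Storage are imported into the Automation account, and that the Run As service principal is an authorized principal in each customer's Lighthouse delegation.

```powershell
# Added example (not from the original post). Assumes the Run As login has already run,
# that Az.Accounts/Az.Compute/Az.Storage are imported, and that the Run As service
# principal is listed as an authorized principal in each customer's Lighthouse delegation.

$homeTenant = (Get-AzContext).Tenant.Id
$report = @()

# Get-AzSubscription returns Lighthouse-delegated subscriptions too; HomeTenantId tells them apart
foreach ($sub in Get-AzSubscription | Where-Object State -eq 'Enabled') {
    $isDelegated = $sub.HomeTenantId -and ($sub.HomeTenantId -ne $homeTenant)
    Write-Output ("Scanning {0} ({1}) delegated={2}" -f $sub.Name, $sub.Id, $isDelegated)

    try {
        # Switch the context; no extra login is needed for Lighthouse-delegated scopes
        Set-AzContext -SubscriptionId $sub.Id -ErrorAction Stop | Out-Null

        $vms     = Get-AzVM -ErrorAction Stop
        $storage = Get-AzStorageAccount -ErrorAction Stop

        foreach ($vm in $vms) {
            $report += [pscustomobject]@{
                Subscription = $sub.Name; HomeTenant = $sub.HomeTenantId; Delegated = $isDelegated
                Type = 'VM'; Name = $vm.Name; ResourceGroup = $vm.ResourceGroupName
            }
        }
        foreach ($sa in $storage) {
            $report += [pscustomobject]@{
                Subscription = $sub.Name; HomeTenant = $sub.HomeTenantId; Delegated = $isDelegated
                Type = 'StorageAccount'; Name = $sa.StorageAccountName; ResourceGroup = $sa.ResourceGroupName
            }
        }
    }
    catch {
        # A delegation whose role is too narrow (e.g. no Reader on the subscription) lands here;
        # log it and carry on so one customer's misconfiguration does not abort the whole run
        Write-Warning ("Skipping {0}: {1}" -f $sub.Id, $_.Exception.Message)
    }
}

# Emit the inventory as runbook output; a caller or an Azure Monitor alert can consume it
$report | Sort-Object Delegated, Subscription, Type, Name | Format-Table -AutoSize | Out-String
```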

Related

Can i use the same run as account for different azure automation accounts?

I have created a Run As Account for an Azure Automation account. Is it possible to use the same Run As Account in a different Automation account by creating a new automation connection with the same service principal?
I have tried to create a new automation connection in a different Automation account with the same service principal, but in the runbook I get the error
No certificate was found in the certificate store with thumbprint xxxxxxxxxxxxxxxxxxxx
Any idea?
Let's say the old automation account is account 1, the new one is account 2.
If you create a Run As Account for account 2, it will create a new service principal. If you want to use the service principal of the Run As Account in account 1, you could simply add a new Connection in account 2 like below.
Fix the values with the ones in Run As Account of account 1.
No certificate was found in the certificate store with thumbprint xxxxxxxxxxxxxxxxxxxx
For this issue, maybe there are some issues with the old certificate, you could click the Renew certificate and try again.
Then in your runbook, e.g. a PowerShell runbook, you could use the new connection to authenticate with the same service principal.
$connectionName = "testconn"
try
{
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Connect-AzAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
}
}

PowerShell AzureAD module returns different objects when running from Azure compared to locally

I have an Azure Automation Hybrid Worker set up. When I run a simple
Get-AzureADUser -SearchString "user#domain"
through the PowerShell console on the Hybrid Worker VM, I get the proper user object as a response.
But when I run the exact same statement from an Azure Automation runbook on the same Hybrid Worker, null is returned.
It's driving me crazy to debug this inconsistency; I'm using the same account to authenticate against Azure.
Can you make sure that the Azure Run As account is set up and the required certificate in PFX is installed on the Hybrid Worker? And also, can you try having only the user name in the SearchString?
Within the runbook you can use the below snippet to connect to AzureAD and then call Get-AzureADUser
$connectionName = "AzureRunAsConnection"
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
"Logging into Azure AD....."
Connect-AzureAD -TenantID $servicePrincipalConnection.TenantID -ApplicationId $servicePrincipalConnection.ApplicationId -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
Get-AzureADUser -SearchString "membername"
The pane below should help you test the runbook and show the status of the runbook or any errors you might see.
Additional documentation reference to create Azure Automation Run As Account.
Hope this helps.

Set notification for Azure AD Apps key expiration

I was looking for a way to get notified before an Azure AD app key/credential expires. The link shows the script to list the details of the account and the expiration date. Is it possible to somehow automate this using Azure native apps such as Logic Apps or Azure Monitor to notify via email/SMS one week before expiration?
In my personal opinion, I recommend you use an Azure Automation runbook to do that.
1. Create an Automation account (you need to create a Run As account) and a runbook (PowerShell type).
2. Navigate to the Automation account in the portal -> Modules -> Browse Gallery -> import the AzureAD module.
3. Follow this link to assign a directory role to the service principal generated by the Run As account (I am not sure which role will be enough for Get-AzureADApplication; you could try the Global Administrator directly).
4. In your runbook, use the script below to log in with the service principal. Then run the sample in your question to get the expiry date, write some if/else statements to compare it with the current time and judge, then use Send-MailMessage to send a mail message. Then save and publish your runbook.
$connectionName = "AzureRunAsConnection"
try
{
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Connect-AzureAD `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
5. Navigate to the runbook in the portal -> Schedules -> create and link a recurrence schedule to your runbook, maybe every hour or every day; the details depend on you.
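The compare-and-notify part of step 4, as an added example that is not part of the original answer: it runs after the Connect-AzureAD login above has succeeded, checks both client secrets (PasswordCredentials) and certificates (KeyCredentials) of every application, and mails a report when any of them expire within seven days. It assumes the AzureAD module is imported, the service principal can read applications, and that the Automation variables and credential named in the code (SmtpServer, AlertFrom, AlertTo, SmtpCredential) exist; those names are chosen here, not taken from the page.

```powershell
# Added example (not from the original answer). Assumes Connect-AzureAD has already succeeded
# and that the Automation assets SmtpServer, AlertFrom, AlertTo and SmtpCredential exist
# (names chosen for this example).

$WarnDays = 7
$now      = (Get-Date).ToUniversalTime()
$expiring = @()

foreach ($app in Get-AzureADApplication -All $true) {
    # Both secrets (PasswordCredentials) and certificates (KeyCredentials) expire
    $creds = @($app.PasswordCredentials | ForEach-Object { [pscustomobject]@{ Kind = 'Secret';      Cred = $_ } }) +
             @($app.KeyCredentials      | ForEach-Object { [pscustomobject]@{ Kind = 'Certificate'; Cred = $_ } })
    foreach ($c in $creds) {
        if (-not $c.Cred.EndDate) { continue }   # credential without an end date cannot expire
        $daysLeft = [math]::Floor(($c.Cred.EndDate - $now).TotalDays)
        if ($daysLeft -le $WarnDays) {
            $expiring += [pscustomobject]@{
                Application = $app.DisplayName
                AppId       = $app.AppId
                Kind        = $c.Kind
                KeyId       = $c.Cred.KeyId
                EndDate     = $c.Cred.EndDate
                DaysLeft    = $daysLeft   # negative means it has already expired
            }
        }
    }
}

if ($expiring.Count -eq 0) {
    Write-Output "No application credentials expire within $WarnDays days."
    return
}

$body = $expiring | Sort-Object DaysLeft | Format-Table -AutoSize | Out-String
Write-Output $body   # also kept in the job output in case mail delivery fails

$mail = @{
    SmtpServer = Get-AutomationVariable -Name 'SmtpServer'
    From       = Get-AutomationVariable -Name 'AlertFrom'
    To         = Get-AutomationVariable -Name 'AlertTo'
    Subject    = "$($expiring.Count) Azure AD app credential(s) expire within $WarnDays days"
    Body       = $body
    Credential = Get-AutomationPSCredential -Name 'SmtpCredential'
    UseSsl     = $true
}
Send-MailMessage @mail
```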

difference between 'Azure' and 'AzureServicePrincipal' in -ConnectionTypeName

1) What is the difference between 'Azure' and 'AzureServicePrincipal' in -ConnectionTypeName in New-AzureRMAutomationConnection?
2) When to use 'Azure' and when to use 'AzureServicePrincipal'?
Good question (+1). Actually, I also tried to figure out the answer to your question for many days, but guess what! Microsoft itself doesn't have enough documentation to explain this.
Actually, there are 3 different connection types:
Azure
Azure Service Principal
Azure Classic Certificate
Azure Service Principal (Azure Run As Account) - This account is used to manage Resource Manager deployment model resources.
Azure Classic Certificate (Azure Classic Run As Account) - This account is used to manage Classic deployment model resources.
You can find the full details here.
But regarding the connection type "Azure", I was not able to find anything in any official Microsoft docs.
So, I opened an issue regarding the same on GitHub.
You can track it below:
https://github.com/Azure/azure-powershell/issues/7048
So, as you are trying to automate the runbook, you can use the script below for authenticating with Azure inside your workflow/script. Create the Automation account with "Create Azure Run As Account" set to Yes.
Then you can include this piece of code in your workflow.
Write-Output "------------------------ Authentication ------------------------"
$connectionName = "AzureRunAsConnection"
try {
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Connect-AzureRmAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection) {
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
}
else {
Write-Error -Message $_.Exception
throw $_.Exception
}
}
## End of authentication

How to query entities from Azure Storage Table with AzureRM?

I have a couple of Azure runbooks which use AzureRM to automatically scale service plans depending on some configuration.
That configuration is saved in my Azure Storage Account as entities in a table.
However, I can't find a way to read the entities from that table using AzureRM in my runbooks...
I can't use any Az modules because it would complain about also importing AzureRM next to Az. And I don't want to have 2 separate Automation accounts just to be able to use AzureRM and Az at the same time.
So is there any way to get all the entities from an Azure Storage Table using the AzureRM module?
According to my test, if you want to use the AzureRm module to get all the entities from an Azure Storage Table, you can use the module AzureRmStorageTable. But please note that only versions lower than 1.0.0.23 work. For more details, please refer to https://github.com/paulomarquesc/AzureRmStorageTable/blob/master/ReleaseNotes.md.
For example:
$connectionName = "AzureRunAsConnection"
try
{
# Get the connection "AzureRunAsConnection"
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Add-AzureRmAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
$table = Get-AzureStorageTableTable -resourceGroup jimtest -tableName SchemasTable -storageAccountName jimtestdiag417
Get-AzureStorageTableRowAll -table $table
Update
Regarding how to install the specific version of the module for an Azure Automation account, you can do that via the page.
Thanks to the comment of Michael B. on my question, the following has fixed my problem:
Could also make use of the alias option in the Az module. learn.microsoft.com/en-us/powershell/module/az.accounts/… . This will allow you to use (most) AzureRM functions, while also using the Az module
