How to run one Azure Automation runbook for all subscriptions in same tenant? - azure

How can we run one Azure Automation runbook for all our subscriptions in the same tenant? Currently, I am making use of one runbook which retrieves the resources in the tenant, but it is listing the resources only from one subscription whereas I have 3 subscriptions present.
How do I make sure it outputs all the resources from all subscriptions? Please help

The problem is that the runbook runs in the security context of an Azure automation account and that account is connected to a subscription and therefore only sees resources within that subscription.
https://learn.microsoft.com/en-us/azure/automation/automation-create-standalone-account
There is an "Azure management group" which works cross-subscription:
https://learn.microsoft.com/en-us/azure/governance/management-groups/overview
It may be possible to run the runbook in a context of a management group user that has access to all subscriptions. But I have never tried this so not sure if it would work.
I would suggest that you install and run the runbook in each subscription. Then combine the contents of each report.
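The single-runbook route the answer mentions as a possibility, sketched as an added example that is not part of the original answer. It assumes the Automation account has a system-assigned managed identity that has been granted the Reader role on each subscription (or once on a management group that contains them); the output column names are illustrative.

```powershell
# Added example: inventory resources in every subscription the runbook identity can read.
# Assumption: system-assigned managed identity with Reader on each subscription
# or on a parent management group. Reader is enough for a listing runbook.

# Keep the sign-in context local to this job so it cannot leak between runbook jobs.
Disable-AzContextAutosave -Scope Process | Out-Null

# Sign in as the managed identity; no stored credential or certificate is involved.
Connect-AzAccount -Identity | Out-Null
$tenantId = (Get-AzContext).Tenant.Id

# Only subscriptions where the identity holds a role assignment are returned,
# so a missing subscription here points at a missing role assignment.
$subscriptions = Get-AzSubscription -TenantId $tenantId |
    Where-Object { $_.State -eq 'Enabled' }

$inventory = foreach ($sub in $subscriptions) {
    try {
        # Switch context explicitly and pass it on, instead of relying on a default.
        $ctx = Set-AzContext -Subscription $sub.Id -Tenant $tenantId -ErrorAction Stop
        Get-AzResource -DefaultProfile $ctx -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{
                Subscription   = $sub.Name
                SubscriptionId = $sub.Id
                ResourceGroup  = $_.ResourceGroupName
                Name           = $_.Name
                Type           = $_.ResourceType
                Location       = $_.Location
            }
        }
    }
    catch {
        # Report the gap rather than silently producing a partial inventory.
        Write-Warning "Skipped subscription $($sub.Name): $($_.Exception.Message)"
    }
}

Write-Output ("Subscriptions visible to the identity: {0}" -f @($subscriptions).Count)
$inventory | Sort-Object Subscription, ResourceGroup, Name
```

If the count printed is lower than the number of subscriptions in the tenant, the identity lacks a role assignment on the missing ones.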

Related

Azure Automation: How to start Azure Runbook from Hybrid Runbook - without another authentication?

I have a working Azure Automation Hybrid Runbook Worker that is successfully executing runbooks. From one such Hybrid runbook I need to pass a result on to another runbook that must run on Azure, not on the Hybrid Worker.
After doing some research it seems that I have to use the Start-AzAutomationRunbook cmdlet to start the Azure runbook - which requires a Connect-AzAccount before, which means additional authentication:
To use Start-AzAutomationRunbook, the script must authenticate to your Azure subscription.
But this seems overly complicated. Is there a less complex way to chain Azure and Hybrid runbooks? Without having to explicitly authenticate again? Overall, the runbooks are located in the same Automation account right next to each other.

Accessing classic resources in multiple subscriptions using AzureClassicRunAsAccount

I want to access classic Azure resources present in multiple subscriptions in my Azure PowerShell runbook. I use AzureClassicRunAsAccount for accessing the resources in my subscription. For ARM resources which use AzureRunAsAccount, I understand an SPN is created, and giving access to the SPN on a different subscription will let the runbook access it. But how do I do the same for ClassicRunAsAccount? This doesn't have an SPN created, right?

Error creating Azure Batch service

I can't create an Azure Batch service. I keep getting error: "Please assign Contributor role to "MicrosoftAzureBatch" service principal through your Subscription's Access control (IAM) blade." even after adding it to my subscription Access control (IAM):
We could get the detailed steps about how to create a Batch account with the Azure portal from the official Azure document. It is odd that you cannot create the service if you have assigned the Contributor role.
If it is still not working for you, please try to create a Batch account. As the document mentions, user subscription mode is no longer recommended for most scenarios.
When creating a Batch account, you should generally choose the default Batch service mode, in which pools are allocated behind the scenes in Azure-managed subscriptions. In the alternative user subscription mode, which is no longer recommended for most scenarios, Batch VMs and other resources are created directly in your subscription when a pool is created. To create a Batch account in user subscription mode, you must also register your subscription with Azure Batch, and associate the account with an Azure Key Vault.
I've already fixed the problem. It seems there was a permissions issue, and the error message was not clarifying at all, though. I've been able to create the Azure Batch service by logging into the Azure portal with the subscription owner account, instead of mine.

Subscription Admin in Azure CSP subscription

Is it possible to become Subscription Co-Admin in a CSP subscription? My current role is Owner.
I have a problem with some runbooks in a RunAs Automation Account. The runbook fails to execute commands with a Forbidden error. I think that is because the Automation Account was created with an account which is not Co-Admin.
Unfortunately, Azure CSP subscriptions have the limitation that they do not allow you to add users as Co-Administrators from the Azure Portal. If I am not mistaken, there is a process that can be done from the Azure Partner Center:
https://learn.microsoft.com/en-us/partner-center/develop/how-to--associate-a-partner-center-account-with-an-active-azure-subscrption-account
Hope this is of help to you!

Only give PS access to a specific VM?

I have a VM running in Azure which I would like the client to be able to turn on/off easily. I thought this would be simple; just a PS script that performs a startup/shutdown/dealloc. But it seems I can't generate an "Azure Publish Settings" file that only gives access to that VM? At the moment it seems I can only control this at the subscription level?
The Azure Publish Settings file basically contains the access information for an entire Azure subscription. It does not specify access to a specific resource (e.g. VM) but to all resources inside of a subscription.
To limit access to a subset of resources in Azure, you should be looking at the new role-based access (RBAC) functionality, which is available in the Azure preview portal and the latest Azure PowerShell cmdlets.
How it works is that you create an Azure resource group, to which you can assign roles with specific rights, and to this role you can then assign individual users.
Check the following Azure documentation link for details on how to do this.
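A least-privilege version of the RBAC approach described in this answer, as an added example that is not part of the original post. It goes one step further than the resource-group assignment the answer describes by scoping the role to the single VM; the subscription ID, resource group, VM name, role name and user are placeholders.

```powershell
# Added example: a custom role limited to reading, starting and stopping VMs,
# assigned at the scope of one VM only. All identifiers below are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$vmScope = "/subscriptions/$subscriptionId/resourceGroups/rg-client" +
           "/providers/Microsoft.Compute/virtualMachines/vm-client01"
$clientUser = 'client.user@example.com'

# Start from a built-in role object and strip it down to the power operations.
$role = Get-AzRoleDefinition -Name 'Virtual Machine Contributor'
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = 'VM Power Operator (example)'
$role.Description = 'Can view, start, power off and deallocate a virtual machine.'

$role.Actions.Clear()
$role.Actions.Add('Microsoft.Compute/virtualMachines/read')
$role.Actions.Add('Microsoft.Compute/virtualMachines/instanceView/read')
$role.Actions.Add('Microsoft.Compute/virtualMachines/start/action')
$role.Actions.Add('Microsoft.Compute/virtualMachines/powerOff/action')
$role.Actions.Add('Microsoft.Compute/virtualMachines/deallocate/action')
$role.NotActions.Clear()

# The definition is made available in the subscription; the grant itself is narrower.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")
New-AzRoleDefinition -Role $role | Out-Null

# Grant the role on the one VM, not on the resource group or subscription.
# A newly created role definition can take a short while to become assignable.
New-AzRoleAssignment -SignInName $clientUser `
    -RoleDefinitionName $role.Name `
    -Scope $vmScope | Out-Null

# Review what the user can now reach at that scope.
Get-AzRoleAssignment -SignInName $clientUser -Scope $vmScope |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

The client then signs in with their own account and runs Start-AzVM or Stop-AzVM against that VM, with no subscription-wide credential file to hand over.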
