Execute Azure Automation Runbooks Across Tenants - azure

I am able to execute Runbooks within my Azure tenant/subscription, but would like to use a single Azure Automation Account in my tenant to execute Runbooks against other tenants and their subscriptions.
I have found this article for running against multiple subscriptions, but is it possible to have a centralized Azure Automation Account in one tenant that can connect and execute against other tenants and their subscriptions?
https://blogs.technet.microsoft.com/knightly/2017/05/26/using-azure-automation-with-multiple-subscriptions/

Based on my knowledge, if your account is an Azure AD account, it is possible. Also, if your account is a Microsoft account, you could also create an Azure AD account. For more information about how to create a new Azure AD user, please refer to this link.
You could create a credential and store your account and password in it.
You can retrieve the credential in a runbook using the Get-AutomationPSCredential activity and then use it with Add-AzureRmAccount to connect to your Azure subscription. The following commands work for me.
$cred = Get-AutomationPSCredential -Name "shuitest"
Add-AzureRmAccount -Credential $cred
Select-AzureRmSubscription -SubscriptionName "Your Subscription Name"
For more information about this, you could refer to this link.
If you want to login multiple tenants in one runbook, you need to sign in separately and execute your PowerShell cmdlets.

So I stumbled upon this article, which offers guidance on how to do what you want:
https://blogs.technet.microsoft.com/knightly/2017/05/26/using-azure-automation-with-multiple-subscriptions/
Basically what I said: get the appId and grant it permissions to perform actions on other subs.

I was struggling with the same issue today, specifically how to authenticate cross-tenant. I solved the authentication part of it by having an Azure Automation Account in both of my tenants, both with a RunAs Account.
By default these will be called AzureRunAsConnection
Tenant01 is my main Tenant that holds the Automation Account that does all the work.
Tenant02 is "passive".
Use this script to export the certificate of Tenant02.
Import the certificate into Tenant01.
In Tenant01 add an additional RunAs connection (e.g. "AzureRunAsConnection02") and enter the ApplicationId, TenantId, CertificateThumbprint and SubscriptionId of the RunAs account from Tenant02.
With identical RunAs accounts and certificates in both tenants you should now be able to switch between your Tenants in your runbook with:
Get-AutomationConnection -Name AzureRunAsConnection
Get-AutomationConnection -Name AzureRunAsConnection02
etc...
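The switching the answer above describes, carried through to a complete runbook, as an added example that is not part of the original answer. It assumes the Az modules (Az.Accounts, Az.Resources) are imported into the Automation account, that the two connection asset names are the ones from the answer, and that the certificate referenced by each asset's CertificateThumbprint has been imported into this account as a certificate asset; the per-tenant work (listing resource groups) is a placeholder.

```powershell
# Added example: one runbook in Tenant01 that signs in to every tenant for which a
# connection asset exists and runs the same work in each.
# Asset names are assumed; the first is the default created with the Run As account.
$connectionNames = @('AzureRunAsConnection', 'AzureRunAsConnection02')

function Connect-TenantFromAsset {
    param([Parameter(Mandatory)][string] $ConnectionName)

    $conn = Get-AutomationConnection -Name $ConnectionName
    if (-not $conn) {
        throw "Connection asset '$ConnectionName' was not found in this Automation account."
    }

    # Explicit -Tenant ties the login to one directory instead of the 'Common' endpoint.
    $null = Connect-AzAccount -ServicePrincipal `
        -Tenant $conn.TenantId `
        -ApplicationId $conn.ApplicationId `
        -CertificateThumbprint $conn.CertificateThumbprint `
        -ErrorAction Stop

    # Pin the context to the subscription recorded in the asset rather than whatever
    # subscription Connect-AzAccount happened to select as the default.
    return Set-AzContext -Subscription $conn.SubscriptionId -Tenant $conn.TenantId -ErrorAction Stop
}

foreach ($name in $connectionNames) {
    try {
        $ctx = Connect-TenantFromAsset -ConnectionName $name
        Write-Output ("Connected to tenant {0}, subscription {1}" -f $ctx.Tenant.Id, $ctx.Subscription.Id)

        # Placeholder per-tenant work: list resource groups. Replace with the real actions.
        Get-AzResourceGroup |
            ForEach-Object { Write-Output ("  {0} ({1})" -f $_.ResourceGroupName, $_.Location) }
    }
    catch {
        Write-Error ("Work in tenant connection '{0}' failed: {1}" -f $name, $_.Exception.Message)
    }
    finally {
        # Drop the cached context so the next iteration cannot silently reuse this tenant.
        Disconnect-AzAccount -ErrorAction SilentlyContinue | Out-Null
    }
}
```

The Disconnect-AzAccount in the finally block matters: without it a failed Connect-AzAccount in the second iteration leaves the first tenant's context active, and the "other tenant" work would quietly run against the wrong directory.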

Related

Scheduling Azure Virtual Machine (VM) Startup with Tags

I am trying to put some auto start policy on my VM on Azure.
So, I used an Automation account and a PowerShell script to do this, from this link: https://adamtheautomator.com/azure-vm-schedule/
But on testing it gives me the error "Run Login-AzureRmAccount to login".
Please suggest how to fix this?
## Get the Azure Automation Account Information
$azConn = Get-AutomationConnection -Name 'AzureRunAsConnection'
## Add the automation account context to the session
Add-AzureRmAccount -ServicePrincipal -Tenant $azConn.TenantID -ApplicationId $azConn.ApplicationId -CertificateThumbprint $azConn.CertificateThumbprint
## Get the Azure VMs with tags matching the value '10am'
$azVMs = Get-AzureRmVM | Where-Object { $_.Tags.StartTime -eq '10am' }
## Start VMs
$azVMs | Start-AzureRmVM
Regards
ESNGSRJ
This can happen when the Run As account isn't configured appropriately. You will need to create one to provide authentication for managing resources on the Azure Resource Manager using Automation runbooks.
When you create a Run As account, it performs the following tasks:
Creates an Azure AD application with a self-signed certificate, creates a service principal account for the application in Azure AD, and assigns the Contributor role for the account in your current subscription.
Creates an Automation certificate asset named AzureRunAsCertificate in the specified Automation account.
Creates an Automation connection asset named AzureRunAsConnection in the specified Automation account.
Please note the following requirements from the referenced link:
You must have an Azure Automation Account with an Azure Run As account already prepared. If you don’t have this yet, learn how to create one when you go to Create a new Automation account in the Azure portal.
The Azure PowerShell module must be installed. If you don’t have this yet, please go to the Install the Azure PowerShell module page for more information.
Note: You can configure your Runbook to use managed identities as well and it has added benefits as compared to using Run As accounts. You can get started with this tutorial to use managed identity.
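The managed-identity route the note above recommends, applied to the question's tag-driven VM start, as an added example that is not from the original question or answer. It assumes the Automation account has a system-assigned managed identity holding Virtual Machine Contributor on the target subscription, that Az.Accounts and Az.Compute are imported, and that VMs carry a tag named StartTime; the runbook parameters and their defaults are assumptions that mirror the original script's '10am' value.

```powershell
# Added example: tag-driven VM start using the Az modules and a managed identity.
# No Run As account, certificate or connection asset is involved.
param(
    # Hypothetical runbook parameters; defaults match the original script.
    [string] $TagName        = 'StartTime',
    [string] $TagValue       = '10am',
    [string] $SubscriptionId = ''   # empty = the identity's default subscription
)

# Stop on the first unhandled error rather than continuing with a bad context.
$ErrorActionPreference = 'Stop'

# Managed identity login; this replaces Get-AutomationConnection + Add-AzureRmAccount.
$null = Connect-AzAccount -Identity
if ($SubscriptionId) {
    $null = Set-AzContext -Subscription $SubscriptionId
}
$ctx = Get-AzContext
Write-Output ("Running as {0} in subscription {1}" -f $ctx.Account.Id, $ctx.Subscription.Name)

# -Status populates PowerState on each VM so we can skip VMs that are already running.
$targets = Get-AzVM -Status |
    Where-Object { $_.Tags[$TagName] -eq $TagValue } |
    Where-Object { $_.PowerState -match 'deallocated|stopped' }

if (-not $targets) {
    Write-Output "No VMs tagged $TagName=$TagValue need starting."
    return
}

foreach ($vm in $targets) {
    try {
        Write-Output ("Starting {0}/{1} (was: {2})" -f $vm.ResourceGroupName, $vm.Name, $vm.PowerState)
        # -NoWait returns immediately so the runbook does not block on each boot.
        $null = Start-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -NoWait
    }
    catch {
        # Report and continue so one failing VM does not block the rest of the schedule.
        # -ErrorAction Continue overrides the Stop preference set above for this call only.
        Write-Error -Message ("Failed to start {0}: {1}" -f $vm.Name, $_.Exception.Message) -ErrorAction Continue
    }
}
```

The role assignment is the whole security model here: the identity can only start VMs where it has been granted the role, and there is no credential or certificate asset to rotate or leak.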

How to access multiple Azure subscription through SPN in Azure Devops CICD?

I have created an SPN for the Azure DevOps pipeline and I need to access resources in multiple subscriptions from a PowerShell task/deploymentScript ARM. I am using the below command to switch between subscriptions:
#Linking appinsight with storage account in Secondary Region
Get-AzSubscription -SubscriptionId $secSubscriptionId | Set-AzContext
This command works from my local PowerShell (as I have access to both subscriptions). But with CI/CD the other subscription is not visible. I get the below error even though both subs are under the same tenant.
2020-05-12T17:17:14.9377680Z ##[error]Subscription XXXXXXX was not found in tenant ***. Please verify that the subscription exists in this tenant.
when you created the service principal, did you give it access to resources in both subscriptions?
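The point of the comment above is that "Subscription ... was not found in tenant" is what Az reports when the signed-in identity has no role assignment on that subscription. This added example (not from the original question or comment) checks that before switching context, so the pipeline fails with a message that names the missing grant. It assumes the task already ran Connect-AzAccount as the SPN (the AzurePowerShell task does this), that the SPN can read role assignments on both subscriptions, and that the two subscription IDs are supplied as parameters; $SecSubscriptionId is the variable from the question.

```powershell
# Added example: verify the SPN's access to each subscription, then switch context explicitly.
param(
    [Parameter(Mandatory)][string] $PrimarySubscriptionId,
    [Parameter(Mandatory)][string] $SecSubscriptionId
)
$ErrorActionPreference = 'Stop'

# For a service-principal login, Account.Id is the application (client) ID.
$ctx   = Get-AzContext
$appId = $ctx.Account.Id

function Test-SubscriptionAccess {
    param([string] $SubscriptionId, [string] $ApplicationId, [string] $TenantId)

    # A subscription with no role assignment for this identity is simply not listed.
    $visible = Get-AzSubscription -TenantId $TenantId -ErrorAction SilentlyContinue |
               Where-Object { $_.Id -eq $SubscriptionId }
    if (-not $visible) { return $false }

    # Any assignment scoped at or above the subscription is enough to switch to it.
    $assignments = Get-AzRoleAssignment -ServicePrincipalName $ApplicationId `
                       -Scope "/subscriptions/$SubscriptionId" -ErrorAction SilentlyContinue
    return [bool] $assignments
}

foreach ($sub in @($PrimarySubscriptionId, $SecSubscriptionId)) {
    if (-not (Test-SubscriptionAccess -SubscriptionId $sub -ApplicationId $appId -TenantId $ctx.Tenant.Id)) {
        $msg = ("Service principal {0} has no role assignment on subscription {1}. " +
                "Grant one (e.g. New-AzRoleAssignment -ApplicationId {0} -RoleDefinitionName Contributor " +
                "-Scope /subscriptions/{1}) and re-run the pipeline.") -f $appId, $sub
        throw $msg
    }
}

# Switch by ID and tenant rather than piping Get-AzSubscription, so a wrong ID fails here
# with a clear message instead of later inside the ARM call.
$null = Set-AzContext -Subscription $SecSubscriptionId -Tenant $ctx.Tenant.Id
Write-Output ("Context switched to {0}" -f (Get-AzContext).Subscription.Name)
```

Grant the narrowest role that the deployment actually needs; Contributor in the message is only the example the question's scenario (linking Application Insights to a storage account) would typically use.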

How to connect to Azure AD tenant which does not have a subscription from PowerShell

I have an Azure AD tenant which is not associated to a subscription. When I login from the Azure portal I am able see and get to it using "switch directories".
When I log in from PowerShell, I do not see it; it only shows my subscription, not the Azure AD tenant.
How do I connect to the Azure AD tenant which has no subscription?
Neither the Azure AD PowerShell nor the Azure PowerShell modules require that the tenant have an Azure subscription in order to connect.
If you are using the Azure AD PowerShell module, you simply connect:
Connect-AzureAD
If you are using a user account which is a member of multiple tenants, it's best to be explicit about which tenant you'd like to connect to:
Connect-AzureAD -TenantId "{other-tenant-id}"
For registering and managing apps in Azure AD I recommend using the Azure AD PowerShell module. However, if you need/want to use the Azure PowerShell module instead, the process is very similar:
Connect-AzAccount
And, if you need to be explicit:
Connect-AzAccount -TenantId "{other-tenant-id}"

Unable to sign in to azure subscription through Azure Automation

I want to execute a runbook from subscription A which will create a storage account in subscription B. I provided the (Username/Password) of subscription B in a credential asset.
Firstly, please let me know whether it is possible to do that.
When I try to run the below code, it gives the error "Unable to acquire token for tenant 'Common'" when I run Get-AzureRmSubscription.
$CredentialAssetName = "login"
$Cred = Get-AutomationPSCredential -Name $CredentialAssetName
if (!$Cred) {
    Throw "Could not find an Automation Credential Asset named '${CredentialAssetName}'. Make sure you have created one in this Automation Account."
}
# Login-AzureRmAccount is an alias of Add-AzureRmAccount, so one call is enough
Add-AzureRmAccount -Credential $Cred
Select-AzureRmSubscription -SubscriptionName 'Free Trial'
Get-AzureRmSubscription
Unable to acquire token for tenant 'Common'
It is just a WARNING; it will not affect your script.
please let me know is it possible to do that?
Yes, it is possible, we can use Azure runbook to login subscription B, and use PowerShell to create an Azure storage account in that subscription.
Runbook just like PowerShell, when we use subscription B to log in, the script will work on subscription B.
If subscription B is a Microsoft account, we can follow this answer to login Azure runbook. (Microsoft account does not support non-interactive login.)

Azure Powershell - automating Login-AzureRmAccount AD Login - for Azure function

I have this Azure Powershell script, which successfully backs up a SQL Azure DB to Azure Blob.
In its current form, it requires me to log in via AD.
I now need to implement this script to execute via a Azure Function at specific intervals.
The first snippet of the script:
$subscriptionId = "YOUR AZURE SUBSCRIPTION ID"
Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId $subscriptionId
I thus need to not use Login-AzureRmAccount, but replace it with a method that does not require human input.
I have found this link:
https://cmatskas.com/automate-login-for-azure-powershell-scripts/
In short, the author:
Creates an Azure AD Application (with its own password)
Creates a Service Principal
Assigns Permissions to the Service Principal
This is a once-off manual creation - which is perfect.
The author then logs in to this newly created application
# $azurePassword must be a SecureString (e.g. from ConvertTo-SecureString), not a plain string
$psCred = New-Object System.Management.Automation.PSCredential($azureAccountName, $azurePassword)
Add-AzureRmAccount -Credential $psCred -TenantId e801a3ad-3690-4aa0-a142-1d77cb360b07 -ServicePrincipal
My questions:
Is this what I should do to be able to automate my application and prevent human login?
This Azure AD app created in step 1 - can I use this app as a starting point in my of my Azure functions?
Yes, you can use that route, or use certificate auth, or use an Azure AD user; it can log in with user\password, but that is considered less secure than a service principal.
Yes, you can use one service principal for any number of Azure Functions you would like to.
To use Azure PowerShell in Azure Functions, you may refer to the following response in another SO thread. The example is an HTTP-Trigger, but you can modify it to use a Timer-Trigger for your use-case. Here's the link:
Azure Function role like permissions to Stop Azure Virtual Machines
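The unattended service-principal login the answer above describes, in the shape of a timer-triggered PowerShell Azure Function, as an added example that is not from the original answer or the linked blog post. It assumes the app settings AZ_TENANT_ID, AZ_CLIENT_ID, AZ_SUBSCRIPTION_ID and either AZ_CERT_THUMBPRINT (with the certificate uploaded to the Function app and WEBSITE_LOAD_CERTIFICATES set so it is loaded into the certificate store) or AZ_CLIENT_SECRET (ideally a Key Vault reference); all of those names are assumptions. It also assumes the Az modules are available to the function.

```powershell
# Added example: run.ps1 for a timer-triggered PowerShell function that signs in as a
# service principal with no human input, preferring certificate over secret.
param($Timer)

function Connect-UnattendedAzAccount {
    param(
        [Parameter(Mandatory)][string] $TenantId,
        [Parameter(Mandatory)][string] $ClientId,
        [string] $CertificateThumbprint,
        [string] $ClientSecret,
        [string] $SubscriptionId
    )

    if ($CertificateThumbprint) {
        # Preferred: certificate auth. No secret lives in an app setting; the private key
        # stays in the certificate store the platform loaded for the function.
        $null = Connect-AzAccount -ServicePrincipal -Tenant $TenantId -ApplicationId $ClientId `
            -CertificateThumbprint $CertificateThumbprint -ErrorAction Stop
    }
    elseif ($ClientSecret) {
        # Fallback: client secret. PSCredential needs a SecureString, which is the usual
        # failure when the plain-string password from a blog snippet is passed in directly.
        $secure = ConvertTo-SecureString -String $ClientSecret -AsPlainText -Force
        $cred   = New-Object System.Management.Automation.PSCredential($ClientId, $secure)
        $null = Connect-AzAccount -ServicePrincipal -Tenant $TenantId -Credential $cred -ErrorAction Stop
    }
    else {
        throw 'Provide either a certificate thumbprint or a client secret for the service principal.'
    }

    # Explicit tenant and subscription so the function never operates on a default it did not choose.
    if ($SubscriptionId) {
        $null = Set-AzContext -Subscription $SubscriptionId -Tenant $TenantId -ErrorAction Stop
    }
    return Get-AzContext
}

$ctx = Connect-UnattendedAzAccount -TenantId $env:AZ_TENANT_ID -ClientId $env:AZ_CLIENT_ID `
    -CertificateThumbprint $env:AZ_CERT_THUMBPRINT -ClientSecret $env:AZ_CLIENT_SECRET `
    -SubscriptionId $env:AZ_SUBSCRIPTION_ID
Write-Host ("Signed in as {0} to subscription {1}" -f $ctx.Account.Id, $ctx.Subscription.Id)

# From here the original backup script runs unchanged (the Login-AzureRmAccount and
# Set-AzureRmContext lines are replaced by the call above).
```

The same function also serves as the drop-in replacement for the question's first snippet: delete Login-AzureRmAccount and Set-AzureRmContext and call Connect-UnattendedAzAccount instead. Prefer the certificate branch; if the secret branch is used, keep the secret in Key Vault and reference it from the app setting rather than pasting it in.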
Run PowerShell as Administrator; you need to install AzureRM in PowerShell.
Login to Azure
Login-AzureRmAccount
Enter your Azure credentials
To get your subscription(s) details
enter
Get-AzureRmSubscription
Use the subscription id to select the subscription.
Select-AzureRmSubscription -SubscriptionId xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Save the AzureProfile using the below command
Save-AzureRmProfile -Path "C:\AzureScripts\profile.json"
The json file can be used to login to Azure
Select-AzureRmProfile -Path "C:\AzureScripts\profile.json"
Put this line at the top of your .ps1 file; it does not require human input.
Ref : http://www.smartcoding.in/blog/auto-login-azure-power-shell