Azure Automation provides end-to-end automation solutions for Azure and non-Azure services. Managing Azure Automation occurs entirely through Automation account resources. These consist of several sub-features such as process automation, configuration and update management, and shared resources.
Automation accounts ^
First, we use Automation accounts extensively to access some of the following Azure features:
- Azure Desired State Configuration (DSC)
- Runbooks (PowerShell, Python, and graphical)
- Update management for virtual machines (VMs)
- Configuration management for VMs
- Managing on-premises services using Hybrid Workers
Even though each Automation account has these capabilities by default, it is still necessary to configure each automation account separately based on the requirements. Shared resources in each Automation account—such as variables, certificates, modules, and credentials—can provide all Automation account services with predefined values. For example, we can call out predefined credentials from separate runbooks without having to define them in each one.
Now let's create an Automation account in Azure using the following PowerShell command:
New-AzureRmAutomationAccount -ResourceGroupName 4SYSOPS -Name AzureAutomation1 ‑Location NorthEurope
After creating an Automation account, you can manage it through either the Azure Portal or PowerShell. The following screenshot shows how an Automation account looks in the Azure Portal.
Shared resources ^
When we create an Automation account in the Azure Portal, this automatically creates two Run As accounts and their corresponding elements, such as certificates, connections, and service principals. We can disable this at the time of creation. I'll explain some key terms below.
Run As account: Automatically creates a service principal account in Azure Active Directory (Azure AD) and assigns it a "Contributor" role across the subscription.
Certificate: A certificate manages Azure Resource Manager resources.
Classic Run As account: This account uses a certificate to manage classic resources.
Connection: A connection resource comprises an Azure AD application and a certificate. We use this connection to manage runbooks.
We can also get all of this information through PowerShell using the following commands:
Get-AzureRmAutomationConnection -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1 Get-AzureRmAutomationCertificate -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1
Now we can take a look at all elements in an Automation account.
Modules are important when it comes to using specific PowerShell cmdlets in runbooks since Azure needs modules that contain a bunch of cmdlets. Otherwise runbooks will not be able to recognize the cmdlets we use.
For example, if we want to use the Get-AzureRmNetworkSecurityGroup cmdlet in a runbook, we first need to ensure we have already installed the AzureRM.Network module into the module section of the Automation account in which we run the runbook.
To get all modules in detail in an Automation account, we can use this command:
Get-AzureRmAutomationModule -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1 | select name, version
To update an existing module with a module package (zip file), you can use the following commands…
With a package on your local computer:
Set-AzureRmAutomationModule -name Azure.Storage -ResourceGroupName 4SYSOPS ‑AutomationAccountName AzureAutomation1 -ContentLinkUri ".\NewModule.zip" ‑ContentLinkVersion "1.5"
With a package from a remote location:
Set-AzureRmAutomationModule -name Azure.Storage -ResourceGroupName 4SYSOPS ‑AutomationAccountName AzureAutomation1 -ContentLink http://NewModule.zip
To install a new module with a package on your local computer:
New-AzureRmAutomationModule -name Azure.Storage -ResourceGroupName 4SYSOPS ‑AutomationAccountName AzureAutomation1 -ContentLinkUri ".\NewModule.zip" ‑ContentLinkVersion "1.5"
With a package from a remote location:
New-AzureRmAutomationModule -name Azure.Storage -ResourceGroupName 4SYSOPS ‑AutomationAccountName AzureAutomation1 -ContentLink http://NewModule.zip
To remove a module:
Remove-AzureRmAutomationModule -name MODULENAME -ResourceGroupName 4SYSOPS ‑AutomationAccountName AzureAutomation1
We also use credentials mostly in runbooks and scripts as needed when it comes to authentication. Thus, we can use credentials in Automation accounts as shared resources and call them out in a runbook whenever needed.
We can use the following commands to create a new credential in an Automation account:
$password = ConvertTo-SecureString "NewPassword1" -AsPlainText -Force $creds = New-Object System.Management.Automation.PSCredential ("User1", $password) New-AzureRmAutomationCredential -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1 -Name UserCred1 -Value $creds
And the command below lists all credentials:
Get-AzureRmAutomationCredential -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1
To remove a credential, you can use this command:
Remove-AzureRmAutomationCredential -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1 -Name UserCred3
When it comes to creating a script of any kind, it is essential to define all variables clearly in the script or in a separate variables file. With this in mind, Azure provides us with exactly the same capability. We can save all variables in Azure up front and consume them when a script requires them. We can even define variable types and save strings as encrypted (secure strings).
To create a new variable in an Automation account, execute the following commands:
$var1=New-AzureRmAutomationVariable -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1 -Name Variable1 -Encrypted $false -Value "computername" $var1.value.gettype() $var2=New-AzureRmAutomationVariable -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1 -Name Variable2 -Encrypted $false -Value 1212 $var2.value.gettype() $var3=New-AzureRmAutomationVariable -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1 -Name Variable3 -Encrypted $false -Value $false $var3.value.gettype() $var4=New-AzureRmAutomationVariable -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1 -Name Variable4 -Encrypted $true -Value "password" $var4.value.gettype()
To remove a variable:
Remove-AzureRmAutomationVariable -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1 -Name Variable1
Azure allows us to create schedules for our runbooks. Thus, we can easily set the runbooks to run as recurring tasks.
To create a new schedule:
New-AzureRmAutomationSchedule -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1 -Name Schedule1 -StartTime "27/01/2018 18:00:00" -Description "Schedule for Runbook1 " -DaysOfWeek "Monday,Wednesday" -WeekInterval 1 -ExpiryTime "31/12/2020"
To remove a schedule:
Remove-AzureRmAutomationSchedule -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1 -Name Schedule1
At this point, we've seen all Automation account shared resources we will use with our runbooks, DSCs, and other automation features such as update and inventory management.
To understand clearly how we can use all the Azure Automation elements we've seen above, in the next post we will create and manage a runbook so we can automatically start and stop a VM.