In this series about automating Azure with PowerShell, I will explain Automation accounts and how to manage shared resources using PowerShell.
Latest posts by Baki Onur Okutucu (see all)

Azure Automation provides end-to-end automation solutions for Azure and non-Azure services. Managing Azure Automation occurs entirely through Automation account resources. These consist of several sub-features such as process automation, configuration and update management, and shared resources.

Automation accounts ^

First, we use Automation accounts extensively to access some of the following Azure features:

  • Azure Desired State Configuration (DSC)
  • Runbooks (PowerShell, Python, and graphical)
  • Update management for virtual machines (VMs)
  • Configuration management for VMs
  • Managing on-premises services using Hybrid Workers

Even though each Automation account has these capabilities by default, it is still necessary to configure each automation account separately based on the requirements. Shared resources in each Automation account—such as variables, certificates, modules, and credentials—can provide all Automation account services with predefined values. For example, we can call out predefined credentials from separate runbooks without having to define them in each one.

Now let's create an Automation account in Azure using the following PowerShell command:

New-AzureRmAutomationAccount -ResourceGroupName 4SYSOPS -Name AzureAutomation1 ‑Location NorthEurope
Creating a new Automation account

Creating a new Automation account

After creating an Automation account, you can manage it through either the Azure Portal or PowerShell. The following screenshot shows how an Automation account looks in the Azure Portal.

Automation account console in the Azure Portal

Automation account console in the Azure Portal

Shared resources ^

When we create an Automation account in the Azure Portal, this automatically creates two Run As accounts and their corresponding elements, such as certificates, connections, and service principals. We can disable this at the time of creation. I'll explain some key terms below.

Run As account: Automatically creates a service principal account in Azure Active Directory (Azure AD) and assigns it a "Contributor" role across the subscription.

Certificate: A certificate manages Azure Resource Manager resources.

Classic Run As account: This account uses a certificate to manage classic resources.

Connection: A connection resource comprises an Azure AD application and a certificate. We use this connection to manage runbooks.

Run As accounts in Azure Automation

Run As accounts in Azure Automation

We can also get all of this information through PowerShell using the following commands:

Get-AzureRmAutomationConnection -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1
Get-AzureRmAutomationCertificate -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1
Run As account details through Powershell

Run As account details through Powershell

Now we can take a look at all elements in an Automation account.

Modules ^

Modules are important when it comes to using specific PowerShell cmdlets in runbooks since Azure needs modules that contain a bunch of cmdlets. Otherwise runbooks will not be able to recognize the cmdlets we use.

For example, if we want to use the Get-AzureRmNetworkSecurityGroup cmdlet in a runbook, we first need to ensure we have already installed the AzureRM.Network module into the module section of the Automation account in which we run the runbook.

To get all modules in detail in an Automation account, we can use this command:

Get-AzureRmAutomationModule -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1 | select name, version
Listing Automation modules

Listing Automation modules

To update an existing module with a module package (zip file), you can use the following commands…

With a package on your local computer:

Set-AzureRmAutomationModule -name Azure.Storage -ResourceGroupName 4SYSOPS ‑AutomationAccountName AzureAutomation1 -ContentLinkUri ".\" ‑ContentLinkVersion "1.5"

With a package from a remote location:

Set-AzureRmAutomationModule -name Azure.Storage -ResourceGroupName 4SYSOPS ‑AutomationAccountName AzureAutomation1 -ContentLink

To install a new module with a package on your local computer:

New-AzureRmAutomationModule -name Azure.Storage -ResourceGroupName 4SYSOPS ‑AutomationAccountName AzureAutomation1 -ContentLinkUri ".\" ‑ContentLinkVersion "1.5"

With a package from a remote location:

New-AzureRmAutomationModule -name Azure.Storage -ResourceGroupName 4SYSOPS ‑AutomationAccountName AzureAutomation1 -ContentLink

To remove a module:

Remove-AzureRmAutomationModule -name MODULENAME -ResourceGroupName 4SYSOPS ‑AutomationAccountName AzureAutomation1

Credentials ^

We also use credentials mostly in runbooks and scripts as needed when it comes to authentication. Thus, we can use credentials in Automation accounts as shared resources and call them out in a runbook whenever needed.

We can use the following commands to create a new credential in an Automation account:

$password = ConvertTo-SecureString "NewPassword1" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("User1", $password)
New-AzureRmAutomationCredential -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1 -Name UserCred1 -Value $creds
Creating a new Automation credential

Creating a new Automation credential

And the command below lists all credentials:

Get-AzureRmAutomationCredential -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1
Listing all Automation credentials

Listing all Automation credentials

To remove a credential, you can use this command:

Remove-AzureRmAutomationCredential -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1 -Name UserCred3

Variables ^

When it comes to creating a script of any kind, it is essential to define all variables clearly in the script or in a separate variables file. With this in mind, Azure provides us with exactly the same capability. We can save all variables in Azure up front and consume them when a script requires them. We can even define variable types and save strings as encrypted (secure strings).

To create a new variable in an Automation account, execute the following commands:

$var1=New-AzureRmAutomationVariable -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1 -Name Variable1 -Encrypted $false -Value "computername"
$var2=New-AzureRmAutomationVariable -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1 -Name Variable2 -Encrypted $false -Value 1212
$var3=New-AzureRmAutomationVariable -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1 -Name Variable3 -Encrypted $false -Value $false
$var4=New-AzureRmAutomationVariable -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1 -Name Variable4 -Encrypted $true -Value "password"
Creating new Automation variables

Creating new Automation variables

To remove a variable:

Remove-AzureRmAutomationVariable -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1 -Name Variable1

Schedules ^

Azure allows us to create schedules for our runbooks. Thus, we can easily set the runbooks to run as recurring tasks.

To create a new schedule:

New-AzureRmAutomationSchedule -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1 -Name Schedule1 -StartTime "27/01/2018 18:00:00" -Description "Schedule for Runbook1 " -DaysOfWeek "Monday,Wednesday" -WeekInterval 1 -ExpiryTime "31/12/2020"
Creating new Automation schedules

Creating new Automation schedules

To remove a schedule:

Remove-AzureRmAutomationSchedule -ResourceGroupName 4SYSOPS -AutomationAccountName AzureAutomation1 -Name Schedule1

Conclusion ^

At this point, we've seen all Automation account shared resources we will use with our runbooks, DSCs, and other automation features such as update and inventory management.

To understand clearly how we can use all the Azure Automation elements we've seen above, in the next post we will create and manage a runbook so we can automatically start and stop a VM.

Articles in series

Azure Automation

  1. Azure Automation accounts and shared resources
  2. Azure Automation with PowerShell runbooks

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2022


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account