Using Managed Identities with Azure Automation Runbooks

Azure Automation with Managed Identity enables you to automate and orchestrate various tasks and processes within Azure environments. With the added benefit of Managed Identity, it eliminates the need for using credentials and simplifies authentication and authorization process.

By leveraging Azure Automation, you can create and schedule runbooks, which are sets of instructions or scripts, to perform routine or complex operations such as provisioning resources, managing virtual machines, or deploying applications. These runbooks can be executed on a schedule or triggered by specific events.

In this post we will go through setting in an Azure Automation account, runbook and use a managed identity to authentication.

To create a automation account.

Go to the Automation Account blade and click create.

Set the subscription, resource group, name and region.

Set the managed identities, we will be using system assigned the below link to Microsoft document outlines the differences between system / User.

https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types

We will be setting connectivity configuration to private access and create a private endpoint to assign a NIC with a private IP.

Next set tags if required.

Review the details and deploy.

It will take a minute or so for the deployment to complete.

We can now check and confirm that the service principal for the automation account has been created.

We can check by going to to Azure AD > Enterprise Application and search with the objectID

Next we need to assign the required permission. To assign go to Identity and select Azure role assignments.

The permission can be scoped to subscription, resource group, key vault, storage account. I will be setting scope to storage and assigned the storage blob data reader to one of my storage accounts.

Save and the role should apply.

Next we will create a runbook to run a set of task using the managed identity of the automation account.

Add in the PowerShell script to be run. I am going to try create a blob container but this should fail as I have only give read access. Click publish to allow the runbook to be run.

Click start to run the runbook.

Once competed we can view the errors from the run.

We can also check the enterprise app for the automation account and see the sign-in was successful.

This was just a quick example Azure Automation with Managed identify, this can be a very useful tool for setting up task that need to be run on a scheduled in Azure.

Using Parameter File With Bicep Templates

In the previous post we went through the process of deploying an Bicep template using parameter that where called directly from PowerShell.

Deploy Azure Resource Using Bicep template and PowerShell

This is ok when deploying resources that require only a few values to be set, but this can become difficult to manage when there are a lot of parameter like when deploying virtual machines or web apps.

A parameter file for Bicep is a json file that has the specific parameter names and values set.

I used this Microsoft document as a reference to create the parameter file.

https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/parameter-files

Below is the Bicep file we created in the last post.

A parameter file for the storage Bicep template would look like the below.

Once we have the parameter file, we are ready to test the deployment. To test without actually deploying the resource add the whatif parameter.

New-AzResourceGroupDeployment -ResourceGroupName ResourceGroupName -TemplateFile .\BicepTemplate.bicep -TemplateParameterFile .\BicepParamter.json -WhatIf

Next we will create a template to deploy a virtual machine and it network interface. To create base template in visual studio code type

res-nic to populate the network interface:

Use res-vm-windows to populate the virtual machine.

I will be creating parameters for each part that requires customization and anything that doesn’t I will leave with the hardcode values like. The @descirpiton is a Parameter decorators that allow use to add a description of what the parameter is used for.

I create two variables for the vnetId and subnetref that are used for the network interface

Below is what the updated virtual machine resource template looks like.

Once we have the Bicep template file ready the next step is to configure the parameter file. I copied the default template file code from the above Microsoft document and added in each of the required parameters.

To get the virtual network ID that will be used in the parameters file go to the virtual network and click on properties > Resource ID.

Once we have that we can fill out the reset of the parameter values.

After the template file has been configured, we can test the deployment same way as the storage account and use the whatif to confirm there are no errors.

As I have not set the admin password in the template or parameter file the deployment will prompt for the admin password to be set on the VM.

If the test deployment comes back without any issues we can check the results from the whaif deployment to confirm all the are correct.

Since the template and parameter files have returned no error we are ready to run and deploy the new VM resource.

If we check the resource group the new VM, OSDisk and network interface should be created.

Now that we have all the template and parameter file working we can just create a new parameter file for each VM resource. We can now create fully customized VM’s pretty quickly instead of having to deploy using the Azure market place and manually select the options we want to set.

Deploy Azure Resource Using Bicep template and PowerShell

In a previous post we went through deploying resource using ARM templates. I have been recently working on creating some new templates to be used for additional deployment and decided to use Bicep templates instead as it seem to an easier and more straight forward way of writing template files to deploy resources in Azure.

Bicep uses a simpler syntax than creating templates using JSON, the syntax is declarative and specifies which resources and resource properties you want to deploy.

Below is a comparison of a JSON and Bicep template file to create a storage account.

We can see that the bicep file is an easier format to read and create.

To get started with Bicep we will first be installing the Bicep extension to Visual Studio Code so we can edit and modify Bicep templates.

The extension adds intellisense which makes it easier than looking up the full syntax for each resource.

To create a new template click on new file in VS code and select bicep as the language.

To create a template using intellisense either start typing the res-resource type or the resource type itself.

Click on the resource to pre populate the template.

The values can be hard code in the template file but this would require manual change each time the template is run.

We can add parameters to the template to make it more reusable. There are a few different types of parameters that can be used.

Below is a brief description of each type.

Parameter	Description
string	Single line value
array	Allow multiple values
int	Integer value
bool	Required true or false
objects	Allows property types

Microsoft have a more in depth document on the different data types.

https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/data-types

The below is an example of a template with parameters set.

Once we have the template we need to install Azure PowerShell if not already installed and to install the Bicep tools, below is the document to install.

https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#install-manually

To connect to Azure PowerShell use

Connect-AzAccount

Once connected we can use the New-AzResourceGroupDeployment to deploy the template and specify the parameters values. To test the deployment for errors without running an actual deployment we can use the -whatif parameter.

New-AzResourceGroupDeployment -ResourceGroupName ResourceGroup -TemplateFile pathtotempaltefile\BicepStorageTest.bicep -location regsion -storagename storageaccountname -storagetype Standard_LRS -WhatIf

Run the command and it should return any error if there is an issue or green if there is no issue.

Once the template comes back with no issues we can remove the -whatif and the storage account will be created.

To confirm the storage account has been created use the Get-AzStorageAccount

Using parameters in the Bicep template is fine when there are only a few that need to be called but for more complex deployment it will be better to use a parameters file and pre fill each value.

In the next post we will go through the process of using a template to create a VM and its network interface and will call a parameters files instead of call the parameters in PowerShell directly.

Azure Automation “Run Login-AzureAccount to login”

When I was creating my Azure Automation account and tried to run a runbook that needed to logon to Azure, to start my VM’s I was getting an error:

Run Login-AzureAccount to login. AZAUError2

After looking on technet there where a few different recommendations but none worked.

In the end I just decided to try update the Azure modules. This fixed the issue.

Below is how to update the modules.

Go to Automation Accounts > select account > Modules

AZAUError1

There will be a prompt to update all Azure modules click yes to continue. AZAUError3

To view the progress click on below. AZAUError4

Click on all logs or output to view what is currently running. AZAUError5

Once completed the below will show. AZAUError6

After this I was successfully able to run my runbooks.

Azure Automation PowerShell Runbook

In this post I am going to go through setting up an Azure automation account and creating a runbook to PowerShell.

Azure Automation allows for process automation, configuration management, update management and PowerShell script execution on both Azure / Office 365. I like using Azure Automation as it allows me to save credentials in Azure for running task opposed to having them called in my script which is less secure.

I am going to setup a runbook to power on and off my LAB servers so that they only run during the day.

To start using Azure Automation

Go to All services > Automation Accounts

Once in Automation Accounts we need to create a new account. AZAU2

Give the Automation account a name, assign to a subscription, resource group and location. Leave create as yes and click crate.

AZAU3

Once the task has completed there will now be Automation account showing. AZAU10

Next step is to create a runbook to run the PowerShell command. Click on the Automation account and go to process automation and click on runbooks. AZAU4

Once in runbooks there will be some pre-configure runbooks that can be used as references.

To create a new runbook click Add a runbook AZAU11

Once in the runbook give a name and select the runbook type in this case it will be PowerShell. Then click create. AZAU5

Click on edit to modify the PowerShell script. AZAU6

The connection commands is generic and is copied from AzureAutomationTutorialScript runbook.

$connectionName = “AzureRunAsConnection”

try

{

# Get the connection “AzureRunAsConnection “

$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName

“Logging in to Azure…”

Add-AzureRmAccount -ServicePrincipal `

-TenantId $servicePrincipalConnection.TenantId `

-ApplicationId $servicePrincipalConnection.ApplicationId `

-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint

}

catch {

if (!$servicePrincipalConnection)

{

$ErrorMessage = “Connection $connectionName not found.”

throw$ErrorMessage

} else{

Write-Error -Message $_.Exception

throw$_.Exception

}

I have added the command I want to run at the bottom. Once finished, the runbook needs to be saved and published.

AZAU7

To test if the script will work as expected there is a test pane icon

Once in test click start and the script will be executed the output of the command will be returned to the console.

Once the runbook is saved, the start icon will become available so the runbook can be executed.

Last step is to schedule when the runbook will execute, click schedule.

Add a name, description, start time/date, time zone and if the task is a once of or a recurring task.

Once the schedule has been created it will show under schedules.