I want to manage Azure resources via a runbook (for example upscaling, downscaling, pausing and resuming resources), how do I provide authentication to do this?
Automation Account |
Solution
For this we can use an Azure Run As account which gives the Automation Account the Contributor role at the subscription level. However this also means that you need to be an Application administrator in Azure Active Directory or an Owner in the subscription to create an Azure Run As account! If you do not have sufficient rights, then the Create Azure Run As account option will be grayed out when you create a new Automation Account.
Insufficient permissions |
Now you can start your PowerShell runbook with the following code which allows your code to manage the various Azure resource. The first example is for those using the PowerShell RM modules and the second example is for the newer PowerShell AZ modules.
# PowerShell code ######################################################## # Log in to Azure with RM (standard code) ######################################################## Write-Verbose -Message 'Connecting to Azure' # Name of the Azure Run As connection $ConnectionName = 'AzureRunAsConnection' try { # Get the connection properties $ServicePrincipalConnection = Get-AutomationConnection -Name $ConnectionName 'Log in to Azure...' $null = Add-AzureRmAccount ` -ServicePrincipal ` -TenantId $ServicePrincipalConnection.TenantId ` -ApplicationId $ServicePrincipalConnection.ApplicationId ` -CertificateThumbprint $ServicePrincipalConnection.CertificateThumbprint } catch { if (!$ServicePrincipalConnection) { # You forgot to turn on 'Create Azure Run As account' $ErrorMessage = "Connection $ConnectionName not found." throw $ErrorMessage } else { # Something else went wrong Write-Error -Message $_.Exception.Message throw $_.Exception } } ######################################################## # test code getting all resource groups Get-AzureRmResourceGroup
Nearly the same code, but now with AZ modules.
# PowerShell code ######################################################## # Log in to Azure with AZ (standard code) ######################################################## Write-Verbose -Message 'Connecting to Azure' # Name of the Azure Run As connection $ConnectionName = 'AzureRunAsConnection' try { # Get the connection properties $ServicePrincipalConnection = Get-AutomationConnection -Name $ConnectionName 'Log in to Azure...' $null = Connect-AzAccount ` -ServicePrincipal ` -TenantId $ServicePrincipalConnection.TenantId ` -ApplicationId $ServicePrincipalConnection.ApplicationId ` -CertificateThumbprint $ServicePrincipalConnection.CertificateThumbprint } catch { if (!$ServicePrincipalConnection) { # You forgot to turn on 'Create Azure Run As account' $ErrorMessage = "Connection $ConnectionName not found." throw $ErrorMessage } else { # Something else went wrong Write-Error -Message $_.Exception.Message throw $_.Exception } } ######################################################## # Test code getting all resource groups Get-AzResourceGroup
If you used the Create Run As account option while creating the Automation account, then the name will be AzureRunAsConnection. Otherwise you can find the name under connections in the Azure Automation Account.
Connections in Azure Automation |
Conclusion
This code, in combination with creating the Azure Run As account, allows you to perform all kinds of operations on Azure resources like up- and downscaling Azure SQL Databases or pausing and resuming Azure Analysis Services. The only problem could be insufficient rights to create this. In that case you could ask someone with sufficient rights to create the Automation Account with the Azure Run As account option on and then you could create the runbooks yourself.
Note that support for RM modules will end in December 2020. So don't wait to long to convert your scripts to AZ.