
Create an Azure Automation account using the Portal, PowerShell and AzureCLI

An Azure Automation Account is the Azure resource that lets you automate tasks against services and resources in Azure, on-premises, and in other clouds such as Amazon Web Services (AWS). You write and run runbooks to automate your tasks, or use a Hybrid Runbook Worker when the business or operational process you manage lives outside Azure. Whichever environment the runbook targets, it needs an identity with permissions to reach those resources, and that identity should carry only the minimal rights the runbooks require.

This is a step-by-step guide to creating a new Automation Account on Microsoft Azure. On the portal, search for Automation Accounts and click on it.

Next, provide a Name for the automation account. The account name must be unique; it can contain only letters, numbers and hyphens, must start with a letter, must end with a letter or a number, and must be 6 to 50 characters long. Then select the Subscription, Resource group and Location.

You can choose not to create a Run As Account, but doing so might block the execution of some runbooks because they cannot access the resources they need. An Azure Run As Account provides authentication in Azure so that your runbooks can manage Azure resources. Without one, each runbook would have to authenticate to Azure itself, the way you would from your own computer when connecting remotely.

Click the Create button.

Creating the Automation Account starts a deployment task named Microsoft.AutomationAccount, which takes a few minutes. When the account is created, a few additional example runbooks with names starting AzureAutomationTutorial are added for tutorial purposes. You can go directly to the resource or find it under the Resource Group.

Inside the Resource Group where the resource was created you will see the three tutorial runbooks, in PowerShell and Python versions, which you can use for testing.

My Azure Automation Account is created successfully and there are no activities in it yet.
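The paragraph above explains that a Run As Account exists so runbooks can sign in to Azure without their own credentials. The following is an added example, not code from the original post: a runbook that reads the AzureRunAsConnection asset (the name the portal and the script later in this post create) and signs in as the service principal with the certificate, which is the same login pattern the AzureAutomationTutorial runbooks use. The resource-group listing at the end is illustrative, and the ConnectionName parameter is an assumption of this example.

```powershell
# Added example, not from the original post: runbook-side login with the
# Run As connection. Get-AutomationConnection exists only inside the Azure
# Automation sandbox (or on a Hybrid Runbook Worker), so run this as a runbook.
param (
    [string] $ConnectionName = 'AzureRunAsConnection'   # default asset name created by the portal
)

function Connect-RunAsAccount {
    param ([string] $Name)

    # The connection asset holds ApplicationId, TenantId, SubscriptionId and
    # CertificateThumbprint. The certificate asset with that thumbprint is
    # loaded into the sandbox certificate store, so Connect-AzAccount can find
    # the private key by thumbprint without the runbook ever handling it.
    try {
        $conn = Get-AutomationConnection -Name $Name -ErrorAction Stop
    }
    catch {
        throw "Connection asset '$Name' was not found in this Automation account: $($_.Exception.Message)"
    }

    $connectParams = @{
        ServicePrincipal      = $true
        Tenant                = $conn.TenantId
        ApplicationId         = $conn.ApplicationId
        CertificateThumbprint = $conn.CertificateThumbprint
    }
    $null = Connect-AzAccount @connectParams

    # Pin the context to the subscription recorded in the connection; a service
    # principal with access to several subscriptions would otherwise land in
    # whichever one Az selects first.
    $null = Set-AzContext -Subscription $conn.SubscriptionId
    return $conn
}

$runAs = Connect-RunAsAccount -Name $ConnectionName
Write-Output "Signed in as application $($runAs.ApplicationId) in subscription $($runAs.SubscriptionId)"

# Illustrative work: list the resource groups the service principal can see.
# With Contributor on the whole subscription (what the script in this post
# assigns by default) this returns every group, which is why narrowing the
# role scope to what the runbooks actually need matters.
Get-AzResourceGroup | Select-Object ResourceGroupName, Location | Format-Table -AutoSize
```

If the certificate asset was removed or renewed without updating the connection, Connect-AzAccount fails with a certificate-not-found error at the thumbprint lookup; the connection fields and the certificate asset must stay in sync.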

PowerShell

Here is the process to create an Automation Account with a Run As Account using PowerShell. Because the account is created with a Run As Account it involves several steps. Run As accounts in Azure Automation provide authentication for managing resources in the Azure Resource Manager or Azure Classic deployment model from Automation runbooks and other Automation features. (Microsoft has since retired Run As accounts, on 30 September 2023, in favour of managed identities; the steps below still show how the certificate-based service principal behind a Run As account is wired up.)

The PowerShell steps are:

  • Generate a self-signed certificate. (If you do not want to use a self-signed certificate, see Create Azure Key Vault Certificates on Azure Portal and Powershell and Export certificates from Azure Key Vault using PowerShell to use a Key Vault certificate with the Automation account.)
  • Create an Azure AD App Registration (see Create an Azure App registrations in Azure Active Directory using PowerShell & AzureCLI).
  • Add the certificate, public part only, as a credential on the AAD application.
  • Create the Azure Active Directory service principal and assign an Azure role (Contributor) to the Azure AD application / service principal. Without an explicit scope this grants Contributor on the whole subscription; restrict the scope, or choose a narrower role, wherever the runbooks allow it.
  • Create the new Azure Automation Account and deploy the Run As certificate and connection assets that configure the Run As Account. (If this step fails, see Azure Powershell : Operation returned an invalid status code 'BadRequest'.)

After the Automation Account is created you can check the Azure Run As Account properties on the portal; they show that it was created successfully.

Before running this script, change the input variables at the top ($automationAccount through $location) to suit your environment. Download the script here, or find it on github.com.

#Written By - vcloud-lab.com #vJanvi
#Create new Azure Automation Account Run As
#Requires the Az.Accounts, Az.Resources and Az.Automation modules and an existing Connect-AzAccount session.
#Property names used below (ApplicationId, Subscription) match the Az.Resources 3.x/4.x builds this was written
#against; the later Microsoft Graph based Az.Resources exposes the application id as AppId instead.

$automationAccount = 'AutomationAC01' 
$certExpiryMonths = 24
$certPfxPassword = '123456'       #Change this. It protects the exported private key (.pfx) on disk; use a strong value and delete the .pfx when done
$certExportPath = 'C:\Temp\Certs' #Folder must already exist
$resourceGroup = 'vCloud-lab.com'
$location = "East Us"

$certPassword = ConvertTo-SecureString $certPfxPassword -AsPlainText -Force

#Region
#Generate self signed certificate (an X.509 certificate that becomes the service principal credential)
Write-Host "Generate self signed certificate for - $automationAccount"
$selfSignedCertSplat = @{
    DnsName = $automationAccount
    Subject = $automationAccount
    CertStoreLocation = 'cert:\CurrentUser\My' 
    KeyExportPolicy = 'Exportable'   #Needed so the private key can be written to the .pfx below
    Provider = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
    NotAfter = (Get-Date).AddMonths($certExpiryMonths) 
    HashAlgorithm = 'SHA256'
}
$selfSignedCert = New-SelfSignedCertificate @selfSignedCertSplat

#Export certificate to files: .pfx (private key, password protected) and .cer (public part only)
Write-Host "Export self signed certificate to folder - $certExportPath"
$certStorePath = 'cert:\CurrentUser\My\' + $selfSignedCert.Thumbprint
Export-PfxCertificate -Cert $certStorePath -FilePath "$certExportPath\$automationAccount.pfx" -Password $certPassword -Force | Write-Verbose
Export-Certificate -Cert $certStorePath -FilePath "$certExportPath\$automationAccount.cer" -Type CERT | Write-Verbose
#EndRegion - Generate self signed certificate

#Region
#Read PFX Certificate
Write-Host "Read PFX file"
$pfxCertSplat = @{
    TypeName = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    ArgumentList = @("$certExportPath\$automationAccount.pfx",  $certPfxPassword)
}
$pfxCert = New-Object @pfxCertSplat

#Create an Azure AD application (App Registrations)
#IdentifierUris is optional; newer tenants may reject http:// URIs that are not on a verified domain, in which case drop it
Write-Host "Create Azure AD application - $automationAccount"
$azADAppRegistrationsSplat = @{
    DisplayName = $automationAccount
    HomePage = "http://$automationAccount"
    IdentifierUris = "http://$automationAccount"
}
$azADAppRegistrations = New-AzADApplication @azADAppRegistrationsSplat

#Create Azure active directory Application Credential (App Registrations)
#Only the public certificate (GetRawCertData) is uploaded; the private key stays in the .pfx
Write-Host "Create credential for Azure AD application - $automationAccount"
$azADAppRegistrationsCredSplat = @{
    ApplicationId = $azADAppRegistrations.ApplicationId
    CertValue = [System.Convert]::ToBase64String($pfxCert.GetRawCertData())
    StartDate = $pfxCert.NotBefore 
    EndDate = $pfxCert.NotAfter
}
[void](New-AzADAppCredential @azADAppRegistrationsCredSplat)

#Azure AD Service Principal
Write-Host "Create Azure AD Service Principal - $automationAccount"
[void](New-AzADServicePrincipal -ApplicationId $azADAppRegistrations.ApplicationId)
Start-Sleep -Seconds 15   #Directory replication: the new service principal is not immediately visible to role assignment

#Provide contributor access on Service Principal
#Without -Scope the assignment lands on the whole current subscription. Pass
#-Scope "/subscriptions/<subscriptionId>/resourceGroups/$resourceGroup" (or choose a narrower role) if the runbooks only touch that group
Write-Host "Assign contributor azure role on Azure AD application / SP - $automationAccount"
$AzRoleAssignment = New-AzRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $azADAppRegistrations.ApplicationId -ErrorAction SilentlyContinue
$i = 0;
#Retry for about a minute while the service principal propagates
While (($null -eq $AzRoleAssignment) -and ($i -le 6)) 
{
    Start-Sleep -Seconds 10
    New-AzRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $azADAppRegistrations.ApplicationId -ErrorAction SilentlyContinue
    $AzRoleAssignment = Get-AzRoleAssignment -ServicePrincipalName $azADAppRegistrations.ApplicationId -ErrorAction SilentlyContinue
    $i++
}
if ($null -eq $AzRoleAssignment) { throw "Role assignment for $($azADAppRegistrations.ApplicationId) did not succeed; runbooks would have no access" }
#EndRegion - Azure AD application 

#Region
Write-Host "Create Azure Automation Account - $automationAccount"
[void](New-AzAutomationAccount -Name $automationAccount -Location $location -ResourceGroupName $resourceGroup)

Write-Host "Create Azure Automation Account Run as certificate - $automationAccount"
Start-Sleep -Seconds 15
$azAutomationCertSplat = @{
    ResourceGroupName =  $resourceGroup 
    AutomationAccountName = $automationAccount
    Path = "$certExportPath\$automationAccount.pfx"
    Name = 'AzureRunAsCertificate' #The name the portal and the tutorial runbooks expect
    Password = $certPassword
    Description = "This certificate is used to authenticate with the service principal that was automatically created for this account. For details on this service principal and certificate, or to recreate them, go to this account's Settings. For example usage, see the tutorial runbook in this account."
}
#-Exportable:$true lets any runbook author in this account retrieve the private key. The portal-created
#Run As certificate is not exportable, so prefer -Exportable:$false unless a runbook really needs the key
[void](New-AzAutomationCertificate @azAutomationCertSplat -Exportable:$true) 

Write-Host "Create Azure Automation Account connection - $automationAccount"
Start-Sleep -Seconds 15
$azSubscriptionContext = Get-AzContext
$azAutomationConnectionSplat = @{
    ResourceGroupName = $resourceGroup
    AutomationAccountName = $automationAccount
    Name = 'AzureRunAsConnection' #The name the portal and the tutorial runbooks expect
    ConnectionTypeName = 'AzureServicePrincipal'
    Description = "This connection contains information about the service principal that was automatically created for this automation account. For details on this service principal and its certificate, or to recreate them, go to this account's Settings. For example usage, see the tutorial runbook in this account."
    ConnectionFieldValues = @{
        ApplicationId = $azADAppRegistrations.ApplicationId.Guid
        TenantId = $azSubscriptionContext.Tenant.Id
        CertificateThumbprint = $pfxCert.Thumbprint   #Must match the certificate asset uploaded above
        SubscriptionId = $azSubscriptionContext.Subscription.Id   #.Id: the field needs the subscription GUID string, not the subscription object
    }
}
[void](New-AzAutomationConnection @azAutomationConnectionSplat)
#EndRegion
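The text above suggests checking the Run As Account properties once the account exists. The following is an added example, not code from the original post or the downloadable script: it reads back the connection and certificate assets the script creates and checks them against a few things a security reviewer would want to know, namely that the connection and certificate agree on the thumbprint, how long the certificate has left, whether the private key was stored exportable, and which scope the service principal's role assignments cover. The account and resource group names reuse the script's variables; the 90-day warning threshold is an arbitrary choice for this example.

```powershell
# Added example, not part of the original post: audit the Run As assets the
# script above created. Needs Az.Automation and Az.Resources and an existing
# Connect-AzAccount session with read access to the account and subscription.
$automationAccount = 'AutomationAC01'     # same values as the script above
$resourceGroup     = 'vCloud-lab.com'
$warnDays          = 90                   # arbitrary threshold chosen for this example

$assetParams = @{ ResourceGroupName = $resourceGroup; AutomationAccountName = $automationAccount }
$conn = Get-AzAutomationConnection  @assetParams -Name 'AzureRunAsConnection'
$cert = Get-AzAutomationCertificate @assetParams -Name 'AzureRunAsCertificate'

# FieldDefinitionValues holds ApplicationId, TenantId, SubscriptionId, CertificateThumbprint
$fields = $conn.FieldDefinitionValues
$appId  = $fields['ApplicationId']

# 1. The connection must point at the certificate actually stored in the account,
#    otherwise Connect-AzAccount inside a runbook fails with certificate-not-found.
if ($fields['CertificateThumbprint'] -ne $cert.Thumbprint) {
    Write-Warning "Connection thumbprint $($fields['CertificateThumbprint']) does not match certificate asset $($cert.Thumbprint)"
}
else {
    Write-Output "Connection and certificate thumbprints match ($($cert.Thumbprint))"
}

# 2. Expiry: the script issues a 24-month certificate; after that every runbook
#    using the connection stops authenticating. Assumption: Az returns the
#    expiry as a DateTimeOffset, so normalise to a UTC DateTime before subtracting.
$expiry = $cert.ExpiryTime
if ($expiry -is [DateTimeOffset]) { $expiry = $expiry.UtcDateTime }
$daysLeft = [int]($expiry - (Get-Date).ToUniversalTime()).TotalDays
if ($daysLeft -lt $warnDays) {
    Write-Warning "Run As certificate expires in $daysLeft days ($expiry UTC); renew it and update the connection"
}
else {
    Write-Output "Run As certificate valid for another $daysLeft days"
}

# 3. An exportable private key can be pulled out by anyone who can author a
#    runbook in this account, so it should only be exportable on purpose.
if ($cert.Exportable) {
    Write-Warning "Certificate asset '$($cert.Name)' is exportable; recreate it with -Exportable:`$false unless runbooks must export the key"
}

# 4. Role assignments: the script grants Contributor with no -Scope, which is
#    the whole subscription. Flag broad roles at subscription scope.
$assignments = Get-AzRoleAssignment -ServicePrincipalName $appId
if (-not $assignments) {
    Write-Warning "No role assignments found for application $appId; runbooks will not be able to manage resources"
}
foreach ($ra in $assignments) {
    $atSubscription = $ra.Scope -match '^/subscriptions/[^/]+$'
    if ($atSubscription -and $ra.RoleDefinitionName -in @('Contributor', 'Owner')) {
        Write-Warning "$($ra.RoleDefinitionName) at subscription scope ($($ra.Scope)); consider a resource-group scope or a narrower role"
    }
    else {
        Write-Output "$($ra.RoleDefinitionName) on $($ra.Scope)"
    }
}
```

Run this from the same session that ran the creation script, or from any session with Reader on the Automation account and the subscription; it only reads and never changes anything, so it is safe to put on a schedule as a drift check.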

Azure CLI

Here is an Azure CLI one-liner that creates an automation account without a Run As Account. If the automation extension is not installed, the CLI prompts you to download and install it. Note that the automation command group is experimental and under development, and that although the command passes --sku "Free", the returned object reports the sku name as Basic.

az automation account create --automation-account-name "AutomationAc02" --location "East US" --sku "Free" --resource-group "vCloud-lab.com"

The command requires the extension automation. Do you want to install it now? The command will continue to run after the extension is installed. (Y/n): Y
Run 'az config set extension.use_dynamic_install=yes_without_prompt' to allow installing extensions without prompt.
The installed extension 'automation' is experimental and not covered by customer support. Please use with discretion.
Command group 'automation account' is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
{
  "creationTime": "2021-06-12T05:46:44.293333+00:00",
  "description": null,
  "etag": null,
  "id": "/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vCloud-lab.com/providers/Microsoft.Automation/automationAccounts/AutomationAc02",
  "lastModifiedBy": null,
  "lastModifiedTime": "2021-06-12T05:46:44.293333+00:00",
  "location": "eastus",
  "name": "AutomationAc02",
  "resourceGroup": "vCloud-lab.com",
  "sku": {
    "capacity": null,
    "family": null,
    "name": "Basic"
  },
  "state": "Ok",
  "tags": {},
  "type": "Microsoft.Automation/AutomationAccounts"
}

Useful Information
Create an Azure App registrations in Azure Active Directory using PowerShell & AzureCLI
Get started and configure with certificate-based authentication in Azure
Create a Virtual machine on Microsoft Azure
PowerShell List All Azure Reservations
Powershell get the list of Azure Reservations Virtual Machines instances
Get the list Azure Reservation Catalog with PowerShell and AzureCLI
Azure automation account DSC for On-Premise Virtual Machine on boarding
Azure Powershell : Operation returned an invalid status code 'BadRequest'
Get Azure virtual machine backup reports using Powershell



This post first appeared on Tales From Real IT System Administrators World And Non-production Environment, please read the original post: here
