How to use a Runbook in Azure Automation to interact with Services – Using the example of restarting a web app via a PowerShell runbook

Azure Automation is a cloud-based automation platform. It lets you easily automate tasks that would normally cost time to do manually. This works with the help of runbooks.

A runbook is a way to automate your cloud management within Azure. There are several types to choose from.

  • Graphical Runbooks
  • PowerShell and PowerShell Workflow Runbooks
  • Python Runbooks

For more details on runbooks, please visit the official documentation. Each type is clearly described with its advantages and methods of use (https://docs.microsoft.com/en-au/azure/automation/automation-runbook-types).

First of all we need an Azure Automation Account. We can create that via ARM and an automation pipeline or directly in the Azure Portal. To keep it simple we use the Portal in this example.

We can fill in all the needed information. The important step is to enable the “Create Azure Run As Account” option. With this, an AAD Application is created automatically which can interact with the Azure services and is “connected” to the Automation Account. This means we now have:

  • An Automation certificate asset named AzureRunAsCertificate for the account with the private key used by the AAD Application.
  • An Automation connection named AzureRunAsConnection for the account, which holds the applicationId, tenantId, subscriptionId, and certificate thumbprint.
  • The AAD Application with a self-signed certificate (Service Principal Account)

Please note that the application receives Contributor access to the entire subscription by default. So it is first and foremost important that we have the necessary rights to grant this at the time of creation, and furthermore we should adjust the access afterwards to limit what the service principal can do. We need this later to use the so-called RunAsConnection in the code.
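One way to limit that default access is sketched here as an added example; it is not part of the original post. It is run from an administrator's Az PowerShell session rather than inside the runbook, and it assumes the runbook only needs to manage one web app. The parameter names are made up for this sketch and the resource names are the same placeholders the runbook uses.

```powershell
# Added example: replace the Run As account's subscription-wide Contributor role
# with Website Contributor scoped to the single web app the runbook restarts.
# All parameter values are placeholders/assumptions, not values from the post.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,      # placeholder: subscription GUID
    [Parameter(Mandatory)] [string] $RunAsApplicationId,  # applicationId held by AzureRunAsConnection
    [string] $ResourceGroupName = 'Website RG name',
    [string] $WebAppName        = 'App service name'
)
$ErrorActionPreference = 'Stop'

Set-AzContext -Subscription $SubscriptionId | Out-Null

# Resolve the service principal behind the AAD Application.
$sp = Get-AzADServicePrincipal -ApplicationId $RunAsApplicationId
if (-not $sp) { throw "No service principal found for application $RunAsApplicationId" }

$subScope = "/subscriptions/$SubscriptionId"
$appScope = (Get-AzWebApp -ResourceGroupName $ResourceGroupName -Name $WebAppName).Id

# 1. Grant the narrow role first so the runbook never loses access mid-change.
#    Get-AzRoleAssignment -Scope also returns inherited assignments, so filter on the exact scope.
$narrow = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $appScope |
    Where-Object { $_.Scope -eq $appScope -and $_.RoleDefinitionName -eq 'Website Contributor' }
if (-not $narrow) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Website Contributor' -Scope $appScope | Out-Null
}

# 2. Remove the default Contributor assignment at subscription scope, if it is still there.
$broad = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $subScope |
    Where-Object { $_.Scope -eq $subScope -and $_.RoleDefinitionName -eq 'Contributor' }
if ($broad) {
    Remove-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' -Scope $subScope
}

# 3. Report what the service principal can still reach in this subscription.
Get-AzRoleAssignment -ObjectId $sp.Id | Select-Object RoleDefinitionName, Scope
```

If the runbook is later changed to manage other services, the role and scope assigned in step 1 have to be widened to match.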

Furthermore, three tabs are now important.

First we create a runbook, then we install all the needed Az modules to use the new PowerShell possibilities, and code it. After this we create a schedule. As said, in our example we create a runbook which can use PowerShell in the Automation Account.

Then we load the needed modules (Az.Accounts, Az.Automation, Az.Resources, Az.Websites and Az.Subscriptions). Please note that Az.Accounts is a prerequisite for the other modules and has to be installed first.

Now we can create our runbook with this little code snippet.

# Get the Run As connection asset of the Automation Account
$connection = Get-AutomationConnection -Name AzureRunAsConnection
# Log in to Azure with the service principal identity
$account = Connect-AzAccount `
    -ServicePrincipal `
    -Tenant $connection.TenantID `
    -ApplicationId $connection.ApplicationID `
    -CertificateThumbprint $connection.CertificateThumbprint
# Make sure the correct subscription is selected (if there is more than one subscription)
Select-AzSubscription -Subscription "Subscription Name"
# Restart the web app
Restart-AzWebApp `
    -ResourceGroupName "Website RG name" `
    -Name "App service name"

Now we can create a schedule within the Automation Account.

After this, everything is up and running and our web application will be restarted at the given time and date. We can replace the web app with a different service by changing just the bottom part of the script, and customize it further.
