How to Get Started with an Azure Automation Account pt. 1


As the year 2022 came to a close, I embarked on an exciting journey of experimentation with Microsoft’s Azure Automation Account. These powerful tools provide a unique and versatile platform for automating PowerShell script execution, allowing for seamless interaction with a vast array of resources, whether they be on-premises or accessible via REST API. The possibilities are truly endless with Automation Accounts, limited only by your own scripting skills and imagination. But that’s not all – the platform also boasts an array of security features, making it easy to securely store sensitive information such as secrets, keys, and even certificates. And to top it off, as “accounts”, they can even be assigned permissions and roles to automate management within your Azure tenant.

I plan on covering a VERY small portion of what you can do, and as I experiment more, I will bring new ideas to the table here. Today, I’m going to talk about my favorite features of Azure Automation Accounts, and then in the next post, I will give an example of how you can leverage this to make your life just a little bit easier. Join me as we learn how Azure Automation Accounts can streamline your cloud management tasks and automate repetitive processes in minutes, not hours.

DISCLAIMER

Please understand that the content herein is for informational purposes only. Its existence and contents shall not create an obligation or liability, or suggest a consultancy relationship. Further, such content shall be considered as is, without any express or implied warranties including, but not limited to, express and implied warranties of merchantability, fitness for a particular purpose and non-infringement. There is no commitment about the content within the services, the specific functions of the services, or their reliability, applicability or ability to meet your needs, whether unique or standard. Please be sure to test this process fully before deploying in ANY production capacity, and ensure you understand that you are doing so at your own risk.

Table of Contents

What is an Azure Automation Account?
Azure Automation Account Setup
Automation Account Runbooks
Configure Automation Account Resources
Conclusion


What is an Azure Automation Account?

The topic of Azure Automation is MASSIVE, and to be fair, I’m not qualified to fully cover everything. If you want the full overview, check out Microsoft’s documentation. I just want to talk about Azure Automation Accounts. Essentially, Azure Automation Accounts provide an Azure-based service for using “Runbooks” to schedule and run scripts you create. These scripts can perform anything from a simple task to a complex automation task; you are limited only by your ability to write scripts. Runbooks can be PowerShell or Python 3 scripts and can follow a schedule.

Azure Automation Accounts also include some key features like a built-in key vault and the ability to be used as a Managed Identity as well. These features help ensure that your runbooks can be run and managed securely using native tools in Azure.

Another excellent feature of these Azure Automation accounts is that they support various options for external triggers to call the automation runbook. Something like a Power App, or Power Automate flow can trigger these runbooks via a webhook or PowerShell command.

This is only a portion of what these services can perform, but even with that, you can see how these are limited only by your imagination and ability to write the code. Interested? I know I am! Let’s work through setting up an Azure Automation Account, and then we can talk about some other ways we can leverage this to make our lives easier and automate more of our everyday tasks.


How to Set Up an Azure Automation Account

Like many things, this starts at Portal.Azure.com. We will create a new Automation Account, assign it to a resource group, and then work on setting up the first runbook. I was not able to do this on the developer tenant I had set up, so I had to use my SeeSmitty one. Just be sure that if you keep the automation account, you keep a minimal schedule (or no schedule at all) to avoid excess charges.

Azure Automation Account Setup

  1. First, let’s log into portal.azure.com. In the top search bar, search for Automation Accounts.
  2. Hit the “Create” button to begin the process. Choose a subscription and a resource group (I recommend creating one just for this), and give your automation account a unique name. Then hit Next.
  3. On the next screen, I recommend leaving it as a System Managed identity. Whether you end up assigning roles or not to this account, it is more secure to let Azure manage the account password than to try and manage it yourself. However, this is your choice, so do what makes sense for you. This choice DOES NOT prevent you from using a service account in your script; it only sets the identity of the Automation Account itself. Then hit Next.
  4. The next page is networking. This is another question you have to determine for yourself. If this is just for learning, and not production work, it should be fine to leave it public-facing if you need external access (for a third-party API, for example). Otherwise, you can set it to private to access internal resources only. If you want it to be private, then use the wizard to assign it a private endpoint connection. I left mine as Public for now. Make your choice, then hit Next.
  5. On the next page, you can add some tags. I find tags to be incredibly helpful in my daily work, but don’t tend to do it in my personal tenant. Hit Next when you are finished.
  6. Finally, we get to the review and create tab. If everything checks out, then hit Create. Give it a few minutes to finish, then click on “Go To Resource” to enter the automation account.

Setup Complete!

There we go! We have now created an Azure Automation account. Take some time to look at the different elements of the automation account, and then when you are ready, we’ll take a look at some of the features that make Automation Accounts awesome to work with.


Automation Account Runbooks

Runbooks are what make Azure Automation Accounts so valuable. The runbook section offers the following options to leverage the power of these scripts to their fullest.

The Test Pane

As with any good tool, testing should be a regular part of any new implementation. With runbooks, you can load your script into the automation account and test it before it goes live. Whatever your script is supposed to do, it will do; the automation account test pane won’t block external access or anything like that. But it lets you avoid saving, then publishing, then queueing and then running your script every time you make a change to test functionality. It’s honestly nice just having that capability built in.

The Publish / Revert to Published Button

If you have ever accidentally saved over a working version of a script, you will appreciate this functionality. First off, once you have done your preliminary testing, you can publish a working version of the script. Then you can keep testing and working on the script. This means you can have a working and a testing version of a runbook available. It also means you can revert back to the last known working version if you use the Revert to Published button. This is like a reset based on a specific point in time. These are both helpful when working with these runbooks, so I felt they deserved a mention.

Assets Section

We will see more about it below, but all of your shared resources are available from within the runbook pages. There are easy-to-follow buttons for importing and calling those assets directly into the runbook. This makes managing variables, credentials and certificates far easier than with previous tools.


Configure Automation Account Resources

One of the best parts of the Azure Automation Accounts is the native key vault function built right into the tool. This allows you to securely store and access API keys, secrets, certificates and even credentials. This is a much-needed feature and should help ensure that your secrets are stored securely and not in plain text in your code. The Shared Resources section gives you an opportunity to create resources like access keys, credentials and certificates that can be used across multiple runbooks. This makes it much easier to manage access to these things and allows you to have similar scripts all living in the same place.


Schedules

Schedules allow you to create recurring events that automatically trigger a runbook in your Automation Account. This is helpful if your script is running a clean-up process to remove stale devices or syncing information from an API. Automation accounts have multiple methods for triggering a runbook to run, and the schedules tab is one of them.

Modules/Python Packages

The modules section is an incredibly powerful section. This allows your runbooks to import whatever modules are needed to successfully run your scripts. You can search the Microsoft Gallery and import PowerShell Modules as needed. They load in sections, so it can take a while to get them all loaded, but they will load faster once your script actually runs if you call Import-Module at the beginning. This is an awesome feature, and really what gives the automation accounts so much value. The same is true for Python Packages as well (though as you know, I am a PowerShell guy, so for me this is an afterthought. Sorry!).

Credentials

The credentials section allows you to leverage the built-in key vault functionality to save credentials needed to run sections of your script. You can save the login information for service accounts encrypted in the key vault so they are available yet secure within your scripts.

Connections


Admittedly, I haven’t used the connections section yet, but I’m confident it isn’t for finding ads about the one that got away. This section looks to leverage native Azure connections as hard-coded connections in the automation account. They are tied to specific modules and other Azure services and will have specific use cases associated with them. If you come across one of these, let me know so I can check it out for myself!

Certificates

The certificates section allows you to upload certificates and their private keys into another area of Azure Key Vault storage. These certificates may apply a signing function or may be used in an authentication context from within your script. The area just ensures that you can use them safely and securely.

Variables

The Variables section is by far one of my favorites. This allows you to do 2 things right off the bat. First, you can define your variables OUTSIDE of the script, meaning you can use a variable all throughout your script and set it from a variable you configure in the automation account. For example, if you needed to change a security key that is rotated regularly, you can save that in the Variables section and just have the variable in the script call the automation account variable. This means you don’t have to update and republish the script when you need to update a variable.

Secondly, these variables you configure in this section can also be treated like secrets in a key vault. If you want to store secret keys you can do so by encrypting them when you store them. This then allows you to call them from within the script without ever exposing the secret in plain text.
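
As an added example (not code from the original post), here is a PowerShell runbook that ties the managed identity, Variables and Credentials sections together. The asset names `Demo-ApiKey` and `Demo-ServiceAccount`, the endpoint URL and the bearer-token header are assumptions made up for illustration.

```powershell
# Added example runbook. Asset names and the API endpoint are hypothetical.
param(
    [string]$ApiKeyVariableName = 'Demo-ApiKey',          # encrypted variable asset (assumed name)
    [string]$CredentialName     = 'Demo-ServiceAccount',  # credential asset (assumed name)
    [string]$ApiUri             = 'https://api.example.invalid/v1/devices'  # placeholder URL
)

$ErrorActionPreference = 'Stop'

# Do not inherit or persist an Azure context between jobs.
Disable-AzContextAutosave -Scope Process | Out-Null

# Sign in as the Automation Account's system-assigned managed identity.
# No password or secret appears anywhere in the script.
$context = (Connect-AzAccount -Identity).Context
Write-Output "Signed in with managed identity, subscription $($context.Subscription.Id)"

# Get-AutomationVariable and Get-AutomationPSCredential are internal cmdlets that
# exist only inside a running Automation job; encrypted values are decrypted here.
$apiKey     = Get-AutomationVariable -Name $ApiKeyVariableName
$credential = Get-AutomationPSCredential -Name $CredentialName

if ([string]::IsNullOrWhiteSpace($apiKey)) { throw "Variable '$ApiKeyVariableName' is missing or empty." }
if ($null -eq $credential)                 { throw "Credential '$CredentialName' was not found." }

# The user name is safe to log; the password stays inside the PSCredential object.
Write-Output "Loaded credential for user $($credential.UserName)"

# Keep the secret in memory only. Job output streams are stored with the job,
# so never send the key or the password to Write-Output or Write-Verbose.
$headers = @{ Authorization = "Bearer $apiKey" }   # header format is an assumption
try {
    $response = Invoke-RestMethod -Uri $ApiUri -Headers $headers -Method Get
    Write-Output "API call succeeded; received $(@($response).Count) item(s)."
}
catch {
    # Report the error message only; the request headers contain the key.
    throw "API call failed: $($_.Exception.Message)"
}
```

When the key is rotated, only the variable asset changes and the published runbook stays as it is. Once a variable is created as encrypted, its value can be read back only from inside a runbook through `Get-AutomationVariable`.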

The flexibility these shared resources offer is a major part of the strength of automation accounts, and they truly open up some awesome possibilities as we dive deeper into these tools.


Conclusion

There we go! We are ready to start using Azure Automation Accounts. Now that we have covered the basics for setup, we can start planning on configuring our first runbook. I didn’t cover every aspect of Automation Accounts because I wanted to focus on the basics of what I could demonstrate so far. As I get more comfortable, I’ll bring more examples to the blog.

I was able to rewrite an older script I have posted out here, related to terminated user follow-up emails to managers with Delegate access. For me this was an excellent example of a repetitive, tedious process that needed to be done on a regular basis and that required more time than it was worth doing manually. Azure Automation Accounts allowed me to fully automate the entire thing, and now it is something that just happens. I’ll break down how I did it in the next part of this Azure Automation Account series.

What about you? Are you excited to get started with Azure Automation Accounts? Have you already created some awesome automation tasks to help with your daily job? What kinds of things might you be interested in seeing happen? Let me know! I want to hear your ideas because I know my imagination is the biggest limitation to what I can accomplish on this platform.

Hit me up on Twitter @SeeSmittyIT to let me know what you thought of this post. Or if you are avoiding the bird site, I’m also posted up on Mastodon @[email protected]. Thanks for reading!

Smitty

Curtis Smith works in IT with a primary focus on Mobile Device Management, M365 Apps, and Azure AD. He has certifications from CompTIA and Microsoft, and writes as a hobby.
