Using Azure Automation with Multiple Subscriptions

  • [アーティクル]

Azure Automation is very useful for almost every Azure administrator, but it can be challenging to figure out how to run a process across multiple subscriptions. Below we'll walk through the steps to run a PowerShell run book across multiple subscriptions with the assumption that the automation account already exists in one subscription. For information on how to create an automation account, see here . The other assumption is that we are working with Resource Manager, not Classic deployments.

Once we have our automation account the high level steps are as follows:
1. Find the ApplicationID of the RunAS connection
2. Grant that applicationID the appropriate permissions in the other subscriptions (in my example, I'm giving it subscription level contributor access).
3. Set the appropriate context during runbook execution.

When an Azure Automation account is created it asks if "RunAS" account should be created and defaults to 'yes'. If you keep the defaults, you'll have a connection asset in the automation account called "AzureRunAsConnection". This connection asset is really a Service Principal in Azure AD.
RunAs Connection

Copy the "ApplicationID" of the AzureRunAsConnection to the clipboard and grant it rights to any subscriptions you want to manage with your central automation account. In this example, I've given it contributor rights at the subscription level, but you could certainly use more granular permissions here or scope it to a specific resource group.

Automation Account Subscription Level Permissions

Now I just need to write my runbooks in such a way that they'll use the connection asset and select the appropriate subscription. The following code sample runs from a subscription called 'sub1' and creates a new resource group in subscription name 'sub2'. You'll need to update the certificate thumbprint in this script by retrieving it from the Assets-->Certificates blade in the automation account.

 

 $Conn = Get-AutomationConnection -Name AzureRunAsConnection 
add-AzureRmAccount -ServicePrincipal -Tenant $Conn.TenantID -ApplicationId $Conn.ApplicationID -CertificateThumbprint #yourthumbprint

Select-AzureRmSubscription -SubscriptionName 'sub2'
$rg = 'testrg'
New-AzureRmResourceGroup -Name $rg -Location westus2

Comments

  • Anonymous
    October 23, 2017
    what about Classic Auth?
  • Anonymous
    January 02, 2018
    Hi John,Thanks for the above, pretty clear. I had created a runbook within the same subscription and able to run it using RunAs( Not classic) using Service Prinicipal. Also was able to list resource groups. But even after I added the applicationID of the automation account as contributor to subscription, attempting to list the subsription using name or id gives me "Not exists" message. Does that mean the above method would help only if the automation runbook subscription is different to the subscription we want to use?