Azure Automation with Azure Active Directory Authentication

I finally got a bit of time and an excuse to test the integration of Azure Automation with Azure Active Directory authentication. This topic is very important to me for two reasons – firstly because I’m a big advocate of automation and I found the setup of automation, with certificate authentication, cumbersome and therefore a barrier of entry, and secondly because using AD will tie automation very nicely to the recently announced role-based access control for Azure.

So – to get started, I’ve created a user specifically for automation in the directory used to control access to my subscription. At this point in time Automation will only work with ‘organisational users’ (i.e. not a Microsoft-Account user) but that’s perfectly fine for me.

The user was created as a normal ‘User’; it did not need to be an administrator of any type.

Next, I’ve added the user as a co-admin of the subscription using the Azure Management Portal.

Following that I signed in to the management portal with that user, which gave me the opportunity to change the temporary password to a permanent one.

With the user configured and ready I entered my automation account, switched to the Assets tab and clicked the Add Setting button on the tool bar. In the dialogue that opened I selected ‘Add Credential’.

I then selected Windows PowerShell Credentials as the Credential Type and entered a friendly name and description.

Finally – I entered the username (which is the email address within the directory’s domain) and password.

With the credentials all set up I went on to write a simple workbook – I wanted to start all the VMs in my subscription, and so my ‘stop’ workbook looks like this –

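workflow StartVMs
{
    # Look up the Credential asset by its friendly name (not the directory username)
    $cred = Get-AutomationPSCredential -Name "Automation User"

    # Sign in to Azure with the Azure Active Directory user held in the asset
    Add-AzureAccount -Credential $cred

    # Choose the subscription the VM cmdlets will run against
    Select-AzureSubscription -SubscriptionName "<subscription name here>"

    InlineScript
    {
        # Enumerate every VM in the subscription and start each one
        $listVM = Get-AzureVM
        foreach ($vm in $listVM)
        {
            Start-AzureVM -ServiceName $vm.ServiceName -Name $vm.Name
        }
    }
}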

One of the mistakes I made initially was to specify the Azure Active Directory username when calling Get-AutomationPSCredential instead of the friendly name I assigned when creating the Credential asset, which resulted in an authentication error.
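
A fail-fast variant of the runbook above, as an added example that is not part of the original post: it checks that the Credential asset lookup and the sign-in both returned something before any VM is touched, so the asset-name mix-up described above surfaces as a clear error instead of a later authentication failure. The workflow name, the parameter names and the assumption that a failed lookup or sign-in yields an empty result are this example's own.

```powershell
workflow Start-AllVMsChecked
{
    param (
        # Friendly name given to the Credential asset, NOT the directory username
        [Parameter(Mandatory = $true)]
        [string] $CredentialAssetName,

        [Parameter(Mandatory = $true)]
        [string] $SubscriptionName
    )

    $cred = Get-AutomationPSCredential -Name $CredentialAssetName

    # Assumption: a name that matches no Credential asset yields an empty result
    if (!$cred)
    {
        throw "No Credential asset named '$CredentialAssetName'. Use the asset's friendly name, not the Azure AD username."
    }

    $account = Add-AzureAccount -Credential $cred

    # Assumption: a rejected sign-in yields an empty result; stop here rather
    # than let the VM cmdlets run without an authenticated account
    if (!$account)
    {
        throw "Sign-in failed for Credential asset '$CredentialAssetName'. Check the stored username and password."
    }

    Select-AzureSubscription -SubscriptionName $SubscriptionName

    InlineScript
    {
        foreach ($vm in Get-AzureVM)
        {
            # Record each action in the job output so the run can be audited
            Write-Output "Starting $($vm.Name) in service $($vm.ServiceName)"
            Start-AzureVM -ServiceName $vm.ServiceName -Name $vm.Name
        }
    }
}
```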

About Yossi Dahan
I work as a cloud solutions architect in the Azure team at Microsoft UK. I spend my days working with customers, helping them be successful in the cloud with Microsoft Azure.
