Quite a while ago, I created a simple solution for deallocating VMs in Azure for one simple reason: I kept forgetting to properly deallocate resources, resulting in some surprises when reviewing the bill (the post can be found here).
Fortunately, Microsoft has introduced (still in preview at the moment) a more robust and elegant way of hosting and executing your PowerShell automation assets, called Microsoft Azure Automation. This post covers how to move existing Azure-related PowerShell scripts into Microsoft Azure Automation.
NOTE: If you are new to Microsoft Azure Automation, please consider reviewing the following resources.
My scenario: deallocate a list of VMs at midnight.
What’s important to know is that a while ago it was necessary to set up certificate-based authentication within Azure, which consists of a number of steps. Fortunately, this can be avoided by using Microsoft Azure organization identity credential-based authentication. Jobs don’t run within the portal but in a separate environment, so a Runbook has to authenticate before it can access your Azure resources.
Authenticating using Azure Active Directory
Step 1 – Creating the Automation account
- Within the Azure Management Portal, make sure you are logged in as an Administrator.
- Open Active Directory as found within the right menu.
- Select the Active Directory associated with the Azure subscription to manage.
- Select the USERS tab, followed by the ADD USER button located on the bottom of the page.
- Within the ADD USER dialog, make sure to select “New user in your organization” and provide a name.
- In the USER PROFILE screen, provide a name and make sure the ROLE is set to User and MULTI-FACTOR AUTHENTICATION isn’t enabled (the Runbook signs in with user name and password only and cannot complete a multi-factor prompt).
- On the next screen, click the CREATE button to generate a password and copy both the user name and the generated password.
- Open a different browser or incognito session and try to log in to the Microsoft Azure portal with the new account.
- Change the temporary password.
Step 2 – Enable subscription management for the automation user
- To grant the automation user permission to manage the Azure subscription, log in using your Azure Admin account (not the automation user).
- Open Settings as found within the right menu.
- Click on the ADMINISTRATORS tab > Click the ADD button located on the bottom of the page.
- Copy in the full user name of the created automation user and select the subscriptions you want this user to be able to manage.
Step 3 – Create a Microsoft Azure Automation Credential Asset used as a reference to the Automation user within your Runbook code
- Within the Microsoft Azure Automation section of the portal, select the Azure Automation Account that needs access to Azure resources using the Automation user (or create a new Azure Automation Account).
- Select the ASSETS tab and click the button called ADD SETTINGS.
- Select ADD CREDENTIAL within the first screen.
- On the Define Credential screen, select “Windows PowerShell Credential” and provide a name.
- Provide the full user name of the Automation user and the matching password. Note that this screen doesn’t check whether the user name and password are valid.
Step 4 – Test the Automation user
- Open the Azure Automation account within the Microsoft Azure portal.
- Create a new Runbook within this account by clicking on the tab RUNBOOKS and NEW » RUNBOOK » Quick Create and provide the name “Test”.
- Open the just created Runbook and click on the AUTHOR tab.
- Replace the default PowerShell workflow code with the sample below
NOTE: You will need to set the Azure Subscription if the automation user has access to multiple subscriptions
Select-AzureSubscription -Current "XYZ"
- Invoke the Runbook by clicking the TEST button.
This should result in an Azure VM object dump.
Step 5 – Creating the Shutdown Runbook
At this point you will be able to access Azure resources from within your Runbooks, and therefore we can continue creating the Shutdown Runbook.
- Create a new Runbook by clicking on the tab RUNBOOKS and NEW » RUNBOOK » Quick Create. Name it “Shutdown”.
- Open the AUTHOR tab and include the following script:
Runbooks can be consumed by other Runbooks, so it’s important to construct them in a modular way, eliminating hard-coded values by passing in parameters and using Microsoft Azure Automation assets. The script therefore accepts a VM prefix parameter called STARTSWITH. Invoking the Runbook will allow you to provide a value.
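A Shutdown Runbook along the lines described in Step 4 and Step 5, written here as an added example and not the author's original script: it authenticates with the credential asset from Step 3 and deallocates every VM whose name starts with the STARTSWITH value. The asset name 'AutomationUser' is an assumption, and "XYZ" is the placeholder subscription name from the Step 4 note.

```powershell
workflow Shutdown
{
    param(
        # VM name prefix; shown as STARTSWITH when the Runbook is invoked
        [Parameter(Mandatory = $true)]
        [string] $StartsWith
    )

    # An empty prefix would match every VM in the subscription, so refuse it.
    if (-not $StartsWith) {
        throw "StartsWith must be a non-empty VM name prefix."
    }

    # Read the credential asset from Step 3 instead of hard-coding a password.
    # 'AutomationUser' is an assumed asset name.
    $cred = Get-AutomationPSCredential -Name 'AutomationUser'
    if (-not $cred) {
        throw "Credential asset 'AutomationUser' was not found."
    }

    # Non-interactive sign-in as the automation user; stop if it fails.
    $account = Add-AzureAccount -Credential $cred
    if (-not $account) {
        throw "Sign-in as the automation user failed."
    }

    # Pin the subscription explicitly ("XYZ" is the placeholder from Step 4).
    Select-AzureSubscription -SubscriptionName "XYZ"

    InlineScript {
        $prefix = $Using:StartsWith
        Get-AzureVM |
            Where-Object {
                # Literal prefix match, so wildcard characters are not expanded
                $_.Name.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase) -and
                $_.Status -ne 'StoppedDeallocated'
            } |
            ForEach-Object {
                # Stop-AzureVM deallocates unless -StayProvisioned is given
                Stop-AzureVM -ServiceName $_.ServiceName -Name $_.Name -Force | Out-Null
                "Deallocated $($_.ServiceName)/$($_.Name)"
            }
    }
}
```

Replacing the InlineScript body with a bare `Get-AzureVM` call gives a read-only variant suitable for the Step 4 test.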
- Before it’s possible to schedule the Runbook for execution it’s required to Publish the Runbook first by clicking on the Publish button (located next to the TEST button).
- After publishing the Runbook, click on the SCHEDULE tab to complete the final step: scheduling the Runbook.
- On the schedule page select “LINK TO A NEW SCHEDULE” and give the Schedule the name “Midnight”.
- Set the schedule time to midnight and include the STARTSWITH value for the schedule.
Yes, there are some steps involved in setting this up, but Microsoft Azure Automation enables you to create some very fancy automation assets.