Automation
Azure Automation allows you to automate the creation, monitoring, deployment, and maintenance of resources in your Azure environment using a highly-available workflow execution engine. Orchestrate time-consuming, error-prone, and frequently repeated tasks against Azure and third party systems to decrease time to value for your cloud operations.
Visit the Automation page to learn more about Automation and how to get started.
-
Azure Automation should support using pre-existing Service Principals for RunAs connections
Currently the only supported method for adding a RunAs connection to an Azure Automation account is to create a new Service Principal. By default the SP is created with Contributor access to the entire subscription.
This is not ideal for several reasons:
* Contributor access to a subscription is a relatively high level of access. I would like to ensure that my automation accounts are more tightly constrained.
* The auto-generated name for the SP can cause problems in accounts that have applied a naming standard/governance model to SP accounts.
* Since we are unable to reuse our existing SPs…
61 votes -
Delete subscriptions without first removing RBAC role definitions /assignable scopes
We have a custom RBAC role definition that we link to new subscriptions. If we delete a subscription without first removing the link with the RBAC role definition, we are unable to link this role definition to new subscriptions. This is blocking our environment, because we are not able to adapt our current role and rights model.
So, it should be possible to remove subscriptions without first removing the link(s) with role definitions /assignable scopes.
See ticket 117020815287840 for more information.
22 votes -
Allow 'Protected' RunBook items in the Admin Portal
Description: Until granular permissions for items become available per administrator, allow critical RunBooks to be marked as protected and with a password requirement.
Reason: Critical runbooks need to be protected as much as possible from accidental deletion or editing. Mitigate possibility of human error.
9 votes
Would role based access control solve this problem for you?
Also, are you interested in protecting runbooks from being started or just edited and deleted?
Thanks,
Beth -
Automation Operator Status View
We need a mechanism to allow automation operators to read the current status of the runbook. I was using the 'Output' stream to notify the automation operator of which step the runbook was on, but that stream has been removed. I don't want to write to the error or warning streams for status updates (this is counter-intuitive if the status is good). The output window was a perfect solution for this.
6 votes -
Automation Account: Lower default permissions for RunAs Account
Instead of Contributor permissions on subscription level, the RunAs account should only have permissions in the scope of the resource group that holds the Automation Account. Imho, always start with least principle rather than the other way round.
4 votes -
RBAC including variable, credential, and certificate objects
Allow access controls including variable, credential, and certificate objects.
We would like to create a general automation account using a single on-prem hybrid runbook worker pool. This is not possible while we cannot limit access to assets. Under the current model, the cost justification is a harder sell since every automation account requires its own on-prem hybrid runbook worker pool.
4 votes -
Automation Accounts are too permissive upon creation
Upon creating an Automation Account, the following actions happen:
1. Creates a service principal in Azure Active Directory (Azure AD).
2. Creates a certificate.
3. Assigns the Contributor role, which manages Azure Resource Manager resources by using runbooks.
Action #3 is too permissive, as this grants the new service principal Contributor access across the entire subscription, whereas in most cases access is only needed for specific resources or resource groups.
Please change the deployment process to give users the option for this access instead of automatically granting the service principal such a broad role.
3 votes -
External Data Source - Polybase SAS Token unsupported
Hi Storage Team,
We are providing some storage accounts to DBA team and generally we insert the SAS token with time limit into the keyvault for DBA team to use in their scenarios.
This process was working fine until we ran into the use case for DBA team to connect the DataWareHouse/SQL DB in SQL Server to a storage account.
As per MS Doc article the SAS token is not supported and we now have to provide the GOD Admin Access Keys for storage account. This is too much power given.
Can we ask for SAS Token to be…
3 votes -
Add sourceControls actions to Resource Provider
The Microsoft.Automation/automationAccounts/sourceControls/* operations (as internally used by the ARM) are not externally visible from the resource provider. As a result, custom RBAC roles cannot be created around these operations.
1 vote -
Runbook delegation
Sad that there is no way to grant permissions to a user to create and edit only the runbooks they create or they have access to without giving them contributor access to the whole automation account.
1 vote