Automation

Azure Automation allows you to automate the creation, monitoring, deployment, and maintenance of resources in your Azure environment using a highly available workflow execution engine. Orchestrate time-consuming, error-prone, and frequently repeated tasks against Azure and third-party systems to decrease time to value for your cloud operations.

Visit the Automation page to learn more about Automation and how to get started.

  1. Azure Automation should support using pre-existing Service Principals for RunAs connections

    Currently the only supported method for adding a RunAs connection to an Azure Automation account is to create a new Service Principal. By default the SP is created with Contributor access to the entire subscription.

    This is not ideal for several reasons:
    * Contributor access to a subscription is a relatively high level of access. I would like to ensure that my automation accounts are more tightly constrained.
    * The auto-generated name for the SP can cause problems in accounts that have applied a naming standard/governance model to SP accounts.
    * Since we are unable to reuse our existing SPs…

    43 votes
    2 comments  ·  Role Based Access Control
  2. Delete subscriptions without first removing RBAC role definitions/assignable scopes

    We have a custom RBAC role definition that we link to new subscriptions. If we delete a subscription without first removing the link with the RBAC role definition, we are unable to link this role definition to new subscriptions. This is blocking our environment, because we are not able to adapt our current role and rights model.

    So, it should be possible to remove subscriptions without first removing the link(s) with role definitions/assignable scopes.

    See ticket 117020815287840 for more information.

    22 votes
    3 comments  ·  Role Based Access Control
  3. Allow 'Protected' RunBook items in the Admin Portal

    Description: Until granular permissions for items become available per administrator, allow critical RunBooks to be marked as protected and with a password requirement.

    Reason: Critical runbooks need to be protected as much as possible from accidental deletion or editing. Mitigate possibility of human error.

    9 votes
    3 comments  ·  Role Based Access Control
    under review  ·  Beth Cooper responded

    Would role based access control solve this problem for you?

    Also, are you interested in protecting runbooks from being started or just edited and deleted?

    Thanks,
    Beth

  4. Automation Operator Status View

    We need a mechanism to allow automation operators to read the current status of the runbook. I was using the 'Output' stream to notify the automation operator of which step the runbook was on, but that stream has been removed. I don't want to write to the error or warning streams for status updates (this is counter-intuitive if the status is good). The output window was a perfect solution for this.

    6 votes
    1 comment  ·  Role Based Access Control
  5. Automation Account: Lower default permissions for RunAs Account

    Instead of Contributor permissions on subscription level, the RunAs account should only have permissions in the scope of the resource group that holds the Automation Account. IMHO, always start with least principle rather than the other way round.

    4 votes
    0 comments  ·  Role Based Access Control
  6. RBAC including variable, credential, and certificate objects

    Allow access controls including variable, credential, and certificate objects.

    We would like to create a general automation account using a single on-prem hybrid runbook worker pool. This is not possible while we cannot limit access to assets. Under the current model, the cost justification is a harder sell since every automation account requires its own on-prem hybrid runbook worker pool.

    4 votes
    0 comments  ·  Role Based Access Control
  7. External Data Source - Polybase SAS Token unsupported

    Hi Storage Team,

    We are providing some storage accounts to the DBA team and generally we insert the SAS token with a time limit into the keyvault for the DBA team to use in their scenarios.

    This process was working fine until we ran into the use case for the DBA team to connect the DataWareHouse/SQL DB in SQL Server to a storage account.

    https://docs.microsoft.com/en-us/sql/t-sql/statements/create-external-data-source-transact-sql?view=azure-sqldw-latest#a-create-external-data-source-to-reference-azure-blob-storage

    As per MS Doc article the SAS token is not supported and we now have to provide the GOD Admin Access Keys for storage account. This is too much power given.

    Can we ask for SAS Token to be…

    3 votes
    1 comment  ·  Role Based Access Control
  8. Add sourceControls actions to Resource Provider

    The Microsoft.Automation/automationAccounts/sourceControls/* operations (as internally used by the ARM) are not externally visible from the resource provider. As a result, custom RBAC roles cannot be created around these operations.

    1 vote
    0 comments  ·  Role Based Access Control
  9. Runbook delegation

    Sad that there is no way to grant permissions to a user to create and edit only the runbooks they create or they have access to without giving them contributor access to the whole automation account.

    1 vote
    0 comments  ·  Role Based Access Control
  10. Runbook delegation

    Sad that there is no way to grant permissions to a user to create and edit only the runbooks they create or they have access to without giving them contributor access to the whole automation account.

    0 votes
    0 comments  ·  Role Based Access Control
  11. Trigger for Azure Automation Runbook needs Webhook writing permission.

    We want a feature about RBAC for action groups.
    If an Automation Runbook is selected in the action group configuration, the user needs permission of Contributor or above at the subscription.

    If the permission is Owner on a resource group, we cannot configure the Automation trigger.
    This is because the Automation trigger also needs webhook write permission in the configuration.

    Currently, configuration is only permitted to a Contributor or Owner of the subscription.
    It is very hard to grant these roles for every customer.
    If there were a Webhook role for writing and reading, this issue would be resolved easily.

    3 votes
    0 comments  ·  Role Based Access Control