
Execute Azure Automation Runbooks Across Tenants

I am able to execute Runbooks within my Azure tenant/subscription, but would like to use a single Azure Automation Account in my tenant to execute Runbooks against other tenants and their subscriptions.

I have found this article for running against multiple subscriptions, but is it possible to have a centralized Azure Automation Account in one tenant that can connect and execute against other tenants and their subscriptions?

https://blogs.technet.microsoft.com/knightly/2017/05/26/using-azure-automation-with-multiple-subscriptions/

So I stumbled upon this article, which offers guidance on how to do what you want:
https://blogs.technet.microsoft.com/knightly/2017/05/26/using-azure-automation-with-multiple-subscriptions/

Basically what I said: get the appId and grant it permissions to perform actions on other subs.

Based on my knowledge, if your account is an Azure AD account, it is possible. Also, if your account is a Microsoft account, you could also create an Azure AD account. For more information about how to create a new Azure AD user, please refer to this link.

You could create a credential and store your account and password in it.

You can retrieve the credential in a runbook using the Get-AutomationPSCredential activity and then use it with Add-AzureRmAccount to connect to your Azure subscription. The following commands work for me.

# Retrieve the credential asset stored in the Automation Account
$cred = Get-AutomationPSCredential -Name "shuitest"
# Sign in non-interactively with that credential
Add-AzureRmAccount -Credential $cred
# Pick the subscription that the following cmdlets should run against
Select-AzureRmSubscription -SubscriptionName "Your Subscription Name"

For more information about this, you could refer to this link.

If you want to log in to multiple tenants in one runbook, you need to sign in to each one separately and then execute your PowerShell cmdlets.
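As an added example (not part of the answer above), the following runbook signs in to two tenants one after another with a stored credential asset per tenant, does a read-only piece of work in each, and drops the context before moving on. The credential asset names, tenant IDs and subscription IDs are placeholders; Disconnect-AzureRmAccount assumes a recent AzureRM.Profile module. Password-based sign-in like this only works for an account that is not required to complete MFA, so the account used should be a dedicated one holding only the role the runbook needs in each subscription.

```powershell
# Added example, not the answer's own code. Asset names and IDs below are placeholders.
$targets = @(
    @{ Credential = 'Tenant01-Automation'; TenantId = '00000000-0000-0000-0000-000000000001'; SubscriptionId = '11111111-1111-1111-1111-111111111111' },
    @{ Credential = 'Tenant02-Automation'; TenantId = '00000000-0000-0000-0000-000000000002'; SubscriptionId = '22222222-2222-2222-2222-222222222222' }
)

foreach ($t in $targets) {
    # The password lives in the credential asset, never in the runbook source.
    $cred = Get-AutomationPSCredential -Name $t.Credential
    try {
        # Pinning -TenantId and -SubscriptionId stops the sign-in from landing in the
        # account's home tenant when the same account exists as a guest elsewhere.
        Add-AzureRmAccount -Credential $cred -TenantId $t.TenantId -SubscriptionId $t.SubscriptionId -ErrorAction Stop | Out-Null

        # Verify we are where we think we are before doing any work.
        $ctx = Get-AzureRmContext
        if ($ctx.Tenant.Id -ne $t.TenantId) {
            throw "Context is in tenant $($ctx.Tenant.Id), expected $($t.TenantId)"
        }
        Write-Output ("Connected to tenant {0}, subscription {1}" -f $ctx.Tenant.Id, $ctx.Subscription.Name)

        # Per-tenant work goes here; a read-only VM inventory is used as the sample action.
        Get-AzureRmVM | Select-Object Name, ResourceGroupName, Location
    }
    catch {
        Write-Error ("Sign-in or work failed for tenant {0}: {1}" -f $t.TenantId, $_.Exception.Message)
    }
    finally {
        # Clear the context so the next iteration cannot accidentally run against the previous tenant.
        Disconnect-AzureRmAccount -ErrorAction SilentlyContinue | Out-Null
    }
}
```

The tenant check after sign-in is the part worth keeping even if you simplify the rest: a runbook that silently lands in the wrong tenant and then makes changes is harder to notice than one that fails loudly.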

I was struggling with the same issue today, specifically how to authenticate cross-tenant. I solved the authentication part of it by having an Azure Automation Account in both of my tenants, both with a RunAs Account. By default these will be called AzureRunAsConnection.

Tenant01 is my main Tenant that holds the Automation Account that does all the work.
Tenant02 is "passive".

  • Use this script to export the certificate of Tenant02
  • Import the certificate into Tenant01
  • In Tenant01, add an additional RunAs connection (e.g. "AzureRunAsConnection02") and enter the ApplicationId, TenantId, CertificateThumbprint and SubscriptionId of the RunAs account from Tenant02

With identical RunAs accounts and certificates in both tenants, you should now be able to switch between your tenants in your runbook with:

Get-AutomationConnection -Name AzureRunAsConnection
Get-AutomationConnection -Name AzureRunAsConnection02
etc...
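As an added example (not part of the answer above), this runbook loops over the two connection assets the answer describes, signs in to each tenant as the RunAs service principal using the certificate thumbprint stored in the connection, and runs a read-only listing in the matching subscription. It uses the ApplicationId, TenantId, CertificateThumbprint and SubscriptionId fields that the answer says the connection asset contains; the per-tenant work is a placeholder.

```powershell
# Added example, not the answer's own code. Connection names are the ones the answer uses.
$connectionNames = @('AzureRunAsConnection', 'AzureRunAsConnection02')

foreach ($name in $connectionNames) {
    # Each connection asset carries ApplicationId, TenantId, CertificateThumbprint and SubscriptionId.
    $conn = Get-AutomationConnection -Name $name
    if (-not $conn) {
        Write-Error "Connection asset '$name' not found; skipping."
        continue
    }

    try {
        # Certificate-based service principal sign-in; the private key must be present in
        # Tenant01's Automation Account as a certificate asset so the sandbox can find it by thumbprint.
        Add-AzureRmAccount -ServicePrincipal `
            -TenantId $conn.TenantId `
            -ApplicationId $conn.ApplicationId `
            -CertificateThumbprint $conn.CertificateThumbprint `
            -ErrorAction Stop | Out-Null

        # Select the subscription recorded in the connection and confirm the tenant matches.
        Set-AzureRmContext -SubscriptionId $conn.SubscriptionId -ErrorAction Stop | Out-Null
        $ctx = Get-AzureRmContext
        if ($ctx.Tenant.Id -ne $conn.TenantId) {
            throw "Context is in tenant $($ctx.Tenant.Id), expected $($conn.TenantId)"
        }
        Write-Output ("[{0}] tenant {1}, subscription {2}" -f $name, $ctx.Tenant.Id, $ctx.Subscription.Name)

        # Per-tenant work goes here; a read-only resource-group listing is the sample action.
        Get-AzureRmResourceGroup | Select-Object ResourceGroupName, Location
    }
    catch {
        Write-Error ("Failed for connection {0}: {1}" -f $name, $_.Exception.Message)
    }
    finally {
        # Clear the context between tenants so later cmdlets cannot run against the wrong one.
        Disconnect-AzureRmAccount -ErrorAction SilentlyContinue | Out-Null
    }
}
```

Because the service principal in Tenant02 authenticates with a certificate rather than a password, this pattern does not depend on a user account and is unaffected by MFA policies; the certificate asset in Tenant01 is the secret to protect, and the RunAs application in Tenant02 should be granted only the role the runbook actually needs.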
