Azure Automation Week!
This week is Azure Automation week here at EphingAdmin! This week you will find new posts every day on cool things you can do with Azure Automation, SCSM, and SCCM. On Friday, you’ll see everything come together in a dynamic offline SCCM OSD task sequence!
Today, we will go over the setup. We will need an Azure AD Subscription, Azure AD Service Account, OMS Account, and an Azure Automation account. Don’t worry, all of this is free and easy to set up. I’ll break this up into sections, so if you already have a part complete, you can skip over it. You can find these sections by doing Ctrl+F and searching for the string! The poor mans table of contents!
The sections are going to be:
1) Sign up for Azure
2) Create a service account in Azure
3) Sign up for OMS
4) Download & install the OMS agent
5) Create the Azure Automation account
6) Give your service account permissions to the Azure Automation account
7) Set up the Hybrid Runbook Worker
If you want additional information on this process, Nickolaj Andersen has a great blog post on Azure Automation and SCCM.
Sign up for Azure
Go to manage.windowsazure.com and sign up for a new account. They give you $200 for signing up, so you can play around with things that cost money if you want. In this example, we will not be signing up for anything that costs money!
Create a service account in Azure
Since we are at manage.windowsazure.com already, might as well create the service account we need! Scroll down to Active Directory and click Default Directory:
Click Users –> Add User (at the bottom of page)
The user profile just needs to be a user
Go through the prompts and make sure to write down the username (full username, with the @ piece) and temporary password. Once you have the user, go to portal.azure.com, sign out of your account and sign in with this new user. It will prompt you to change the password. Do that. Now you can sign back out of the account and sign in with your real one. You now have a AD user create with a real password!
Sign up for OMS
Go to https://www.microsoft.com/en-us/cloud-platform/operations-management-suite and click Sign In. You should get this screen after you log in:
Click Ok and then fill in the information on the OMS page:
Fill it all out then click create!
Now you can select the subscription you want to associate the account with.
I always link it to my free trial. I don’t know if it will let you proceed with “Not Now” or not. I do know that OMS never charges my subscription, so it might work. You are always set up with a free account first!
Now you have an OMS account:
Download & install the OMS agent
You need the OMS agent to get a Hybrid Runbook Worker. This is needed to run scripts on prem in your environment. Otherwise, all the scripts we create in Azure Automation will be run in the cloud, and who wants that?!
You can’t download the agent until you add at least one subscription. Since we are doing Azure Automation, you might as well add that. Add as many as you want! OMS will gather information and keep 500mb for 7 days for free. This gives you some ability to play around with it. If you’re just adding Azure Automation, make sure it’s checked and click Add Selected Solution:
Now, click Connected Sources and download the Windows Agent (64 bit)
- Once it's downloaded, install the agent on a computer in your environment, but keep this page open! The installer asks for your workspace ID and key. Whatever computer you choose will be the one we run scripts on for Azure Automation, so keep that in mind when you choose. I have a direct access server in my lab, and chose that one since it doesn’t do much. I won’t link all the screens in the installer, just the ones you need to change the defaults:
- Select connect the agent to Azure Log Analytics (above). Then put in the Workspace ID and one of the keys (either Primary or Secondary) from the webpage.
- .
Then install! You’ll now have a computer connected to OMS!
Create the Azure Automation account
You’ll now need to create an azure automation account. You are meant to have multiple Azure Automation accounts in your environment. You can only set permissions on the account itself, not on individual runbooks, so I like to split them up by function. Since this account is going to be for OSD, and there will be a service account with run permission to ALL runbooks in this account, I’d suggest an OSD account that is only for your OSD scripts.
Go to portal.azure.com and click Browse:
Select Automation Accounts from the list:
Now click Add
Fill out the information, check “Pin to Dashboard” for easy access, then click create!
If you selected Pin to Dashboard, you should now see this on your dashboard:
You now have an Azure Automation account!
Give your service account permissions to the Azure Automation account
Open up your Azure Automation account, then click the Access icon at the top (the people icon between the cloud icon and tag icon)
Now click Add
We need to give this account two permissions. Automation Operator and Reader. You can only give permissions one at a time, so first we will give Automation Operator.
Add your OSD Service Account
Click Ok at the bottom
Now go through the same process and give the OSD service account permissions for Reader.
Set up the Hybrid Runbook Worker
Make sure you are on portal.azure.com and select your automation account. Then click the keys icon at the top (next to the cloud)
Keep this information up as we need to register the OMS agent to this account. Now, go to the computer you installed the OMS agent on earlier in this post and fire up an admin PowerShell session. Import the Azure Automation hybrid registration cmdlet at CC:\Program Files\Microsoft Monitoring Agent\Agent\AzureAutomation\7.2.10681.0\HybridRegistration\HybridRegistration.psd1 –> NOTE: the number 7.2… is the version number. It may be different when you install.
Now, run the Add-HybridRunbookWorker cmdlet. You’ll need to specify the URL, Key, and GroupName parameters. Since URL and Key should be hidden from the public, I won’t show you a screenshot of me running it. Make sure you copy URL and Key from the portal (what we did at the start of this section). GroupName can be whatever you want, but you can’t use spaces. This will be the hybrid runbook worker group. If you wanted multiple hybrid runbook workers in this group, run this cmdlet on multiple computers specifying the same groupname.
Once this is run, you’ll have a hybrid worker group!
And that’s it! We now have an account all set up and ready to go!
Here’s the schedule for the rest of the week:
Tuesday: Run a runbook in PowerShell without the cmdlets!
Wednesday: Get imaging information with the SCSM portal ahead of time, and gather that information with an Azure Automation Runbook
Thursday: Join a computer to the domain through Azure Automation with offline domain join
Friday: Put it all together in SCCM OSD to create dynamic offline media that can join computers to the domain from anywhere! Your security guys will love it!
Leave a Comment