Connecting Azure Automation
Overview
To enable RealmJoin Portal to offer runbooks to automate daily operations, you need to connect an Azure Automation Account. This Automation Account will host your runbooks as well as the permissions needed for the runbooks to function in your environment.
This guide will help you to onboard either a new or existing Automation Account.
Please be aware, the Automation Account (its Managed Identity, to be more precise) will potentially have far reaching permissions in your environment, like the ability to modify group- or user-objects in Entra or mailboxes in Exchange Online. Please carefully limit the number of people with access to this Automation Account to prevent unwanted usage of the given permissions.
When reusing an existing Automation Account, be aware that RealmJoin Portal automates the creation, updating and removal of runbooks coming from the shared online repository of runbooks. This might not be adequate for an existing Automation Account. If in doubt, it is recommended to create a dedicated Azure Automation Account for RealmJoin Runbooks.
Azure Environment
Subscription
An Azure Subscription is needed to host your Automation Account. It is recommended to choose a subscription where only dedicated administrators will have access.
https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade
Please note down the Subscription Id as it will be needed later.
Resource Group
Choose or create an Azure Resource Group in your Azure Subscription, e.g. rjrb-automation
.
https://portal.azure.com/#create/Microsoft.ResourceGroup
Please note down the Resource Group's name as it will be needed later.
Azure Automation Account
Create an Azure Automation Account in the given Resource Group. In this example we will use the name c4a8toydariaazacc01
for the Automation Account. It will host your shared and private runbooks.
https://portal.azure.com/#create/Microsoft.AutomationAccount
Please note down the Automation Account's name as it will be needed later.
Connect to RealmJoin Portal
Entering Info - Part 1
It is assumed you already finished onboarding RealmJoin Portal.
In RealmJoin Portal go to 'Settings -> Runbooks'.
Please fill in the AzureAD Tenant Id, Subscription Id and Resource Group name.
You can review your AzureAD Tenant Id at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview
To choose Subscription Id and Resource Group name, see above.
Please leave the windows / wizard open for now. We will return shortly in part 2.
Granting Access for RealmJoin to Azure Automation
RealmJoin Portal will create two lines of AZ CLI Code beneath ResourceGroup
. Example (with anonymized example values):
Executing those lines will create an App Registration (Service Principal) in AzureAD that can interact with the your Automation Account. This is needed, so that RealmJoin can
Create, List and Update Runbooks
Start Runbooks
Display Jobs and Output
RealmJoin Portal automatically included the information given above.
Please execute these two lines of code using AZ CLI with an administrative account that can create App Registrations and also grant contributor permissions on the chosen Resource Group.
Tipp: You can use Azure CloudShell, so you don't need to install and authenticate a local copy of AZ CLI.
The command will return multiple values. Please note down the values for appId
and password
.
You can review the resulting App Registration in AzureAD. It will be named "RealmJoin Runbook Management".
Entering Info - Part 2
In RealmJoin Portal return to the open window/wizard for 'Settings -> Runbooks'.
Continue filling in the missing values for appId
and password
we created in the last step. Also fill in the name of the Automation Account from before.
Choose the Branch of the shared runbook repository you want to follow, wether master
or production
. If unsure, please choose production
as master
will have more bleeding edge / preview runbooks in a less tested state.
Choosing the location to make sure your runbooks are executed in the correct Azure region.
Press "Save" to start the initial import of runbooks. Please leave this window open until you see the message "Sync completed".
Granting Permissions to your Runbooks
Please continue with Azure AD Roles and Permissions in Process Automation to allow your runbooks to interact with objects in your environment.
Last updated