Azure lighthouse - cross tenant automation

Time:04-13

I am preparing an automated solution in my Azure environment. I have to provide automation that will be able to manage resources in multiple Azure subscriptions spread across different Azure tenants. I am currently testing Azure Lighthouse, and it's a very useful service in the case of Backup and Update Management service management (multiple subscriptions, many tenants). In the MS documentation - Azure Lighthouse - cross-tenant-management-experience - there is a section "Azure Automation" with the short description "Use Automation accounts to access and work with delegated resources." The question is: how does it work? I didn't find a method for running a runbook from one central subscription and managing resources (list VMs, Storage Accounts) in remote/customer subscriptions. Is there any way to use Azure Lighthouse for running Automation runbooks from one central point and managing resources in customers' accounts? I know that we can use Azure Monitor, create alerts and use them to run runbooks that manage resources in customers' accounts.

CodePudding user response:

This answer is not related to Azure Lighthouse, but you can have an Automation runbook access multiple subscriptions by providing the necessary permissions.

$connectionName = "AzureRunAsConnection"
try
{
    # Get the Run As connection (certificate-based service principal)
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

    "Logging in to Azure..."
    Connect-AzAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
    if (!$servicePrincipalConnection)
    {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    } else {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}

# Every subscription the service principal has been granted access to;
# filter by name here if only some of them should be processed
$Subs = Get-AzSubscription

foreach ($Sub in $Subs) {
    # Switch the context to one subscription (and its tenant) at a time
    Set-AzContext -Subscription $Sub.Id -Tenant $Sub.TenantId | Out-Null

    # Rest of your script goes here, running against $Sub
}
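As an added example (not part of the original answer), here is a runbook shaped around the question itself: sign in once with the Automation account's managed identity, walk every subscription that identity can see, and inventory VMs and storage accounts while marking which subscriptions are Lighthouse delegations from another tenant. It assumes the Automation account's system-assigned managed identity has been granted Reader (or higher) through each customer's Lighthouse delegation, and that the Az.Accounts, Az.Compute and Az.Storage modules are imported into the account.

```powershell
# Added example, not the original poster's code. Assumes the Automation account's
# system-assigned managed identity is an authorization in each customer's Lighthouse
# delegation, so delegated subscriptions show up in Get-AzSubscription next to the
# managing tenant's own subscriptions.

# Avoid inheriting a saved context from a previous job in the same sandbox
Disable-AzContextAutosave -Scope Process | Out-Null

# Managed identity sign-in; this replaces the retired Run As account pattern
$null = Connect-AzAccount -Identity

# Tenant the Automation account lives in; any other tenant ID is a delegation
$homeTenantId = (Get-AzContext).Tenant.Id

$inventory = foreach ($sub in Get-AzSubscription | Where-Object { $_.State -eq 'Enabled' }) {
    # Select subscription and tenant explicitly so cross-tenant calls go to the right place
    $null = Set-AzContext -Subscription $sub.Id -Tenant $sub.TenantId

    # Least-privilege check: a Reader delegation is enough for these list calls;
    # a missing role surfaces as an empty result rather than a failed job
    $vms = @(Get-AzVM -ErrorAction SilentlyContinue)
    $sas = @(Get-AzStorageAccount -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Subscription    = $sub.Name
        SubscriptionId  = $sub.Id
        TenantId        = $sub.TenantId
        Delegated       = ($sub.TenantId -ne $homeTenantId)
        VmCount         = $vms.Count
        StorageAccounts = $sas.Count
    }
}

# Runbook output: one row per subscription, delegated ones grouped together
$inventory | Sort-Object Delegated, Subscription | Format-Table -AutoSize
```

Replace the two list calls with whatever the runbook is meant to do (start a backup, trigger an Update Management deployment); the per-subscription context switch is the part Lighthouse needs.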