Azure Automation Accounts enable you to perform unattended and recurring tasks through the use of scripts, such as regular reporting, automatic event remediation and automation of administrative tasks. The integration between Azure Automation and Microsoft Graph PowerShell enables endless possibilities for the management and maintenance of your environment using Graph API.
In this tutorial, I am going to show you how you can create an Azure Automation account and integrate your Microsoft Graph PowerShell script to perform regular automated tasks with no user interaction.
Prerequisites
To complete the steps outlined in this tutorial, you must ensure you have the following:
- An Azure Subscription
- An account with global administrator access
As Automation Accounts are a service located in Azure, they need to be linked to a subscription for billing purposes. As well as this, to consent to the necessary permissions to allow your script to run unattended, you must do so with a global administrator account.
Create an Azure AD Application and Assign Permission
To run your Microsoft Graph PowerShell script without any user interaction or authentication, you will need to create a new application in Azure Active Directory with the necessary permissions to perform the actions in the script. Start by logging into the Microsoft Entra admin center and follow the below steps:
1. Select Applications > App registrations.
2. At the top of the page, select New registration.
3. Define a meaningful name for the app, select Accounts in this organizational directory only and then click Register.
4. You now need to assign your app the relevant permissions. Select API permissions.
5. Select Add a permission, then select Microsoft Graph from the new pop-out window.
6. For the permission type, select Application permissions.
7. Search for and select each permission from the list, then once all your permissions are selected, click Add permissions.
8. You now need to grant admin consent for your application to use the requested permissions. Click Grant admin consent for Default Directory.
9. Once admin consent has been granted, the status column will show green ticks.
10. The final step is to configure how the script will authenticate to the application. For this, we are going to use a client secret, which is available in version 2 of Microsoft Graph PowerShell. On your application settings page, select Certificates & secrets.
11. Select Client secrets > New client secret.
12. Define the description for the secret and the expiry date (the maximum lifetime is 2 years or 730 days).
13. Save the Value for the secret key for use within your script.
As the purpose of this guide is to demonstrate how to use Microsoft Graph PowerShell with Azure Automation, follow my other tutorial to learn how to use application permissions with a client secret in your scripts: How to Connect To Microsoft Graph PowerShell With a Client Secret.
Create an Azure Automation Account
As PowerShell runbooks make up part of the ‘Process Automation’ features of Azure Automation Accounts, the next thing we must do is create a new automation account. To create an Automation Account, follow the below steps:
2. On the Automation Accounts page, select Create to launch the new Automation Account wizard.
3. On the first page of the wizard, select the subscription that this resource will belong to (this is the subscription that will be billed). Then define the resource account name, Automation account name and the region where this resource will be geographically stored.
Finally, click Review & Create, then Create and wait until the deployment is complete.
Import Microsoft Graph PowerShell modules
By default, Azure Automation includes a number of PowerShell modules to help you manage Azure resources. For the full list of default modules, check out the Microsoft docs page. Importantly, the Microsoft Graph PowerShell modules need to be manually imported. The process is also slightly different if you need to import the preview versions of the modules. Follow the steps below to import the current and preview versions of Microsoft Graph PowerShell into your Azure Automation Account.
Import current versions of Microsoft Graph PowerShell
2. Under the Shared resources heading, select Modules.
3. Select Add a module to launch the new module wizard.
4. Select Browse from gallery then the Click here to browse from gallery button.
5. Start by searching for the Microsoft.Graph.Authentication module, select it from the results list, then on the next page, click Select.
6. Repeat steps 3 – 5 for each additional module you require.
Import preview versions of Microsoft Graph PowerShell
The module gallery page does not include preview modules for you to deploy within your Automation Account. The most convenient way to deploy a preview module is to do so directly from the PowerShell Gallery website. To install a preview module to your Azure Automation account, follow the below steps:
1. Go to https://www.powershellgallery.com/packages/Microsoft.Graph/ and select the preview version you wish to deploy from the Version History section. In this example, I am choosing version 2.0.09-rc3.
2. As you can only deploy specific modules via Azure Automation and not the whole SDK, expand the Package Details section and click on the module you want to deploy.
You may notice that the URL in your browser changes to match the module you selected. You can also modify this manually.
3. The Azure Automation tab will now appear under the Installation Options section. Open this tab and click Deploy to Azure Automation.
4. A new window will open in your browser for the Azure Automation module import wizard. Authenticate if required and select your Automation Account from the list.
5. On the next page click OK and wait for your deployment to complete. You will see this from the notification icon in the Azure Portal.
6. Repeat steps 1-5 for each module you need to import.
Implement automation script with a Runbook
Runbooks make up the automation component of your Azure Automation account. Runbooks are based on Windows PowerShell, and the version is determined by the Runtime version that is specified when creating the Runbook. The available runtime versions include:
- Version 5.1
- Version 7.1
- Version 7.2
Follow the below steps to create your Runbook and add your PowerShell script:
2. Select Create a runbook.
3. On the Create a runbook page, define the name of your runbook, select the Runbook type as PowerShell and Runtime version as 5.1, then click Create.
4. Once created, the Edit PowerShell window will open. If it does not open, return to the Runbook page within your Automation account, select the new Runbook and click Edit.
5. From the Edit PowerShell window, add your script in the code area and then click Save > Publish.
6. You should now test your Runbook to ensure it runs as expected. From your Runbook overview page, select Start.
7. You can verify if the job completes with or without errors by selecting the job from the Recent Jobs list at the bottom of the Overview page.
8. Select each tab in turn to view any warnings or errors, which should help you resolve any problems if the script fails to complete successfully.
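An added example of a script for step 5 (not the author's script): it connects with the client secret from the app registration created earlier and reports how long that secret has left before it expires. It assumes the client ID and secret are stored in an Automation credential asset and the tenant ID in a variable asset (both asset names are hypothetical) rather than hardcoded in the runbook, and that the app has been granted the Application.Read.All application permission.

```powershell
# Added example runbook (PowerShell 5.1 runtime). Asset names are assumptions.
# Needs only the Microsoft.Graph.Authentication module imported into the account.
$ErrorActionPreference = 'Stop'

# Credential asset: user name = Application (client) ID, password = client secret Value.
$appCredential = Get-AutomationPSCredential -Name 'GraphAppCredential'  # hypothetical asset
$tenantId      = Get-AutomationVariable -Name 'GraphTenantId'           # hypothetical asset
$warnDays      = 30                                                     # constructed threshold

Connect-MgGraph -TenantId $tenantId -ClientSecretCredential $appCredential | Out-Null

try {
    # Confirm the session is app-only and carries the permission this script relies on.
    $context = Get-MgContext
    if ($context.AuthType -ne 'AppOnly') {
        throw "Expected app-only authentication, got '$($context.AuthType)'."
    }
    if ($context.Scopes -notcontains 'Application.Read.All') {
        throw 'Application.Read.All is not in the token; check the permission and admin consent.'
    }

    # Read this app registration's secret metadata (Graph never returns secret values).
    $appId = $appCredential.UserName
    $uri   = "https://graph.microsoft.com/v1.0/applications?`$filter=appId eq '$appId'" +
             "&`$select=displayName,passwordCredentials"
    $app   = (Invoke-MgGraphRequest -Method GET -Uri $uri).value | Select-Object -First 1
    if (-not $app) { throw "No application found with appId $appId." }

    $now = (Get-Date).ToUniversalTime()
    foreach ($secret in $app.passwordCredentials) {
        $expires  = ([datetime]$secret.endDateTime).ToUniversalTime()
        $daysLeft = [math]::Floor(($expires - $now).TotalDays)
        $line = "{0}: secret '{1}' expires {2:yyyy-MM-dd} ({3} days left)" -f `
            $app.displayName, $secret.displayName, $expires, $daysLeft

        # Warnings appear on the job's Warnings tab, normal output on the Output tab.
        if ($daysLeft -le $warnDays) { Write-Warning $line } else { Write-Output $line }
    }
}
finally {
    Disconnect-MgGraph | Out-Null
}
```

Run on the daily schedule, this gives early notice before the secret created in step 12 lapses and the runbook starts failing to authenticate.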
Configure the automation run schedule
The schedule defines when the runbook runs on a recurring basis, which is convenient if you need your script to run on a daily, weekly or even monthly basis. For this tutorial, I am going to create a schedule to run my script on a daily basis. Follow the below steps to define the schedule for your runbook:
1. Open your Automation Account and select Schedules under the Shared Resources heading.
2. From the Schedules page, select Add a schedule.
3. On the pop-out window, define your schedule settings and then click Create.
- Name: Enter a meaningful name.
- Starts: Add your desired start date and time.
- Time Zone: Specify your time zone.
- Recurrence: Specify how often the runbook runs on a schedule.
- Set expiration: Specify when the runbook schedule stops.
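The same schedule settings expressed with the Az.Automation cmdlets, as an added example that is not part of the original tutorial. It also links the schedule to a runbook, since a schedule only starts jobs for runbooks it is linked to. The resource group, account, runbook and schedule names and the time zone are hypothetical placeholders, and the script assumes you have already signed in with Connect-AzAccount.

```powershell
# Added example: run from an admin workstation with the Az.Automation module installed.
# All resource names below are hypothetical placeholders.
$ErrorActionPreference = 'Stop'

$target = @{
    ResourceGroupName     = 'rg-automation-example'
    AutomationAccountName = 'aa-graph-example'
}
$runbookName  = 'Check-GraphSecretExpiry'
$scheduleName = 'Daily-0600'

# Starts: tomorrow at 06:00. Azure requires the start time to be at least
# 5 minutes after the moment the schedule is created.
$startTime = (Get-Date).Date.AddDays(1).AddHours(6)

# Scheduled jobs run the published version of a runbook, so confirm it is published.
$runbook = Get-AzAutomationRunbook @target -Name $runbookName
if ($runbook.State -ne 'Published') {
    throw "Runbook '$runbookName' is in state '$($runbook.State)'; publish it first."
}

# Name, Starts, Time Zone, Recurrence and Set expiration from the portal form.
New-AzAutomationSchedule @target -Name $scheduleName `
    -StartTime $startTime `
    -TimeZone 'Europe/London' `
    -DayInterval 1 `
    -ExpiryTime $startTime.AddYears(1) | Out-Null

# Link the schedule to the runbook.
Register-AzAutomationScheduledRunbook @target `
    -RunbookName $runbookName -ScheduleName $scheduleName | Out-Null

# Verify the link and show when the first job will start.
Get-AzAutomationScheduledRunbook @target -RunbookName $runbookName |
    Select-Object RunbookName, ScheduleName
(Get-AzAutomationSchedule @target -Name $scheduleName).NextRun
```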
Summary
You now have a Microsoft Graph PowerShell script that will run unattended on a schedule using Azure Automation! In this tutorial, you learnt how to:
- Create an Azure Application to support your script to run with application permissions
- Create an Azure Automation Account
- Import modules into your Azure Automation Account
- Implement your script using a Runbook
- Define a schedule for your Runbook