Mobirise TECH BLOG

Cloud can be tricky sometimes. Find out what scenarios we've ran into that are worth being mentioned and explained.

Automating across tenants with Azure Automation Accounts

Level: 400
Publishing date: 21-Feb-2020
Author: Catalin Popa

Azure Automation is a powerful tool to run redundant actions on your Azure subscription and on your Azure resources. It helps you save a lot of time.

But what do you do if you manage multiple tenants in Azure? Managing multiple Azure Automation Accounts is not that hard - you just have to make sure you have the correct scripts on each one and that the scripts run in a correct manner.

Well, while that can be one way of doing it, today I'm going to demonstrate a more elegant approach to that situation - how to manage multiple tenants having one "centralized" Azure Automation Account, while the other act as "agents".

Let me draw the picture, to be clearer:

So let's get started.

As you probably guessed, the first step is to create an Azure Automation Account into the "centralized" tenant. Make sure to create it as a "Run as Account".

Now comes the tricky part.
As second step, we will create an "agent" Azure Automation Account into a secondary tenant. But before doing that, we will need to have/create a certificate, because this is the way we will create and validate the link between the automation accounts across tenants. You can create the certificate any way you like - I chose to create it with PowerShell:

$currentDate = Get-Date
$notAfter = $currentDate.AddYears(2)                       
$dnsName = ""                       
$pfxFilePath = "C:\Users\Desktop\Username\automationcert.pfx"    
$pwd = "password"                                                         
$pwd = ConvertTo-SecureString -String $pwd -Force -AsPlainText 
$thumb = (New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation "cert:\LocalMachine\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $notAfter).Thumbprint 
$appName = "automation-appreg" 
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("C:\Users\Desktop\Username\automationcert.pfx", $pwd) 
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) 
$application = Get-AzADApplication -DisplayNameStartWith $appName 
[datetime]$expdate = "11/11/2020"
New-AzADAppCredential -ObjectId $application.ObjectId -CertValue $keyValue -EndDate $expdate

Now that you have a certificate, let's create that "agent" Automation Account that I've mentioned. Please make sure to create this one also as a "Run as Account".
When creating an Azure "Run as Account", Azure creates also an App Registration. Make sure to locate that and upload into it that certificate that we created earlier:

Now, as next step, you'll have to go to your "central" Azure Automation Account and upload into certificates this certificate that we are working with:

After this, there is one last step that we need to take care of: creating the connection that will "link" our "central" account to the "agent" one. 

For this, go to the "Connections" blade of the "central" Azure Automation Account and add a new connection. Make sure to make it an "AzureServicePrincipal" connection:

Also, keep in mind to create it with the correct parameters:
- The ApplicationID is the ID of the App Registration from the "agent" tenant
- The TenantID is the ID of the "agent" tenant
- The CertificateThumbprint is the thumbprint of the certificate uploaded earlier
- The SubscriptionID is the ID of the subscription in which the "agent" account was created.

Now you are all set. You can now store all of your scripts in just the "centralized" Azure Automation Account and run them across other tenants. All you have to do is to make sure that the script that you run uses the correct connection (the one that you created in the last step). Each script that you have running should start like this:

$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName  

Add-AzureRmAccount ` 
-ServicePrincipal ` 
-TenantId $servicePrincipalConnection.TenantId ` 
-ApplicationId $servicePrincipalConnection.ApplicationId ` 
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint | Out-Null 

Set-AzureRmContext -SubscriptionId $SubId | Out-Null             

Where $connectionName is the name of the connection that you created for linking.


Transform your business.
Run adaptive.


Phone: +40 73 523 0005

Legal and Privacy

Privacy Policy - PPD