Azure Runbook - A complete (simple) example

I have been meaning to write about Azure Runbooks (also known as Azure Automation) for quite a while.

I had the chance to be involved in the operations of a solution I helped architect.  Once you get beyond a trivial Azure solution, just as on premises, you’ll want to have some automation.  For instance, you’ll want to:

Azure is mature enough already that you could do that with other technology.  For instance a mix of Scheduler and Web Job.  But those approaches are a little complicated for PowerShell automation and not ideal for long-running workflows.

Azure Automation is more appropriate for those scenarios.

The example

I’ll give a simple example here.  We’ll build an automation scanning a blob container and deleting all the blobs matching a certain name pattern.  That job will run every hour.

I’ll construct that using a PowerShell workflow.  I won’t go into the graphical tool yet nor will I create a custom PowerShell module.  As you’ll see, the script will only take a few lines.  Such simple workflows do not mandate modules or graphical workflows in my opinion.

Creating a Resource Group

I won’t go into ARM templates but we’ll build this example into a Resource Group so at the very least, you’ll be able to destroy all artefacts in one go at the end (by destroying the Resource Group).

So let’s go in the Preview Portal to create a new Resource Group.  In the home page, select Resource groups.


Then select Add.


This should pop up the following blade.


As Resource Group Name, type SampleAutomations.

Select the Subscription you wanna use.

Locate the Resource Group where it’s more convenient for you.

Then click on the Create button at the bottom of the blade.

Creating Automation Account

Let’s create an Automation Account.


Give it a unique name (I used myfirstautomation), ensure it is in the resource group we created and in a suitable region (not all regions are supported yet) and click the Create button.

Exploring Automation Account

Let’s open the newly created account.


Runbooks are PowerShell workflows.  In a nutshell, those are a mix of PowerShell scripts and Workflow Foundation (WF) workflows.  They allow long-running workflows, pauses, restarts, etc.  You already have a runbook: it’s the tutorial runbook.  You can look at it.

Assets come in different forms:

We are going to use a schedule to run our run book.  We are also going to use variables to store configuration about our run book.

Creating Storage Account

Before we create our run book we need a storage account.

We’re going to create a storage account within the Resource Group we’ve created.  Click the plus button at the top left of the portal.


Select Data + Storage then select Storage Account.


Then at the bottom of the Storage Account pane, select “Resource Manager” and click Create.

Name the account something unique (I used mysample2015).

In Resource Group, make sure to select the resource group you just created.  Make sure the location suits you and click Create.


Creating Storage Container

Using your favorite Azure Storage tool (I used CloudXplorer), create a container named my-watched-container.

For the runbook to access the container, we’ll use a Shared Access Signature (SAS) token.  Whenever you can, use the access mechanism giving as little access as possible.  This way, if your assets get compromised, the attacker can do less damage than if you stick the keys of the castle in there.  This is the least privilege principle and you should always apply it.

So, for that newly created container, create a SAS token allowing for listing and deleting.  This is what our runbook will do:  list the blobs, delete the ones matching a certain pattern.
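
As an added example (not part of the original post), the following PowerShell function inspects a SAS token before you store it in the sas variable and reports anything broader than the list-and-delete container access described above. The function name, the 90-day lifetime limit and the sample tokens are assumptions made for illustration; the sig values are placeholders.

```powershell
function Test-SasLeastPrivilege {
    param(
        [Parameter(Mandatory = $true)] [string] $SasToken,
        [string] $AllowedPermissions = 'dl',      # delete + list: all the runbook needs
        [int] $MaxLifetimeDays = 90,              # assumption: adjust to your rotation policy
        [DateTimeOffset] $Now = [DateTimeOffset]::UtcNow
    )
    # Split the query string into its SAS fields (sv, sr, sp, se, spr, sig, ...)
    $fields = @{}
    foreach ($pair in ($SasToken.TrimStart('?') -split '&')) {
        if (-not $pair) { continue }
        $name, $value = $pair -split '=', 2
        $fields[$name] = [Uri]::UnescapeDataString("$value")
    }
    $findings = @()
    # ss/srt only appear in account SAS tokens, which reach beyond one container
    if ($fields.ContainsKey('ss') -or $fields.ContainsKey('srt')) {
        $findings += 'account-level SAS: use a SAS scoped to the container instead'
    } elseif ($fields['sr'] -ne 'c') {
        $findings += "sr=$($fields['sr']): expected a container SAS (sr=c)"
    }
    if ($fields.ContainsKey('sp')) {
        $extra = $fields['sp'].ToCharArray() | Where-Object { $AllowedPermissions.IndexOf($_) -lt 0 }
        if ($extra) { $findings += "sp grants more than '$AllowedPermissions': $(-join $extra)" }
    } else {
        $findings += 'no sp field: permissions come from a stored access policy, review it'
    }
    if ($fields.ContainsKey('se')) {
        $expiry = [DateTimeOffset]::Parse($fields['se'], [cultureinfo]::InvariantCulture)
        if ($expiry -le $Now) { $findings += 'token already expired' }
        elseif (($expiry - $Now).TotalDays -gt $MaxLifetimeDays) {
            $findings += "expires in more than $MaxLifetimeDays days"
        }
    } elseif (-not $fields.ContainsKey('si')) {
        $findings += 'no expiry (se) and no stored access policy (si)'
    }
    if ($fields['spr'] -ne 'https') { $findings += 'spr is not https: token usable over plain HTTP' }
    return ,$findings
}

# Constructed sample tokens (the sig values are placeholders, not real signatures)
$now   = [DateTimeOffset]'2016-01-01T00:00:00Z'
$good  = '?sv=2015-04-05&sr=c&sp=dl&se=2016-01-31T00:00:00Z&spr=https&sig=PLACEHOLDER'
$broad = '?sv=2015-04-05&ss=b&srt=sco&sp=rwdlac&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER'
Test-SasLeastPrivilege -SasToken $good  -Now $now
Test-SasLeastPrivilege -SasToken $broad -Now $now
```

An empty result means the token matches what the runbook needs; each string returned is one reason to regenerate the token with a narrower scope.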

Creating Variables

Let’s create the variables for our run book.

Go back to the run book, select assets then select variables then add variable.

Give it accountName as a Name, leave the default string type there and for value, input the name of the storage account you created.  Then click create.


Do the same for the following:

| Name | Value |
|---|---|
| containerName | my-watched-container |
| pattern | draft |
| sas | The value of the SAS token you created for your container.  This should start with the question mark of the query string. |

For the last one, select the encrypted option.


This will make the variable inaccessible to operators in the future.  It’s an added level of security.

You should have the following variables defined.


Creating Runbook

Let’s create the runbook.  Let’s close the Variables and Assets blade.

Let’s select the Runbooks box and click the Add a run book button. Select Quick Create.

For Name, input CleanBlobs. For Runbook type, choose PowerShell Workflow. Hit the Create button.

This is the code of our Workflow. Let’s paste in the following:

    workflow CleanBlobs
    {
        InlineScript
        {
            # Here we load all the variables we defined earlier
            $account = Get-AutomationVariable -Name 'accountName'
            $container = Get-AutomationVariable -Name 'containerName'
            $sas = Get-AutomationVariable -Name 'sas'
            $pattern = Get-AutomationVariable -Name 'pattern'

            # Construct a context for the storage account based on a SAS
            $context = New-AzureStorageContext -StorageAccountName $account -SasToken $sas

            # List all the blobs in the container
            $blobs = Get-AzureStorageBlob -Container $container -Context $context

            # Keep only the blobs whose name contains the pattern (case-insensitive)
            $filteredBlobs = $blobs | Where-Object {$_.Name.ToUpper().Contains($pattern.ToUpper())}

            # Delete the matching blobs
            $filteredBlobs | ForEach-Object {Remove-AzureStorageBlob -Blob $_.Name -Context $context -Container $container}
        }
    }

You can see how we are using the variables by calling the cmdlet Get-AutomationVariable. You could actually discover that by opening the Assets tree view on the left of the edit pane.

We can then test our runbook by hitting the test button on top. First you might want to insert a few empty files in your blob container, with some containing the word “draft” in their names.  Once the workflow has run, it should have deleted the draft files.

Scheduling Runbook

Let’s schedule the runbook.  First let’s publish it.  Close the test pane and click the Publish button.


Then click the Schedule button and Link a schedule to your runbook.


We didn’t create any schedule yet, so let’s create one in place.  Give it any name, set the recurrence to hourly and hit the create button.

By default the start time will be 30 minutes from now.  At the time I wrote this blog, there was a little bug in the interface forbidding me to put it in 5 minutes (because of time zone calculations).  That might be fixed by the time you try it.

Click OK and your runbook is scheduled.


Azure Automation is a powerful tool to automate tasks within Azure.

In this article I only scratched the surface.  I will try to go further in future posts.

One response

  1. Zan K 2016-12-22 at 11:03

    Great overview!
