
How to start vm from different subscription using Azure Automation Account


I have three subscriptions in the same tenant, say Sub1, Sub2 and Sub3. I have created an Automation Account in Sub1 and my VMs are in Sub3. (Can't create an Automation account in Sub3 due to some restrictions.) I want to write a PowerShell script which will start a Sub3 VM.

When I ran Get-AzureRmSubscription it gave me only my current subscription, i.e. Sub1. My Azure automation script is as below -

$connectionName = "AzureRunAsConnection"
try
{
    # Get the connection "AzureRunAsConnection "
    $servicePrincipalConnection=Get-AutomationConnection -Name $connectionName         

    "Logging in to Azure..."
    Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint 
}
catch {
    if (!$servicePrincipalConnection)
    {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    } else{
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}

Get-AzureRmSubscription

# $context = Get-AzureRmSubscription -SubscriptionId {subId}
# Set-AzureRmContext $context
# Start-AzureRmVM -ResourceGroupName "ResourceName" -Name "VMName"

Can you please guide me on how I can do this?


Solution

  • Since your subscriptions are in the same tenant, you can directly assign an Azure RBAC role to your Azure Automation connection (service principal) in your Sub3. Then you can manage Azure resources in Sub3.

    For example

    1. Get the Connection Application ID

    2. Assign role

    Connect-AzAccount
    # look up the Run As service principal by the Application ID copied in step 1
    $sp = Get-AzADServicePrincipal -ApplicationId <the appId you copied>
    # switch to Sub3 so the assignment is created there
    Set-AzContext -SubscriptionId <the id of sub3>
    # assign Contributor role to the connection at subscription level
    # (without -Scope, New-AzRoleAssignment defaults to the current subscription's scope)
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName Contributor
    
    3. Test
    $connectionName = "AzureRunAsConnection"
    try
    {
        # Get the connection "AzureRunAsConnection "
        $servicePrincipalConnection=Get-AutomationConnection -Name $connectionName         
    
        "Logging in to Azure..."
        Add-AzureRmAccount `
            -ServicePrincipal `
            -TenantId $servicePrincipalConnection.TenantId `
            -ApplicationId $servicePrincipalConnection.ApplicationId `
            -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint 
    }
    catch {
        if (!$servicePrincipalConnection)
        {
            $ErrorMessage = "Connection $connectionName not found."
            throw $ErrorMessage
        } else{
            Write-Error -Message $_.Exception
            throw $_.Exception
        }
    }
    
    Get-AzureRmSubscription
    

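Once the role assignment from the answer exists, the commented-out lines in the question become the runbook body. The following is an added example (not code from the question or the answer) of a complete runbook using the same AzureRM cmdlets; the runbook parameters, the explicit Set-AzureRmContext on the target subscription and the power-state check are my additions, and the subscription, resource group and VM names are placeholders supplied at run time.

```powershell
# Runbook: start a VM in Sub3 from an Automation account that lives in Sub1.
# Assumes the Run As service principal already holds a role in Sub3 (see the
# answer above). All parameter values are supplied by the caller (placeholders).
param(
    [Parameter(Mandatory = $true)][string]$TargetSubscriptionId,  # id of Sub3
    [Parameter(Mandatory = $true)][string]$ResourceGroupName,
    [Parameter(Mandatory = $true)][string]$VMName
)

$connectionName = "AzureRunAsConnection"
try {
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
    "Logging in to Azure..."
    Add-AzureRmAccount -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint | Out-Null
}
catch {
    if (!$servicePrincipalConnection) {
        throw "Connection $connectionName not found."
    }
    throw $_.Exception
}

# Move the context from Sub1 (the Automation account's home) to Sub3.
# This throws if the service principal has no role in Sub3, which is the
# symptom of a missing or wrongly scoped role assignment.
Set-AzureRmContext -SubscriptionId $TargetSubscriptionId | Out-Null
"Context set to subscription $TargetSubscriptionId"

# Read the instance view first so the runbook logs the state it acted on
# and skips a pointless start call when the VM is already running.
$vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName -Status
$powerState = ($vm.Statuses | Where-Object { $_.Code -like 'PowerState/*' }).Code
if ($powerState -eq 'PowerState/running') {
    "$VMName is already running; nothing to do."
    return
}

"Starting $VMName (current state: $powerState)..."
$result = Start-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName
if ($result.Status -ne 'Succeeded') {
    throw "Start-AzureRmVM returned status '$($result.Status)' for $VMName"
}
"$VMName started."
```

If the runbook only ever needs to start VMs, the assignment in step 2 can be narrowed from Contributor at subscription level to the built-in "Virtual Machine Contributor" role scoped to the VMs' resource group (New-AzRoleAssignment -Scope), which is the least-privilege form of the same fix.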