I am preparing automated solution in my Azure environment. I have to provide automation that will be able to manage resources in multiple Azure subscriptions spread across different Azure tenants. I am currently testing Azure Lighthouse, and its very useful service in case of backup and Update Management service management (multiple subscription, many tenants). In MS documentation - Azure Lighthouse - cross-tenant-management-experience there is a section Azure Automation and short description Use Automation accounts to access and work with delegated resources. Question is how does it work? I didn't find method how to run a runbook from one central subscription and manage resources (list VMs, Storage Account) in remote/customers subscription. Is there any way to use Azure Lighthouse for running Automation runbooks from one central point and manage resources in customer's account. I know that we can use Azure Monitor and create alerts and using them run runbooks to manage resources in customers accounts.
This answer is not related to Azure Light house, but you can have an Automation Runbook to access multiple subscriptions by providing necessary permissions.
$connectionName = "AzureRunAsConnection"
try
{
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Connect-AzAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
$Subs = Get-AzSubscription # filter by name
Select-AzSubscription -SubscriptionName $Subs.Name
Set-AzContext -SubscriptionId $RunAsConnection.SubscriptionId
# Rest of your script goes here