Using Azure Automation with Multiple Subscriptions

Azure Automation is very useful for almost every Azure administrator, but it can be challenging to figure out how to run a process across multiple subscriptions. Below we'll walk through the steps to run a PowerShell run book across multiple subscriptions with the assumption that the automation account already exists in one subscription. For information on how to create an automation account, see here . The other assumption is that we are working with Resource Manager, not Classic deployments.

Once we have our automation account the high level steps are as follows:
1. Find the ApplicationID of the RunAS connection
2. Grant that applicationID the appropriate permissions in the other subscriptions (in my example, I'm giving it subscription level contributor access).
3. Set the appropriate context during runbook execution.

When an Azure Automation account is created it asks if "RunAS" account should be created and defaults to 'yes'. If you keep the defaults, you'll have a connection asset in the automation account called "AzureRunAsConnection". This connection asset is really a Service Principal in Azure AD.
RunAs Connection

Copy the "ApplicationID" of the AzureRunAsConnection to the clipboard and grant it rights to any subscriptions you want to manage with your central automation account. In this example, I've given it contributor rights at the subscription level, but you could certainly use more granular permissions here or scope it to a specific resource group.

Automation Account Subscription Level Permissions

Now I just need to write my runbooks in such a way that they'll use the connection asset and select the appropriate subscription. The following code sample runs from a subscription called 'sub1' and creates a new resource group in subscription name 'sub2'. You'll need to update the certificate thumbprint in this script by retrieving it from the Assets-->Certificates blade in the automation account.


 $Conn = Get-AutomationConnection -Name AzureRunAsConnection 
add-AzureRmAccount -ServicePrincipal -Tenant $Conn.TenantID -ApplicationId $Conn.ApplicationID -CertificateThumbprint #yourthumbprint

Select-AzureRmSubscription -SubscriptionName 'sub2'
$rg = 'testrg'
New-AzureRmResourceGroup -Name $rg -Location westus2