Azure Automation State Configuration Overview

Azure Automation State Configuration is an Azure service that allows you to write, manage, and compile PowerShell Desired State Configuration (DSC) configurations, import DSC Resources, and assign configurations to target nodes, all in the cloud.

Why use Azure Automation State Configuration

Azure Automation State Configuration provides several advantages over using DSC outside of Azure.

Built-in pull server

Azure Automation State Configuration provides a DSC pull server similar to the Windows Feature DSC-Service so that target nodes automatically receive configurations, conform to the desired state, and report back on their compliance. The built-in pull server in Azure Automation eliminates the need to set up and maintain your own pull server. Azure Automation can target virtual or physical Windows or Linux machines, in the cloud or on-premises.

Management of all your DSC artifacts

Azure Automation State Configuration brings the same management layer to PowerShell Desired State Configuration as Azure Automation offers for PowerShell scripting.

From the Azure portal, or from PowerShell, you can manage all your DSC configurations, resources, and target nodes.


Import reporting data into Azure Monitor logs

Nodes that are managed with Azure Automation State Configuration send detailed reporting status data to the built-in pull server. You can configure Azure Automation State Configuration to send this data to your Log Analytics workspace. To learn how to send State Configuration status data to your Log Analytics workspace, see Forward Azure Automation State Configuration reporting data to Azure Monitor logs.


Please consider the following requirements when using Azure Automation State Configuration (DSC).

Operating System Requirements

For nodes running Windows, the following versions are supported:

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012R2
  • Windows Server 2012
  • Windows Server 2008 R2 SP1
  • Windows 10
  • Windows 8.1
  • Windows 7

The Microsoft Hyper-V Server standalone product SKU does not contain an implementation of Desired State Configuration, so it cannot be managed by PowerShell DSC or Azure Automation State Configuration.

For nodes running Linux, the DSC Linux extension supports all the Linux distributions listed under Supported Linux Distributions.

DSC requirements

For all Windows nodes running in Azure, WMF 5.1 will be installed during onboarding. For nodes running Windows Server 2012 and Windows 7, WinRM will be enabled.

For all Linux nodes running in Azure, PowerShell DSC for Linux will be installed during onboarding.

Configure private networks

If your nodes are located within a private network, the following port and URLs are required for State Configuration (DSC) to communicate with Automation:

  • Port: Only TCP 443 is required for outbound internet access.
  • Global URL: *
  • Global URL of US Gov Virginia: *
  • Agent service: https://<workspaceId>

This provides network connectivity for the managed node to communicate with Azure Automation. If you are using DSC resources that communicate between nodes, such as the WaitFor* resources, you will also need to allow traffic between nodes. See the documentation for each DSC resource to understand those network requirements.

Proxy Support

Proxy support for the DSC agent is available in Windows version 1809 and later. To configure this option, set the value for ProxyURL and ProxyCredential in the metaconfiguration script used to register nodes. Proxy is not available in DSC for previous versions of Windows.

For Linux nodes, the DSC agent supports proxy and will use the http_proxy variable to determine the URL.
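For the Windows case, a metaconfiguration that sets ProxyURL and ProxyCredential on each pull server block could look like the following. This is an added example, not the onboarding script from the original documentation. The configuration name, file paths, proxy address and angle-bracket values are placeholders, and it assumes a document-encryption certificate is already installed on the node so the proxy credential is not written to the meta.mof in plain text.

```powershell
# Added example; angle-bracket values and file paths are placeholders.
[DscLocalConfigurationManager()]
Configuration ProxyMetaConfig {
    param (
        [Parameter(Mandatory)] [string]       $RegistrationUrl,
        [Parameter(Mandatory)] [string]       $RegistrationKey,
        [Parameter(Mandatory)] [string]       $ProxyUrl,
        [Parameter(Mandatory)] [pscredential] $ProxyCredential
    )
    Node $AllNodes.NodeName {
        Settings {
            RefreshMode   = 'Pull'
            # Certificate the LCM uses to decrypt ProxyCredential from the meta.mof
            CertificateID = $Node.Thumbprint
        }
        # The proxy is set per block: repeat it for configuration, resource and report traffic.
        ConfigurationRepositoryWeb AzureAutomationStateConfiguration {
            ServerUrl       = $RegistrationUrl
            RegistrationKey = $RegistrationKey
            ProxyURL        = $ProxyUrl
            ProxyCredential = $ProxyCredential
        }
        ResourceRepositoryWeb AzureAutomationStateConfiguration {
            ServerUrl       = $RegistrationUrl
            RegistrationKey = $RegistrationKey
            ProxyURL        = $ProxyUrl
            ProxyCredential = $ProxyCredential
        }
        ReportServerWeb AzureAutomationStateConfiguration {
            ServerUrl       = $RegistrationUrl
            RegistrationKey = $RegistrationKey
            ProxyURL        = $ProxyUrl
            ProxyCredential = $ProxyCredential
        }
    }
}

$configData = @{ AllNodes = @(@{
    NodeName        = 'localhost'
    CertificateFile = 'C:\dsc\node-encryption.cer'   # public key that encrypts the credential
    Thumbprint      = '<certificate-thumbprint>'
}) }

ProxyMetaConfig -ConfigurationData $configData -OutputPath 'C:\dsc\meta' `
    -RegistrationUrl '<registration-url>' -RegistrationKey '<registration-key>' `
    -ProxyUrl 'http://proxy.example.internal:8080' -ProxyCredential (Get-Credential)
Set-DscLocalConfigurationManager -Path 'C:\dsc\meta' -Verbose
```

The compiled meta.mof also carries the registration key, so treat the output folder as a secret and remove it once the node is registered.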

Azure State Configuration network ranges and namespace

It's recommended to use the addresses listed when defining exceptions. For IP addresses you can download the Microsoft Azure Datacenter IP Ranges. This file is updated weekly, and has the currently deployed ranges and any upcoming changes to the IP ranges.

If you have an Automation account that's defined for a specific region, you can restrict communication to that regional datacenter. The following table provides the DNS record for each region:

Region DNS record
West Central US
South Central US
East US
East US 2
Canada Central
West Europe
North Europe
South East Asia
Central India
Japan East
Australia South East
UK South
US Gov Virginia

For a list of region IP addresses instead of region names, download the Azure Datacenter IP address XML file from the Microsoft Download Center.


The Azure Datacenter IP address XML file lists the IP address ranges that are used in the Microsoft Azure datacenters. The file includes compute, SQL, and storage ranges.

An updated file is posted weekly. The file reflects the currently deployed ranges and any upcoming changes to the IP ranges. New ranges that appear in the file aren't used in the datacenters for at least one week.

It's a good idea to download the new XML file every week. Then, update your site to correctly identify services running in Azure. Azure ExpressRoute users should note that this file is used to update the Border Gateway Protocol (BGP) advertisement of Azure space in the first week of each month.
