Azure Automation State Configuration Overview

Azure Automation State Configuration is an Azure service that allows you to write, manage, and compile PowerShell Desired State Configuration (DSC) configurations, import DSC Resources, and assign configurations to target nodes, all in the cloud.

Why use Azure Automation State Configuration

Azure Automation State Configuration provides several advantages over using DSC outside of Azure.

Built-in pull server

Azure Automation State Configuration provides a DSC pull server similar to the Windows Feature DSC-Service so that target nodes automatically receive configurations, conform to the desired state, and report back on their compliance. The built-in pull server in Azure Automation eliminates the need to set up and maintain your own pull server. Azure Automation can target virtual or physical Windows or Linux machines, in the cloud or on-premises.

Management of all your DSC artifacts

Azure Automation State Configuration brings the same management layer to PowerShell Desired State Configuration as Azure Automation offers for PowerShell scripting.

From the Azure portal, or from PowerShell, you can manage all your DSC configurations, resources, and target nodes.


Import reporting data into Log Analytics

Nodes that are managed with Azure Automation State Configuration send detailed reporting status data to the built-in pull server. You can configure Azure Automation State Configuration to send this data to your Log Analytics workspace. To learn how to send State Configuration status data to your Log Analytics workspace, see Forward Azure Automation State Configuration reporting data to Log Analytics.

Configure your network

The following port and URLs are required for State Configuration (DSC) to communicate with Automation:

  • Port: Only TCP 443 is required for outbound internet access.
  • Global URL: *
  • Global URL of US Gov Virginia: *
  • Agent service: https://<workspaceId>

It's recommended to use the addresses listed when defining exceptions. For IP addresses, you can download the Microsoft Azure Datacenter IP Ranges. This file is updated weekly and lists the currently deployed ranges and any upcoming changes to the IP ranges.

If you have an Automation account that's defined for a specific region, you can restrict communication to that regional datacenter. The following table provides the DNS record for each region:

Region DNS record
West Central US
South Central US
East US 2
Canada Central
West Europe
North Europe
South East Asia
Central India
Japan East
Australia South East
UK South
US Gov Virginia

For a list of region IP addresses instead of region names, download the Azure Datacenter IP address XML file from the Microsoft Download Center.


The Azure Datacenter IP address XML file lists the IP address ranges that are used in the Microsoft Azure datacenters. The file includes compute, SQL, and storage ranges.

An updated file is posted weekly. The file reflects the currently deployed ranges and any upcoming changes to the IP ranges. New ranges that appear in the file aren't used in the datacenters for at least one week.

It's a good idea to download the new XML file every week. Then, update your site to correctly identify services running in Azure. Azure ExpressRoute users should note that this file is used to update the Border Gateway Protocol (BGP) advertisement of Azure space in the first week of each month.
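One way to act on the weekly update, as an added example that is not from the original page: the PowerShell below compares last week's and this week's file for one region and reports which subnets were added or removed, so outbound TCP 443 exceptions can be staged before new ranges go into use. The XML layout (`AzurePublicIpAddresses` / `Region Name` / `IpRange Subnet`), the region name, and the sample ranges are assumptions constructed for the illustration.

```powershell
# Added example, not Microsoft's code. Assumed layout of the weekly file:
#   <AzurePublicIpAddresses><Region Name="..."><IpRange Subnet="..."/></Region></AzurePublicIpAddresses>
# Region name and ranges below are constructed (RFC 5737 documentation blocks).
function Get-RegionSubnet {
    param(
        [Parameter(Mandatory)] [xml]    $IpRangeXml,
        [Parameter(Mandatory)] [string] $Region
    )
    # Match on the attribute value instead of building an XPath from input.
    $node = $IpRangeXml.DocumentElement.SelectNodes('Region') |
        Where-Object { $_.GetAttribute('Name') -eq $Region } |
        Select-Object -First 1
    if ($null -eq $node) { throw "Region '$Region' not found in IP range file." }
    $node.SelectNodes('IpRange') | ForEach-Object { $_.GetAttribute('Subnet') }
}

function Compare-WeeklyRange {
    param(
        [Parameter(Mandatory)] [xml]    $Previous,
        [Parameter(Mandatory)] [xml]    $Current,
        [Parameter(Mandatory)] [string] $Region
    )
    # @() keeps a region with no ranges from becoming a single $null item.
    $old = @(Get-RegionSubnet -IpRangeXml $Previous -Region $Region)
    $new = @(Get-RegionSubnet -IpRangeXml $Current  -Region $Region)
    [pscustomobject]@{
        Region  = $Region
        Added   = @($new | Where-Object { $_ -notin $old })   # stage allow rules now
        Removed = @($old | Where-Object { $_ -notin $new })   # candidates to retire
    }
}

[xml]$lastWeek = @'
<AzurePublicIpAddresses>
  <Region Name="europewest">
    <IpRange Subnet="192.0.2.0/24" />
    <IpRange Subnet="198.51.100.0/24" />
  </Region>
</AzurePublicIpAddresses>
'@
[xml]$thisWeek = @'
<AzurePublicIpAddresses>
  <Region Name="europewest">
    <IpRange Subnet="192.0.2.0/24" />
    <IpRange Subnet="203.0.113.0/24" />
  </Region>
</AzurePublicIpAddresses>
'@
Compare-WeeklyRange -Previous $lastWeek -Current $thisWeek -Region 'europewest'
```

Treat the `Removed` list as review input rather than an automatic delete, since a range dropped from one region can still be listed under another.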

Introduction video

Prefer watching to reading? Have a look at the following video from May 2015, when Azure Automation State Configuration was first announced.


While the concepts and life cycle discussed in this video are correct, Azure Automation State Configuration has progressed a lot since this video was recorded. It is now generally available, has a much more extensive UI in the Azure portal, and supports many additional capabilities.

