Role-based access control in Azure Automation

Role-based access control (RBAC) enables access management for Azure resources. Using RBAC, you can segregate duties within your team and grant only the amount of access to users, groups, and applications that they need to perform their jobs. Role-based access can be granted to users using the Azure portal, Azure Command-Line tools, or Azure Management APIs.

Roles in Automation accounts

In Azure Automation, access is granted by assigning the appropriate RBAC role to users, groups, and applications at the Automation account scope. Following are the built-in roles supported by an Automation account:

Role Description
Owner The Owner role allows access to all resources and actions within an Automation account including providing access to other users, groups, and applications to manage the Automation account.
Contributor The Contributor role allows you to manage everything except modifying other user’s access permissions to an Automation account.
Reader The Reader role allows you to view all the resources in an Automation account but cannot make any changes.
Automation Operator The Automation Operator role allows you to view runbook name and properties and to create and manage jobs for all runbooks in an Automation account. This role is helpful if you want to protect your Automation Account resources like credentials assets and runbooks from being viewed or modified but still allow members of your organization to execute these runbooks.
Automation Job Operator The Automation Job Operator role allows you to create and manage jobs for all runbooks in an Automation account.
Automation Runbook Operator The Automation Runbook Operator role allows you to view a runbook’s name and properties.
Log Analytics Contributor The Log Analytics Contributor role allows you to read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs, reading storage account keys to be able to configure collection of logs from Azure storage, creating and configuring Automation accounts, adding solutions, and configuring Azure diagnostics on all Azure resources.
Log Analytics Reader The Log Analytics Reader role allows you to view and search all monitoring data as well as view monitoring settings. This includes viewing the configuration of Azure diagnostics on all Azure resources.
Monitoring Contributor The Monitoring Contributor role allows you to read all monitoring data and update monitoring settings.
Monitoring Reader The Monitoring Reader role allows you to read all monitoring data.
User Access Administrator The User Access Administrator role allows you to manage user access to Azure Automation accounts.

Role permissions

The following tables describe the specific permissions given to each role. This can include Actions, which give permissions, and NotActions, which restrict them.

Owner

An Owner can manage everything, including access. The following table shows the permissions granted for the role:

Actions Description
Microsoft.Automation/automationAccounts/ Create and manage resources of all types.

Contributor

A Contributor can manage everything except access. The following table shows the permissions granted and denied for the role:

Actions Description
Microsoft.Automation/automationAccounts/ Create and manage resources of all types
Not Actions
Microsoft.Authorization/*/Delete Delete roles and role assignments.
Microsoft.Authorization/*/Write Create roles and role assignments.
Microsoft.Authorization/elevateAccess/Action Denies the ability to create a User Access Administrator.

Reader

A Reader can view all the resources in an Automation account but cannot make any changes.

Actions Description
Microsoft.Automation/automationAccounts/read View all resources in an Automation account.

Automation Operator

An Automation Operator is able to create and manage jobs, and read runbook names and properties for all runbooks in an Automation account. Note: If you want to control operator access to individual runbooks then don’t set this role, and instead use the 'Automation Job Operator' and 'Automation Runbook Operator' roles in combination. The following table shows the permissions granted for the role:

Actions Description
Microsoft.Authorization/*/read Read authorization.
Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read Read Hybrid Runbook Worker Resources.
Microsoft.Automation/automationAccounts/jobs/read List jobs of the runbook.
Microsoft.Automation/automationAccounts/jobs/resume/action Resume a job that is paused.
Microsoft.Automation/automationAccounts/jobs/stop/action Cancel a job in progress.
Microsoft.Automation/automationAccounts/jobs/streams/read Read the Job Streams and Output.
Microsoft.Automation/automationAccounts/jobs/output/read Get the Output of a job.
Microsoft.Automation/automationAccounts/jobs/suspend/action Pause a job in progress.
Microsoft.Automation/automationAccounts/jobs/write Create jobs.
Microsoft.Automation/automationAccounts/jobSchedules/read Get an Azure Automation job schedule.
Microsoft.Automation/automationAccounts/jobSchedules/write Create an Azure Automation job schedule.
Microsoft.Automation/automationAccounts/linkedWorkspace/read Get the workspace linked to the automation account.
Microsoft.Automation/automationAccounts/read Get an Azure Automation account.
Microsoft.Automation/automationAccounts/runbooks/read Get an Azure Automation runbook.
Microsoft.Automation/automationAccounts/schedules/read Get an Azure Automation schedule asset.
Microsoft.Automation/automationAccounts/schedules/write Create or update an Azure Automation schedule asset.
Microsoft.Resources/subscriptions/resourceGroups/read Read roles and role assignments.
Microsoft.Resources/deployments/* Create and manage resource group deployments.
Microsoft.Insights/alertRules/* Create and manage alert rules.
Microsoft.Support/* Create and manage support tickets.

Automation Job Operator

An Automation Job Operator role is granted at the Automation account scope. This allows the operator permissions to create and manage jobs for all runbooks in the account. The following table shows the permissions granted for the role:

Actions Description
Microsoft.Authorization/*/read Read authorization.
Microsoft.Automation/automationAccounts/jobs/read List jobs of the runbook.
Microsoft.Automation/automationAccounts/jobs/resume/action Resume a job that is paused.
Microsoft.Automation/automationAccounts/jobs/stop/action Cancel a job in progress.
Microsoft.Automation/automationAccounts/jobs/streams/read Read the Job Streams and Output.
Microsoft.Automation/automationAccounts/jobs/suspend/action Pause a job in progress.
Microsoft.Automation/automationAccounts/jobs/write Create jobs.
Microsoft.Resources/subscriptions/resourceGroups/read Read roles and role assignments.
Microsoft.Resources/deployments/* Create and manage resource group deployments.
Microsoft.Insights/alertRules/* Create and manage alert rules.
Microsoft.Support/* Create and manage support tickets.

Automation Runbook Operator

An Automation Runbook Operator role is granted at the Runbook scope. An Automation Runbook Operator can view the runbook's name and properties.  This role combined with the 'Automation Job Operator' role enables the operator to also create and manage jobs for the runbook. The following table shows the permissions granted for the role:

Actions Description
Microsoft.Automation/automationAccounts/runbooks/read List the runbooks.
Microsoft.Authorization/*/read Read authorization.
Microsoft.Resources/subscriptions/resourceGroups/read Read roles and role assignments.
Microsoft.Resources/deployments/* Create and manage resource group deployments.
Microsoft.Insights/alertRules/* Create and manage alert rules.
Microsoft.Support/* Create and manage support tickets.

Log Analytics Contributor

A Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; creating and configuring Automation accounts; adding solutions; and configuring Azure diagnostics on all Azure resources. The following table shows the permissions granted for the role:

Actions Description
*/read Read resources of all types, except secrets.
Microsoft.Automation/automationAccounts/* Manage automation accounts.
Microsoft.ClassicCompute/virtualMachines/extensions/* Create and manage virtual machine extensions.
Microsoft.ClassicStorage/storageAccounts/listKeys/action List classic storage account keys.
Microsoft.Compute/virtualMachines/extensions/* Create and manage classic virtual machine extensions.
Microsoft.Insights/alertRules/* Read/write/delete alert rules.
Microsoft.Insights/diagnosticSettings/* Read/write/delete diagnostic settings.
Microsoft.OperationalInsights/* Manage Log Analytics.
Microsoft.OperationsManagement/* Manage solutions in workspaces.
Microsoft.Resources/deployments/* Create and manage resource group deployments.
Microsoft.Resources/subscriptions/resourcegroups/deployments/* Create and manage resource group deployments.
Microsoft.Storage/storageAccounts/listKeys/action List storage account keys.
Microsoft.Support/* Create and manage support tickets.

Log Analytics Reader

A Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. The following table shows the permissions granted or denied for the role:

Actions Description
*/read Read resources of all types, except secrets.
Microsoft.OperationalInsights/workspaces/analytics/query/action Manage queries in Log Analytics.
Microsoft.OperationalInsights/workspaces/search/action Search Log Analytics data.
Microsoft.Support/* Create and manage support tickets.
Not Actions
Microsoft.OperationalInsights/workspaces/sharedKeys/read Not able to read the shared access keys.

Monitoring Contributor

A Monitoring Contributor can read all monitoring data and update monitoring settings. The following table shows the permissions granted for the role:

Actions Description
*/read Read resources of all types, except secrets.
Microsoft.AlertsManagement/alerts/* Manage Alerts.
Microsoft.AlertsManagement/alertsSummary/* Manage the Alert dashboard.
Microsoft.Insights/AlertRules/* Manage alert rules.
Microsoft.Insights/components/* Manage Application Insights components.
Microsoft.Insights/DiagnosticSettings/* Manage diagnostic settings.
Microsoft.Insights/eventtypes/* List Activity Log events (management events) in a subscription. This permission is applicable to both programmatic and portal access to the Activity Log.
Microsoft.Insights/LogDefinitions/* This permission is necessary for users who need access to Activity Logs via the portal. List log categories in Activity Log.
Microsoft.Insights/MetricDefinitions/* Read metric definitions (list of available metric types for a resource).
Microsoft.Insights/Metrics/* Read metrics for a resource.
Microsoft.Insights/Register/Action Register the Microsoft.Insights provider.
Microsoft.Insights/webtests/* Manage Application Insights web tests.
Microsoft.OperationalInsights/workspaces/intelligencepacks/* Manage Log Analytics solution packs.
Microsoft.OperationalInsights/workspaces/savedSearches/* Manage Log Analytics saved searches.
Microsoft.OperationalInsights/workspaces/search/action Search Log Analytics workspaces.
Microsoft.OperationalInsights/workspaces/sharedKeys/action List keys for a Log Analytics workspace.
Microsoft.OperationalInsights/workspaces/storageinsightconfigs/* Manage Log Analytics storage insight configurations.
Microsoft.Support/* Create and manage support tickets.
Microsoft.WorkloadMonitor/workloads/* Manage Workloads.

Monitoring Reader

A Monitoring Reader can read all monitoring data. The following table shows the permissions granted for the role:

Actions Description
*/read Read resources of all types, except secrets.
Microsoft.OperationalInsights/workspaces/search/action Search Log Analytics workspaces.
Microsoft.Support/* Create and manage support tickets

User Access Administrator

A User Access Administrator can manage user access to Azure resources. The following table shows the permissions granted for the role:

Actions Description
*/read Read all resources
Microsoft.Authorization/* Manage authorization
Microsoft.Support/* Create and manage support tickets

Onboarding

The following tables show the minimum required permissions needed for onboarding virtual machines for the change tracking or update management solutions.

Onboarding from a virtual machine

Action Permission Minimum scope
Write new deployment Microsoft.Resources/deployments/* Subscription
Write new resource group Microsoft.Resources/subscriptions/resourceGroups/write Subscription
Create new default Workspace Microsoft.OperationalInsights/workspaces/write Resource group
Create new Account Microsoft.Automation/automationAccounts/write Resource group
Link workspace and account Microsoft.OperationalInsights/workspaces/write
Microsoft.Automation/automationAccounts/read
Workspace
Automation account
Create solution Microsoft.OperationalInsights/workspaces/intelligencepacks/write Resource group
Create MMA extension Microsoft.Compute/virtualMachines/write Virtual Machine
Create saved search Microsoft.OperationalInsights/workspaces/write Workspace
Create scope config Microsoft.OperationalInsights/workspaces/write Workspace
Link solution to scope config Microsoft.OperationalInsights/workspaces/intelligencepacks/write Solution
Onboarding state check - Read workspace Microsoft.OperationalInsights/workspaces/read Workspace
Onboarding state check - Read linked workspace property of account Microsoft.Automation/automationAccounts/read Automation account
Onboarding state check - Read solution Microsoft.OperationalInsights/workspaces/intelligencepacks/read Solution
Onboarding state check - Read VM Microsoft.Compute/virtualMachines/read Virtual Machine
Onboarding state check - Read account Microsoft.Automation/automationAccounts/read Automation account

Onboarding from Automation account

Action Permission Minimum Scope
Create new deployment Microsoft.Resources/deployments/* Subscription
Create new resource group Microsoft.Resources/subscriptions/resourceGroups/write Subscription
AutomationOnboarding blade - Create new workspace Microsoft.OperationalInsights/workspaces/write Resource group
AutomationOnboarding blade - read linked workspace Microsoft.Automation/automationAccounts/read Automation account
AutomationOnboarding blade - read solution Microsoft.OperationalInsights/workspaces/intelligencepacks/read Solution
AutomationOnboarding blade - read workspace Microsoft.OperationalInsights/workspaces/intelligencepacks/read Workspace
Create link for workspace and Account Microsoft.OperationalInsights/workspaces/write Workspace
Write account for shoebox Microsoft.Automation/automationAccounts/write Account
Create solution Microsoft.OperationalInsights/workspaces/intelligencepacks/write Resource Group
Create/edit saved search Microsoft.OperationalInsights/workspaces/write Workspace
Create/edit scope config Microsoft.OperationalInsights/workspaces/write Workspace
Link solution to scope config Microsoft.OperationalInsights/workspaces/intelligencepacks/write Solution
Step 2 - Onboard Multiple VMs
VMOnboarding blade - Create MMA extension Microsoft.Compute/virtualMachines/write Virtual Machine
Create / edit saved search Microsoft.OperationalInsights/workspaces/write Workspace
Create / edit scope config Microsoft.OperationalInsights/workspaces/write Workspace

Update management

Update management reaches across multiple services to provide its service. The following table shows the permissions needed to manage update management deployments:

Resource Role Scope
Automation account Log Analytics Contributor Automation account
Automation account Virtual Machine Contributor Resource Group for the account
Log Analytics workspace Log Analytics Contributor Log Analytics workspace
Log Analytics workspace Log Analytics Reader Subscription
Solution Log Analytics Contributor Solution
Virtual Machine Virtual Machine Contributor Virtual Machine

Configure RBAC for your Automation account

The following section shows you how to configure RBAC on your Automation Account through the portal and PowerShell

Configure RBAC using the Azure portal

  1. Log in to the Azure portal and open your Automation account from the Automation Accounts page.
  2. Click on the Access control (IAM) control at the top left corner. This opens the Access control (IAM) page where you can add new users, groups, and applications to manage your Automation account and view existing roles that can be configured for the Automation account.

    Access button

Add a new user and assign a role

  1. From the Access control (IAM) page, click + Add to open the Add permissions page where you can add a user, group, or application, and assign a role to them.

  2. Select a role from the list of available roles. You can choose any of the available built-in roles that an Automation account supports or any custom role you may have defined.

  3. Type the username of the user you want to give permissions to in the Select field. Select the user from the list and click Save.

    Add users

    Now you should see the user added to the Users page with the selected role assigned

    List users

    You can also assign a role to the user from the Roles page.

  4. Click Roles from the Access control (IAM) page to open the Roles page. From here, you can view the name of the role, the number of users and groups assigned to that role.

    Assign role from users page

    Note

    Role-based access control can only be set at the Automation account scope and not at any resource below the Automation account.

Remove a user

You can remove the access permission for a user who is not managing the Automation account, or who no longer works for the organization. Following are the steps to remove a user:

  1. From the Access control (IAM) page, select the user wish to remove and click Remove.
  2. Click the Remove button in the assignment details pane.
  3. Click Yes to confirm removal.

    Remove users

Configure RBAC using PowerShell

Role-based access can also be configured to an Automation account using the following Azure PowerShell cmdlets:

Get-AzureRmRoleDefinition lists all RBAC roles that are available in Azure Active Directory. You can use this command along with the Name property to list all the actions that can be performed by a specific role.

Get-AzureRmRoleDefinition -Name 'Automation Operator'

The following is the example output:

Name             : Automation Operator
Id               : d3881f73-407a-4167-8283-e981cbba0404
IsCustom         : False
Description      : Automation Operators are able to start, stop, suspend, and resume jobs
Actions          : {Microsoft.Authorization/*/read, Microsoft.Automation/automationAccounts/jobs/read, Microsoft.Automation/automationAccounts/jobs/resume/action,
                   Microsoft.Automation/automationAccounts/jobs/stop/action...}
NotActions       : {}
AssignableScopes : {/}

Get-AzureRmRoleAssignment lists Azure AD RBAC role assignments at the specified scope. Without any parameters, this command returns all the role assignments made under the subscription. Use the ExpandPrincipalGroups parameter to list access assignments for the specified user as well as the groups the user is a member of. Example: Use the following command to list all the users and their roles within an automation account.

Get-AzureRMRoleAssignment -scope '/subscriptions/<SubscriptionID>/resourcegroups/<Resource Group Name>/Providers/Microsoft.Automation/automationAccounts/<Automation account name>'

The following is the example output:

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Automation/automationAccounts/myAutomationAccount/provid
                     ers/Microsoft.Authorization/roleAssignments/cc594d39-ac10-46c4-9505-f182a355c41f
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Automation/automationAccounts/myAutomationAccount
DisplayName        : admin@contoso.com
SignInName         : admin@contoso.com
RoleDefinitionName : Automation Operator
RoleDefinitionId   : d3881f73-407a-4167-8283-e981cbba0404
ObjectId           : 15f26a47-812d-489a-8197-3d4853558347
ObjectType         : User

New-AzureRmRoleAssignment to assign access to users, groups, and applications to a particular scope. Example: Use the following command to assign the "Automation Operator" role for a user in the Automation account scope.

New-AzureRmRoleAssignment -SignInName <sign-in Id of a user you wish to grant access> -RoleDefinitionName 'Automation operator' -Scope '/subscriptions/<SubscriptionID>/resourcegroups/<Resource Group Name>/Providers/Microsoft.Automation/automationAccounts/<Automation account name>'

The following is the example output:

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/myResourceGroup/Providers/Microsoft.Automation/automationAccounts/myAutomationAccount/provid
                     ers/Microsoft.Authorization/roleAssignments/25377770-561e-4496-8b4f-7cba1d6fa346
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/myResourceGroup/Providers/Microsoft.Automation/automationAccounts/myAutomationAccount
DisplayName        : admin@contoso.com
SignInName         : admin@contoso.com
RoleDefinitionName : Automation Operator
RoleDefinitionId   : d3881f73-407a-4167-8283-e981cbba0404
ObjectId           : f5ecbe87-1181-43d2-88d5-a8f5e9d8014e
ObjectType         : User

Use Remove-AzureRmRoleAssignment to remove access of a specified user, group, or application from a particular scope. Example: Use the following command to remove the user from the “Automation Operator” role in the Automation account scope.

Remove-AzureRmRoleAssignment -SignInName <sign-in Id of a user you wish to remove> -RoleDefinitionName 'Automation Operator' -Scope '/subscriptions/<SubscriptionID>/resourcegroups/<Resource Group Name>/Providers/Microsoft.Automation/automationAccounts/<Automation account name>'

In the preceding examples, replace sign in Id, subscription Id, resource group name, and Automation account name with your account details. Choose yes when prompted to confirm before continuing to remove user role assignment.

User experience for Automation operator role - Automation Account

When a user, who is assigned to the Automation Operator role on the Automation Account scope views the Automation account they are assigned to, they can only view the list of runbooks, runbook jobs, and schedules created in the Automation account but can’t view their definition. They can start, stop, suspend, resume, or schedule the runbook job. The user does not have access to other Automation resources such as configurations, hybrid worker groups, or DSC nodes.

No access to resources

Configure RBAC for Runbooks

Azure Automation allows for you to assign RBAC to specific runbooks. To do this run the following script to add a user to a specific runbook. The following script can be ran by an Automation Account Admin or Tenant Admin.

$rgName = "<Resource Group Name>" # Resource Group name for the Automation Account
$automationAccountName ="<Automation Account Name>" # Name of the Automation Account
$rbName = "<Name of Runbook>" # Name of the runbook
$userId = "<User ObjectId>" # Azure Active Directory (AAD) user's ObjectId from the directory

# Gets the Automation Account resource
$aa = Get-AzureRmResource -ResourceGroupName $rgName -ResourceType "Microsoft.Automation/automationAccounts" -ResourceName $automationAccountName

# Get the Runbook resource
$rb = Get-AzureRmResource -ResourceGroupName $rgName -ResourceType "Microsoft.Automation/automationAccounts/runbooks" -ResourceName "$automationAccountName/$rbName"

# The Automation Job Operator role only needs to be ran once per user.
New-AzureRmRoleAssignment -ObjectId $userId -RoleDefinitionName "Automation Job Operator" -Scope $aa.ResourceId

# Adds the user to the Automation Runbook Operator role to the Runbook scope
New-AzureRmRoleAssignment -ObjectId $userId -RoleDefinitionName "Automation Runbook Operator" -Scope $rb.ResourceId

Once ran, have the user log in to the Azure portal and view All Resources. In the list they see the Runbook they were added as a Automation Runbook Operator for.

Runbook RBAC in the portal

User experience for Automation operator role - Runbook

When a user, who is assigned to the Automation Operator role on the Runbook scope views a Runbook they are assigned to, they can only start the runbook and view the runbook jobs.

Only has access to start

Next steps