
The Runbook for Azure Runbooks

Cole Erickson
This article is a guest post written by Cole Erickson, an independent author. The views and opinions expressed are solely those of the author and do not reflect those of Foqal. Foqal assumes no responsibility for the accuracy, completeness, or validity of any information contained within this article and is not liable for any reliance on the content. For any queries related to this article, please contact the author directly.

I have recently moved back to managing a Microsoft environment after several years in Google Workspaces. When I first got to the Google shop, I missed Microsoft. When I first came back to MS, I missed Google. I don't know. My time at the Google shop showed me the joys of automating through APIs versus locally running PowerShell scripts. It was great; I could automate everything, even the gigabytes (first of many obscure references to 90s TV and movies).

In an effort to get back to my automating ways, I began to work with Microsoft’s Graph API. Things were good, at least until the maintenance of a certain distribution group came up. So, I can manage some of the groups with API and the rest need PowerShell? WHY!? Could they not borrow one more mind for this meeting, or were they all being used for the constant rebranding of products?

Stepping back from a possible rant, this has led me to discover Azure Runbooks and the point of this article. If you need to automate your PowerShell tasks and your company has moved on from the late 2000s to be a cloud-only shop, this is a great way to bridge the gap. Below I have given a quick run-through of setting up your first runbook. There are plenty more use cases than this, but having the ability to run PS scripts on demand without the use of a Windows box is pretty nice. This is the article from MS I used to follow, Tutorial: Create a PowerShell Workflow runbook in Automation. Swap out the PowerShell script provided with one that suits your needs and be sure to add any additional modules yours may require. And remember, always do some of your own research before blindly following a step by step of some dude on the internet. You start doing that and next thing you know, money is missing out of your dresser drawer, capisce?

Creating Your First Runbook to Run a PowerShell Script for Removing a User from a Group

1. Create an Automation Account:

  • Sign in to the Azure portal.
  • In the left-hand navigation pane, click on "Create a resource".
  • Under "IT & Management Tools", select "Automation Accounts".
  • Click on "Create".
  • Fill in the required details:
    • Subscription: Select your Azure subscription.
    • Resource Group: Select an existing resource group or create a new one.
    • Name: Provide a unique name for your automation account.
    • Region: Choose the region for your automation account.
  • Click on "Review + create", then "Create" to set up your automation account.

2. Create Credentials

  1. Within your automation account, drop down Shared Resources and choose Credentials
  2. Add a credential
  3. Fill in the creds of a service account with the permission sets required to perform your given tasks.

3. Add Modules

  1. Add the modules needed in your PowerShell script. For this example you will want the following modules in Runtime Version 5.1:
    1. AzureAD
    2. ExchangeOnlineManagement
    3. ExchangePowerShell
    4. MSOnline
    5. PowerShellGet

4. Create a Runbook:

  1. In your automation account, select "Runbooks" under the "Process Automation" section.
  2. Click on "Create a runbook".
  3. Provide a name for your runbook, select "PowerShell" as the runbook type, and click "Create".

5. Add Webhook:

  1. Choose "Add webhook" and create a new webhook.
  2. Make sure you click through the next window to finish creating the webhook.

6. Edit the Runbook:

  1. Once the runbook is created, click on "Edit" and choose to do it in the browser or in VS.
  2. Enter the following PowerShell script to remove a user from a group. The email and group name are set to come by way of webhook, but you can modify as needed:

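param (
    [Parameter(Mandatory = $false)]
    [object] $WebhookData
)

# Stop if the runbook was started without a webhook payload
if (-not $WebhookData -or -not $WebhookData.RequestBody) {
    throw "This runbook must be started from a webhook with a JSON request body."
}

# Parse the JSON request body sent to the webhook
$data = ConvertFrom-Json -InputObject $WebhookData.RequestBody

# Extract user and group information from the webhook data
$userPrincipalName = $data.userPrincipalName
$groupName = $data.groupName

# Import modules
Import-Module PackageManagement
Import-Module PowerShellGet
Import-Module ExchangeOnlineManagement

# Retrieve the credential stored in step 2 (the name must match the credential asset)
$cred = Get-AutomationPSCredential -Name "PSSCreds"

# Connect to Exchange Online
Connect-ExchangeOnline -Credential $cred

# Remove the user from the distribution group
Remove-DistributionGroupMember -Identity $groupName -Member $userPrincipalName -BypassSecurityGroupManagerCheck -Confirm:$false

# Close the Exchange Online session when done
Disconnect-ExchangeOnline -Confirm:$false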

7. Publish and Test the Runbook:

  1. Click on "Save" and then "Publish".
  2. To test the runbook, send a PUT request to the webhook URL you created earlier:
{
   "UserPrincipalName": "{user’s email}",
   "groupName": "{your group name}"
}
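
The script in step 6 hands whatever the webhook body names straight to Remove-DistributionGroupMember with -BypassSecurityGroupManagerCheck, so an input check belongs in front of that call. The following is an added example, not part of the original article or of Microsoft's tutorial: it validates the payload against an allowlist of groups and an expected mail domain. The function name Get-ValidatedRemovalRequest, the group names and example.com are hypothetical.

```powershell
# Added example: validate the webhook payload before it reaches Exchange Online.
# $AllowedGroups and $AllowedDomain are hypothetical values; set them for your tenant.
$AllowedGroups = @('helpdesk-rotation', 'office-announcements')
$AllowedDomain = 'example.com'

function Get-ValidatedRemovalRequest {
    param (
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string] $RequestBody
    )

    if ([string]::IsNullOrWhiteSpace($RequestBody)) {
        throw 'Empty request body.'
    }

    try {
        $data = ConvertFrom-Json -InputObject $RequestBody -ErrorAction Stop
    } catch {
        throw 'Request body is not valid JSON.'
    }

    $upn   = [string] $data.userPrincipalName
    $group = [string] $data.groupName

    # Accept only a plain local part at the expected domain.
    $upnPattern = '^[A-Za-z0-9._-]+@' + [regex]::Escape($AllowedDomain) + '$'
    if ($upn -notmatch $upnPattern) {
        throw 'userPrincipalName is missing or not in the allowed domain.'
    }

    # Exact match against the allowlist, so wildcards or other identities never pass.
    if ($AllowedGroups -notcontains $group) {
        throw "Group '$group' is not on the allowlist."
    }

    [pscustomobject]@{ UserPrincipalName = $upn; GroupName = $group }
}

# Constructed sample payloads: the first passes, the second is rejected.
$samples = @(
    '{"userPrincipalName":"jdoe@example.com","groupName":"helpdesk-rotation"}',
    '{"userPrincipalName":"jdoe@example.com","groupName":"all-executives"}'
)
foreach ($body in $samples) {
    try   { Get-ValidatedRemovalRequest -RequestBody $body }
    catch { Write-Output "Rejected: $($_.Exception.Message)" }
}
```

In the runbook, call the function with $WebhookData.RequestBody and pass the returned UserPrincipalName and GroupName to Remove-DistributionGroupMember.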

Conclusion

Don’t lose hope: there are still ways to automate in a Microsoft environment through webhook payloads. You just sometimes have to do it twice, once in Graph and once in PS. Seriously MS, why!?
