A brief analysis of the new Azure Automation account (iii)---manage AAD application Key with Runbooks

Source: Internet
Author: User
Tags: email, account, smtpclient


In the previous article we looked at the public Runbook Gallery, to which the community and Microsoft keep adding runbooks that users can download or import directly from the Azure portal. It is a good place to see how engineers around the world use Runbooks to solve day-to-day problems and improve productivity: https://gallery.technet.microsoft.com/scriptcenter/site/search?f[0].Type=RootCategory&f[0].Value=WindowsAzure&f[1].Type=SubCategory&f[1].Value=WindowsAzure_automation&f[1].Text=automation

So if this article simply walked through a runbook that starts and stops Azure virtual machines automatically, probably nobody would read it. As it happens, a customer raised a question some time ago: "For security reasons, when you register an application with Azure AD you choose to generate a key that is valid for one or two years. Would it be possible to automatically email the development and OPS teams two months before a key expires, so that they can deploy a new key? Each app was registered in AD at a different time, and it is not realistic to manage the keys of dozens of apps by hand."

This is a typical case where runbooks can streamline a workflow and improve operational efficiency. Let's use this example to look at which scenarios suit runbooks, how to write a runbook, and how to use one well.

Requirements

    • As the OPS team for the company's Azure environment, I need an automatically generated list of all apps registered in Azure AD whose key expires within 2 weeks, within 1 month, or within 2 months
    • As the OPS team for the company's Azure environment, I need to receive a weekly email with the latest status of app key expiry

Requirement analysis

The automation of this task can be divided into 2 parts:

The first part is reading the application key information from Azure AD, which can be done with the PowerShell AzureAD module; the email can be sent with the .NET SMTP client from PowerShell, since a Runbook has embedded PowerShell support.

The other part is that this code must run on a fixed schedule, repeatedly, without the user having to set up a server to run it. A Runbook schedule does exactly this with a simple configuration in the portal.

Implementation process

    • Import the AzureAD module into the Automation account

    • Create 2 credential assets in the automation account: one is the Azure AD administrator login credential, which we use to read the key information of the apps registered in AAD; the other is the credential of the email account that sends the key report, usually the OPS group's team mailbox.

Once created, the password of a credential asset is never displayed again in the portal, so it is not stored anywhere it can be read in clear text. Bear in mind, though, that anyone who can author or run runbooks in this Automation account can retrieve the credential from inside a runbook, so the Azure AD account you store here should have only the directory read permission this job needs rather than Global Administrator rights.

    • Create a runbook named AADAppKeyManagement. The first thing the code does is read the two credentials created in the previous step. Remember that the cmdlet to use here is Get-AutomationPSCredential, not Get-AzureRmAutomationCredential: the former runs inside the runbook and returns a PSCredential that carries the stored password, while the latter is a management cmdlet that returns only the asset's metadata (its use is covered in the next article on Automation accounts). The code is as follows:

    $aadAdminCredentialName     = "AADAdmin"
    $opsTeamEmailCredentialName = "OpsTeamEmail"
    try {
        # Get-AutomationPSCredential builds a PSCredential from the credential asset of that name
        $aadAdmin     = Get-AutomationPSCredential -Name $aadAdminCredentialName
        $opsTeamEmail = Get-AutomationPSCredential -Name $opsTeamEmailCredentialName
    }
    catch {
        if (!$aadAdmin -or !$opsTeamEmail) {
            $ErrorMessage = "Credential is not found."
            throw $ErrorMessage
        }
        else {
            Write-Error -Message $_.Exception
            throw $_.Exception
        }
    }

Next, we connect to Azure AD, read the key information and record the apps whose key expires within 2 weeks, 1 month or 2 months in their respective arrays. The author's tenant is in Azure China, hence -AzureEnvironmentName AzureChinaCloud; for global Azure simply omit that parameter. Two details matter here: Get-AzureADApplication returns only the first page of applications unless -All $true is given, and an application can hold several keys, so the check goes by the key that expires last (an app whose old key is about to expire but which already has a newer one needs no alert). Each app is placed in exactly one bucket, the most urgent one that applies.

    # The author's tenant is Azure China; for global Azure omit -AzureEnvironmentName
    Connect-AzureAD -Credential $aadAdmin -AzureEnvironmentName AzureChinaCloud
    $2MonthsResults = @()
    $1MonthResults  = @()
    $2WeeksResults  = @()
    $now = Get-Date
    # -All $true: without it only the first page of applications is returned
    foreach ($AADApp in Get-AzureADApplication -All $true) {
        $keys = @(Get-AzureADApplicationPasswordCredential -ObjectId $AADApp.ObjectId)
        if ($keys.Count -eq 0) { continue }   # no key registered, nothing can expire
        # An app may hold several keys; judge by the one that expires last
        $EndDate = ($keys | Sort-Object EndDate -Descending | Select-Object -First 1).EndDate
        $entry   = "<br>" + $AADApp.DisplayName + " (expires " + $EndDate.ToString("yyyy-MM-dd") + ")"
        if     ($EndDate -lt $now.AddDays(14))  { $2WeeksResults  += $entry }
        elseif ($EndDate -lt $now.AddMonths(1)) { $1MonthResults  += $entry }
        elseif ($EndDate -lt $now.AddMonths(2)) { $2MonthsResults += $entry }
    }

Finally, format the information gathered in the previous step so the email is readable, and send it with SmtpClient. Here an Office 365 mailbox sends the email: the SMTP server is smtp.office365.com and the port is 587, which uses STARTTLS, so EnableSsl must be set. If SMTP AUTH is disabled for that mailbox in the tenant, the send will be rejected; it has to be enabled for the OPS mailbox.

    # Format the email body as HTML
    $EmailBody  = '<html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><title></title></head>'
    $EmailBody += '<body bgcolor="#FFFFFF" style="font-size:small; font-family:tahoma; color:#000000"><p>'
    $EmailBody += 'IT OPS Team<br><br>'
    $EmailBody += "<font face='Arial' color='red'>The following applications' key will expire within two weeks.</font>"
    $EmailBody += ($2WeeksResults -join '') + '<br><br>'
    $EmailBody += "<font face='Arial' color='red'>The following applications' key will expire within one month.</font>"
    $EmailBody += ($1MonthResults -join '') + '<br><br>'
    $EmailBody += "<font face='Arial' color='red'>The following applications' key will expire within two months.</font>"
    $EmailBody += ($2MonthsResults -join '')
    $EmailBody += '</p></body></html>'

    # Send through the Office 365 SMTP endpoint; EnableSsl switches the port-587 session to STARTTLS
    $SMTPClient = New-Object Net.Mail.SmtpClient('smtp.office365.com', 587)
    $SMTPClient.EnableSsl   = $true
    $SMTPClient.Credentials = $opsTeamEmail.GetNetworkCredential()
    $mail = New-Object Net.Mail.MailMessage($opsTeamEmail.UserName, $opsTeamEmail.UserName, "Alert: some AAD application keys will expire soon", $EmailBody)
    $mail.IsBodyHtml = $true
    $SMTPClient.Send($mail)

    • After pasting the above code into the Runbook, let's look at how to use it

After writing the code, click Save. Next, test the code: click Test pane and then Start.

The Automation account's test sandbox runs the Runbook you just saved. Because the script sends an email, once the test finishes you will receive the message it sent.

Debug output can also be added to the script; it is displayed in the Test pane while the job runs. Once the test succeeds, go back to the Runbook window and click Publish, and the Runbook is officially released. Any later change to the code can still be tested with Save, then Test pane, then Start, without affecting the published Runbook. That gives a separation between test and production, and the test environment is one that Azure manages for you.

    • Next, schedule the Runbook to run automatically

In the published Runbook's main screen, click Schedule to create a schedule that runs the runbook every Monday at 10:30 GMT. It can of course also be set to run hourly, daily or monthly.

From next week on, the OPS team will receive a weekly rollup email showing which application keys in AAD are about to expire. Interested readers can go a step further and have a runbook renew the expiring key automatically.
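Here is one way to do that renewal, as an added example that is not part of the original post. Instead of the AAD admin user credential used above, it signs in with the Automation account's Run As service principal (certificate-based, so no user password is stored in the account). It assumes the Run As connection asset keeps its default name AzureRunAsConnection, that the service principal has been granted the right to manage application credentials in the directory, that a Key Vault whose name is passed in $VaultName exists and the same service principal may set secrets on it, and that the AzureAD and AzureRM.KeyVault modules are imported into the account; the parameter names and the rollover window are choices made for this example. The runbook creates a new key alongside the old one, stores the secret in Key Vault rather than writing it to job output, and removes only keys that have already expired:

```powershell
# Added example (not from the original article): roll an expiring AAD application key
# from a runbook without exposing the new secret in the job output.
# Assumptions: Run As connection named "AzureRunAsConnection"; its service principal may
# manage application credentials in the directory and set secrets in $VaultName;
# AzureAD and AzureRM.KeyVault modules imported. Global Azure is assumed; for Azure China
# add -AzureEnvironmentName AzureChinaCloud / -EnvironmentName AzureChinaCloud below.
param (
    [Parameter(Mandatory = $true)] [string] $ApplicationObjectId,   # ObjectId of the app registration
    [Parameter(Mandatory = $true)] [string] $VaultName,             # Key Vault receiving the new secret
    [Parameter(Mandatory = $true)] [string] $SecretName,            # secret name the deployment reads
    [int] $RolloverWindowDays = 60,     # roll when the newest key expires within this many days
    [int] $NewKeyLifetimeDays = 365     # lifetime of the key being created
)

$conn = Get-AutomationConnection -Name "AzureRunAsConnection"

# Certificate-based service-principal sign-in for both the directory and the ARM side;
# the Run As certificate is installed in the sandbox by the Automation service.
Connect-AzureAD -TenantId $conn.TenantId -ApplicationId $conn.ApplicationId `
    -CertificateThumbprint $conn.CertificateThumbprint | Out-Null
Add-AzureRmAccount -ServicePrincipal -TenantId $conn.TenantId -ApplicationId $conn.ApplicationId `
    -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

$now    = Get-Date
$keys   = @(Get-AzureADApplicationPasswordCredential -ObjectId $ApplicationObjectId)
$newest = $keys | Sort-Object EndDate -Descending | Select-Object -First 1

if ($newest -and $newest.EndDate -gt $now.AddDays($RolloverWindowDays)) {
    Write-Output "Newest key of $ApplicationObjectId is valid until $($newest.EndDate); nothing to do."
    return
}

# 1. Add a new key next to the existing one so deployments keep working during the overlap.
#    Without -Value, Azure AD generates the secret and returns it once in .Value.
$newKey = New-AzureADApplicationPasswordCredential -ObjectId $ApplicationObjectId `
    -StartDate $now -EndDate $now.AddDays($NewKeyLifetimeDays)

# 2. Hand the secret to Key Vault, where the deployment pipeline reads it. Never Write-Output
#    the value: runbook job output is readable by everyone who can read the Automation account.
$secure = ConvertTo-SecureString -String $newKey.Value -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $secure `
    -Expires $newKey.EndDate | Out-Null

# 3. Remove only keys that have already expired. The still-valid old key stays until the
#    next run, which gives the OPS team a window to redeploy with the new secret.
foreach ($k in $keys) {
    if ($k.EndDate -lt $now) {
        Remove-AzureADApplicationPasswordCredential -ObjectId $ApplicationObjectId -KeyId $k.KeyId
        Write-Output "Removed expired key $($k.KeyId) of $ApplicationObjectId"
    }
}

Write-Output "New key $($newKey.KeyId) for $ApplicationObjectId stored in vault $VaultName as secret $SecretName (expires $($newKey.EndDate))"
```

Run it per application with the ObjectId returned by Get-AzureADApplication, or start it from the weekly check for every app that lands in the two-week bucket; the deployment then reads the secret from Key Vault instead of from an email. Only the key identifier and the expiry date appear in the job output, and the old key is left in place until its own expiry so a deployment that has not yet picked up the new secret keeps working.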

You can also check whether each scheduled run of the Runbook succeeded on the Jobs page of the automation account.

Summary

A Runbook in an Automation account amounts to a piece of code uploaded to Azure and attached to a schedule, with no server to maintain just to run an OPS script. This lightweight, server-free tool also brings with it credential assets for secrets, source control integration, a test environment separate from production, rollback of the published version, and many other functions.
