This chapter covers Azure Automation Runbooks, a core component of Azure Automation that enables you to automate repetitive, time-consuming, and error-prone operational tasks. For the AZ-104 exam, this topic falls under objective 5.1 (Monitor and manage Azure resources) and typically appears in 5–10% of exam questions, often in scenario-based questions where you must choose the correct automation approach. Understanding runbooks — their types, execution environments, triggers, and integration with other Azure services — is essential for passing the exam and for real-world Azure administration.
Jump to a section
Imagine you are the IT manager of a large office building with hundreds of rooms and servers. Every time a server overheats, you must manually walk to the server room, check the temperature, restart the cooling system, and log the incident. That is like running scripts manually in Azure. Now imagine you install an autopilot system: sensors detect when a room exceeds 85°F, which triggers a predefined sequence: send a notification to your phone, activate backup cooling, and log the event automatically. The autopilot does not think — it follows a strict checklist you wrote. This is exactly what an Azure Automation Runbook does. It is a set of instructions (PowerShell, Python, or graphical) that executes automatically in response to a schedule or an event (like an alert). The runbook runs in the Azure Automation sandbox, a secure, isolated environment that provides the necessary modules and authentication. Just as the autopilot can be triggered by a sensor or a timer, runbooks can be triggered by schedules, webhooks, or Azure Monitor alerts. The runbook's execution is logged, and you can review the logs to see exactly what happened, just like reviewing flight data from the autopilot. This analogy is mechanistic: the runbook is the autopilot's code, the sandbox is the autopilot computer, triggers are sensor inputs, and logs are the black box.
What Are Azure Automation Runbooks?
Azure Automation Runbooks are collections of PowerShell, PowerShell Workflow, Python, or graphical scripts that execute in the Azure Automation service. They automate processes such as VM start/stop, patching, backup, or responding to alerts. Runbooks run in a sandbox environment (for cloud jobs) or on a Hybrid Runbook Worker (for on-premises or other clouds). The service provides a secure, scalable execution environment with built-in authentication via Run As accounts or managed identities.
Why Runbooks Exist
Manual administration does not scale. A single administrator can manage dozens of VMs, but hundreds or thousands require automation. Runbooks allow you to define, schedule, and monitor automated workflows without writing complex orchestration code from scratch. They are a key part of Azure's "automation first" philosophy, enabling DevOps practices like infrastructure as code and self-healing systems.
How Runbooks Work Internally
When a runbook is triggered, the Azure Automation service allocates a sandbox — a temporary, isolated environment with a specific set of modules and resources. The sandbox runs on Azure infrastructure and is recycled after the job completes. The runbook code executes within this sandbox, using the modules that are imported into the Automation Account (e.g., Az module, AzureRM module, or custom modules). Authentication is handled via a Run As account (a service principal with Contributor permissions by default) or a managed identity. The runbook can interact with Azure resources via cmdlets or REST APIs. Output, errors, and verbose logs are streamed to the job record, which you can view in the Azure portal or retrieve via PowerShell.
Key Components
- Automation Account: The container for runbooks, modules, schedules, webhooks, and credentials. You must create one before using runbooks.
- Runbook Types:
- PowerShell: Standard PowerShell script (.ps1). Most common for simple automation.
- PowerShell Workflow: Based on Windows Workflow Foundation (.ps1), supports checkpointing and parallel execution. Deprecated but still supported.
- Python 2/3: Python scripts (.py). Useful for cross-platform or Linux-oriented automation.
- Graphical: Drag-and-drop authoring in Azure portal. Generates PowerShell code behind the scenes. Good for beginners but limited for complex logic.
- Execution Environments:
- Azure Sandbox: Default for cloud jobs. Max 3 hours execution time. No persistent storage. Modules must be imported into the Automation Account.
- Hybrid Runbook Worker: Runs on a Windows or Linux machine in your on-premises or other cloud environment. Can access local resources and run longer than 3 hours. Requires the worker to be installed and registered with the Automation Account.
- Triggers:
- Schedule: Start runbook at a specific time or recurring interval (e.g., every hour, daily at 2 AM).
- Webhook: HTTP POST request triggers the runbook. Useful for external systems (e.g., ServiceNow, GitHub).
- Azure Monitor Alert: Runbook responds to a metric or log alert.
- Child Runbook: Called by another runbook.
- Modules: PowerShell modules (e.g., Az, AzureRM, custom) must be imported into the Automation Account. The sandbox preloads some default modules, but you may need to import others.
- Assets: Credentials, variables, connections, certificates used by runbooks. Stored encrypted in the Automation Account.
Configuration and Verification Commands
To create a runbook using Azure PowerShell:
New-AzAutomationRunbook -AutomationAccountName "myAutomationAccount" `
-Name "Start-StopVMs" `
-Type PowerShell `
-ResourceGroupName "myRG" `
-Description "Start or stop VMs based on tag"To import a script:
Import-AzAutomationRunbook -AutomationAccountName "myAutomationAccount" `
-Name "Start-StopVMs" `
-Path ".\Start-StopVMs.ps1" `
-ResourceGroupName "myRG" `
-Type PowerShell `
-ForceTo publish a runbook (draft to published):
Publish-AzAutomationRunbook -AutomationAccountName "myAutomationAccount" `
-Name "Start-StopVMs" `
-ResourceGroupName "myRG"To start a runbook:
Start-AzAutomationRunbook -AutomationAccountName "myAutomationAccount" `
-Name "Start-StopVMs" `
-ResourceGroupName "myRG"To check job status:
Get-AzAutomationJob -AutomationAccountName "myAutomationAccount" `
-ResourceGroupName "myRG" `
-RunbookName "Start-StopVMs"Interaction with Related Technologies
Azure Monitor Alerts: An alert can trigger a runbook via an action group. For example, when CPU > 90%, run a runbook to scale out.
Azure Logic Apps: Logic Apps can call runbooks via webhooks, and runbooks can call Logic Apps.
Azure Functions: Runbooks are best for long-running or complex workflows; Functions are for short, event-driven code.
Azure DevOps: Runbooks can be published via CI/CD pipelines using the Azure Automation extension.
Azure Policy: Remediation tasks can use runbooks to auto-fix non-compliant resources.
Execution Details
The sandbox has a maximum execution time of 3 hours (180 minutes) for cloud jobs. If a runbook exceeds this, it is suspended. To run longer, use a Hybrid Runbook Worker. The sandbox is shared among many jobs, so you must not rely on local state. Modules are loaded from the Automation Account's module gallery. The Run As account is created with a self-signed certificate that expires after one year; you must renew it manually or use a managed identity. Managed identities are recommended for newer deployments because they avoid certificate management.
Error Handling
Runbooks can use try/catch blocks in PowerShell. The $ErrorActionPreference variable controls behavior on non-terminating errors. Use -ErrorAction Stop to make cmdlets throw terminating errors. The Write-Output, Write-Error, Write-Warning, and Write-Verbose cmdlets write to the job stream. The job record stores all streams for up to 30 days by default (configurable).
Security
Run As Account: A service principal with Contributor role on the subscription by default. You can restrict permissions.
Managed Identity: System-assigned or user-assigned identity. More secure and easier to manage.
Credentials: Store sensitive values as encrypted variables or credentials assets; never hardcode in the runbook.
Webhook: Use a webhook URL with a token. The token is the only authentication; keep it secret.
Limits
Maximum runbook size: 1 MB for graphic, 3 MB for PowerShell/Python.
Maximum number of runbooks per Automation Account: 100 (can be increased via support request).
Maximum concurrent jobs: 10 per Automation Account (can be increased).
Maximum job storage: 1 GB per Automation Account.
Common Exam Scenarios
Choose the correct runbook type for a given requirement (e.g., long-running job -> Hybrid Runbook Worker).
Identify when to use schedules vs. webhooks vs. alerts.
Understand that runbooks can be used with Azure Policy remediation tasks.
Know that runbooks must be published before execution.
Recognize that the Run As account expires after one year.
Create an Automation Account
First, you must have an Azure Automation Account. This is the container that holds all runbooks, modules, schedules, and credentials. To create it, go to the Azure portal, search for 'Automation Accounts', click 'Create', and fill in the required fields: Subscription, Resource Group, Name, and Region. The account will automatically create a Run As account (a service principal) unless you opt out. This step is foundational because without an Automation Account, you cannot create runbooks. The exam expects you to know that the Automation Account is the top-level resource.
Import or create a runbook
Inside the Automation Account, you can create a new runbook from scratch in the portal editor, or import an existing script file. For PowerShell runbooks, the file must have a .ps1 extension; for Python, .py. You can also author graphically using the graphical editor, which generates PowerShell code. The runbook starts as a draft. You can edit it multiple times, but it will not execute until published. The exam may ask you to identify the correct file type for a runbook based on its language.
Publish the runbook
Publishing creates a version of the runbook that can be executed. Until you publish, the runbook remains in draft mode and cannot be triggered. To publish, click 'Publish' in the portal or use the PowerShell cmdlet `Publish-AzAutomationRunbook`. Each publish creates a new version; you can view version history. The exam often tests that a runbook must be published before it can be used. A common wrong answer is to assume the draft can be executed.
Add a trigger (schedule, webhook, or alert)
A runbook can be triggered manually, but for automation you need a trigger. Schedules allow time-based execution (e.g., every hour). Webhooks allow external HTTP POST calls. Azure Monitor alerts can trigger runbooks via action groups. To add a schedule, you must first create a schedule object in the Automation Account, then link it to the runbook. For webhooks, you generate a URL with a token; anyone with the URL can trigger the runbook. The exam may test which trigger is appropriate for a scenario: e.g., use a schedule for nightly shutdown, a webhook for a CI/CD pipeline, or an alert for auto-remediation.
Monitor job execution and output
When a runbook is triggered, a job is created. You can monitor the job's status (Running, Completed, Failed, Suspended) in the portal under 'Jobs'. Each job has streams: Output, Error, Warning, Verbose, and Debug. You can view these streams to troubleshoot. The job record is retained for 30 days by default. For long-running jobs, you can use checkpoints (only in PowerShell Workflow) to resume from a failure. The exam may ask about job retention or how to view output.
Scenario 1: Automated VM Start/Stop for Cost Savings
A large enterprise runs hundreds of development and test VMs that are only needed during business hours. Manually starting and stopping them is error-prone and wastes money. The solution: Create two PowerShell runbooks — one to start VMs with a specific tag (e.g., 'AutoStart=true') and one to stop them. Schedule the start runbook at 7:00 AM and the stop runbook at 7:00 PM every weekday. The runbooks use the Run As account to authenticate and iterate through VMs in the subscription. In production, you must handle time zones, ensure the schedule is in UTC, and account for VMs that are already running or stopped. A common problem is that the Run As account certificate expires after one year, causing the runbook to fail. To avoid this, use a managed identity or set up a reminder to renew the certificate. Also, the 3-hour sandbox limit is not an issue here because the job finishes quickly. This scenario is a frequent exam topic: you must choose runbooks over other automation methods (like Logic Apps) because runbooks can run PowerShell cmdlets natively.
Scenario 2: Auto-Remediation of Non-Compliant Resources
An organization uses Azure Policy to enforce that all storage accounts have HTTPS traffic only. If a non-compliant storage account is created, a remediation task can trigger a runbook to update the property. The runbook uses Azure Policy's 'DeployIfNotExists' effect to associate a runbook with the policy. The runbook is passed the resource ID of the non-compliant resource. In production, you must ensure the runbook has permissions to modify the resource — the Run As account must have the appropriate RBAC role. A common mistake is to forget that the runbook must be published and that the policy assignment must have a managed identity. The exam may ask you to identify the correct way to auto-remediate using runbooks, and the trap answer is to use an Azure Function instead, but runbooks are the native choice for Policy remediation.
Scenario 3: Hybrid Runbook Worker for On-Premises Automation
A company has a hybrid environment with on-premises SQL Server databases that need nightly maintenance. Cloud-only runbooks cannot access on-premises resources. Solution: Install the Hybrid Runbook Worker on a Windows server in the on-premises network. Register the worker with the Automation Account. Create a PowerShell runbook that uses SQL Server modules to perform maintenance. The runbook runs on the worker, which has access to the local network. In production, you must ensure the worker has the necessary modules installed and that the Run As account has permissions to access the SQL Server. A common problem is network connectivity: the worker must be able to reach Azure over HTTPS (port 443). The exam sometimes tests that Hybrid Runbook Workers are required for on-premises resources and that they can run longer than 3 hours.
Exactly What AZ-104 Tests on This Topic
AZ-104 objective 5.1 includes "Implement automation runbooks to respond to alerts." The exam focuses on:
Choosing the correct runbook type (PowerShell vs. Python vs. Graphical) based on scenario.
Understanding when to use Azure sandbox vs. Hybrid Runbook Worker.
Configuring triggers: schedules, webhooks, alerts.
Integrating runbooks with Azure Monitor alerts via action groups.
Managing runbook assets (credentials, variables, modules).
Understanding the Run As account and managed identity authentication.
Knowing that runbooks must be published before execution.
Common Wrong Answers and Why
"Runbooks can be executed directly from draft mode." Wrong. Drafts are for editing only; you must publish. Candidates confuse draft with published because in some other systems (like Azure Functions), you can run from the editor. But runbooks require explicit publishing.
"Use a Logic App instead of a runbook for PowerShell-based automation." This is a trap. Logic Apps are for workflows that integrate with many services, but they cannot natively run PowerShell. Runbooks are the correct choice when you need to run PowerShell or Python scripts.
"Runbooks can run indefinitely." Wrong. Cloud sandbox jobs have a 3-hour limit. For longer jobs, you must use a Hybrid Runbook Worker. Candidates forget this limit and choose the wrong execution environment.
"Webhooks require authentication." Partially true. The webhook URL includes a token, but there is no additional authentication like Azure AD. Anyone with the URL can trigger the runbook. Candidates think webhooks are secure like Azure AD, but they are not.
Specific Numbers and Terms That Appear on the Exam
3-hour maximum execution time for cloud jobs.
30-day job record retention.
Run As account certificate expires after 1 year.
Maximum runbook size: 1 MB (graphical), 3 MB (PowerShell/Python).
Maximum concurrent jobs: 10 per Automation Account (default).
Hybrid Runbook Worker requires Windows or Linux with the Automation Agent.
Edge Cases and Exceptions
PowerShell Workflow runbooks: Deprecated but still supported. They support checkpointing and parallel execution. The exam may ask about their unique features.
Multiple subscriptions: A runbook can target multiple subscriptions if the Run As account has access. Use Set-AzContext -SubscriptionId to switch.
Child runbooks: Use Start-AzAutomationRunbook with the -Wait parameter to run a child runbook synchronously and get output.
Error handling: $ErrorActionPreference = 'Stop' makes non-terminating errors terminating. This is a common detail.
How to Eliminate Wrong Answers
When you see a scenario question, first identify what the automation needs to do:
If it needs to run PowerShell/Python code, eliminate Logic Apps, Functions, and other services.
If it needs to run longer than 3 hours, eliminate cloud sandbox and choose Hybrid Runbook Worker.
If it needs to respond to an Azure Monitor alert, look for an action group that triggers a runbook.
If it needs to be triggered externally (e.g., from GitHub), look for a webhook.
If the question mentions "schedule," look for a schedule linked to the runbook.
Always check if the runbook is published — if the scenario says "draft," the answer is that it cannot run.
Runbooks must be published before they can be executed; drafts are for editing only.
Cloud sandbox jobs have a maximum execution time of 3 hours; use Hybrid Runbook Worker for longer jobs.
Run As account certificate expires after 1 year; use managed identity to avoid renewal.
Webhooks are triggered by an HTTP POST; the URL contains a token and is the only authentication.
Runbooks can be triggered by schedules, webhooks, or Azure Monitor alerts via action groups.
Hybrid Runbook Worker is required to access on-premises resources or run jobs longer than 3 hours.
Job records are retained for 30 days by default and include output, error, warning, and verbose streams.
These come up on the exam all the time. Here's how to tell them apart.
Azure Automation Runbook
Runs PowerShell, Python, or graphical scripts natively.
Best for long-running or complex automation tasks (up to 3 hours in cloud, longer with Hybrid Worker).
Uses Run As account or managed identity for authentication.
Primarily code-based; requires scripting knowledge.
Integrated with Azure Monitor alerts and Azure Policy remediation.
Azure Logic Apps
Uses a visual designer with connectors; no native script execution.
Best for integrating SaaS services (e.g., Office 365, Salesforce) with simple workflows.
Uses managed identity or connection references for authentication.
Low-code/no-code; ideal for non-developers.
Can call runbooks via webhooks but cannot run PowerShell directly.
Mistake
Runbooks can only be written in PowerShell.
Correct
Runbooks support PowerShell, PowerShell Workflow, Python 2/3, and Graphical (which generates PowerShell). The exam may test that Python is an option, especially for Linux-focused scenarios.
Mistake
A runbook in draft mode can be triggered by a schedule.
Correct
Only published runbooks can be executed. Draft runbooks cannot be triggered by any means. You must publish first.
Mistake
Hybrid Runbook Workers are only for on-premises machines.
Correct
Hybrid Runbook Workers can run on any machine that can connect to Azure, including VMs in other clouds (AWS, GCP) or even Azure VMs that need to access on-premises resources. The key requirement is network connectivity to Azure.
Mistake
Run As accounts never expire.
Correct
The Run As account is a service principal with a self-signed certificate that expires after one year. You must renew it manually or use a managed identity to avoid expiration issues. The exam may test this expiration period.
Mistake
Runbooks can access on-premises resources without a Hybrid Runbook Worker.
Correct
Cloud sandbox runbooks cannot access on-premises resources because they run in Azure's isolated environment. To access on-premises, you must use a Hybrid Runbook Worker installed on a machine in that network.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
First, create an Automation Account in the Azure portal. Then, inside the account, go to 'Runbooks' and click 'Create a runbook'. Choose a name, type (PowerShell, Python, or Graphical), and description. You can then edit the script in the portal editor or import an existing .ps1 or .py file. After editing, click 'Publish' to make it available for execution. You can then add triggers like schedules or webhooks.
PowerShell runbooks are standard PowerShell scripts. PowerShell Workflow runbooks are based on Windows Workflow Foundation and support features like checkpointing (ability to resume from a failure) and parallel execution. However, PowerShell Workflow has syntax differences and is deprecated. For new automation, use PowerShell runbooks unless you need checkpointing for long-running jobs.
Yes, but not in the cloud sandbox. The cloud sandbox has a 3-hour limit. For longer executions, you must use a Hybrid Runbook Worker, which can run on a machine in your on-premises network or in another cloud. The Hybrid Worker can run indefinitely as long as the machine is available.
You can define input parameters in the runbook. When triggering via the portal, you can specify parameter values. For scheduled triggers, you define parameter values when linking the schedule. For webhooks, parameters can be passed in the HTTP request body (JSON). For alert triggers, you can use the alert context to pass data.
The two main options are the Run As account (a service principal with a certificate) and a managed identity (system-assigned or user-assigned). Managed identities are recommended because they do not require certificate renewal and are more secure. The Run As account is created by default but its certificate expires after one year.
Go to the Automation Account, select 'Jobs', and find the failed job. Click on it to view the job streams. Look for error messages in the 'Error' stream. You can also enable verbose logging by setting `$VerbosePreference = 'Continue'` in the runbook. Common issues include missing modules, incorrect permissions, or script errors.
Yes. Azure Policy supports 'DeployIfNotExists' and 'Modify' effects that can trigger a remediation task. You can associate a runbook with the policy to automatically fix non-compliant resources. The runbook receives the resource ID and must have permissions to modify the resource.
You've just covered Azure Automation Runbooks — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?