This chapter covers Azure Automation and Runbooks, a key service for automating repetitive cloud management tasks. You'll learn how to create, schedule, and execute runbooks to enforce consistency, reduce human error, and save operational costs. For AZ-900, this falls under 'Azure Management Governance' (Objective 3.4), which typically accounts for about 10-15% of the exam. Mastering automation concepts is critical because the exam frequently tests scenarios where automation improves reliability and efficiency.
Jump to a section
Imagine you own a factory that produces custom widgets. Each widget requires a specific sequence of steps: mix raw materials, heat to a precise temperature, cool, inspect, and package. Doing this manually every time is slow and error-prone. Azure Automation and Runbooks are like hiring a robotic factory manager and giving it a detailed recipe book. The robot (Azure Automation account) holds the book (Runbooks), which contains step-by-step instructions written in a language it understands (PowerShell, Python, or graphical). When a trigger occurs—like a new order arriving (a schedule, an event, or an alert)—the robot picks the right recipe, executes each step in order, and can even make decisions based on intermediate results (e.g., if temperature is too high, extend cooling time). The robot can also delegate tasks to specialized sub-robots (Hybrid Runbook Workers) located in different parts of the factory (on-premises or other clouds). If a step fails, the robot can retry or notify a human supervisor. This automation ensures consistent quality, saves time, and runs 24/7 without breaks. Just like you wouldn't hand-write instructions for every widget, Azure Automation eliminates manual cloud management tasks.
What is Azure Automation and Why Does It Matter?
Azure Automation is a cloud service that provides process automation, configuration management, and update management across Azure and non-Azure environments. Its core component is the Runbook, which is a set of tasks that execute automatically. Think of it as a script—or a collection of scripts—that runs in the Azure cloud without needing a dedicated virtual machine to host it. Runbooks can be triggered by schedules, alerts, or specific events (like a VM being created or deleted).
Business Problem Solved: In any IT environment, many tasks are repetitive and predictable. For example, starting and stopping development VMs on a schedule to save costs, applying security patches to multiple servers, or collecting diagnostic logs every hour. Doing these manually is time-consuming, error-prone, and inefficient. Azure Automation solves this by executing these tasks reliably and consistently, freeing up IT staff for higher-value work.
How Azure Automation Works – Step by Step
Create an Automation Account: This is the container that holds your runbooks, credentials, schedules, and other assets. It acts as the management boundary for your automation resources.
Author a Runbook: You write the automation logic using PowerShell, Python, or a graphical editor. The runbook defines what steps to take and in what order.
Add Modules and Assets: If your runbook needs to interact with Azure resources, you import modules (like Az PowerShell module). Assets include credentials, variables, connections, and certificates that the runbook can use securely.
Publish the Runbook: Before a runbook can be executed, it must be published. This creates a version that can be run on demand or triggered.
Configure Triggers: You set up schedules (e.g., every day at 6 PM) or event-based triggers (e.g., when a new VM is created, run a runbook to tag it).
Execute and Monitor: The runbook runs in the Azure sandbox (or on a Hybrid Runbook Worker for on-premises resources). You can monitor job status, view output logs, and set up alerts for failures.
Behind the Scenes: When a runbook is triggered, Azure Automation creates a job (an instance of the runbook) and allocates a sandbox—a temporary execution environment that is isolated and secure. The sandbox has access to the Azure Resource Manager API and any resources the runbook is authorized to manage via Managed Identity or Run As account.
Key Components
- Runbook: The script or workflow. Types include PowerShell, PowerShell Workflow, Python 2/3, and Graphical. PowerShell Workflow is useful for long-running or parallel tasks because it supports checkpointing (saving state mid-execution).
- Modules: PowerShell or Python modules that contain cmdlets or functions. For Azure management, you typically use the Az module.
- Assets: Reusable items like:
- Credentials: Store username/password securely.
- Variables: Store values like resource names or thresholds.
- Connections: Store information for connecting to external services (e.g., Azure connection).
- Certificates: For authentication.
- Schedules: Define when a runbook runs (one-time or recurring).
- Webhooks: Allow external services (like GitHub or a monitoring tool) to start a runbook via an HTTP request.
- Hybrid Runbook Worker: A feature that lets you run runbooks on machines in your local datacenter or other clouds, extending automation to non-Azure environments.
Tiers and Pricing
Azure Automation pricing is based on the number of job execution minutes and the amount of used storage for runbook content and logs. There is a free tier that includes 500 minutes of job execution per month. Beyond that, you pay per minute. There is no separate charge for the Automation Account itself, only for the resources consumed. Update Management and Change Tracking are separate add-on services with their own pricing.
Comparison to On-Premises Automation
Before Azure Automation, IT teams used on-premises tools like Windows Task Scheduler, System Center Orchestrator, or custom scripts running on a server. These required maintaining a server, ensuring high availability, and managing security. Azure Automation eliminates the server management overhead—Microsoft handles the sandbox infrastructure, updates, and scaling. Additionally, Azure Automation integrates natively with Azure services like Azure Monitor, Azure Policy, and Azure Security Center, enabling end-to-end automation scenarios.
Azure Portal and CLI Touchpoints
Azure Portal: - Navigate to 'Automation Accounts' to create and manage accounts. - Inside an account, you see blades for Runbooks, Jobs, Schedules, and Assets. - The 'Runbooks' blade lets you create, edit, test, and publish runbooks. - The 'Jobs' blade shows runbook execution history with status, output, and errors.
Azure CLI (using az extension):
# Create an Automation Account
az automation account create --name MyAutomationAccount --resource-group MyResourceGroup --location eastus
# Create a PowerShell runbook
az automation runbook create --automation-account-name MyAutomationAccount --name MyRunbook --resource-group MyResourceGroup --type PowerShell
# Publish a runbook
az automation runbook publish --automation-account-name MyAutomationAccount --name MyRunbook --resource-group MyResourceGroup
# Start a runbook
az automation runbook start --automation-account-name MyAutomationAccount --name MyRunbook --resource-group MyResourceGroupAzure PowerShell:
# Create Automation Account
New-AzAutomationAccount -Name MyAutomationAccount -ResourceGroupName MyResourceGroup -Location eastus
# Import a runbook
Import-AzAutomationRunbook -Name MyRunbook -Path .\MyRunbook.ps1 -Type PowerShell -AutomationAccountName MyAutomationAccount -ResourceGroupName MyResourceGroup -Published
# Start a runbook
Start-AzAutomationRunbook -Name MyRunbook -AutomationAccountName MyAutomationAccount -ResourceGroupName MyResourceGroupConcrete Business Scenarios
Scenario 1: Cost Optimization – A company runs development VMs that are only needed during business hours. They create a runbook that stops all VMs in a resource group at 7 PM and starts them at 7 AM. The runbook is scheduled daily. This saves up to 60% on compute costs.
Scenario 2: Compliance Enforcement – An organization must ensure all VMs have specific tags (e.g., cost center, owner). They create an event-driven runbook that triggers when a new VM is created (using Azure Event Grid or Azure Monitor alerts). The runbook automatically applies the required tags based on the resource group or subscription.
Scenario 3: Patch Management – Using Azure Update Management (built on Automation), a company schedules monthly patching of all Windows and Linux servers. The runbook installs updates, reboots if necessary, and reports compliance.
Create an Automation Account
Go to the Azure portal, search for 'Automation Accounts', and click 'Create'. Provide a name, subscription, resource group, and location. The location determines where job execution data is stored. You can also enable options like 'Managed Identity' (recommended) or create a 'Run As account' for authentication. An Automation Account is the container for all your runbooks, assets, and schedules. Without it, you cannot use any automation features.
Author and Import a Runbook
In the Automation Account, go to 'Runbooks' and click 'Create a runbook'. Choose a name, type (PowerShell, Python, etc.), and optionally a description. You can write the script directly in the portal's editor or upload a .ps1 file. For complex workflows, use the graphical editor to drag-and-drop activities. After authoring, click 'Save' and then 'Publish' to make it available for execution. Published runbooks are versioned; you can revert to previous versions.
Configure Required Assets
Runbooks often need credentials to access resources. Under 'Shared Resources', create 'Credentials' (username/password), 'Variables' (e.g., resource group name), 'Connections' (e.g., Azure connection), and 'Certificates'. These are stored encrypted and can be referenced in runbooks using built-in cmdlets like `Get-AutomationPSCredential`. Using assets keeps your runbooks secure and reusable across different environments.
Link a Schedule or Trigger
To run a runbook automatically, create a schedule under 'Schedules' in the Automation Account. Define start time, time zone, and recurrence (hourly, daily, weekly). Then link the schedule to your runbook. Alternatively, create a webhook to trigger the runbook via HTTP POST. For event-driven triggers, use Azure Monitor alerts or Event Grid to invoke the runbook. Note: A runbook can have multiple schedules, and a schedule can link to multiple runbooks.
Test and Monitor Execution
Before scheduling, test the runbook using the 'Test pane' in the portal. This runs the runbook in a sandbox and shows output and errors. After testing, start a production job manually or via trigger. Monitor jobs under 'Jobs' – you can see status (Queued, Running, Completed, Failed), start time, duration, and output. Use 'Streams' to view detailed logs. Set up alerts for failed jobs using Azure Monitor.
Business Scenario 1: Automated VM Start/Stop for Cost Savings
A medium-sized SaaS company runs 50 VMs in Azure for development and testing. These VMs are only used during business hours (8 AM to 6 PM) but were running 24/7, costing $15,000/month. The IT team implements Azure Automation with a PowerShell runbook that uses Start-AzVM and Stop-AzVM cmdlets. They create two schedules: one to stop all VMs at 7 PM daily, and one to start them at 7 AM. The runbook iterates through all VMs in a specific resource group. They also add a webhook so developers can manually start/stop VMs outside schedule via a Slack command. Result: Monthly costs drop to $6,000. Potential pitfalls: If the runbook fails (e.g., due to permissions), VMs may not stop, incurring extra cost. They set up an alert on job failure and a separate runbook to audit running VMs every hour.
Business Scenario 2: Automated Tagging for Governance
A large enterprise with 500+ subscriptions needs to enforce tagging policies for cost tracking. They create an Event Grid subscription that fires when a resource is created. The event triggers an Azure Automation runbook via webhook. The runbook reads the resource's metadata, looks up the owner from an Azure AD group, and applies tags like 'CostCenter', 'Owner', and 'Environment'. If the resource group already has tags, it inherits them. This automation ensures 100% compliance without manual intervention. Common issue: The runbook may time out if too many resources are created simultaneously. They set the runbook timeout to 60 minutes and use parallel processing for batch jobs.
Business Scenario 3: Automated Patching and Compliance Reporting
A healthcare company must patch all servers monthly to comply with HIPAA. They use Azure Update Management (built on Automation) to assess and install updates. They create a schedule that runs a runbook to deploy updates to all VMs in a specific Azure Arc-enabled environment. The runbook installs missing updates, reboots if required, and sends a compliance report to a Log Analytics workspace. They also create a pre-patch runbook that takes snapshots of disks for rollback. What goes wrong: If the runbook account lacks 'Virtual Machine Contributor' role on the VMs, patching fails. They use Managed Identity with appropriate RBAC to avoid credential management issues.
Objective 3.4: Describe Azure Automation and Runbooks
AZ-900 tests your understanding of what Azure Automation is, its key features, and typical use cases. Expect 2-3 questions on this topic. The exam focuses on concepts, not implementation details. You do not need to memorize cmdlets or syntax.
Common Wrong Answers and Why: 1. 'Runbooks can only run in Azure.' – Wrong. Hybrid Runbook Worker extends automation to on-premises and other clouds. Candidates choose this because they think Azure Automation is Azure-only. 2. 'Azure Automation is only for VMs.' – Wrong. It can automate any task that uses PowerShell or Python, including Azure SQL, storage, networking, and even third-party APIs. 3. 'Runbooks must be written in PowerShell.' – Wrong. They support Python and graphical workflows too. Candidates see 'PowerShell' in demos and assume it's the only option. 4. 'Azure Automation is free.' – Wrong. There is a free tier (500 minutes/month), but beyond that you pay per minute. Candidates think because it's a platform service, it's free.
Specific Terms and Values: - Automation Account – the container. - Runbook – the script/workflow. - Job – an instance of a runbook execution. - Sandbox – the isolated execution environment. - Hybrid Runbook Worker – for on-premises execution. - Free tier: 500 minutes/month of job execution.
Edge Cases: - Graphical runbooks are still supported but less common; exam may ask which types are available. - Runbooks can be triggered by schedules, webhooks, or Azure Monitor alerts. - You can use Managed Identity instead of Run As account for authentication (newer, recommended).
Memory Trick: Think 'A-R-J-S' for key components: Automation Account, Runbook, Job, Schedule. For triggers: 'S-W-A' = Schedule, Webhook, Alert.
Decision Tree for Exam Questions: - If the question asks about automating repetitive tasks in Azure → Azure Automation. - If it asks about running scripts on-premises from Azure → Hybrid Runbook Worker. - If it asks about patching VMs → Azure Automation (Update Management). - If it asks about configuration management (e.g., DSC) → Azure Automation (State Configuration).
Azure Automation executes runbooks (PowerShell, Python, or graphical) to automate cloud management tasks.
An Automation Account is the container for runbooks, assets, schedules, and jobs.
Runbooks can be triggered by schedules, webhooks, or Azure Monitor alerts.
Hybrid Runbook Worker extends automation to on-premises and other cloud environments.
Azure Automation includes a free tier of 500 minutes of job execution per month.
Runbooks execute in a secure, isolated sandbox environment managed by Azure.
Common use cases include VM start/stop scheduling, patching, tagging, and compliance enforcement.
These come up on the exam all the time. Here's how to tell them apart.
Azure Automation
Orchestrates complex scripts (PowerShell/Python)
Ideal for IT automation and infrastructure tasks
Supports Hybrid Runbook Worker for on-premises
Execution in sandbox; longer runtimes possible
Priced per job execution minute
Azure Logic Apps
Orchestrates workflows using connectors (no code/low code)
Ideal for business process automation and integrations
Cloud-only; no hybrid worker (but can use on-premises data gateway)
Execution in serverless environment; 2-minute timeout for HTTP requests
Priced per action and connector calls
Mistake
Azure Automation can only run PowerShell scripts.
Correct
It supports PowerShell, PowerShell Workflow, Python 2 and 3, and graphical runbooks. You can also import custom modules for other languages if you create a hybrid worker.
Mistake
Runbooks always run in the Azure cloud, even for on-premises resources.
Correct
Runbooks run in an Azure sandbox by default. To manage on-premises resources, you must install a Hybrid Runbook Worker on a machine in your local network that can communicate with Azure.
Mistake
Azure Automation is completely free with no usage limits.
Correct
There is a free tier that includes 500 minutes of job execution per month. Beyond that, you pay per minute. Storage for runbook content and logs also incurs charges.
Mistake
You need to create a VM to host runbooks.
Correct
Runbooks execute in a managed sandbox provided by Azure Automation. No VM is required. The sandbox is automatically scaled and secured by Microsoft.
Mistake
Azure Automation cannot integrate with third-party services.
Correct
Runbooks can call any REST API, so they can integrate with third-party services like Slack, ServiceNow, or GitHub via webhooks or HTTP requests.
A runbook is the definition of the automation workflow (the script or graph), while a job is an individual execution instance of that runbook. When you start a runbook, a job is created. Each job has its own execution ID, status, start time, and output. You can have multiple jobs running the same runbook simultaneously.
Yes, by using a Hybrid Runbook Worker. You install the Hybrid Runbook Worker agent on a Windows or Linux machine in your on-premises network. The worker registers with your Automation Account and can execute runbooks that target local resources. The runbook code runs on the worker machine, not in the Azure sandbox.
Runbooks can authenticate using a Run As account (a service principal in Azure AD) or a Managed Identity (recommended). Managed Identity eliminates the need to store credentials. You assign the Automation Account a system-assigned or user-assigned identity and grant it RBAC permissions to the target resources.
Create a schedule in the Automation Account with the desired recurrence (e.g., daily at 8 AM). Then link the schedule to your runbook. You can also specify a start time and time zone. Multiple schedules can be linked to the same runbook.
Runbooks running in the Azure sandbox have a maximum execution time of 3 hours. For longer-running tasks, you should use a Hybrid Runbook Worker, where the timeout is configurable (default 3 hours, but can be increased). PowerShell Workflow runbooks support checkpointing, which allows them to resume after a timeout.
Yes, by using a Hybrid Runbook Worker installed in the other cloud environment (e.g., on an AWS EC2 instance). The runbook can then use PowerShell modules or REST APIs to manage those resources. Azure Automation itself does not natively connect to other clouds, but the hybrid worker bridges the gap.
The job status changes to 'Failed'. You can view the error details in the job output streams. You can configure alerts to notify you on failure. Additionally, you can implement retry logic within the runbook using try-catch blocks or by configuring the runbook to restart automatically (up to 3 retries).
You've just covered Azure Automation and Runbooks — now see how well it sticks with free AZ-900 practice questions. Full explanations included, no account needed.
Done with this chapter?