docs.microsoft.com

URL: https://docs.microsoft.com/en-us/azure/automation/automation-hrw-run-runbooks
Submission: On September 10 via api from US — Scanned from DE

RUN RUNBOOKS ON A HYBRID RUNBOOK WORKER

 * 08/12/2021
 * 12 minutes to read


IN THIS ARTICLE

 1. Plan for Azure services protected by firewall
 2. Plan runbook job behavior
 3. Configure runbook permissions
 4. Install Run As account certificate
 5. Work with signed runbooks on a Windows Hybrid Runbook Worker
 6. Work with signed runbooks on a Linux Hybrid Runbook Worker
 7. Start a runbook on a Hybrid Runbook Worker
 8. Logging
 9. Next steps

Runbooks that run on a Hybrid Runbook Worker typically manage resources on the
local computer or against resources in the local environment where the worker is
deployed. Runbooks in Azure Automation typically manage resources in the Azure
cloud. Even though they are used differently, runbooks that run in Azure
Automation and runbooks that run on a Hybrid Runbook Worker are identical in
structure.

When you author a runbook to run on a Hybrid Runbook Worker, you should edit and
test the runbook on the machine that hosts the worker. The host machine has all
the PowerShell modules and network access required to manage the local
resources. Once you test the runbook on the Hybrid Runbook Worker machine, you
can then upload it to the Azure Automation environment, where it can be run on
the worker.


PLAN FOR AZURE SERVICES PROTECTED BY FIREWALL

Enabling the Azure Firewall on Azure Storage, Azure Key Vault, or Azure SQL
blocks access from Azure Automation runbooks for those services. Access will be
blocked even when the firewall exception to allow trusted Microsoft services is
enabled, as Automation is not a part of the trusted services list. With an
enabled firewall, access can only be made by using a Hybrid Runbook Worker and a
virtual network service endpoint.


PLAN RUNBOOK JOB BEHAVIOR

Azure Automation handles jobs on Hybrid Runbook Workers differently from jobs
run in Azure sandboxes. If you have a long-running runbook, make sure that it's
resilient to possible restart. For details of the job behavior, see Hybrid
Runbook Worker jobs.

Jobs for Hybrid Runbook Workers run under the local System account on Windows,
or the nxautomation account on Linux. For Linux, verify the nxautomation account
has access to the location where the runbook modules are stored. To ensure
nxautomation account access:

 * When you use the Install-Module cmdlet, be sure to specify AllUsers for the
   Scope parameter.
 * When you use pip install, apt install, or another method for installing
   packages on Linux, ensure the package is installed for all users. For
   example, sudo -H pip install <package_name>.

For more information on PowerShell on Linux, see Known Issues for PowerShell on
Non-Windows Platforms.


CONFIGURE RUNBOOK PERMISSIONS

Define permissions for your runbook to run on the Hybrid Runbook Worker in the
following ways:

 * Have the runbook provide its own authentication to local resources.
 * Configure authentication using managed identities for Azure resources.
 * Specify a Run As account to provide a user context for all runbooks.


USE RUNBOOK AUTHENTICATION TO LOCAL RESOURCES

If preparing a runbook that provides its own authentication to resources, use
credential and certificate assets in your runbook. There are several cmdlets
that allow you to specify credentials so that the runbook can authenticate to
different resources. The following example shows a portion of a runbook that
restarts a computer. It retrieves credentials from a credential asset and the
name of the computer from a variable asset and then uses these values with the
Restart-Computer cmdlet.

PowerShell


$Cred = Get-AutomationPSCredential -Name "MyCredential"
$Computer = Get-AutomationVariable -Name "ComputerName"

Restart-Computer -ComputerName $Computer -Credential $Cred


You can also use an InlineScript activity. InlineScript allows you to run blocks
of code on another computer with credentials.


USE RUNBOOK AUTHENTICATION WITH MANAGED IDENTITIES

Hybrid Runbook Workers on Azure virtual machines can use managed identities to
authenticate to Azure resources. Using managed identities for Azure resources
instead of Run As accounts provides benefits because you don't need to:

 * Export the Run As certificate and then import it into the Hybrid Runbook
   Worker.
 * Renew the certificate used by the Run As account.
 * Handle the Run As connection object in your runbook code.

Follow the next steps to use a managed identity for Azure resources on a Hybrid
Runbook Worker:

 1. Create an Azure VM.

 2. Configure managed identities for Azure resources on the VM. See Configure
    managed identities for Azure resources on a VM using the Azure portal.

 3. Give the VM access to a resource group in Resource Manager. Refer to Use a
    Windows VM system-assigned managed identity to access Resource Manager.

 4. Install the Hybrid Runbook Worker on the VM. See Deploy a Windows Hybrid
    Runbook Worker or Deploy a Linux Hybrid Runbook Worker.

 5. Update the runbook to use the Connect-AzAccount cmdlet with the Identity
    parameter to authenticate to Azure resources. This configuration reduces the
    need to use a Run As account and perform the associated account management.
    
    PowerShell
    
    
    # Connect to Azure using the managed identities for Azure resources identity configured on the Azure VM that is hosting the hybrid runbook worker
    Connect-AzAccount -Identity
    
    # Get all VM names from the subscription
    Get-AzVM | Select Name
    
    
    Note
    
    Connect-AzAccount -Identity works for a Hybrid Runbook Worker using a
    system-assigned identity and a single user-assigned identity. If you use
    multiple user-assigned identities on the Hybrid Runbook Worker, your runbook
    must specify the AccountId parameter for Connect-AzAccount to select a
    specific user-assigned identity.


USE RUNBOOK AUTHENTICATION WITH RUN AS ACCOUNT

Instead of having your runbook provide its own authentication to local
resources, you can specify a Run As account for a Hybrid Runbook Worker group.
To specify a Run As account, you must define a credential asset that has access
to local resources. These resources include certificate stores. All runbooks
run under these credentials on a Hybrid Runbook Worker in the group.

 * The user name for the credential must be in one of the following formats:
   
   * domain\username
   * username@domain
   * username (for accounts local to the on-premises computer)

 * To use the PowerShell runbook Export-RunAsCertificateToHybridWorker, you need
   to install the Az modules for Azure Automation on the local machine.

USE A CREDENTIAL ASSET TO SPECIFY A RUN AS ACCOUNT

Use the following procedure to specify a Run As account for a Hybrid Runbook
Worker group:

 1. Create a credential asset with access to local resources.
 2. Open the Automation account in the Azure portal.
 3. Select Hybrid Worker Groups, and then select the specific group.
 4. Select All settings, followed by Hybrid worker group settings.
 5. Change the value of Run As from Default to Custom.
 6. Select the credential and click Save.


INSTALL RUN AS ACCOUNT CERTIFICATE

As part of your automated build process for deploying resources in Azure, you
might require access to on-premises systems to support a task or set of steps in
your deployment sequence. To provide authentication against Azure using the Run
As account, you must install the Run As account certificate.

Note

This PowerShell runbook currently does not run on Linux machines. It runs only
on Windows machines.

The following PowerShell runbook, called Export-RunAsCertificateToHybridWorker,
exports the Run As certificate from your Azure Automation account. The runbook
downloads and imports the certificate into the local machine certificate store
on a Hybrid Runbook Worker that is connected to the same account. Once it
completes that step, the runbook verifies that the worker can successfully
authenticate to Azure using the Run As account.

Note

This PowerShell runbook is not designed or intended to be run outside of your
Automation account as a script on the target machine.

Azure PowerShell

<#PSScriptInfo
.VERSION 1.0
.GUID 3a796b9a-623d-499d-86c8-c249f10a6986
.AUTHOR Azure Automation Team
.COMPANYNAME Microsoft
.COPYRIGHT
.TAGS Azure Automation
.LICENSEURI
.PROJECTURI
.ICONURI
.EXTERNALMODULEDEPENDENCIES
.REQUIREDSCRIPTS
.EXTERNALSCRIPTDEPENDENCIES
.RELEASENOTES
#>

<#
.SYNOPSIS
Exports the Run As certificate from an Azure Automation account to a hybrid worker in that account.

.DESCRIPTION
This runbook exports the Run As certificate from an Azure Automation account to a hybrid worker in that account. Run this runbook on the hybrid worker where you want the certificate installed. This allows the use of the AzureRunAsConnection to authenticate to Azure and manage Azure resources from runbooks running on the hybrid worker.

.EXAMPLE
.\Export-RunAsCertificateToHybridWorker

.NOTES
LASTEDIT: 2016.10.13
#>

# Generate the password used for this certificate
Add-Type -AssemblyName System.Web -ErrorAction SilentlyContinue | Out-Null
$Password = [System.Web.Security.Membership]::GeneratePassword(25, 10)

# Stop on errors
$ErrorActionPreference = 'stop'

# Get the management certificate that will be used to make calls into Azure Service Management resources
$RunAsCert = Get-AutomationCertificate -Name "AzureRunAsCertificate"

# location to store temporary certificate in the Automation service host
$CertPath = Join-Path $env:temp  "AzureRunAsCertificate.pfx"

# Save the certificate
$Cert = $RunAsCert.Export("pfx",$Password)
Set-Content -Value $Cert -Path $CertPath -Force -Encoding Byte | Write-Verbose

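# Import the certificate into the local machine personal (My) store
Write-Output ("Importing certificate into $env:computername local machine personal (My) store from " + $CertPath)
$SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force
Import-PfxCertificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\My -Password $SecurePassword -Exportable | Write-Verbose

# Remove the temporary PFX so the exported private key does not remain on disk
Remove-Item -Path $CertPath -Force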

# Test to see if authentication to Azure Resource Manager is working
$RunAsConnection = Get-AutomationConnection -Name "AzureRunAsConnection"

Connect-AzAccount `
    -ServicePrincipal `
    -Tenant $RunAsConnection.TenantId `
    -ApplicationId $RunAsConnection.ApplicationId `
    -CertificateThumbprint $RunAsConnection.CertificateThumbprint | Write-Verbose

Set-AzContext -Subscription $RunAsConnection.SubscriptionID | Write-Verbose

# List automation accounts to confirm that Azure Resource Manager calls are working
Get-AzAutomationAccount | Select-Object AutomationAccountName


Note

For PowerShell runbooks, Add-AzAccount and Add-AzureRMAccount are aliases for
Connect-AzAccount. When searching your library items, if you do not see
Connect-AzAccount, you can use Add-AzAccount, or you can update your modules in
your Automation account.

To finish preparing the Run As account:

 1. Save the Export-RunAsCertificateToHybridWorker runbook to your computer with
    a .ps1 extension.
 2. Import it into your Automation account.
 3. Edit the runbook, changing the value of the Password variable to your own
    password.
 4. Publish the runbook.
 5. Run the runbook, targeting the Hybrid Runbook Worker group that runs and
    authenticates runbooks using the Run As account.
 6. Examine the job stream to see that it reports the attempt to import the
    certificate into the local machine store, followed by multiple lines. This
    behavior depends on how many Automation accounts you define in your
    subscription and the degree of success of the authentication.


WORK WITH SIGNED RUNBOOKS ON A WINDOWS HYBRID RUNBOOK WORKER

You can configure a Windows Hybrid Runbook Worker to run only signed runbooks.

Important

Once you've configured a Hybrid Runbook Worker to run only signed runbooks,
unsigned runbooks fail to execute on the worker.


CREATE SIGNING CERTIFICATE

The following example creates a self-signed certificate that can be used for
signing runbooks. This code creates the certificate and exports it so that the
Hybrid Runbook Worker can import it later. The thumbprint is also returned for
later use in referencing the certificate.

PowerShell


# Create a self-signed certificate that can be used for code signing
$SigningCert = New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\my `
    -Subject "CN=contoso.com" `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
    -KeyExportPolicy Exportable `
    -KeyUsage DigitalSignature `
    -Type CodeSigningCert

# Export the certificate so that it can be imported to the hybrid workers
Export-Certificate -Cert $SigningCert -FilePath .\hybridworkersigningcertificate.cer

# Import the certificate into the trusted root store so the certificate chain can be validated
Import-Certificate -FilePath .\hybridworkersigningcertificate.cer -CertStoreLocation Cert:\LocalMachine\Root

# Retrieve the thumbprint for later use
$SigningCert.Thumbprint



IMPORT CERTIFICATE AND CONFIGURE WORKERS FOR SIGNATURE VALIDATION

Copy the certificate that you've created to each Hybrid Runbook Worker in a
group. Run the following script to import the certificate and configure the
workers to use signature validation on runbooks.

PowerShell


# Install the certificate into a location that will be used for validation.
New-Item -Path Cert:\LocalMachine\AutomationHybridStore
Import-Certificate -FilePath .\hybridworkersigningcertificate.cer -CertStoreLocation Cert:\LocalMachine\AutomationHybridStore

# Import the certificate into the trusted root store so the certificate chain can be validated
Import-Certificate -FilePath .\hybridworkersigningcertificate.cer -CertStoreLocation Cert:\LocalMachine\Root

# Configure the hybrid worker to use signature validation on runbooks.
Set-HybridRunbookWorkerSignatureValidation -Enable $true -TrustedCertStoreLocation "Cert:\LocalMachine\AutomationHybridStore"



SIGN YOUR RUNBOOKS USING THE CERTIFICATE

With the Hybrid Runbook Workers configured to use only signed runbooks, you must
sign runbooks that are to be used on the Hybrid Runbook Worker. Use the
following sample PowerShell code to sign these runbooks.

PowerShell


$SigningCert = ( Get-ChildItem -Path cert:\LocalMachine\My\<CertificateThumbprint>)
Set-AuthenticodeSignature .\TestRunbook.ps1 -Certificate $SigningCert


When a runbook has been signed, you must import it into your Automation account
and publish it with the signature block. To learn how to import runbooks, see
Import a runbook.

Note

Use only plaintext characters in your runbook code, including comments. Using
characters with diacritical marks, like á or ñ, will result in an error. When
Azure Automation downloads your code, the characters will be replaced by a
question mark and the signing will fail with a "signature hash validation
failure" message.
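
A pre-upload check for the two failure modes described above, added here as an example (it is not part of the original article or Microsoft's code): it reports non-ASCII characters that would break signature hash validation, and confirms the Authenticode signature is valid and made by the expected certificate. The function name Test-SignedRunbook, its parameters, and the sample runbook are assumptions made for illustration.

```powershell
# Added example, not from the original article. Test-SignedRunbook and the
# sample runbook at the bottom are hypothetical names and constructed data.
function Test-SignedRunbook {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Thumbprint returned when the signing certificate was created (optional)
        [string] $ExpectedThumbprint
    )

    $findings = [System.Collections.Generic.List[string]]::new()
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath

    # 1. Non-ASCII characters are replaced with '?' when the runbook is
    #    downloaded, which changes the content hash and fails validation.
    $lineNumber = 0
    foreach ($line in [System.IO.File]::ReadAllLines($fullPath, [System.Text.Encoding]::UTF8)) {
        $lineNumber++
        foreach ($m in [regex]::Matches($line, '[^\x00-\x7F]')) {
            $findings.Add(('Line {0}, column {1}: non-ASCII character U+{2:X4}' -f
                $lineNumber, ($m.Index + 1), [int][char]$m.Value))
        }
    }

    # 2. The signature must be present, intact, and from the expected signer.
    $sig = Get-AuthenticodeSignature -FilePath $fullPath
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature status is '$($sig.Status)': $($sig.StatusMessage)")
    }
    elseif ($ExpectedThumbprint -and
            $sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        $findings.Add("Signed by $($sig.SignerCertificate.Thumbprint), expected $ExpectedThumbprint")
    }

    [pscustomobject]@{
        Path     = $fullPath
        Ready    = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Constructed sample: an unsigned runbook whose comment contains U+00F1.
# The character is built with [char] so this example itself stays ASCII-only.
$sample = Join-Path $env:TEMP 'Sample-Runbook.ps1'
Set-Content -LiteralPath $sample -Encoding UTF8 -Value @(
    ('# Owner: Mu{0}oz' -f [char]0x00F1)
    'Restart-Service -Name Spooler'
)

$result = Test-SignedRunbook -Path $sample
$result.Ready
$result.Findings

Remove-Item -LiteralPath $sample -Force
```

Run it on the signing machine before importing the runbook, passing the thumbprint saved when the certificate was created as -ExpectedThumbprint.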


WORK WITH SIGNED RUNBOOKS ON A LINUX HYBRID RUNBOOK WORKER

To be able to work with signed runbooks, a Linux Hybrid Runbook Worker must have
the GPG executable on the local machine.

Important

Once you've configured a Hybrid Runbook Worker to run only signed runbooks,
unsigned runbooks fail to execute on the worker.

You will perform the following steps to complete this configuration:

 * Create a GPG keyring and keypair
 * Make the keyring available to the Hybrid Runbook Worker
 * Verify that signature validation is on
 * Sign a runbook


CREATE A GPG KEYRING AND KEYPAIR

To create the GPG keyring and keypair, use the Hybrid Runbook Worker
nxautomation account.

 1. Use the sudo application to sign in as the nxautomation account.
    
    Bash
    
    
    sudo su - nxautomation
    

 2. Once you are using nxautomation, generate the GPG keypair. GPG guides you
    through the steps. You must provide name, email address, expiration time,
    and passphrase. Then you wait until there is enough entropy on the machine
    for the key to be generated.
    
    Bash
    
    
    sudo gpg --generate-key
    

 3. Because the GPG directory was generated with sudo, you must change its owner
    to nxautomation using the following command.
    
    Bash
    
    
    sudo chown -R nxautomation ~/.gnupg
    


MAKE THE KEYRING AVAILABLE TO THE HYBRID RUNBOOK WORKER

Once the keyring has been created, make it available to the Hybrid Runbook
Worker. Modify the settings file /home/nxautomation/state/worker.conf to include
the following example code under the file section [worker-optional].

Bash


gpg_public_keyring_path = /home/nxautomation/run/.gnupg/pubring.kbx



VERIFY THAT SIGNATURE VALIDATION IS ON

If signature validation has been disabled on the machine, you must turn it on by
running the following sudo command. Replace <LogAnalyticsworkspaceId> with your
workspace ID.

Bash


sudo python /opt/microsoft/omsconfig/modules/nxOMSAutomationWorker/DSCResources/MSFT_nxOMSAutomationWorkerResource/automationworker/scripts/require_runbook_signature.py --true <LogAnalyticsworkspaceId>



SIGN A RUNBOOK

Once you have configured signature validation, use the following GPG command to
sign the runbook.

Bash


gpg --clear-sign <runbook name>


The signed runbook is called <runbook name>.asc.

You can now upload the signed runbook to Azure Automation and execute it like a
regular runbook.


START A RUNBOOK ON A HYBRID RUNBOOK WORKER

Start a runbook in Azure Automation describes different methods for starting a
runbook. Starting a runbook on a Hybrid Runbook Worker uses a Run on option that
allows you to specify the name of a Hybrid Runbook Worker group. When a group is
specified, one of the workers in that group retrieves and runs the runbook. If
your runbook does not specify this option, Azure Automation runs the runbook as
usual.

When you start a runbook in the Azure portal, you're presented with the Run on
option for which you can select Azure or Hybrid Worker. If you select Hybrid
Worker, you can choose the Hybrid Runbook Worker group from a dropdown.

When starting a runbook using PowerShell, use the RunOn parameter with the
Start-AzAutomationRunbook cmdlet. The following example uses Windows PowerShell
to start a runbook named Test-Runbook on a Hybrid Runbook Worker group named
MyHybridGroup.

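Azure PowerShell

# -ResourceGroupName is mandatory; "MyResourceGroup" is a placeholder for the account's resource group
Start-AzAutomationRunbook -ResourceGroupName "MyResourceGroup" -AutomationAccountName "MyAutomationAccount" -Name "Test-Runbook" -RunOn "MyHybridGroup"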



LOGGING

To help troubleshoot issues with your runbooks running on a Hybrid Runbook
Worker, logs are stored locally in the following locations:

 * On Windows at C:\ProgramData\Microsoft\System
   Center\Orchestrator\<version>\SMA\Sandboxes for detailed job runtime process
   logging. High-level runbook job status events are written to the Application
   and Services Logs\Microsoft-Automation\Operations event log.

 * On Linux, the user hybrid worker logs can be found at
   /home/nxautomation/run/worker.log, and system runbook worker logs can be
   found at /var/opt/microsoft/omsagent/run/automationworker/worker.log.


NEXT STEPS

 * If your runbooks aren't completing successfully, review the troubleshooting
   guide for runbook execution failures.
 * For more information on PowerShell, including language reference and learning
   modules, see PowerShell Docs.
 * Learn about using Azure Policy to manage runbook execution with Hybrid
   Runbook Workers.
 * For a PowerShell cmdlet reference, see Az.Automation.


© Microsoft 2021