Azure Automation provides a suite of tools for easier management of IaaS infrastructure.


  • Accounts are where the configuration is stored.
  • Runbooks can be scheduled or ad hoc and provide process automation (analogous to SCORCH).
  • Update management for Windows and Linux (analogous to WSUS).
  • Automation assets provide secure persistent storage of data between runbook executions, and share it across runbooks.

Security warning

Enabling the Create Azure Run As account option when creating an Azure Automation account will create user with Contributor access at the subscription scope. This is almost certainly not what you want outside of a sandbox environment.


Runbooks can be written in a number of languages:

  • PowerShell
  • PowerShell Workflow allows multi-threading.
  • Python
  • Logic App runbooks can be created graphically.

Hybrid worker allow runbooks to execute outside of Azure.

Management of PowerShell modules and Python packages via the Portal is deprecated; use the PowerShell module or `az` CLI.

Automation assets

  • Schedules determine when attached runbooks run.
  • Variables are typed (string, boolean, DateTime, Integer, or arbitrary) and can be encrypted.
  • Credentials are username-password pairs.

Update management

OS updates can be installed on Windows and Linux systems inside and outside of Azure. This requires the Azure Monitor Log agent (or the hybrid worker) to be installed and configured to log to a workspace.


Change tracking and inventory tracks changes made to monitored machines. It can track:

  • Windows software installations and update
  • Linux package management operations
  • Files on both Windows and Linux
  • Windows registry keys
  • Windows and Linux services

Configuration management

Configuration management is facilitated by a PowerShell DSC pull server from which machines can fetch configuration to apply and report results to.

It can also be used as a report-only service for on-premises environments not ready for management via Azure.