Azure Automate Hybrid Worker Groups to Automate On-Premises Workloads

While Azure Automate can run PowerShell and Python scripts to make the cloud workloads to automate I like to focus on the PowerShell side of things. With PowerShell, you have the ability to connect to connect to modules like Exchange Online, MSOL, Azure AD, Az Storage and etc. Similar to that you can use the automation runbooks to update patches on the Azure VMs, Restart VMs and to make sure the VMs are in the desired state configuration.

What are Hybrid Worker Groups?

Hybrid Worker Groups simply allows you to automate the on-premises workloads with the option of High Availability option if the workload is critical. The ability allows you to run the processes via the secure port 443 and it has the ability to install the hybrid worker server in AWS for an example.

The servers in a Hybrid Worker Group can be either Windows or Linux. I will be show casing on how to add Windows servers.

It is recommended to setup more than one hybrid worker servers in a Worker Group for High Availability. You can’t pick and choose which server in the Group will execute the runbook, but it will share the requests accordingly.

Azure Automation Pricing

As of today the pricing are 500 minutes per month free and $0.003/minute and for Watchers 744 hours free and $0.003/hour. More on pricing can be found in this link Pricing – Automation | Microsoft Azure

Before talk about the Hybrid Worker group, lets create the Azure Automation Account


Runbooks will have basically have your script, schedule etc.

Runbooks can be created from the scratch or from the Runbook gallery where it has PowerShell scripts from the community (GitHub)

Types of Hybrid Workers

Supports a set of hidden runbooks used by the Update Management feature that are designed to install user-specified updates on Windows and Linux machines. This type of Hybrid Runbook Worker is not a member of a Hybrid Runbook Worker group, and therefore doesn’t run runbooks that target a Runbook Worker group.

Supports user-defined runbooks intended to run directly on the Windows and Linux machine that are members of one or more Runbook Worker groups.

Steps includes…

  1. Create the Azure Automation Account
  2. Prepare the Run As account
  3. Create the Azure Log Analytics Workspace
  4. Link the Azure Log Analytics Workspace to the Automation Account
  5. Install the Log Analytics Agent to the selected server (On-premises server)
  6. Register the server as a Runbook Worker
  7. Set the Run As account in the Hybrid Worker Group
  8. Create the Runbook
  9. Execute the Runbook

Create a Azure Automation Account

Add the “Automation” from the Azure Marketplace

Create the account and make sure you have Owner role assigned to the subscription that you planning to add the Automation Account

Module Gallery

If you want to perform a cloud based automation task, you can add a module 1st from the module gallery and then call it from the Runbook.

Supported Windows operating system

  • Windows Server 2019 (including Server Core)
  • Windows Server 2016, version 1709 and 1803 (excluding Server Core)
  • Windows Server 2012, 2012 R2
  • Windows Server 2008 SP2 (x64), 2008 R2
  • Windows 10 Enterprise (including multi-session) and Pro
  • Windows 8 Enterprise and Pro
  • Windows 7 SP1

Minimum machine specs

  • Windows PowerShell 5.1 (download WMF 5.1). PowerShell Core is not supported.
  • .NET Framework 4.6.2 or later
  • Two cores
  • 4 GB of RAM
  • Port 443 (outbound)

Hybrid Worker Group Setup

Hybrid Worker Group is basically the middleman between Azure and the on-premises environments and no need to run the scripts on-premises with schedules and dedicated servers.

Simply install the underling PowerShell module/s for the workload and call them from Azure.

How does it work?

Hybrid Runbook Worker overview

Prepare the Run As Account

When you are running the on-premises workloads often the credentials are not the same as cloud credentials and you have to add the credentials in to your code.
With Run As account, you have the ability to define the account before hand in the “Credential Asset” and call it during the execution of the script.
The format can be

  • domain\username
  • username@domain
  • username (for accounts local to the on-premises computer)

Enabling the Run As account needs to be done during the Automation Account creation step or from Account Settings under the Azure Automate Account.

You need to be a Owner of the subscription in order to create the Run As account. Once the account is created, you can allocate a lower level role like ContributorAzureTestLabs

To create the Run As account, go to Run As Accounts under Account Settings of the Automation Account

Go to Azure Run as Account option > hit Create

More about the Run As Account can be found here Manage an Azure Automation Run As account | Microsoft Docs

This will create an Application in the Azure AD with a certificate that has an expiry of 12 months. The Certificate can be renewed from the portal itself. This app is responsible for all run as accounts for the automation account.

Add the Credentials for the Credential Asset

In the Automation Account, go to Shared Resources > Credentials > Add a credential >

Hybrid Worker Server Prerequisites

Create a Log Analytics workspace

From the Azure Marketplace search for Log Analytics workspace

Select Create

Complete the creation of the workspace

Link the Log Analytics Workspace to the Azure Automation Account

Go back to the Automation Account > Inventory > Select the Automation Account under Log Analytics workspace

You can further confirm this, if you go to Linked Workspaces under Related Resources in the Automation Account

Install the log Analytics agent to the server in the On-premises network

There are 2 agent installation types. I will be going through the setup assuming the hybrid server is in on-premises network.
If the target machine is a non-Azure VM (Corp network, physical server) use this link to get the steps

  • Go to your Log Analytics Workspace
  • Go to Agent Management
  • Download the agent according to the architecture
  • Install it on the server

Press Next and Next to the install location > Select “Connect the agent to Azure Log Analytics (OMS)” option

Fill in the Workspace ID, Workspace Key, Azure Cloud details.

You can grab the Workspace ID and the Workspace Key from the Agents Management blade

Complete the installation

Register the Hybrid Worker Server

  • Go in to that server
  • go to this location

cd “C:\Program Files\Microsoft Monitoring Agent\Agent\AzureAutomation\\HybridRegistration”
Import-Module .\HybridRegistration.psd1

  • Run the below command for the registration

Specify a Group Name
You can find the URL and the Key from Keys under Account Settings of the Automation account.

Add-HybridRunbookWorker –GroupName <Group Name> -Url <URL> -Key <KEY>

Once you execute the above command, the server will register as a Hybrid Runbook Worker in the Group Name you specify.

Success!! Now that the server has been added, check the results in the Hybrid Worker Group

Change the Run As account for the Worker Group

Go to the Hybrid Worker Group Settings tab in the Hybrid Worker Group and select Custom from the slider

Select the previously created Run As account from the dropdown which is now saved in the Credential Asset section.

This account will be used to execute the On-premises workloads as it doesn’t have any attachment to the cloud side of things.

Create the Runbook

Important – You have to make sure the PowerShell modules have been imported to the Hybrid Worker server so the Runbook can execute the script/ command

You can always import a pre-created Runbook from the Runbook gallery and go from there or create one from the scratch (which I will be doing here)

  • Go to the Automation Account > Select Runbooks under Process Automation
  • Select Create a runbook button and complete the necessary fields and press Create

Enter your script as mentioned below

I will be adding a very simple command to create an AD account in the local AD

Now that I have created my Run As Account and created the credentials as a Credentials Asset.

When I’m testing the runbook notice that I have the option to select the location to run this command

Select Hybrid Worker and make sure the Worker Group has selected if you have more than one worker group

If the Tests are running without errors, publish the runbook

Execute the workload

Press OK

Status page as below

And my user has been created in the local AD as expected

Scheduled On Premises tasks

You can create a Scheduled job if you have anything to be executed periodically and that can be a great tool to get a report of the disabled users in the AD every month.

Schedules can be setup from the the Specific Runbook > Schedules >Add a schedule steps.

Final Thoughts

The configuration includes number of steps that can be a tedious task, but once that’s done, it’s easier to manage On-premises tasks and automate them as you automate your cloud workloads.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.