Starting an Azure Runbook from Your Phone
In this post, I am going to show you a way to make it easy for people to execute Azure Automation runbooks from their phone. This solution, based on Office 365 Flow, does not require signing into the Azure admin app or the Azure Portal. It is also very easy. For example, a user can start or stop a line-of-business (LOB) app with the click of a single button.
The Desired Solution
In my demo lab, I have deployed an Azure Automation account called auto-petriauto. There are two custom runbooks in the account for starting and stopping a set of virtual machines that make up an LOB app.
In my solution, I want to create a button in Flow for each runbook. When I install the Flow app on my phone, each of these buttons will appear. If I click the StartVMs button, Flow will reach out to Azure Automation, via a webhook, and trigger the execution of the StartVMs runbook. The result is a very easy way to start and stop my LOB app without having to do anything with Azure on a day-to-day basis.
I have actually used this solution to start up and shut down demo labs on demand to save credit. I like it because it is very quick and easy to do.
Note: The Runbook Gallery in Azure Automation is full of examples for starting/stopping virtual machines.
The first step of the solution is to make the runbooks’ triggers available to external systems. This is accomplished by creating a webhook for each runbook.
Tip: Make sure the runbooks are published before proceeding.
- Open the runbook.
- Go to webhooks.
- Add a webhook.
- Make sure you copy and save the URL for the webhook before you finish the creation. You cannot retrieve it afterward.
Office 365 Flow
We are going to create two buttons or connectors in Flow, one for each runbook.
Sign into the Office 365 Portal, launch the Flow service, and go to My Flows. Click the button to Create A Flow From Blank. A number of trigger templates are available to use. A trigger is something that starts a flow (or workflow). Our trigger will be a button that appears in the Flow mobile app, so search for Button.
A screen will load to display your trigger. Click the button trigger to continue.
Another screen loads to show the construction of the flow. Name the flow. Now, we have one-half of the flow: the trigger. We need to add an action. Click New Step to add an action step.
Search for and select the HTTP trigger/connector.
The screen for configuring an HTTP action will load. Click Show Advanced Options at the bottom. Enter the following information:
- Method: Select the POST action.
- URI: Paste in the webhook URL of the runbook that will be associated with this connector.
- Authentication: Select Basic.
- Username and Password: Enter credentials for the Azure subscription that have run rights to the runbooks in Azure.
Click Save Flow and wait for the save to complete. You then repeat all of the above Flow steps for any additional runbooks. In my case, I did all of this twice: once for the StartVMs runbook and once for the StopVMs runbook. My two flows are shown below:
Flow App on Mobile Phone
You do not need to sign into the Office 365 Portal to use Flow; Microsoft has published Flow apps for iOS and Android. Install the app and sign in using the same credentials as your Office 365 user. Go to Buttons (the bottom navigation bar) and the flows that you created should appear. My buttons in the Flow app for starting and stopping Azure virtual machines using Azure Automation runbooks can be seen in the Android screenshot below.
Everything is in place! If I want to shut down my LOB app, all I have to do is open the Flow app and press the Stop LOB App button. That is all I have to do. Behind the scenes:
- The Flow service will do an HTTP POST to the webhook for the StopVMs runbook.
- Azure Automation will receive the HTTP POST and start the runbook.
- Soon afterward, my virtual machines will be shut down.
A similar set of activities will take place when I press the Start LOB App button.
Extending the Concept
Webhooks provide us with a mechanism to extend outside of the system. In the above example, I have made it possible to start an Azure Automation runbook from a system outside of Azure. One could take this concept and use it from almost any other system:
- An external monitoring system
- A task management system
- An LOB app running in AWS or Google compute
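As an added example (not code from the original post), this is how one of those external systems could make the same HTTP POST that Flow makes. It treats the saved webhook URL as a secret, because the token in its query string is what authorizes the call. The environment variable name, the `example.invalid` host in the test data, and the JSON payload are assumptions made for illustration.

```python
import json
import os
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def redact_webhook_url(url):
    """Return the URL with the token query value masked, safe to write to logs."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() == "token" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def build_request(url, payload):
    """Build the POST; refuse plain HTTP so the token never travels in clear text."""
    if urlsplit(url).scheme != "https":
        raise ValueError("webhook URL must use https")
    body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"})


def parse_job_ids(status, body):
    """Azure Automation answers 202 with {"JobIds": [...]} once the job is queued."""
    if status != 202:
        raise RuntimeError(f"webhook not accepted, HTTP {status}")
    return json.loads(body)["JobIds"]


def trigger_runbook(url, payload, timeout=10.0):
    """POST to the webhook and return the queued job IDs."""
    req = build_request(url, payload)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_job_ids(resp.status, resp.read())
    except OSError as exc:
        # Network and HTTP errors are re-raised without the raw URL in the message.
        msg = f"POST to {redact_webhook_url(url)} failed: {type(exc).__name__}"
        raise RuntimeError(msg) from None


if __name__ == "__main__":
    # AUTOMATION_WEBHOOK_URL is a hypothetical variable holding the saved URL.
    saved = os.environ.get("AUTOMATION_WEBHOOK_URL")
    if saved:
        print(trigger_runbook(saved, {"source": "monitoring-alert"}))
```

The returned job IDs can be recorded by the calling system to correlate its request with the runbook job in Azure Automation.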
In my lab, I used two tenants:
- One for Office 365 using a “work” (Azure AD) account
- Another for Azure using a “personal” (Microsoft) account
This means that a Microsoft partner could use webhooks to manage systems for its many managed customers.
Another interesting concept is that of delegation. Maybe the end user of the LOB app has no administrative rights in Azure. In Office 365 Flow, it is possible to share a flow with someone in the same Office 365 tenant. I, the administrator, can make a flow and share it with the end user. Then the end user could start and stop their LOB app on demand.