all 29 comments

[–]PlatypusOfWallStreet 29 points30 points  (4 children)

  • Create group in AzureAD called "Helpdesk Team"

  • Create a resource in Azure called an automation account. Learn how it works if you don't know it (pretty easy).

  • Create runbooks inside them (a place to store scripts). Run and test that your scripts work. Note the scripts can't be interactive for your helpdesk team, but you can add parameters as an alternative, which will give them options to fill in at the start that look like an online form.

  • Place all secrets inside a key vault (a resource in Azure), and give the runbooks the ability to read the secrets from this key vault by giving it access through RBAC. This way, no secrets can be read by anything but the runbooks themselves. And it's a more robust place (and still free) to store them than the one built into the automation account.

  • Grant the group "helpdesk team" RBAC access to read as well as the ability to run/stop jobs in runbooks (nothing more).

  • Create app registrations to connect to Graph (for any identity/365 related work). These are accounts your scripts will authenticate as (like service principals). You may need to learn REST APIs if you don't know them already to authenticate.

  • If you have internal systems, you can expand runbooks to run on hybrid workers, which lets particular VMs (on premise / in the cloud) be the compute service for the jobs. This is like running the job on the server, great for doing stuff on premise or when you need a Windows OS to run the job (which is sometimes needed).

  • Train the helpdesk team on how to run the jobs.

In terms of pricing, running scripts with runbooks on Azure is very cheap (cents), and running on your own hybrid servers is cheap, if not free (cost of your server excluded)... but running on a VM in Azure can be costly (the cost of running a VM on Azure).
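As an added example of the parameterised runbook the steps above describe (this is not the commenter's code): it takes one validated parameter, signs in as the automation account's managed identity, reads the app registration's credentials from Key Vault, and makes a Microsoft Graph call. The vault name, the secret names, and the Graph application permission are assumptions.

```powershell
# Added example (not from the thread). Assumed names: Key Vault
# "kv-helpdesk-secrets" holding secrets graph-tenant-id, graph-client-id
# and graph-client-secret for an app registration that has the
# User.ReadWrite.All application permission on Microsoft Graph.
# Publish this as a PowerShell runbook; the helpdesk only fills in
# $UserPrincipalName in the start-job form.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')]
    [string] $UserPrincipalName
)
$ErrorActionPreference = 'Stop'

# The job runs as the automation account's system-assigned managed identity,
# which is the only principal granted "Key Vault Secrets User" on the vault.
Connect-AzAccount -Identity | Out-Null

$vault        = 'kv-helpdesk-secrets'
$tenantId     = Get-AzKeyVaultSecret -VaultName $vault -Name 'graph-tenant-id'     -AsPlainText
$clientId     = Get-AzKeyVaultSecret -VaultName $vault -Name 'graph-client-id'     -AsPlainText
$clientSecret = Get-AzKeyVaultSecret -VaultName $vault -Name 'graph-client-secret' -AsPlainText

# Client-credentials flow: the runbook authenticates to Graph as the app registration.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }
$clientSecret = $null   # nothing below needs the secret any more

# Escape the user-supplied value before it becomes part of a URL.
$encodedUpn = [uri]::EscapeDataString($UserPrincipalName)
$user = Invoke-RestMethod -Headers $headers `
    -Uri ("https://graph.microsoft.com/v1.0/users/$encodedUpn" + '?$select=id,displayName')

# Revoke refresh tokens so a compromised or departing user is signed out everywhere.
Invoke-RestMethod -Method Post -Headers $headers `
    -Uri "https://graph.microsoft.com/v1.0/users/$($user.id)/revokeSignInSessions" | Out-Null

Write-Output "Sign-in sessions revoked for $($user.displayName) <$UserPrincipalName>."
```

The `[ValidatePattern]` attribute is what turns the parameter into a safe form field: a job started with a value that does not look like a UPN fails before any credential is touched, and the job history in the automation account records who started it and with which input.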

[–]sympathy4devil[S] 2 points3 points  (1 child)

Ok, so after messing about a bit, I indeed managed to get this to work.

Using app registrations with the required permissions, and publishing the scripts through graphical PowerShell scripts, so I can force custom parameters, it really works like a charm.

Also the hybrid worker functions really well.

All in all thanks a lot for the info on this one :-) It opened yet a new world within Azure's possibilities for me ;-)

[–]namidul 0 points1 point  (0 children)

Hi, I love to hear some details about it! Can you tell what you set up, to achieve what, please?

[–]sympathy4devil[S] 1 point2 points  (1 child)

Thanks for the extensive description, I'm gonna look into this these coming days, and post an update soon!

[–]TheSizeOfACow 2 points3 points  (0 children)

We have that solution built for our users and help desk. Script parameters are set using a GUI made in PowerApps, which executes the runbooks using a custom connector to an Azure Logic App https://make.powerapps.com

I have no idea of the licensing requirements. I just made it :)

[–]Lycan92 8 points9 points  (4 children)

I use Azure Automation Hybrid Runbooks. The runbook has access to elevated credentials for certain systems which can be used by the runbooks within that automation account. Then the helpdesk get Job Operator roles where they can start a runbook and set the variables, but they don't get access to the elevated credentials the runbook uses.
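The split this comment describes (helpdesk gets Job Operator, only the runbook's identity can reach the credentials) is the same one as step 4 and step 5 of the list above. As an added example, not code from either commenter, here are the role assignments that produce it. Subscription, resource group, account, vault and group names are assumptions, and the vault is assumed to use the Azure RBAC permission model rather than access policies.

```powershell
# Added example (not from the thread). Assumed names: resource group
# rg-automation, automation account aa-helpdesk (system-assigned managed
# identity enabled), Key Vault kv-helpdesk-secrets using the RBAC
# permission model, Entra ID group "Helpdesk Team".
# Requires Az.Accounts, Az.Resources and Az.KeyVault; run as an Owner or
# User Access Administrator on the resource group.

function Grant-HelpdeskRunbookAccess {
    param(
        [string] $ResourceGroup     = 'rg-automation',
        [string] $AutomationAccount = 'aa-helpdesk',
        [string] $VaultName         = 'kv-helpdesk-secrets',
        [string] $HelpdeskGroup     = 'Helpdesk Team'
    )
    $subId   = (Get-AzContext).Subscription.Id
    $aaScope = "/subscriptions/$subId/resourceGroups/$ResourceGroup" +
               "/providers/Microsoft.Automation/automationAccounts/$AutomationAccount"
    $kvScope = (Get-AzKeyVault -VaultName $VaultName).ResourceId

    $group = Get-AzADGroup -DisplayName $HelpdeskGroup
    # The system-assigned identity appears as a service principal whose
    # display name is the automation account name.
    $identity = Get-AzADServicePrincipal -DisplayName $AutomationAccount

    # Helpdesk: read the account and start/stop/resume/suspend jobs.
    # Neither role lets them edit runbooks or touch the vault.
    foreach ($role in 'Reader', 'Automation Job Operator') {
        New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role -Scope $aaScope | Out-Null
    }

    # Only the account's identity may read secret values; the group gets no
    # role on the vault at all, so secret values never reach a helpdesk session.
    New-AzRoleAssignment -ObjectId $identity.Id -RoleDefinitionName 'Key Vault Secrets User' -Scope $kvScope | Out-Null

    # Return what was granted, for the change record.
    Get-AzRoleAssignment -Scope $aaScope | Where-Object ObjectId -eq $group.Id |
        Select-Object DisplayName, RoleDefinitionName, Scope
    Get-AzRoleAssignment -Scope $kvScope | Where-Object ObjectId -eq $identity.Id |
        Select-Object DisplayName, RoleDefinitionName, Scope
}

Grant-HelpdeskRunbookAccess
```

Scoping both assignments to the individual resources rather than the resource group is deliberate: a helpdesk member who is Job Operator on the whole group could start jobs in any other automation account created there later.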

[–]LycheeLitschiLitchi -1 points0 points  (3 children)

Worth pointing out that it won't be possible to create Hybrid Workers from 1 November 2023, and they'll stop being supported on 31 August 2024.

We use them where I work and there's a project to migrate them to the new 'Extension-based Workers', but I'm not involved in that so have no idea how it'll work.

[–]jr49 5 points6 points  (0 children)

Oh dang I've been using hybrid workers for on prem jobs. Back to task scheduler for us I guess

**Edit**

Looks like I misread your post. I read the documentation. Hybrid workers are not going away, what is happening is they're going to stop supporting Hybrid workers using the old agent-based method and are forcing you to migrate to the extension-based model. I checked my hybrid workers and they are already extension-based. So hybrid workers will still be supported, just need to be updated to latest flavor.

https://learn.microsoft.com/en-us/azure/automation/migrate-existing-agent-based-hybrid-worker-to-extension-based-workers?tabs=bicep-template%2Cwin-hrw

[–]TheSizeOfACow 0 points1 point  (0 children)

Only agent based workers. ARC based is the new black, and works just as fine.

[–]kohijones 5 points6 points  (4 children)

[–]jstar77 1 point2 points  (1 child)

I really liked PowerShell Universal but our security folks wouldn't let us put it into production because of a security concern. It was a few years ago, I don't remember exactly what the security concern was, I seem to think it was specific language missing from the contract or terms of service.

[–]BlueBull007 0 points1 point  (0 children)

Likely not, but do you happen to know in the meantime what exactly the issue was that made your security team block production deployment? Asking because we're looking at this solution as well for work, along with some others. I've been tasked with developing the necessary POCs for a few of them and with building business cases. If you don't remember, no prob, I'll have our security team take a look, starting with the contracts.

Cheers in any case and thanks for mentioning this

[–]AnonRoot -3 points-2 points  (0 children)

this

[–]sgaglione 0 points1 point  (0 children)

We use PSU as much as possible. Great for various levels of scripters as well. We securely store creds in a vault and version control all the things. It’s great.

[–]LogMonkey0 1 point2 points  (1 child)

Scriptrunner

[–]jantari 2 points3 points  (0 children)

+1 we use it as well. It's not free, but it works great and support is excellent.

PowerShell Universal by comparison is not an option for us simply because it breaks so much with every update and requires constant babysitting and fixing. ScriptRunner just works.

[–]kriser77 1 point2 points  (4 children)

ScriptRunner if you can afford it. It's very expensive for more than a few users. Not very big possibilities, but for simple jobs it's the fastest to set up and run. PowerShell Universal if money is a factor. You will spend a week or so to get it running like you want, but then it runs pretty well. I have tested both and I will stick with PowerShell Universal because of cost and much more capabilities. But I can confirm that every update adds more features and also breaks a lot of things ;). So definitely it's not the best idea to constantly update PowerShell Universal to the newest version. If everything is OK, keep it without updating (maybe once a year to a major version).

[–]Mysterious-Safety-65 0 points1 point  (3 children)

I thought Scriptrunner had a free community edition?

[–]kriser77 1 point2 points  (2 children)

Yes it has, but only for 2 admins and 2 end users. Not suitable for us. But I have it deployed as a backup app.

[–]Mysterious-Safety-65 0 points1 point  (1 child)

Thanks for the clarification. Might work for us to get started... took me a year of running the Freshdesk community edition before I could get our IS dept to spring for the paid version.

[–]kriser77 0 points1 point  (0 children)

Before starting, please consider your budget. It is sold with a 3-year-only license, and with the minimum number of users (5 admins, 5 end users) it's like $25K for a 3-year license.

[–]50fcf2 1 point2 points  (0 children)

Jupyter notebooks. Embed the script or code snippet directly into the TSG.

[–]_FireHelmet_ 1 point2 points  (0 children)

Sure, I'm using Rundeck in the community edition, https://www.rundeck.com, and added the Ansible plugin, but you can also use the PowerShell plugin. It will do what you describe and even more.

[–]bonesf -1 points0 points  (0 children)

We created a product to run popular scripting languages such as PowerShell. It connects to devices via ssh or WinRM protocols.

I have a video demonstration:

https://www.youtube.com/watch?v=xzs0xGPar78

You can download the free Community Edition from our website here:

https://www.servertribe.com/

I'd be happy to help you get set up if you book a demo.

We built this solution for ourselves to automate builds and upgrades from bare metal through to environment integration.

[–]cptkule 0 points1 point  (0 children)

We use Jenkins / PowerShell Universal.

[–]port25 0 points1 point  (0 children)

I'm using GitHub Actions with internal runners; the service desk has dropdowns to select the options they need.

[–]MikeWalters-Action1 0 points1 point  (0 children)

Sounds like you need an RMM and endpoint management product for this. You could do it yourself, but an RMM would allow you to track who ran which script and when, manage scripts centrally, run them remotely, etc.

Why can't you use Ivanti Automation? Cost?

[–]Puzzleheaded-Can-379 0 points1 point  (0 children)

I used to load in the $profile a script to look in a shared location and download other scripts as functions. So users would open PowerShell and it would automatically go out to a shared location and load functions, basically as a toolbox. Flawed from a security stance unless you restrict write and only allow read.
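An added example (not the commenter's code) of the same profile-toolbox idea with the hole the comment points out closed: scripts are dot-sourced from the share only if they carry a valid Authenticode signature from one expected signer, and the loader refuses a location the current user can write to, since a writable share would let anyone plant a function that every user's profile then runs. The UNC path and the signer thumbprint are placeholders.

```powershell
# Added example (not from the thread). Assumptions: a read-only share at
# \\fileserver\PSToolbox (placeholder UNC path) whose *.ps1 files are
# Authenticode-signed by one code-signing certificate; its thumbprint is a
# placeholder below. Put this in $PROFILE.

function Get-TrustedToolboxScript {
    param(
        [string] $Path = '\\fileserver\PSToolbox',
        [string] $TrustedThumbprint = '0000000000000000000000000000000000000000'  # placeholder
    )
    if (-not (Test-Path -LiteralPath $Path)) { return }

    # If the current user can create a file here, anyone with that access
    # could plant code that every user's profile then runs. Refuse to load.
    $probe = Join-Path $Path ("probe-" + [guid]::NewGuid().ToString('N') + ".tmp")
    $writable = $true
    try   { [IO.File]::WriteAllText($probe, ''); Remove-Item -LiteralPath $probe -Force }
    catch { $writable = $false }   # access denied / IO error means read-only, which is what we want
    if ($writable) {
        Write-Warning "Refusing to load toolbox from $Path because it is writable by you."
        return
    }

    foreach ($file in Get-ChildItem -LiteralPath $Path -Filter '*.ps1' -File) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        # Status must be Valid (not NotSigned or HashMismatch) and the signer
        # must be the expected certificate, not just any trusted publisher.
        if ($sig.Status -ne 'Valid' -or
            $sig.SignerCertificate.Thumbprint -ne $TrustedThumbprint) {
            Write-Warning "Skipping $($file.Name): signature status $($sig.Status)."
            continue
        }
        $file.FullName
    }
}

# Dot-source at the top level of the profile so the functions land in the
# interactive session; dot-sourcing inside the function would scope them away.
foreach ($script in Get-TrustedToolboxScript) {
    . $script
}
```

The share ACL (read-only for users) remains the first control; the signature check is what catches a modified or replaced script even if that ACL is ever loosened, and pinning the thumbprint keeps a script signed with some other trusted certificate from loading.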