Create a standalone Azure Automation account

This article shows you how to create an Azure Automation account in the Azure portal. You can use the portal Automation account to evaluate and learn about Automation without using additional management solutions or integration with Azure Monitor logs. You can add those management solutions or integrate with Azure Monitor logs for advanced monitoring of runbook jobs at any point in the future.

With an Automation account, you can authenticate runbooks that manage resources in either Azure Resource Manager or the classic deployment model. One Automation account can manage resources across all regions and subscriptions for a given tenant.

When you create an Automation account in the Azure portal, these accounts are automatically created:

  • Run As account. This account does the following tasks:
    • Creates a service principal in Azure Active Directory (Azure AD).
    • Creates a certificate.
    • Assigns the Contributor role-based access control (RBAC) role, which is used to manage Azure Resource Manager resources by using runbooks.
  • Classic Run As account. This account uploads a management certificate. The certificate is used to manage classic resources by using runbooks.

With these accounts created for you, you can quickly start building and deploying runbooks to support your automation needs.

Permissions required to create an Automation account

To create or update an Automation account, and to complete the tasks described in this article, you must have the following privileges and permissions:

  • To create an Automation account, your Azure AD user account must be added to a role with permissions equivalent to the Owner role for Microsoft.Automation resources. For more information, see Role-Based Access Control in Azure Automation.
  • In the Azure portal, under Azure Active Directory > MANAGE > App registrations, if App registrations is set to Yes, non-admin users in your Azure AD tenant can register Active Directory applications. If App registrations is set to No, the user who performs this action must be a global administrator in Azure AD.

If you aren't a member of the subscription's Active Directory instance before you are added to the subscription's global administrator/coadministrator role, you are added to Active Directory as a guest. In this scenario, you see this message on the Add Automation Account page: "You do not have permissions to create."

If a user is added to the global administrator/coadministrator role first, you can remove them from the subscription's Active Directory instance, and then re-add them to the full User role in Active Directory.

To verify user roles:

  1. In the Azure portal, go to the Azure Active Directory pane.
  2. Select Users and groups.
  3. Select All users.
  4. After you select a specific user, select Profile. The value of the User type attribute under the user's profile should not be Guest.

Create a new Automation account in the Azure portal

To create an Azure Automation account in the Azure portal, complete the following steps:

  1. Sign in to the Azure portal with an account that's a member of the subscription Administrators role and a coadministrator of the subscription.

  2. Select + Create a Resource.

  3. Search for Automation. In the search results, select Automation.

    [Image: Search for and select Automation & Control in the Azure Marketplace]

  4. On the next screen, select Create.

    [Image: Add Automation Account]

    Note

    If you see the following message in the Add Automation Account pane, your account is not a member of the subscription Administrators role and a coadministrator of the subscription.

    [Image: Add Automation Account warning]

  5. In the Add Automation Account pane, in the Name box, enter a name for your new Automation account. This name cannot be changed after it is chosen. Automation account names are unique per region and resource group. Names for Automation accounts that were deleted may not be immediately available.

  6. If you have more than one subscription, in the Subscription box, specify the subscription you want to use for the new account.

  7. For Resource group, enter or select a new or existing resource group.

  8. For Location, select an Azure datacenter location.

  9. For the Create Azure Run As account option, ensure that Yes is selected, and then select Create.

    Note

    If you choose not to create the Run As account by selecting No for Create Azure Run As account, a message appears in the Add Automation Account pane. Although the account is created in the Azure portal, the account doesn't have a corresponding authentication identity in your classic deployment model subscription or in the Azure Resource Manager subscription directory service. Therefore, the Automation account doesn't have access to resources in your subscription. This prevents any runbooks that reference this account from being able to authenticate and perform tasks against resources in those deployment models.

    [Image: Add Automation Account warning]

    When the service principal is not created, the Contributor role is not assigned.

  10. To track the progress of the Automation account creation, in the menu, select Notifications.

Resources included

When the Automation account is successfully created, several resources are automatically created for you. After creation, these runbooks can be safely deleted if you do not wish to keep them. The Run As accounts can be used to authenticate to your account in a runbook, and should be left in place unless you create another one or do not require them. The following table summarizes resources for the Run As account.

| Resource | Description |
|---|---|
| AzureAutomationTutorial Runbook | An example graphical runbook that demonstrates how to authenticate by using the Run As account. The runbook gets all Resource Manager resources. |
| AzureAutomationTutorialScript Runbook | An example PowerShell runbook that demonstrates how to authenticate by using the Run As account. The runbook gets all Resource Manager resources. |
| AzureAutomationTutorialPython2 Runbook | An example Python runbook that demonstrates how to authenticate by using the Run As account. The runbook lists all resource groups present in the subscription. |
| AzureRunAsCertificate | A certificate asset that's automatically created when the Automation account is created, or by using a PowerShell script for an existing account. The certificate authenticates with Azure so you can manage Azure Resource Manager resources from runbooks. This certificate has a one-year lifespan. |
| AzureRunAsConnection | A connection asset that's automatically created when the Automation account is created, or by using a PowerShell script for an existing account. |
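
A posture check for the Run As resources listed above, as an added PowerShell example that is not part of the original article: it flags a Run As certificate nearing the end of its one-year lifespan and a broad role held at subscription scope, which is where the Contributor role is assigned by default. The function name Get-RunAsFinding, the 30-day warning window and the sample values are assumptions made for illustration.

```powershell
# Added example, not Microsoft's code. The inputs mirror real cmdlet output:
#   $cert = Get-AzAutomationCertificate -ResourceGroupName <rg> `
#             -AutomationAccountName <account> -Name AzureRunAsCertificate
#   $conn = Get-AzAutomationConnection -ResourceGroupName <rg> `
#             -AutomationAccountName <account> -Name AzureRunAsConnection
#   $ras  = Get-AzRoleAssignment -ServicePrincipalName $conn.FieldDefinitionValues.ApplicationId
#   Get-RunAsFinding -ExpiryTime $cert.ExpiryTime -RoleAssignment $ras
function Get-RunAsFinding {
    param(
        [Parameter(Mandatory)] [datetime] $ExpiryTime,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $RoleAssignment,
        [datetime] $Now = (Get-Date),
        [int] $WarnDays = 30   # assumed renewal window, not taken from the article
    )
    $findings = @()

    # The Run As certificate is valid for one year; once it expires, runbooks
    # that use AzureRunAsConnection can no longer authenticate.
    $daysLeft = [int][math]::Floor(($ExpiryTime - $Now).TotalDays)
    if ($daysLeft -lt 0) {
        $findings += "AzureRunAsCertificate expired $(-$daysLeft) day(s) ago"
    } elseif ($daysLeft -le $WarnDays) {
        $findings += "AzureRunAsCertificate expires in $daysLeft day(s); renew it"
    }

    # No assignment at all means the service principal cannot reach any resource.
    if ($RoleAssignment.Count -eq 0) {
        $findings += 'Service principal has no role assignment'
    }
    foreach ($ra in $RoleAssignment) {
        # A scope with nothing after the subscription ID covers the whole subscription.
        $subscriptionWide = $ra.Scope -match '^/subscriptions/[^/]+$'
        if (($ra.RoleDefinitionName -in 'Owner', 'Contributor') -and $subscriptionWide) {
            $findings += "$($ra.RoleDefinitionName) at $($ra.Scope); consider a narrower scope or role"
        }
    }
    return $findings
}

# Constructed sample data (placeholder subscription ID, fixed clock) so the check runs offline.
$sampleAssignments = @(
    [pscustomobject]@{
        RoleDefinitionName = 'Contributor'
        Scope              = '/subscriptions/00000000-0000-0000-0000-000000000000'
    }
)
Get-RunAsFinding -ExpiryTime ([datetime]'2020-06-15') -RoleAssignment $sampleAssignments `
    -Now ([datetime]'2020-06-01')
```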

The following table summarizes resources for the Classic Run As account.

| Resource | Description |
|---|---|
| AzureClassicAutomationTutorial Runbook | An example graphical runbook. The runbook gets all classic VMs in a subscription by using the Classic Run As account (certificate). Then, it displays the VM names and status. |
| AzureClassicAutomationTutorial Script Runbook | An example PowerShell runbook. The runbook gets all classic VMs in a subscription by using the Classic Run As account (certificate). Then, it displays the VM names and status. |
| AzureClassicRunAsCertificate | A certificate asset that's automatically created. The certificate authenticates with Azure so you can manage Azure classic resources from runbooks. This certificate has a one-year lifespan. |
| AzureClassicRunAsConnection | A connection asset that's automatically created. The asset authenticates with Azure so you can manage Azure classic resources from runbooks. |

Next steps