Create a standalone Azure Automation account

This article shows you how to create an Azure Automation account in the Azure portal. You can use the portal Automation account to evaluate and learn about Automation without using additional management features or integrating with Azure Monitor logs. You can add management features or integrate with Azure Monitor logs for advanced monitoring of runbook jobs at any point in the future.

With an Automation account, you can authenticate runbooks that manage resources in either Azure Resource Manager or the classic deployment model. One Automation account can manage resources across all regions and subscriptions for a given tenant.

When you create an Automation account in the Azure portal, the Run As account is automatically created. This account does the following tasks:

  • Creates a service principal in Azure Active Directory (Azure AD).
  • Creates a certificate.
  • Assigns the Contributor role, so that runbooks can manage Azure Resource Manager resources.

With this account created for you, you can quickly start building and deploying runbooks to support your automation needs.

Permissions required to create an Automation account

To create or update an Automation account, and to complete the tasks described in this article, you must have the following privileges and permissions:

  • To create an Automation account, your Azure AD user account must be added to a role with permissions equivalent to the Owner role for Microsoft.Automation resources. For more information, see Role-Based Access Control in Azure Automation.
  • In the Azure portal, under Azure Active Directory > MANAGE > User settings, if App registrations is set to Yes, non-administrator users in your Azure AD tenant can register Active Directory applications. If App registrations is set to No, the user who performs this action must have at least an Application Developer role in Azure AD.

If you aren't a member of the subscription's Active Directory instance before you're added to the subscription's global Administrator/Coadministrator role, you're added to Active Directory as a guest. In this scenario, you see this message on the Add Automation Account pane: "You do not have permissions to create."

If a user is added to the global Administrator/Coadministrator role first, you can remove the user from the subscription's Active Directory instance and then re-add the user to the User role in Active Directory. To verify user roles:

  1. In the Azure portal, go to the Azure Active Directory pane.
  2. Select Users and groups.
  3. Select All users.
  4. After you select a specific user, select Profile. The value of the User type attribute under the user's profile should not be Guest.

Create a new Automation account in the Azure portal

To create an Azure Automation account in the Azure portal, complete the following steps:

  1. Sign in to the Azure portal with an account that's a member of the subscription Administrators role and a coadministrator of the subscription.

  2. Select + Create a Resource.

  3. Search for Automation. In the search results, select Automation.

    Screenshot: Search for and select Automation & Control in the Azure Marketplace.

  4. On the next screen, select Create new.

    Screenshot: Add Automation Account.

    Note

    If you see the following message in the Add Automation Account pane, your account is not a member of the subscription Administrators role and a coadministrator of the subscription.

    Screenshot of the prompt "You do not have permissions to create a Run As account in Azure Active Directory."

  5. In the Add Automation Account pane, enter a name for your new Automation account in the Name field. You can't change this name after it's chosen.

    Note

    Automation account names are unique per region and resource group. Names for deleted Automation accounts might not be immediately available.

  6. If you have more than one subscription, use the Subscription field to specify the subscription to use for the new account.

  7. For Resource group, enter or select a new or existing resource group.

  8. For Location, select an Azure datacenter location.

  9. For the Create Azure Run As account option, ensure that Yes is selected, and then click Create.

    Note

    If you choose not to create the Run As account by selecting No for Create Azure Run As account, a message appears in the Add Automation Account pane. Although the account is created in the Azure portal, the account doesn't have a corresponding authentication identity in your classic deployment model subscription or in the Azure Resource Manager subscription directory service. Therefore, the Automation account doesn't have access to resources in your subscription. This prevents any runbooks that reference this account from being able to authenticate and perform tasks against resources in those deployment models.

    Screenshot of the prompt with the message "You have chosen not to create a Run As account."

    When the service principal is not created, the Contributor role is not assigned.

  10. To track the progress of the Automation account creation, select Notifications in the menu.

When the Automation account is successfully created, several resources are automatically created for you. After creation, these runbooks can be safely deleted if you do not wish to keep them. The Run As accounts can be used to authenticate to your account in a runbook, and should be left unless you create another one or do not require them. The following table summarizes resources for the Run As account.

| Resource | Description |
|---|---|
| AzureAutomationTutorial Runbook | An example graphical runbook that demonstrates how to authenticate by using the Run As account. The runbook gets all Resource Manager resources. |
| AzureAutomationTutorialScript Runbook | An example PowerShell runbook that demonstrates how to authenticate by using the Run As account. The runbook gets all Resource Manager resources. |
| AzureAutomationTutorialPython2 Runbook | An example Python runbook that demonstrates how to authenticate by using the Run As account. The runbook lists all resource groups present in the subscription. |
| AzureRunAsCertificate | A certificate asset that's automatically created when the Automation account is created, or by using a PowerShell script for an existing account. The certificate authenticates with Azure so you can manage Azure Resource Manager resources from runbooks. This certificate has a one-year lifespan. |
| AzureRunAsConnection | A connection asset that's automatically created when the Automation account is created, or by using a PowerShell script for an existing account. |
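
The Run As resources in the table can be audited after creation. The script below is an added example, not part of the original article or Microsoft's own tooling: it reads the AzureRunAsCertificate and AzureRunAsConnection assets, reports the days left on the one-year certificate, and lists the role assignments held by the Run As service principal. It assumes the Az.Automation and Az.Resources modules, a signed-in session (Connect-AzAccount), and that the connection asset exposes ApplicationId and CertificateThumbprint fields; the parameter names and the 30-day warning window are illustrative.

```powershell
# Added example (not Microsoft's script): audit the Run As resources of one Automation account.
# Assumes Az.Automation and Az.Resources are installed and Connect-AzAccount has been run.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,      # placeholder input
    [Parameter(Mandatory)] [string] $AutomationAccountName,  # placeholder input
    [int] $WarnDays = 30                                     # assumed warning window
)

$account = @{
    ResourceGroupName     = $ResourceGroupName
    AutomationAccountName = $AutomationAccountName
}

# 1. Certificate asset: created with a one-year lifespan, so track its expiry.
$cert     = Get-AzAutomationCertificate @account -Name 'AzureRunAsCertificate' -ErrorAction Stop
$expiry   = [DateTimeOffset] $cert.ExpiryTime
$daysLeft = [math]::Floor(($expiry - [DateTimeOffset]::UtcNow).TotalDays)

# 2. Connection asset: holds the application ID of the Run As service principal.
#    Field names are those of the service principal connection type (assumption).
$conn  = Get-AzAutomationConnection @account -Name 'AzureRunAsConnection' -ErrorAction Stop
$appId = $conn.FieldDefinitionValues['ApplicationId']

# 3. Role assignments held by that service principal.
$assignments = @(Get-AzRoleAssignment -ServicePrincipalName $appId)

# Flag Contributor granted on a whole subscription (scope "/subscriptions/<id>").
$broad = @($assignments | Where-Object {
    $_.RoleDefinitionName -eq 'Contributor' -and $_.Scope -match '^/subscriptions/[^/]+$'
})

[pscustomobject]@{
    AutomationAccount           = $AutomationAccountName
    CertificateThumbprint       = $cert.Thumbprint
    CertificateExpiresUtc       = $expiry.UtcDateTime
    DaysUntilExpiry             = $daysLeft
    ExpiryWarning               = $daysLeft -le $WarnDays
    ConnectionThumbprintMatches = $conn.FieldDefinitionValues['CertificateThumbprint'] -eq $cert.Thumbprint
    ServicePrincipalAppId       = $appId
    RoleAssignments             = $assignments | ForEach-Object { "$($_.RoleDefinitionName) @ $($_.Scope)" }
    SubscriptionWideContributor = $broad.Count -gt 0
}
```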

Create a Classic Run As account

Classic Run As accounts are no longer created by default when you create an Azure Automation account. If you still require a Classic Run As account:

  1. From your Automation account, select Run As Accounts under Account Settings.
  2. Select Azure Classic Run As Account.
  3. Click Create to proceed with Classic Run As account creation.

Next steps