chprpipr

Reputation: 2039

How to remove App Service using Azure Automation

The following code works great via Azure Cloud Shell (completes, App Service deleted as expected).

Remove-AzWebApp -ResourceGroupName "ResourceGroup1" -Name "AppService1" -Force

It also completes without error within my Runbook workflow, but the App Service remains operational. This feels like a permissions problem, but I've tried adding the Owner role at the subscription level without success.

Any ideas/tips for how to make this work for the AzureRunAsConnection account?

Upvotes: 0

Views: 425

Answers (2)

Joy Wang

Reputation: 42043

> This feels like a permissions problem, but I've tried adding the Owner role at the subscription level without success.

It is not a permission problem. When you create the automation account along with the RunAsAccount, it will add the service principal related to the RunAsAccount to the subscription as a Contributor role, which is enough to remove the web app.

If you are using the PowerShell Workflow Runbook, try the sample below; it works for me. (First, make sure you have installed the Az.Accounts and Az.Websites modules in the automation account -> Modules.)

workflow testrun3
{
    $connectionName = "AzureRunAsConnection"
    try
    {
        # Get the connection "AzureRunAsConnection "
        $servicePrincipalConnection=Get-AutomationConnection -Name $connectionName         

        Connect-AzAccount `
            -ServicePrincipal `
            -TenantId $servicePrincipalConnection.TenantId `
            -ApplicationId $servicePrincipalConnection.ApplicationId `
            -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint 
    }
    catch {
        if (!$servicePrincipalConnection)
        {
            $ErrorMessage = "Connection $connectionName not found."
            throw $ErrorMessage
        } else{
            Write-Error -Message $_.Exception
            throw $_.Exception
        }
    }

    Remove-AzWebApp -ResourceGroupName "<group-name>" -Name "joywebapp1234" -Force
}


Check the result in the portal:


Upvotes: 2
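An added example, not part of the answer above or of any Microsoft sample: a plain PowerShell (non-workflow) runbook that addresses the "completes without error but the app remains" symptom from the question by pinning the Azure context, failing on any Az error, and verifying the deletion. The parameter names and the helper `Get-TargetApp` are hypothetical, and it assumes the Run As connection's `SubscriptionId` is the subscription that holds the app.

```powershell
# Added example: hypothetical parameters, supplied when the runbook is started.
param(
    [Parameter(Mandatory = $true)] [string] $ResourceGroupName,
    [Parameter(Mandatory = $true)] [string] $WebAppName
)

# Make non-terminating Az errors stop the job instead of being logged and ignored.
$ErrorActionPreference = 'Stop'

# Do not reuse a context saved by an earlier job in the same sandbox.
Disable-AzContextAutosave -Scope Process | Out-Null

# Same Run As connection asset the answer uses.
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'

Connect-AzAccount -ServicePrincipal `
    -TenantId $conn.TenantId `
    -ApplicationId $conn.ApplicationId `
    -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

# Assumption: the connection's SubscriptionId is the subscription containing the app.
$ctx = Set-AzContext -SubscriptionId $conn.SubscriptionId
Write-Output "Running as $($ctx.Account.Id) in subscription $($ctx.Subscription.Id)"

# Hypothetical helper: list the group's apps and filter by name, so "not found"
# is an empty result while authorization or lookup failures still throw.
function Get-TargetApp {
    Get-AzWebApp -ResourceGroupName $ResourceGroupName |
        Where-Object { $_.Name -eq $WebAppName }
}

$app = Get-TargetApp
if (-not $app) {
    throw "Web app '$WebAppName' is not visible in '$ResourceGroupName' from this context."
}

Remove-AzWebApp -ResourceGroupName $ResourceGroupName -Name $WebAppName -Force

# Verify the result rather than trusting a silent return.
if (Get-TargetApp) {
    throw "Remove-AzWebApp returned, but '$WebAppName' still exists."
}
Write-Output "Deleted $($app.Id)"
```

The logged account and subscription IDs in the job output show which identity and scope the delete actually ran under, which is the first thing to compare against the Cloud Shell session where the command worked.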

Joey Cai

Reputation: 20067

To create or update a Run As account, you must have specific privileges and permissions. An Application administrator in Azure Active Directory and an Owner in a subscription can complete all the tasks. Use Remove-AzAutomationConnection to remove an Automation connection.

For more details, you could refer to this article about Run As account permissions.

Upvotes: 0
