Thursday, August 30, 2018

Tips to install Azure Hybrid Runbook Worker

You can use the Hybrid Runbook Worker feature of Azure Automation to run runbooks directly on the computer that's hosting the role and against resources in the environment to manage those local resources. This is useful if you want to automate tasks in other clouds and on-premises environments.

The best way to start with a Hybrid Runbook Worker is to read the instructions from Microsoft first. However, those steps are a little difficult to follow, so you can also use the procedure with detailed information published by Anderson here. After configuring a few Hybrid Runbook Workers, we found there are a few tricks you need to be aware of in order to configure them quickly.

1. The first trick: configuring an Azure Hybrid Runbook Worker requires creating and configuring the following resources.
  • Azure automation account
  • Azure resource groups
  • Log Analytics
  • OMS Workspace

All the resources need to be in the same location! Not every location is available for all four resources listed above, and only a few locations are common to all of them. My suggestion is to look at the available OMS Workspace locations first, since it has the fewest, and pick one of those as the common location for each resource. I had an issue creating the last resource: I was not able to find the resource group and had to recreate everything again from scratch.
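To avoid picking a region by trial and error, the intersection of the supported locations can be computed from the resource providers. The following is an added example, not code from the original post or from Anderson's script: it assumes the 2018-era AzureRM module and an existing Login-AzureRmAccount session, and the resource-type names it looks up (automationAccounts, workspaces) are the ones the Automation account and the Log Analytics/OMS workspace use.

```powershell
# Added example: list the regions where both an Automation account and a
# Log Analytics (OMS) workspace can be created, so one location can be chosen
# for every resource up front.  Assumes AzureRM and a logged-in session.

function Get-CommonHybridWorkerLocations {
    param(
        # Provider namespace -> resource type that the Hybrid Worker setup must co-locate.
        [hashtable]$Required = @{
            'Microsoft.Automation'          = 'automationAccounts'
            'Microsoft.OperationalInsights' = 'workspaces'
        }
    )

    $sets = foreach ($ns in $Required.Keys) {
        $provider = Get-AzureRmResourceProvider -ProviderNamespace $ns
        $type = $provider.ResourceTypes | Where-Object ResourceTypeName -eq $Required[$ns]
        if (-not $type) { throw "Resource type $ns/$($Required[$ns]) not found" }
        # Unary comma keeps each provider's location list as one array element.
        ,@($type.Locations)
    }

    # Intersect: keep only the locations present in every provider's list.
    $common = $sets[0]
    foreach ($s in ($sets | Select-Object -Skip 1)) {
        $common = $common | Where-Object { $s -contains $_ }
    }
    $common | Sort-Object -Unique
}

$commonLocations = Get-CommonHybridWorkerLocations
"Locations available to all required resources:"
$commonLocations

# Use one of these for the resource group, Automation account and workspace.
$location = $commonLocations | Select-Object -First 1
"Chosen location: $location"
```

Create the resource group, Automation account and workspace with the same `$location`; if the list comes back empty, the subscription's provider registrations are the first thing to check (`Get-AzureRmResourceProvider` shows `RegistrationState`).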

2. The second trick: you can configure the same on-premises VM/server as a Hybrid Runbook Worker for multiple Azure tenants. For each Azure environment, run the following command to log in before running the registration script; the worker is then registered against that tenant's Automation account.

Login-AzureRmAccount

3. The third trick is to automate gathering all the information needed to run the PowerShell script that creates the Hybrid Runbook Worker.

New-OnPremiseHybridWorker.ps1 -AutomationAccountName <NameofAutomationAccount> -AAResourceGroupName <NameofResourceGroup> -OMSResourceGroupName <NameofOResourceGroup> -HybridGroupName <NameofHRWGroup> -SubscriptionId <AzureSubscriptionId> -WorkspaceName <NameOfLogAnalyticsWorkspace>

You can see there are many parameters you need to collect with different PowerShell cmdlets, and it is tedious to pass the right values to the script. Here is an enhanced version of the PowerShell published by Anderson that automates the process: all the parameters are captured by PowerShell, assigned to variables and passed to the final script.

# Step 1 - Login
Login-AzureRmAccount

# Step 2 - Get WorkspaceName and OMSResourceGroupName
# Read the properties directly so the variables hold strings, not objects with a
# Name property (Select-Object Name would hand the script an object, not a name).
# -First 1 assumes a single workspace; select the right one explicitly if you have several.
$workspace = Get-AzureRmOperationalInsightsWorkspace | Select-Object -First 1
$NameOfLogAnalyticsWorkspace = $workspace.Name
$NameofOResourceGroup = $workspace.ResourceGroupName

# Step 3 - Get AutomationAccountName and AAResourceGroupName
$automationAccount = Get-AzureRmAutomationAccount | Select-Object -First 1
$NameofAutomationAccount = $automationAccount.AutomationAccountName
$NameofResourceGroup = $automationAccount.ResourceGroupName

# Step 4 - Get SubscriptionId from the current context.
# Please note this assumes you have only one subscription (or have already selected the right one)!
$AzureSubscriptionId = (Get-AzureRmContext).Subscription.Id

# Step 5 - Define the HybridGroupName you need
$NameofHRWGroup = "QCSBXHybGroup0"

# All parameters are assigned to variables in the previous commands for your convenience
.\New-OnPremiseHybridWorker.ps1 -AutomationAccountName $NameofAutomationAccount -AAResourceGroupName $NameofResourceGroup -OMSResourceGroupName $NameofOResourceGroup -HybridGroupName $NameofHRWGroup -SubscriptionId $AzureSubscriptionId -WorkspaceName $NameOfLogAnalyticsWorkspace


4. The fourth trick: you will run into the error below when a runbook fetches an Azure Automation credential on a hybrid worker server that also has the Azure Automation PowerShell ISE add-on installed.

AzureAutomationAuthoringToolkit: Warning - Local value for PSCredential asset "onpremCred" not found.

The error appears when the runbook reads the credential asset like this:
$onpremCred = Get-AutomationPSCredential -Name "onpremCred"

The ISE add-on module ships its own Get-AutomationPSCredential, which looks for a local copy of the asset instead of the one in the Automation account, and it takes precedence over the worker's cmdlet. You can verify that the following module folder is installed on the worker; if it is, you can delete the whole folder.

AzureAutomationAuthoringToolkit folder under C:\Program Files\WindowsPowerShell\Modules
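Rather than deleting a folder blind, first confirm that the add-on is actually the module resolving the cmdlet. The script below is an added example (not from the original post): it assumes the add-on was installed either from the PowerShell Gallery or by copying it into the all-users module path named above, and it is meant to be run in an elevated PowerShell session on the worker.

```powershell
# Added example: find out which module provides Get-AutomationPSCredential on this
# worker, and remove the ISE add-on's copy if it is one of the candidates.
# Assumes an elevated session on the hybrid worker; adjust $modulePath if the
# add-on was copied somewhere else.

$toolkit    = 'AzureAutomationAuthoringToolkit'
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules'

# 1. Every definition of the cmdlet visible to PowerShell, with its source module.
$cmd = Get-Command Get-AutomationPSCredential -All -ErrorAction SilentlyContinue
$cmd | Select-Object Name, ModuleName, Source | Format-Table -AutoSize

$shadowing = $cmd | Where-Object ModuleName -eq $toolkit
if (-not $shadowing) {
    "The ISE add-on is not providing Get-AutomationPSCredential here; look elsewhere."
    return
}

# 2. Remove the add-on. Uninstall-Module covers gallery installs; fall back to
#    deleting the folder (the fix the post describes) for manually copied modules.
if (Get-InstalledModule -Name $toolkit -ErrorAction SilentlyContinue) {
    Uninstall-Module -Name $toolkit -AllVersions -Force
} else {
    $folder = Join-Path $modulePath $toolkit
    if (Test-Path $folder) { Remove-Item -Path $folder -Recurse -Force }
}

# 3. Confirm nothing on the module path still advertises the add-on before
#    re-running the runbook.
if (Get-Module -ListAvailable -Name $toolkit) {
    throw "$toolkit is still discoverable via PSModulePath: $env:PSModulePath"
}
"$toolkit removed; Get-AutomationPSCredential should now resolve to the worker's version."
```

Runbooks on a hybrid worker execute under the worker's service context, so the module path that matters is the all-users one; a copy under a single user's Documents\WindowsPowerShell\Modules would not affect the worker but would still confuse anyone testing from that user's ISE.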

5. The last trick is how to monitor Azure Hybrid Runbook Workers from the Azure portal. Open the Automation account in the portal and click the Hybrid Worker Groups tile; selecting a group displays the hybrid worker server names.
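The same information can be pulled with PowerShell, which is handier if you want to notice a worker that has silently stopped checking in. This is an added example, not code from the original post: it assumes a Login-AzureRmAccount session, the resource group and account names are placeholders, and the property names on the cmdlet output (RunbookWorker, Name, IpAddress, LastSeenDateTime) are assumed from AzureRM.Automation; verify them with Get-Member if your module version differs.

```powershell
# Added example: list every hybrid worker in the Automation account and flag the
# ones that have not checked in recently.  Assumes AzureRM.Automation and a
# logged-in session; names below are placeholders.

function Get-HybridWorkerStatus {
    param(
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        [Parameter(Mandatory)] [string]$AutomationAccountName,
        [int]$MaxMinutesSinceSeen = 30
    )
    $cutoff = (Get-Date).ToUniversalTime().AddMinutes(-$MaxMinutesSinceSeen)
    $groups = Get-AzureRmAutomationHybridWorkerGroup -ResourceGroupName $ResourceGroupName `
                                                      -AutomationAccountName $AutomationAccountName
    foreach ($group in $groups) {
        foreach ($worker in $group.RunbookWorker) {
            # Cast through DateTimeOffset so both DateTime and DateTimeOffset values compare cleanly.
            $lastSeen = ([datetimeoffset]$worker.LastSeenDateTime).UtcDateTime
            [pscustomobject]@{
                GroupName = $group.Name
                Worker    = $worker.Name
                IpAddress = $worker.IpAddress
                LastSeen  = $lastSeen
                Stale     = ($lastSeen -lt $cutoff)
            }
        }
    }
}

$threshold = 30
$status = Get-HybridWorkerStatus -ResourceGroupName 'rg-automation' `
                                 -AutomationAccountName 'aa-prod' `
                                 -MaxMinutesSinceSeen $threshold
$status | Format-Table -AutoSize

# A worker that has stopped checking in is either down or running jobs nobody is
# watching; alert on it instead of assuming the group is healthy.
$stale = @($status | Where-Object Stale)
if ($stale.Count -gt 0) {
    Write-Warning "$($stale.Count) hybrid worker(s) have not checked in for $threshold minutes: $($stale.Worker -join ', ')"
}
```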

Now you should be able to set up Azure Hybrid Runbook Workers and manage on-premises resources from the Azure cloud!

Monday, August 27, 2018

How to resolve the error "The user does not exist or is not unique." when using Set-SPOUser for SharePoint Online?


In order to support daily SharePoint Online activities, we need to add a group to every SPO site as site collection admin. Before our company came up with a site provisioning process that adds the group to each site collection, some sites were created from the SharePoint UI or from Office 365 Groups and do not have that specific group as site collection admin. When we use PowerShell to add that group, we get the following error.

“Set-SPOUser : The user does not exist or is not unique.”

We had the same issue in the self-provisioning Azure Function PowerShell that adds users to SPO groups such as the owners group. After debugging, we identified that it is related to how SharePoint Online resolves groups: an Azure AD security group has no email address, so SharePoint cannot resolve it the way it resolves a user. Here is the way to add such a group as site collection admin or into a SharePoint group.

You need the claims-encoded login name of the group, which looks like "c:0t.c|tenant|????????-????-????-????-????????????"; the GUID at the end is the Azure AD group's object ID (this is a SharePoint claims identifier, not a Windows SID). You can find it from the SPO UI: check the permissions for that group and the login name is shown, as we discussed in the previous blog. Then you can add it as site collection admin.

# Prompt for the SPO admin credential instead of hard-coding a password in the script.
# For unattended runs, keep the credential in a vault (for example an Azure Automation
# credential asset) rather than in the script file.
$creds = Get-Credential -Message "SharePoint Online admin account (e.g. spoadmin@mycompany.onmicrosoft.com)"

Connect-SPOService -Url "https://mycompany-admin.sharepoint.com/" -Credential $creds

$siteUrl = "https://mycompany.sharepoint.com/teams/departmentsite"
# Claims-encoded login name of the Azure AD group; the GUID is the group's object ID.
$SiteCollectionAdmin = "c:0t.c|tenant|????????-????-????-????-????????????"
Set-SPOUser -Site $siteUrl -LoginName $SiteCollectionAdmin -IsSiteCollectionAdmin $true
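Copying the GUID out of the SPO UI does not scale to "every site collection". The script below is an added example, not code from the original post: it builds the claims-encoded login name from the group's object ID via the AzureAD module, applies it to every site collection, and reads the user back to confirm. It assumes the AzureAD and Microsoft.Online.SharePoint.PowerShell modules with open Connect-AzureAD and Connect-SPOService sessions; the group name "SPO Site Admins" is a placeholder.

```powershell
# Added example: resolve an Azure AD security group to its SharePoint Online
# claims login name and grant it site collection admin on all site collections.
# Assumes Connect-AzureAD and Connect-SPOService have already been run.

function Get-SpoGroupLoginName {
    param([Parameter(Mandatory)] [string]$GroupDisplayName)
    # SearchString is a prefix match, so filter to the exact display name and
    # refuse to continue unless exactly one group matches.
    $group = @(Get-AzureADGroup -SearchString $GroupDisplayName |
               Where-Object DisplayName -eq $GroupDisplayName)
    if ($group.Count -ne 1) {
        throw "Expected exactly one Azure AD group named '$GroupDisplayName', found $($group.Count)"
    }
    # c:0t.c|tenant|<objectId> is how SharePoint Online encodes an Azure AD security group.
    "c:0t.c|tenant|$($group[0].ObjectId)"
}

function Grant-SiteCollectionAdminEverywhere {
    param([Parameter(Mandatory)] [string]$LoginName)
    # Site collection admin is full control of the site: keep the group's
    # membership small and reviewed, and log every site where it was missing.
    foreach ($site in Get-SPOSite -Limit All) {
        $existing = Get-SPOUser -Site $site.Url -LoginName $LoginName -ErrorAction SilentlyContinue
        if ($existing -and $existing.IsSiteAdmin) { continue }

        Set-SPOUser -Site $site.Url -LoginName $LoginName -IsSiteCollectionAdmin $true | Out-Null

        # Read it back rather than trusting the call: a silent no-op is the
        # failure mode the "not unique" error hides.
        $check = Get-SPOUser -Site $site.Url -LoginName $LoginName -ErrorAction SilentlyContinue
        if ($check -and $check.IsSiteAdmin) {
            "Added site collection admin on $($site.Url)"
        } else {
            Write-Warning "Site collection admin NOT applied on $($site.Url)"
        }
    }
}

$login = Get-SpoGroupLoginName -GroupDisplayName 'SPO Site Admins'
Grant-SiteCollectionAdminEverywhere -LoginName $login
```

Get-SPOSite -Limit All does not return personal (OneDrive) sites; add -IncludePersonalSite if those need the same treatment, and expect the loop to take a while on a large tenant.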

If you need to add the group to a SharePoint group instead, use the LookupValue of the user/group field value. Here is a PnP PowerShell example, where $owner is a user field value read from a list item (as in a provisioning request list) rather than a plain string, since a string has no Email or LookupValue property.

Connect-PnPOnline -Url $siteUrl -Credentials $creds

# $owner is a FieldUserValue (LookupId, LookupValue, Email) from a list item;
# "SiteRequests" and the "Owner" column are hypothetical names for illustration.
$owner = (Get-PnPListItem -List "SiteRequests" -Id 1)["Owner"]

# Group ID 3 is assumed to be the site's Owners group; confirm with Get-PnPGroup.
if (-not [string]::IsNullOrEmpty($owner.Email))
{
       # Users and mail-enabled groups resolve by email address.
       Add-PnPUserToGroup -LoginName $owner.Email -Identity 3
}
else
{
       # Security groups have no email; resolve them by display name (LookupValue).
       Add-PnPUserToGroup -LoginName $owner.LookupValue -Identity 3
}

Now you should be able to deal with groups inside SharePoint Online using PowerShell.