Azure Automation Account and Private Endpoints

John Parker 26 Reputation points
2022-10-04T18:12:10.03+00:00

In our tenant, we have an Automation account with a few runbooks that connect to Exchange Online and run PowerShell scripts to block Exchange Online PowerShell, except for a few users and modify calendar permissions. Recently we received an alert from our eSentire Azure alerting service telling us that the Automation account should be restricted with a private endpoint so that public network access is disabled.

Would setting up a private endpoint block the runbooks from connecting to Exchange Online? I haven't been able to find anything in Microsoft's documentation about how private endpoints can affect connectivity to M365 resources like Exchange Online.


Accepted answer
  1. Maxim Sergeev 6,566 Reputation points Microsoft Employee
    2022-10-05T17:00:44.273+00:00

    Hi there,

    Exchange Online is not Azure.
    Azure Private Link endpoints are referred to Azure services only.

    On the other hand, Azure IP range is quite dynamic, and Azure changes the public IPs regularly. https://www.microsoft.com/en-us/download/details.aspx?id=56519

    In your case, it seems better to:

    • create an Azure VM with a public IP address
    • allow the IP address in your whitelist in Exchange Online,
    • register the VM as a Hybrid Worker Server
    • trigger all runbooks in the Hybrid Worker Server

    https://learn.microsoft.com/en-us/azure/automation/extension-based-hybrid-runbook-worker-install?tabs=windows%2Carm-template

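The accepted answer's point about Azure public ranges changing regularly can be checked against the Service Tags download it links. The following is an added example, not part of the original answers: it compares two snapshots in that file's JSON layout against an allowlist, and shows that a single fixed address (such as the Hybrid Worker VM's public IP) is unaffected by that drift. The snapshots, prefixes (documentation ranges) and function names are constructed for illustration.

```python
import ipaddress

# Constructed snapshots in the Service Tags JSON layout
# (values[].name, values[].properties.addressPrefixes).
SNAPSHOT_OLD = {
    "changeNumber": 1,
    "values": [
        {"name": "AzureCloud.eastus",
         "properties": {"addressPrefixes": ["192.0.2.0/24", "198.51.100.0/25"]}},
    ],
}
SNAPSHOT_NEW = {
    "changeNumber": 2,
    "values": [
        {"name": "AzureCloud.eastus",
         "properties": {"addressPrefixes": ["192.0.2.0/24", "203.0.113.0/24"]}},
    ],
}


def prefixes(snapshot, tag):
    """Return the set of networks published for one service tag."""
    for entry in snapshot["values"]:
        if entry["name"] == tag:
            return {ipaddress.ip_network(p)
                    for p in entry["properties"]["addressPrefixes"]}
    raise KeyError(tag)


def allowlist_drift(old, new, tag, allowlist):
    """Compare two snapshots against an allowlist of CIDR strings.

    stale   : allowlisted ranges the tag no longer publishes
    missing : ranges the tag now publishes that no allowlist entry covers
    """
    allowed = {ipaddress.ip_network(a) for a in allowlist}
    old_set, new_set = prefixes(old, tag), prefixes(new, tag)
    stale = sorted(str(a) for a in allowed if a in old_set - new_set)
    missing = sorted(str(n) for n in new_set
                     if not any(n.version == a.version and n.subnet_of(a)
                                for a in allowed))
    return {"stale": stale, "missing": missing}


def source_ip_allowed(ip, allowlist):
    """True when a single source address falls inside any allowlisted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(a) for a in allowlist)
```

A non-empty `stale` or `missing` list means a range-based allowlist no longer matches what the tag publishes, while a `/32` entry for one static address does not depend on the file at all.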

1 additional answer

  1. John Parker 26 Reputation points
    2022-10-05T17:09:07.877+00:00

    Thank you for the insight! It sounds like we might be better off scrapping the runbooks if it would involve setting up a VM just for these 2 runbooks.