Restrict Azure Automation Runbooks

Jesus Chao 156 Reputation points
2023-04-28T18:23:44.95+00:00

Hi,

We have an Azure AD app registration that has read access to an Azure Automation parent resource group and we want to know if there is a way to give that account Automation Job Operator rights but not the ability to run every single runbook in the Automation account. So in other words, we would like to only give this account the ability to start a select few runbooks in the account.

We found the following article and it shows how you can give the "Automation Runbook Operator" role to a principal and if that is done, they will only see that specific runbook in the view. However, we found that even if we do this, the account - specifically the app registration - can still run any runbook in the automation account.

Is this an issue that this is an app registration? Is there a way to set runbook permissions only or apply a deny permission on the runbooks that I don't want to expose to the app registration?

Here is the link to the article that says we can limit the runbook access to specific runbooks. Just to reiterate, we have attempted the code snippet on the app registration account and it can still launch all other runbooks.

https://learn.microsoft.com/en-us/azure/automation/automation-role-based-access-control#configure-azure-rbac-for-runbooks


Accepted answer
Luke Murray 11,436 Reputation points MVP Volunteer Moderator
2023-05-02T21:24:21.91+00:00

Hi, Jesus

Unfortunately not - even with a Custom role - it will be all of that type of resource, in that scope (i.e. Resource Group/Subscription), and you are unable to set Access Control to the Runbooks themselves.

There's no Deny action.

I attempted to move a Runbook into a separate Resource Group, but the Azure Automation account needs to be moved as well - so you could end up having a separate Azure Automation account for those specific runbook rights.
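Added example, not from the question or the answer: a small Python model of Azure RBAC scope inheritance that shows why an account-scoped "Automation Job Operator" assignment lets the app registration start every runbook, and why a runbook-scoped "Automation Runbook Operator" assignment cannot narrow that. The role action lists are abbreviated from the built-in roles, the scope paths are placeholders, and it assumes that a runbook job is created as a child of the Automation account rather than of the runbook.

```python
"""Model of Azure RBAC scope inheritance for Automation runbooks (constructed example)."""
from fnmatch import fnmatch

# Abbreviated action lists for the built-in roles (assumption: the real roles carry more).
ROLE_ACTIONS = {
    "Automation Job Operator": ["Microsoft.Automation/automationAccounts/jobs/write",
                                "Microsoft.Automation/automationAccounts/jobs/read"],
    "Automation Runbook Operator": ["Microsoft.Automation/automationAccounts/runbooks/read"],
}

# Placeholder scope path; not a real subscription, resource group or account.
ACCOUNT = ("/subscriptions/<sub>/resourceGroups/<rg>/providers/"
           "Microsoft.Automation/automationAccounts/<acct>")

# Constructed role assignments for the app registration's service principal.
ASSIGNMENTS = [
    {"principal": "app-sp", "role": "Automation Job Operator", "scope": ACCOUNT},
    {"principal": "app-sp", "role": "Automation Runbook Operator",
     "scope": ACCOUNT + "/runbooks/Allowed-Runbook"},
]


def scope_covers(assignment_scope, resource_scope):
    """An assignment applies at its own scope and to every child resource under it."""
    a, r = assignment_scope.lower().rstrip("/"), resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def effective_actions(principal, resource_scope, assignments=ASSIGNMENTS):
    """Azure RBAC is additive: the union of every matching assignment, no deny step."""
    allowed = set()
    for asg in assignments:
        if asg["principal"] == principal and scope_covers(asg["scope"], resource_scope):
            allowed.update(ROLE_ACTIONS[asg["role"]])
    return allowed


def is_allowed(principal, action, resource_scope, assignments=ASSIGNMENTS):
    # Action patterns may contain wildcards such as "Microsoft.Automation/*".
    return any(fnmatch(action, pattern)
               for pattern in effective_actions(principal, resource_scope, assignments))


def can_start_runbook(principal, runbook_name, assignments=ASSIGNMENTS):
    """Starting a runbook creates a job under the account (assumed hierarchy), so only
    jobs/write at the account or a parent scope decides; runbook_name is deliberately unused."""
    job_scope = f"{ACCOUNT}/jobs/<new-job-id>"
    return is_allowed(principal, "Microsoft.Automation/automationAccounts/jobs/write",
                      job_scope, assignments)


def principals_who_can_start_any_runbook(assignments=ASSIGNMENTS):
    """Audit helper: which principals hold job-start rights over the whole account?"""
    return sorted({asg["principal"] for asg in assignments
                   if can_start_runbook(asg["principal"], "<any>", assignments)})
```

Removing the account-scoped assignment is the only change in this model that stops the principal starting runbooks, which is what pushes the workaround toward a separate Automation account.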

