[Internal Error] The Hybrid Worker Extension failed to execute: {"Message":"Authentication failed for private links"}

Kelly Rusk 6 Reputation points

I am using Azure Automation set as private per the recommendation on screen when creating an Azure Automation account. The goal is to run T-SQL against Azure SQL but since Azure Automation does not support a Private Link to Azure SQL yet, I set up a Hybrid Worker group and an Hybrid Worker. It added the Hybrid Worker and seems to be trying to install the extension but upon inspecting the VM (since it is failing to run a simple runbook) I see the following error:

[Internal Error] The Hybrid Worker Extension failed to execute: {"Message":"Authentication failed for private links"}

Azure Private Link
Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
384 questions
Azure Automation
Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.
952 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. AnuragSingh-MSFT 16,246 Reputation points

    Hi @Kelly Rusk

    Welcome to Microsoft Q&A! Thanks for posting the question.

    I understand that you are trying to deploy an extension-based User Hybrid Runbook Worker on Azure Windows VM with Public Access disabled for Azure Automation Account, as shown below:


    From the error posted above, I could think of the following major reasons for its failure (I am also providing a summary of steps to be followed in the later section of this answer to help you configure it again)

    1. The virtual network of VM is different from the Azure Automation Account's private endpoint's virtual network (OR they are not connected).

    2. System assigned identity is not enabled on the Azure VM (which is the designated Hybrid Worker).

    Below are the steps that I took for testing "extension-based user hybrid worker" connection to Azure Automation Account with Public Access Disabled.

    a. Create a Virtual Network in Azure with subnet. Azure Automation Account's private endpoint and Azure VM (Hybrid worker) will connect to this VNET. You can keep the address spaces and subnet addresses as default.

    b. Follow the instruction available here to connect the automation account to private endpoint. (It can take up to 35 minutes for it to take effect):

    c. Create a Windows Virtual Machine and connect it to the the VNET created in Step a. above.

    d. Deploy the extension-based user hybrid worker using the steps available here.

    e. Test your runbook against this hybrid worker. You can examine the following logs in Windows Event Viewer, to check for errors:

    >>. Application logs available under "Windows Logs" in Event Viewer on the Hybrid worker machine. This would contain logs related to installation failures/crashes happening for related process.

    >>. Operational logs available under "Applications and Services Logs --> Microsoft-SMA" in Event Viewer on the Hybrid worker machine. This would contain logs related to the functioning of runbook worker as well execution of runbook jobs.

    >>. As the steps above are for extension-based deployment, you can also examine activity logs in Azure Portal for the VM for any failures.

    Please let me know if you have any questions.

    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

    1 person found this answer helpful.