In this blog, I will share issue scenarios related to the Azure Automation connector in both Logic App (Consumption) and Logic App Standard, along with their causes and resolutions.
The Azure Automation connector allows you to manage your Azure Automation resources within Logic Apps. It enables you to create, update, and manage runbooks, schedules, and jobs, as well as retrieve job output and track job status. For more details, refer to this document: Azure Automation - Connectors | Microsoft Learn
Issue |
If any action of the Azure Automation connector fails with an 'Unauthorized' error such as the one below:
{'statusCode':'Unauthorized','body': {'code':'ServiceProviderActionFailed','message':'The service provider action failed with error code 'Unauthorized' and error message 'AuthorizationFailed: The client '..' with object id '...' does not have authorization to perform action 'Microsoft.Automation/automationAccounts/jobs/write' over scope '/subscriptions/../resourceGroups/../providers/Microsoft.Automation/automationAccounts/../jobs/.' or the scope is invalid. If access was recently granted, please refresh your credentials. '.'}}
Or
The client '---' with object id '----' does not have authorization to perform action 'Microsoft.Automation/automationAccounts/runbooks/read' over scope '/subscriptions/--/resourceGroups/--/providers/Microsoft.Automation/automationAccounts/--/runbooks/testrunbook' or the scope is invalid. If access was recently granted, please refresh your credentials. More diagnostic information. |
Cause |
Lack of permission on the Automation account |
Resolution |
In the logic app, when you create a connection for the Azure Automation connector using default OAuth, service principal, or Azure AD authentication, make sure to assign the 'Automation Contributor' role on the Automation account to the identity the connection uses: the specific user (if the user does not have access to the Automation account), the Azure AD/SPN, or the managed identity.
Documentation on the Automation Contributor role: Manage role permissions and security in Azure Automation | Microsoft Learn
The screenshots below show assigning the role to a managed identity at the Automation account:
|
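One way to apply this resolution from PowerShell, as an added example (not code from the original post): it reads the object id and scope out of an 'AuthorizationFailed' message, trims the scope to the Automation account, and assigns 'Automation Contributor' there only if it is missing. The message text, GUIDs and resource names are constructed placeholders; the Az.Resources module and a signed-in session are assumed.

```powershell
# Added example. Assumes the Az.Resources module and Connect-AzAccount.
# Constructed sample in the shape of the connector error above; paste the real message here.
$message = "The client 'logicapp-demo' with object id '11111111-1111-1111-1111-111111111111' " +
    "does not have authorization to perform action 'Microsoft.Automation/automationAccounts/runbooks/read' " +
    "over scope '/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-demo/providers/" +
    "Microsoft.Automation/automationAccounts/aa-demo/runbooks/testrunbook' or the scope is invalid."

# Pull out who was denied, which action, and on which resource.
$denied = "object id '(?<oid>[^']+)'.*?perform action '(?<action>[^']+)' over scope '(?<scope>[^']+)'"
if ($message -notmatch $denied) { throw 'Message is not an AuthorizationFailed error.' }
$objectId = $Matches['oid']
$action   = $Matches['action']
$scope    = $Matches['scope']

# Trim the scope to the Automation account so the role is granted there,
# not on the resource group or subscription.
$accountPattern = '^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Automation/automationAccounts/[^/]+'
if ($scope -notmatch $accountPattern) { throw "Scope is not under an Automation account: $scope" }
$accountScope = $Matches[0]

$role = 'Automation Contributor'
# -Scope also returns assignments inherited from the resource group or subscription.
$existing = Get-AzRoleAssignment -ObjectId $objectId -Scope $accountScope |
    Where-Object { $_.RoleDefinitionName -eq $role }

if ($existing) {
    Write-Output "$objectId already holds '$role' on $accountScope; if access was recently granted, refresh credentials."
} else {
    New-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $role -Scope $accountScope
    Write-Output "Assigned '$role' to $objectId on $accountScope (denied action was '$action')."
}
```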
Issue |
The Azure Automation connector action 'Create job' fails with the error below: { "code": "BadRequest", "message": "{\"Message\":\"The request is invalid.\",\"ModelState\":{\"job.properties\":[\"The properties field is required.\"]}}" } |
Cause |
The 'Runbook Name' parameter was not provided. |
Resolution |
Because 'Runbook Name' is not a required parameter, we need to select the 'Runbook Name' parameter from 'Add new parameter' and specify the runbook name to resolve the above error.
|
Issue |
The Azure Automation connector action 'Create job' fails with the error below:
{ "code": "NotFound", "message": "Runbook not found." } |
Cause |
The runbook is not saved or published. |
Resolution |
To resolve the above error, make sure to add code to the runbook, then save the runbook and publish it. Refer to this document on creating a runbook: Tutorial - Create a PowerShell Workflow runbook in Azure Automation | Microsoft Learn |
Issue |
A user wants to fetch runbook and Azure Automation details from any Azure Automation connector action. |
Cause |
Advisory |
Resolution |
Use the 'Parse JSON' action to parse the payload/dynamic content of the Azure Automation connector and pick specific fields to use in subsequent actions. |
Issue |
When a user POSTs an HTTP request as a REST API call with the Invoke-WebRequest command from an Automation runbook to Logic App Standard, the error below appears in the runbook history:
Error 403 - Forbidden The web app you have attempted to reach has blocked your access. |
Cause |
The Logic App Standard has an inbound access restriction. |
Resolution |
If you want to allow only public communication from Automation and deny other communications, allow only communication from the GuestAndHybridManagement service tag in the access restrictions of the Logic App Standard: Azure service tags overview | Microsoft Learn |
Issue |
When calling an Automation runbook from Logic App Standard with the HTTP Webhook action, the error below is returned even though both the Automation account and the Logic App Standard are in the same virtual network.
{ 'statusCode': 401, 'headers': { 'Server': 'Microsoft-HTTPAPI/2.0', 'Date': 'Fri, 06 Oct 2023 13:54:20 GMT', 'Content-Length': '0', 'Content-Type': 'text/plain; charset=utf-8' } }
|
Cause |
The private endpoint of the Automation account is missing a VNET link. |
Resolution |
Navigate to the Private DNS Zone (privatelink.azure-automation.net) associated with the private endpoint of the Automation account and add a Virtual Network Link. |
Issue |
How to identify which logic app has triggered the runbook? |
Cause |
Advisory |
Resolution |
There is no direct way to find which logic app executed the runbook; however, the logic app receives the JobId when it invokes the runbook, we can provide that job id
We can also fetch the logic app run details using the expression workflow().run and store them in persistent storage (workspace, DB, etc.) for audits. |
Issue |
Why does the logic app call the runbook twice? |
Cause |
If the logic app times out while calling the runbook, it retries, and the runbook gets triggered twice. |
Resolution |
To prevent the above behavior, set 'retry policy' to none in the 'Create job' action of the Azure Automation connector. |
Issue |
The Azure Automation connector action 'Get job output' returned an empty result. |
Cause |
The Automation job takes ~30 seconds to finish and generate output. |
Resolution |
The Automation job takes ~30 seconds to finish and generate output. If you query the result by job ID immediately after the 'Create job' action, you will get an empty result. To retrieve the output, we can add a ~40 sec to 1 min 'Delay' action between 'Create job' and 'Get job output'. This will guarantee that the job is completed and the output is generated. |
Published Feb 08, 2024
Version 1.0
Saroja_L_Sattigeri
Microsoft