Jan 08 2021
- last edited on
May 24 2021
Hoping someone can help me. I have a global admin account which runs a PowerShell script weekly from an Azure VM on an internal network with no public IP. I would like to restrict this account to only be authorised to run from this internal VM, which I have tried to do using a CAP with a location-based restriction on the internal subnet. The issue I face is that when the script runs, Azure assigns it a cloud IP, which is outside of the internal subnet, to carry out its tasks. I have no way of predicting this IP address, so I am unable to use CAP to restrict it.
Does anyone have any workarounds, and are there alternative ways to run PowerShell scripts other than using an elevated user account on a VM?
Jan 08 2021 08:24 AM
Jan 12 2021 05:15 AM
As Thijs mentioned, I would stay away from scripts running as GA.
And is this VM only for this script? Maybe consider moving this script to a Workbook and schedule, or if you need logs etc, maybe an Azure Function. Then there is no worry about IP and blocking this script from ever "leaving" Azure.
Of course, depends on what the script does, but if it needs GA, it sounds like it runs towards Azure services.
Jan 14 2021 12:42 AM
Hi both, thanks for your input. I have done some further investigation and it looks like we may be able to use an automation account for this task. I agree, I also don't like using any account with GA for any task if it can be avoided. I'll see how we get on with this new direction and if it doesn't work, will look at what you have recommended.
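Added example of the direction the last reply describes (this is not code from the thread or from any poster): an Azure Automation runbook that signs in with the automation account's system-assigned managed identity, plus the one-time role assignment that replaces the Global Administrator account with a role scoped to a single resource group. The subscription ID, resource group, principal ID and the weekly task itself are assumed placeholders.

```powershell
# One-time setup, run once by an administrator (not inside the runbook).
# Assumed placeholders: replace with your own values.
$SubscriptionId   = '<subscription-id>'
$ResourceGroup    = '<resource-group-the-script-manages>'
$RunbookPrincipal = '<object-id-of-the-automation-account-managed-identity>'

# Grant the managed identity only the role the script needs, scoped to one
# resource group, instead of running the job under a Global Administrator.
New-AzRoleAssignment -ObjectId $RunbookPrincipal `
    -RoleDefinitionName 'Virtual Machine Contributor' `
    -Scope "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"

# Runbook body (Azure Automation, PowerShell runtime).
# Sign in as the automation account's system-assigned managed identity:
# no stored password or client secret, and no interactive user sign-in,
# so the user location-based Conditional Access policy from the question
# no longer has to account for an unpredictable egress IP.
Connect-AzAccount -Identity | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Assumed weekly task: report any VM in the resource group that is not running.
$notRunning = Get-AzVM -ResourceGroupName $ResourceGroup -Status |
    Where-Object { $_.PowerState -ne 'VM running' }

foreach ($vm in $notRunning) {
    Write-Output "$($vm.Name): $($vm.PowerState)"
}
```

The job's sign-ins then appear under the managed identity's service principal in the sign-in logs, which is also a cleaner thing to alert on than a Global Administrator signing in from a cloud IP.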