Share via

azure automation: create user\groups in on-promise AD with runbook

Arif Usman 496 Reputation points
2025-07-29T02:14:03.8333333+00:00

Hi folks,

I have a hybrid identity setup with on-premises Active Directory synchronized to Azure AD via Azure AD Connect. I'm exploring options to automate the creation of users and groups in the on-prem AD using Azure Automation Runbooks.

Specifically, I’m trying to understand what methods are available to interact with on-prem AD from Azure Automation. I've come across some YouTube videos demonstrating hybrid runbook workers using Azure Arc-enabled servers and an on-prem AD service account.

A few questions:

If I have a domain-joined VM in Azure (joined to on-prem AD via VPN or ExpressRoute), can this VM function as an Azure Arc-enabled hybrid worker?

Is using a hybrid runbook worker the most efficient and secure way to manage on-prem AD objects from Azure?

Are there alternative architectures or best practices recommended for this use case?

Just trying to connect the dots and identify the most reliable and maintainable option moving forward.

Thanks in advance!

Best regards,

Azure Automation
Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Sina Salam 22,576 Reputation points Volunteer Moderator
    2025-07-30T15:50:10.33+00:00

    Hello Arif Usman,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you would like to use azure automation to create user\groups in on-premise AD with runbook.

    Regarding your scenarios and questions:

    If I have a domain-joined VM in Azure (joined to on-prem AD via VPN or ExpressRoute), can this VM function as an Azure Arc-enabled hybrid worker?

    Yes, and here’s how: https://learn.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker

    Is using a hybrid runbook worker the most efficient and secure way to manage on-prem AD objects from Azure?

    Yes, especially the extension-based HRW.

    Check this link: https://practical365.com/how-to-manage-on-premises-infrastructure-using-azure-automation-hybrid-worker/ it helps you in hybrid runbook worker the most efficient and secure method.

    Are there alternative architectures or best practices recommended for this use case?

    I will recommend these Architectures:

    1. Azure Automation Account
    2. Extension-based Hybrid Runbook Worker on Azure VM
    3. Azure Key Vault for storing AD service account credentials
    4. Azure Monitor / Log Analytics for logging and alerting

    For best practices:

    • Use PowerShell runbooks with ActiveDirectory module.
    • Secure credentials using Managed Identity or Key Vault.
    • Monitor execution via Azure Monitor and Log Analytics Workspace as stated in the link above.

    Finally, avoid the followings:

    • Agent-based HRW (retired).
    • Exposing AD via public APIs.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.