Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.
Azure Automation Hybrid Woker permission automatically removed
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 54%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECB%3C/text%3E%3C/svg%3E)
Carlo Berchtold
0
Reputation points
We are experiencing a recurring issue with two installed instances of the Azure Automation Hybrid Worker extension. For several months, both extensions have exhibited the same behavior: approximately twice per month, the custom credential permissions are inexplicably removed from the following paths:
-
C:\ProgramData\AzureConnectedMachineAgent\Tokens— Read access -
C:\Packages\Plugins\Microsoft.Azure.Automation.HybridWorker.HybridWorkerForWindows— Read and Execute access
The issue results in jobs being suspended.
Initially, we suspected this might be triggered by Windows Updates or extension upgrades, but after some checks, these events do not correlate with the permission resets. The root cause remains unclear, and the behavior appears to be non-deterministic and unrelated to any scheduled system or extension-level changes.
Azure Automation
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 68%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBY%3C/text%3E%3C/svg%3E)
Bharath Y P 80 Reputation points Microsoft External Staff Moderator2025-08-08T17:16:54.42+00:00 Hello Carlo Berchtold,
Welcome to Microsoft Q&A forum!
You're experiencing a recurring issue with two installed instances of the Azure Automation Hybrid Worker extension. Specifically, Custom credential permissions are being removed folder path, This leads to job suspension in Azure Automation. The issue occurs twice per month, non-deterministically, and is not correlated with Windows Updates or extension upgrades.
If extension-based Hybrid Worker is using custom Hybrid Worker credentials, then ensure that following folder permissions are assigned to the custom user to avoid jobs from getting suspended.
Looks like, you already provided the folder permission to the respective folder with Read /
Read and Execute permission.
- When a system has UAC/LUA in place, permissions must be granted directly and not through any group membership.
- Due to a current limitation, these folder permissions are removed from the C:\ProgramData\AzureConnectedMachineAgent\Tokens folder on Azure Arc-enabled machines when the Azure Connected Machine agent is updated. The current resolution is to reapply these permissions to the folder.
Troubleshoot extension-based Hybrid Runbook Worker issues in Azure Automation | Microsoft Learn
The current resolution is to reapply the folder permissions to C:\ProgramData\AzureConnectedMachineAgent\Tokens when the Azure Connected Machine agent is updated.
You can refer: Permissions for Hybrid worker credentials.
Please let me know if you face any challenge here, I can help you to resolve this issue further.
Sign in to comment
Sign in to answer