I always like to create some automation tasks to replace the tedious manual click job. This can be very helpful for customers with large environment. In this blog, I want to share the Azure Runbook which I made to run at the Azure background and automatically back up the VMs with [email protected]{backup = ‘true’}. This can standardize the VM backup with certain backup policy and automatically audit the environment and make sure to back up the required computing VM resources.
In order to run the runbook, add below modules into your Azure automation account environment:

  • RecoveryServices Version 4.1.4
  • RecoveryServices.backup Version 4.3.0

Below is the Runbook PS script file:
[code language=”powershell”]
#define login
function Login() {
$connectionName = “AzureRunAsConnection”
Write-Verbose “Acquiring service principal for connection ‘$connectionName'” -Verbose
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
Write-Verbose “Logging in to Azure…” -Verbose
Add-AzureRmAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint | Out-Null
catch {
if (!$servicePrincipalConnection)
$ErrorMessage = “Connection $connectionName not found.”
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
#define global variables
$rsVaultName = “myRsVault”
$rgName = “edmond-guo-rg”
$location = “Australia Southeast”
$keyvault = “edkeyvault1”
$vmrg = “VMs”
$backupvms = (Get-AzureRmResource -Tag @{ backup=”true”} -ResourceGroupName edmond-guo-rg -ResourceType Microsoft.Compute/virtualMachines).Name
# Register the Recovery Services provider and create a resource group
Register-AzureRmResourceProvider -ProviderNamespace “Microsoft.RecoveryServices”
# Create a Recovery Services Vault and set its storage redundancy type
New-AzureRmRecoveryServicesVault `
-Name $rsVaultName `
-ResourceGroupName $rgName `
-Location $location
$vault1 = Get-AzureRmRecoveryServicesVault –Name $rsVaultName
Set-AzureRmRecoveryServicesBackupProperties -Vault $vault1 -BackupStorageRedundancy LocallyRedundant
# Set Recovery Services Vault context and create protection policy
Get-AzureRmRecoveryServicesVault -Name $rsVaultName | Set-AzureRmRecoveryServicesVaultContext
$schPol = Get-AzureRmRecoveryServicesBackupSchedulePolicyObject -WorkloadType “AzureVM”
$retPol = Get-AzureRmRecoveryServicesBackupRetentionPolicyObject -WorkloadType “AzureVM”
foreach($backupvm in $backupvms)
# Provide permissions to Azure Backup to access key vault and enable backup on the VM
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyvault -ResourceGroupName $rgName -PermissionsToKeys backup,get,list -PermissionsToSecrets backup,get,list -ServicePrincipalName 17078714-cbca-45c7-b486-5d9035fae0b5
$pol = Get-AzureRmRecoveryServicesBackupProtectionPolicy -Name “NewPolicy”
Enable-AzureRmRecoveryServicesBackupProtection -Policy $pol -Name $backupvm -ResourceGroupName $vmrg
# Modify protection policy
$retPol = Get-AzureRmRecoveryServicesBackupRetentionPolicyObject -WorkloadType “AzureVM”
$retPol.DailySchedule.DurationCountInDays = 365
$pol = Get-AzureRmRecoveryServicesBackupProtectionPolicy -Name “NewPolicy”
Set-AzureRmRecoveryServicesBackupProtectionPolicy -Policy $pol -RetentionPolicy $RetPol
# Trigger a backup and monitor backup job
$namedContainer = Get-AzureRmRecoveryServicesBackupContainer -ContainerType “AzureVM” -Status “Registered” -FriendlyName $backupvm
$item = Get-AzureRmRecoveryServicesBackupItem -Container $namedContainer -WorkloadType “AzureVM”
$job = Backup-AzureRmRecoveryServicesBackupItem -Item $item
$joblist = Get-AzureRmRecoveryservicesBackupJob –Status “InProgress”
Wait-AzureRmRecoveryServicesBackupJob `
-Job $joblist[0] `
-Timeout 43200
So this runbook job will run every day at 5AM and taking the VM snapshot and save the VM backup images in your Backup Vault which is defined in the script.
Hopefully this runbook script can help you with the day to day operations task. 😉