Branch: master
.GUID 2d76c8e2-666b-445e-9dc7-9fc2484f360a
.AUTHOR Azure Automation Team
.COMPANYNAME Microsoft Corporation
.COPYRIGHT Microsoft Corporation. All rights reserved.
.TAGS Azure, Azure Automation, Tags, VM, Update management, Machine groups, Computer group, Saved search
.EXTERNALMODULEDEPENDENCIES @{ModuleName = 'AzureRM.Profile'; ModuleVersion = '4.6.0'; ModuleName = 'AzureRM.OperationalInsights'; ModuleVersion = '4.3.2';}
-- EDITED BY Jenny Hunter
-- fixed bugs (null error and misspelled variable)
-- CREATED BY Jenny Hunter
-- added sample script to create a Log Analytics machine group based off of a Azure VM tag
#Requires -Module @{ModuleName = 'AzureRM.Profile'; ModuleVersion = '4.6.0';}
#Requires -Module @{ModuleName = 'AzureRM.OperationalInsights'; ModuleVersion = '4.3.2';}
Sample Azure Automation runbook creates a Log Analytics machine group based off of an Azure VM tag.
This sample runbook creates a Log Analytics machine group based off an Azure VM tag and Update management Log Analytics data.
The major steps of the script are outlined below:
1) Connect to the Azure account
2) Set the subscription context
3) Return the list of Azure VM resource IDs for the provided tag
4) Generate the query for the Log Analytics group creation
5) Remove the saved search if it already exists
6) Create the machine group (saved search)
.PARAMETER WorkspaceName
Mandatory. The name of the OMS Workspace to be referenced.
.PARAMETER ResourceGroupName
Mandatory. The name of the resource group to be referenced for the OMS workspace.
.PARAMETER VmSubscriptionId
Mandatory. A string containing the SubscriptionID of the VMs to be queried.
.PARAMETER OmsSubscriptionId
Optional. A string containing the SubscriptionID of the OMS workspace to be used. If no value is provided,
it defaults to the VmSubscriptionId
Mandatory. The value of the Azure VM tag that you wish to define the machine group.
New-MachineGroupByTag -WorkspaceName "ContosoWorkspace" -ResourceGroupName "ContosoResources" -VmSubscriptionId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -VmTagKey "webservers"
AUTHOR: Jenny Hunter, Azure Automation Team
LASTEDIT: May 29, 2018
EDITBY: Jenny Hunter
Param (
# OMS Workspace
[String] $WorkspaceName,
[String] $ResourceGroupName,
# Azure Subscription
[String] $VmSubscriptionId,
[String] $OmsSubscriptionId,
# Azure Tag
[String] $VmTagValue
# Stop the runbook if any errors occur
$ErrorActionPreference = "Stop"
# Connect to the current Azure account using an Automation account
$Conn = Get-AutomationConnection -Name AzureRunAsConnection
$null = Add-AzureRMAccount -ServicePrincipal -Tenant $Conn.TenantID -ApplicationID $Conn.ApplicationID -CertificateThumbprint $Conn.CertificateThumbprint
# Select the VM subscription
$null = Select-AzureRmSubscription -SubscriptionId $VmSubscriptionId
# Return group of VM ids that have the given tag
$VmIds = (Get-AzureRmVm -WarningAction SilentlyContinue)| Where-Object {$_.Tags.Values.Contains($VmTagValue)} | Select-Object Id
# Parse the VM resource ids into the appropriate format for the LA query
$VmIdQueryList = ($VmIds.Id | ForEach-Object {"tolower('$_')"}) -join ","
# Define queries
$GroupQuery = "Heartbeat | where Solutions contains 'updates' and tolower(ResourceId) in ($VmIdQueryList) | distinct Computer"
# Set the workspace subscription if needed
if ($OmsSubscriptionId) {
$null = Select-AzureRmSubscription -SubscriptionId $OmsSubscriptionId
Write-Output "Subscription context changed to $OmsSubscriptionId for accessing the workspace"
} else {
$OmsSubscriptionId= $VmSubscriptionId
# Define saved search computer group properties
$SavedSearchId = "updategroup" + $VmTagValue.ToLower()
$DisplayName = "Machine group with tag $VmTagValue"
$ResourceId = "subscriptions/$OmsSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName/savedSearches/$SavedSearchId"
$FunctionAlias = "updategroup" + $VmTagValue.ToLower()
# Remove the saved search computer group if it already exists
try {
$null = Remove-AzureRmOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName -SavedSearchId $SavedSearchId
} catch {
Write-Output "No previous version of $SavedSearchId was found."
# Create the Saved Search group
$GroupProperties = [PSCustomObject]@{
Tags = @([PSCustomObject]@{Name="Group";Value="Computer"})
$SavedSearchResource = New-AzureRmResource -ResourceId $ResourceId -Properties $GroupProperties -ApiVersion "2017-03-15-preview" -Force
Write-Output "Saved search machine group resource created with a resource Id of " $SavedSearchResource.ResourceId
