Azure Runbooks
Deploy Azure Automation runbooks for scheduled compliance scanning, endpoint vulnerability assessment, and automated remediation.
Overview
TATER uses Azure Automation Account runbooks for hands-free scheduled scanning. Four runbooks handle different workloads:
| Runbook | Runtime | Schedule | Purpose |
|---|---|---|---|
| Scan-M365Cloud | PS 5.1 | Weekly (Sun 2 AM) | M365 cloud compliance scan |
| Scan-Endpoints | PS 5.1 | Daily (3 AM) | MDE + Intune vulnerability scan |
| Run-Remediation | PS 7.2 | On-demand | Primary remediation runbook |
| Run-Remediation-EXO | PS 5.1 | On-demand | Exchange/Defender remediation |
Prerequisites
- Azure Subscription with Automation Account
- Entra ID app registration with required permissions (see Registered Apps)
- Azure Key Vault with authentication certificate
- Managed Identity enabled on the Automation Account
- Storage Account for remediation scripts (if using remediation)
Required PowerShell Modules
The Automation Account must have all of the following modules installed for the PS 5.1 runtime before the cloud scan will run correctly. Install in the order listed — each group depends on the one above it.
| Module | Purpose | Note |
|---|---|---|
| Az.Accounts | Azure authentication | Install first — others depend on it |
| Az.Storage | Download control scripts from blob storage | |
| Az.KeyVault | Retrieve certificate from Key Vault | |
| Az.Automation | Parent→child runbook delegation | Required for remediation |
| Microsoft.Graph.Authentication | Graph API auth | Install before other Graph modules |
| Microsoft.Graph.* (6 sub-modules) | Users, Groups, Reports, Applications, DirectoryManagement, SignIns | |
| ExchangeOnlineManagement | Exchange Online + Security & Compliance | ~80 controls depend on this |
| MicrosoftTeams | Teams policy queries | Teams Cs* cmdlets require delegated auth — ~36 controls skip |
| PnP.PowerShell | SharePoint Online (modern module) | |
| Microsoft.Online.SharePoint.PowerShell | SharePoint Online (legacy Get-SPOTenant cmdlets) | Required for SPO_001–SPO_015 controls |
Each module takes 5–10 minutes to install. Install Az.Accounts first and wait for it to show Succeeded before proceeding. See AZURE_RUNBOOK_GUIDE.md §3.3 for the automated install script.
Automation Variables
Configure these variables in your Automation Account:
| Variable | Purpose |
|---|---|
| AppClientId | App registration client ID |
| KeyVaultName | Key Vault name for certificate |
| CertName | Certificate name in Key Vault |
| TenantDomain | Tenant domain (e.g., contoso.onmicrosoft.com) |
| TenantId | Azure AD tenant ID |
| ApiBaseUrl | TATER API base URL |
| ApiKey | API key for scan upload authentication |
| OrganizationId | TATER organization ID |
Managed Identity Permissions
Azure RBAC
- Automation Operator: Required for `Start-AzAutomationRunbook` (parent/child delegation)
- Storage Blob Data Reader: Required for remediation script downloads
Microsoft Graph Permissions
Same permissions as the app registration. See Graph API Permissions.
Cloud Scan Runbook
The Scan-M365Cloud runbook authenticates to M365 services using the certificate from Key Vault, evaluates control scripts against your tenant, and uploads results to the TATER API.
Import Graph sub-modules BEFORE connecting Exchange Online. If EXO is connected first, its assembly bindings may conflict with Graph modules.
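The authentication sequence the note above describes, as an added example for a PS 5.1 runbook (not TATER's own Scan-M365Cloud code). It reads the Automation Variables listed earlier; the exact Graph sub-module names and the assumption that the Key Vault certificate is readable as a base64 PFX secret are assumptions.

```powershell
# Added example: certificate auth from Key Vault, Graph loaded before Exchange Online.
$ErrorActionPreference = 'Stop'

# 1. Sign in as the Automation Account's Managed Identity (Az.Accounts).
Connect-AzAccount -Identity | Out-Null

# 2. Read configuration from the Automation Variables.
$clientId  = Get-AutomationVariable -Name 'AppClientId'
$tenantId  = Get-AutomationVariable -Name 'TenantId'
$tenantDom = Get-AutomationVariable -Name 'TenantDomain'
$vaultName = Get-AutomationVariable -Name 'KeyVaultName'
$certName  = Get-AutomationVariable -Name 'CertName'

# 3. Pull the certificate with its private key. A Key Vault certificate is also
#    exposed as a secret whose value is the base64-encoded PFX (assumption: the
#    Managed Identity has secret "Get" on the vault).
$pfxB64 = Get-AzKeyVaultSecret -VaultName $vaultName -Name $certName -AsPlainText
$cert   = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
              -ArgumentList @([Convert]::FromBase64String($pfxB64), $null,
                  [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

# 4. Import the Graph sub-modules FIRST so their assemblies bind before EXO loads
#    (assumed sub-module list, matching the six named in the modules table).
'Microsoft.Graph.Authentication', 'Microsoft.Graph.Users', 'Microsoft.Graph.Groups',
'Microsoft.Graph.Reports', 'Microsoft.Graph.Applications',
'Microsoft.Graph.Identity.DirectoryManagement', 'Microsoft.Graph.Identity.SignIns' |
    ForEach-Object { Import-Module $_ -ErrorAction Stop }
Connect-MgGraph -ClientId $clientId -TenantId $tenantId -Certificate $cert | Out-Null

# 5. Only now load and connect Exchange Online and Security & Compliance.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -AppId $clientId -Certificate $cert -Organization $tenantDom -ShowBanner:$false
Connect-IPPSSession   -AppId $clientId -Certificate $cert -Organization $tenantDom

# Sanity check that both sessions are usable before the control scripts run.
$null = Get-MgOrganization
$null = Get-OrganizationConfig
Write-Output "Graph and Exchange Online sessions established for $tenantDom"
```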
Endpoint Scan Runbook
The Scan-Endpoints runbook queries MDE API and Intune for device inventory, vulnerabilities, software, and CISA KEV data. Key technical details:
- Uses `Invoke-RestMethod` directly (not `Invoke-MgGraphRequest`, which is unavailable in the PS 5.1 sandbox)
- MDE API requires a separate OAuth token with `api.securitycenter.microsoft.com` scope
- Queries vulnerabilities per-machine (not bulk) to avoid memory limits (~400MB sandbox)
- Deduplicates CVEs across all devices
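The per-machine query and CVE deduplication pattern above, as an added example (not TATER's own Scan-Endpoints code). It assumes the MDE token is issued by a client-credentials request using a client secret held in an Automation variable named `MdeClientSecret`; that variable and the token method are assumptions, since the page only states that a separate token is required.

```powershell
# Added example: MDE per-machine vulnerability pull with cross-device CVE dedup.
$tenantId = Get-AutomationVariable -Name 'TenantId'
$clientId = Get-AutomationVariable -Name 'AppClientId'
$secret   = Get-AutomationVariable -Name 'MdeClientSecret'   # assumed variable
$mdeBase  = 'https://api.securitycenter.microsoft.com'

# A separate OAuth token for the MDE resource; the Graph token is not accepted here.
$tokenResp = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{ grant_type = 'client_credentials'; client_id = $clientId
             client_secret = $secret; scope = "$mdeBase/.default" }
$headers = @{ Authorization = "Bearer $($tokenResp.access_token)" }

# Follow @odata.nextLink so large tenants are read page by page, never all at once.
function Get-MdePaged([string]$Uri) {
    while ($Uri) {
        $page = Invoke-RestMethod -Uri $Uri -Headers $headers
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

# Per-machine requests keep each response small enough for the ~400MB sandbox;
# the tenant-wide vulnerabilities endpoint would not.
$seenCves   = New-Object 'System.Collections.Generic.HashSet[string]'
$uniqueCves = New-Object 'System.Collections.Generic.List[object]'
$deviceCves = @{}   # machineId -> CVE ids, for the per-device report

foreach ($m in Get-MdePaged "$mdeBase/api/machines") {
    $vulns = Get-MdePaged "$mdeBase/api/machines/$($m.id)/vulnerabilities"
    $deviceCves[$m.id] = @($vulns | ForEach-Object { $_.id })
    foreach ($v in $vulns) {
        # HashSet.Add returns $false when the CVE was already seen on another device.
        if ($seenCves.Add($v.id)) {
            $uniqueCves.Add([pscustomobject]@{
                CveId = $v.id; Severity = $v.severity; CvssV3 = $v.cvssV3; Name = $v.name })
        }
    }
    $vulns = $null   # drop the per-machine payload before the next device
}
Write-Output ('Devices: {0}  Unique CVEs: {1}' -f $deviceCves.Count, $uniqueCves.Count)
```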
Remediation Runbooks
Two-runbook architecture for automated remediation:
Run-Remediation (PS 7.2)
- Receives webhook trigger from TATER API
- Downloads remediation script from blob storage
- Scans script for Exchange Online cmdlets
- If EXO cmdlets found, delegates to PS 5.1 companion
- Otherwise executes script directly with Graph API token
- Reports status back to TATER API
Run-Remediation-EXO (PS 5.1)
- Called by parent runbook via `Start-AzAutomationRunbook`
- Connects to Exchange Online using certificate auth
- Executes Exchange/Defender/Security & Compliance remediation scripts
- Returns results to parent for API status update
The ExchangeOnlineManagement module is not compatible with PS 7.2 hosted runtime. Exchange cmdlets must run in the PS 5.1 companion runbook.
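How the PS 7.2 parent can decide between running a script itself and handing it to the PS 5.1 companion, as an added example (not TATER's own Run-Remediation code). The script is parsed, not executed, to find the cmdlets it calls. The resource group, Automation Account, storage account and container names, the child runbook's parameter name, and the list of Exchange-only cmdlet nouns are all assumptions.

```powershell
# Added example: detect Exchange Online cmdlets by AST and delegate to PS 5.1.
param(
    [Parameter(Mandatory)] [string] $ScriptBlobName,
    [string] $ResourceGroupName     = 'rg-tater',       # assumed
    [string] $AutomationAccountName = 'aa-tater',       # assumed
    [string] $StorageAccountName    = 'sttaterremed'    # assumed
)
$ErrorActionPreference = 'Stop'
Connect-AzAccount -Identity | Out-Null

# Download the remediation script using the Managed Identity (Storage Blob Data Reader).
$ctx  = New-AzStorageContext -StorageAccountName $StorageAccountName -UseConnectedAccount
$path = Join-Path $env:TEMP $ScriptBlobName
Get-AzStorageBlobContent -Container 'remediation' -Blob $ScriptBlobName `
    -Destination $path -Context $ctx -Force | Out-Null
$scriptText = Get-Content -Path $path -Raw

# Parse the script and collect every command name it invokes (no execution yet).
$ast  = [System.Management.Automation.Language.Parser]::ParseInput($scriptText, [ref]$null, [ref]$null)
$cmds = $ast.FindAll({ $args[0] -is [System.Management.Automation.Language.CommandAst] }, $true) |
        ForEach-Object { $_.GetCommandName() } | Where-Object { $_ } | Sort-Object -Unique

# Nouns served only by ExchangeOnlineManagement / Security & Compliance (assumed list).
$exoNouns = 'Mailbox', 'TransportRule', 'OrganizationConfig', 'MalwareFilterPolicy',
            'HostedContentFilterPolicy', 'SafeLinksPolicy', 'SafeAttachmentPolicy',
            'AntiPhishPolicy', 'AtpPolicyForO365', 'DlpCompliancePolicy'
$exoCmds = @($cmds | Where-Object {
    $noun = ($_ -split '-', 2)[-1]
    $exoNouns | Where-Object { $noun -like "$_*" }
})

if ($exoCmds.Count -gt 0) {
    Write-Output "EXO cmdlets found ($($exoCmds -join ', ')); delegating to Run-Remediation-EXO"
    # Requires the Automation Operator role on this account (Az.Automation).
    $result = Start-AzAutomationRunbook -ResourceGroupName $ResourceGroupName `
        -AutomationAccountName $AutomationAccountName -Name 'Run-Remediation-EXO' `
        -Parameters @{ ScriptBlobName = $ScriptBlobName } -Wait -MaxWaitSeconds 3600
} else {
    # Graph-only script: run it in this PS 7.2 job with the existing Graph session.
    $result = & $path
}
$result   # returned to the caller for the status report back to the API
```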
Schedules
| Schedule Name | Frequency | Time (ET) | Runbook |
|---|---|---|---|
| weekly-m365-scan | Weekly | Sunday 2:00 AM | Scan-M365Cloud |
| daily-endpoint-scan | Daily | 3:00 AM | Scan-Endpoints |
Troubleshooting
Teams Cs* cmdlets require delegated authentication and cannot be automated in runbooks. Approximately 36 Teams controls permanently return SKIP status. This is a known limitation.
The Automation Account's Managed Identity needs the Automation Operator role on itself for parent-to-child runbook delegation.
The tenant-wide MDE vulnerabilities endpoint can cause out-of-memory in the ~400MB sandbox. The Scan-Endpoints runbook uses per-machine queries with deduplication instead.
The `az automation runbook replace-content` CLI sometimes caches old content. Use the Azure REST API directly for reliable PS 7.2 runbook updates.