How to Build an Azure Automation Lab

Hello fellow IT industry professionals! I'm Preston K. Parsard, and I'm truly excited to bring you some awesome  opportunities, so to start, let's consider these scenarios:

1. You're an IT professional and to stay competitive, relevant and enhance your ability to manage large volumes of resources, you would like to quickly develop one or more of the following skills.

You also don't want to worry about the details of building this lab yourself from scratch.

2. Maybe you're more of an IT or business decision maker instead and would like to offer opportunities for your technical staff to quickly provision an on-demand training environment without having to invest in any capital expenditures. Furthermore, you want to allow your staff to deprovision those resources just as easily when required to reduce operational expenses.

3. What about if you're a trainer for any or all the training topics mentioned above and need a convenient way to provide an individual lab environment for each attendee in your class, where each sand-box is customized and segregated for all participants?

If you fit any of these roles and intentions, your responsibilities, including tracking and updating the configuration of this type of solution may soon become a little easier now. After all, what if your automated lab building solution was already documented as some sort of declarative (i.e. infrastructure as…) code? What if all you had to do was run a script and enter a few parameters to trigger and cascade a set of templates to provision your lab for you?

Azure Automation Lab


This project is meant for training or demonstration only and should not be construed as suitable for production purposes. Although it may be cloned, enhanced and customized to a production solution using recommended architectural patterns, the effort required for those enhancements will be at your or your organizations own discretion and responsibility.

Please see the Azure Reference Architectures for guidance on production level planning and design projects.  

This article briefly outlines the project without focusing on the specific details, which are available in the file referenced in the project link in the references section at the end.

Welcome to the 0026-azure--plus-dsc-lab project! Ok, I admit that's a little long, so we can just call it Project 0026 for short.

This solution will deploy a new lab environment fairly quickly once you review the training goals and meet the requirements. The process includes downloading a script, running it and supplying a few parameters. After that, you can do something else, like go to lunch, then come back later to find the completed deployment in about an hour. I do realize that some of you may first want to pause and review the source code before running it. I get that and completely recommend that lookbeforeyouleap approach anyway. The total solution is probably about 4,000 lines of code, mostly based on Java Script Object Notation (JSON) ARM templates, Desired State Configuration and PowerShell scripts. After you or your favorite IT or folks review Project 0026 and you're comfortable, then subsequent deployments can be initiated in about the same time it takes daylight from the sun to reach the earth. Reference:


So let's cover what we'll need to actually make this work now.

  1. An Azure subscription
  2. A web browser
  3. An Internet connection
  4. Windows PowerShell Version 5.1
  5. Membership in the local Administrators group on the machine on which you will execute the PowerShell script.
  6. During script execution, you will be asked to upgrade the legacy AzureRM PowerShell modules to the newer Az versions and a link to a reference that explains how and why this is necessary. Don't worry if you've already upgraded to the Az modules on your system. In that case you can still answer the prompt with “Y”, “y”, “YES” or “yes” to continue and it will just pull the latest version of the Az modules down for you.
  7. A password that must be at least 12 characters in length and meet complexity requirements, i.e. 3 out of 4 of upper case, lower case, numeric and special characters.
  8. Cost: The resource cost for this solution will vary depending on the type of subscription you have. For demos, you can decide to delete the entire resource group and resources once finished, or schedule virtual machine shutdowns at night or during the weekends. See links item 6 in the references section at the end for more information about the pricing calculator.

 Lab Infrastructure

The environment will consist of a total of 10 servers; 9 Windows and 1 , and some supporting resources such as:

  1. A storage account to record diagnostic events.
  2. An automation account to, well…even automate some more stuff like runbooks later if desired.
  3. A log analytics workspace to configure advanced logging and monitoring.
  4. A recovery services vault to backup and restore data or entire VMs.

The VM roles that will be deployed are:

Domain Controllers

Three Windows 2019 Data Center Core domain controllers, where only 1 will be promoted to a domain controller named Both & are only member servers until you promote them.

Development/Jump Server

One Windows 2019 Data Center Development/Jump/DSCPull/DSCPush server with the Visual Studio 2019 Community Edition VM image. This will be

Web Servers

Two Windows 2019 Data Center Core servers, initially deployed as standalone servers but which can later be configured after deployment as web servers using something like Desired State Configuration or an imperative PowerShell script. These are named and

Database Servers

Two Windows 2019 Data Center servers (without the SQL image), initially deployed as standalone servers but which can be configured after deployment as SQL 2019 servers, again using either Desired State Configuration or imperative PowerShell. These are and


One CentOS 7 server, which can be used to demonstrate or practice PowerShell 7 or PowerShell DSC for Linux concepts. This is AZRLNX##01.

PKI Server

One Windows 2019 Data Center with a GUI PKI server named This is really just a base Windows VM image that you can also practice configuring as an actually PKI server. Hey, it could be a great exercise to build this with Desired State Configuration, right?

So these are the 10 servers that will be deployed for your lab. Remember that the details are available in the file for the Azure Automation Plus DSC Lab, or better yet, if you're more of a visual learner, with slide animations and demos, here's the video!

Deploying the Solution

PowerShell Method

To deploy this project, you can either download the script or clone the GitHub repository to your desired target directory on your machine or a file share. Make sure to unblock the script Deploy-AzureResourceGroup.ps1 so it will execute if your PowerShell execution policy is set to something like Remote Signed. Next open your PowerShell editor or console such as the Windows PowerShell ISE, PowerShell, Visual Studio Code, Visual Studio 2019 as an administrator and run the script.

Once the script starts, follow these seven simple steps to initiate the deployment:

  1. Acknowledge that the required modules, such as the Az modules will replace the legacy AzureRM modules (if installed), otherwise if the Az modules are already installed, they will just be updated.
  2. to your Azure subscription.
  3. Enter your subscription name when prompted.
  4. Specify a student number from 1-16 that will be used to uniquely identify your Azure resources.
  5. Enter the geographic Azure region to which you want to deploy this solution.
  6. Provide an administrative password for the adm.infra.user account that will be used to build the servers for you.
  7. Wait for the deployment to complete, which ideally should take about 1 hour if all conditions are satisfied.

Azure CLI (bash) Method

You can also use the Azure CLI method if you prefer. An example set of commands and explanatory comments are also provided in the file for this project.

Connecting to your Lab

If you use the PowerShell deployment method, your RDP prompt will open automatically for you to , otherwise using the Azure CLI method will require you to connect to the jump/development VM from the portal at

After Deploying the Template

Ok, so now you have a lab infrastructure to explore. Although we don't provide exactly what excercises to practice or learn, there is a basic outline of recommended training objectives, such as building the Dev server as a Desired State Configuration push/pull server to simulate an on-premises push/pull scenario based in Azure.

I say we above because I anticipate that some of you just can't wait to help me out with this later on by filing issues, recommending featuressubmitting pull requests, and even contributing, right?

Target State Diagram

After the deployment, this is what the end result should look like:

Figure 1: Project 0026 Target State DiagramFigure 1: Project 0026 Target State Diagram


So we've covered some of the benefits of Project 0026, what's required to get started, what's included in the lab infrastructure, as well as a couple of methods that can be used to perform this deployment. Next, we wrapped it up with how to connect once the solution is provisioned, along with some recommended guidance on what skills you can develop and a target state diagram to reference as you learn. Note also that the ARM templates provide configuration as code documentation. This means for those of you who are, like a magnetic compass needle pulled towards the north pole, are more compelled to investigate the details of the JSON files to see what was actually done and how, the Project 0026 world is now your virtual oyster.

I'd really love to hear any feedback you may have on how we can make this project better for everyone. So what else can we do to help make you a hero (cape not included)?

Well that's it for now IT superstars. I say superstars because I believe anyone interested in reducing administrative effort and leveraging open source contributions to accelerate learning can be nothing less than either a current or future star. Am I right?





This article was originally published by Microsoft's Azure Security Blog. You can find the original article here.