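# This script adds the permissions required for Azure Automation Jobs running on a Hybrid Worker under custom credentials
# Ref: https://learn.microsoft.com/en-us/azure/automation/migrate-existing-agent-based-hybrid-worker-to-extension-based-workers?tabs=bicep-template%2Cwin-hrw#permissions-for-hybrid-worker-credentials
#
# What it grants to $identity (inherited by subfolders and files):
#   - ReadAndExecute on the Hybrid Worker extension folder
#   - Read on the Azure Connected Machine agent "Tokens" folder
#
# NOTE(review): the Tokens grant is the more sensitive of the two. The folder
# belongs to the Azure Connected Machine agent's token flow, so treat $identity
# as able to act with the machine's identity once it can read there. Use a
# dedicated, least-privileged account for the custom credential and confirm the
# exact requirement against the documentation referenced above.
#
# Must be run elevated: changing the ACL of these folders requires
# administrative rights on the worker.
$identity = "..." # Set the identity used in the custom credential here
# Do not change anything after this line

# Stop at the first error so a failure on one folder cannot be followed by a
# Set-Acl call that runs with a stale or empty ACL object.
$ErrorActionPreference = 'Stop'

# Refuse to run with the placeholder (or an empty value) still in place.
if ([string]::IsNullOrWhiteSpace($identity) -or $identity -eq '...') {
    throw 'Set $identity to the account used in the custom credential before running this script.'
}

# Resolve the account once up front. Translate() throws if the name does not
# map to a SID, which catches typos before any ACL is touched.
$account = New-Object System.Security.Principal.NTAccount -ArgumentList $identity
$null = $account.Translate([System.Security.Principal.SecurityIdentifier])

# Folder -> rights table; both entries share the same inheritance settings.
$grants = @(
    @{
        Folder = "C:\Packages\Plugins\Microsoft.Azure.Automation.HybridWorker.HybridWorkerForWindows"
        Rights = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    },
    @{
        Folder = "C:\ProgramData\AzureConnectedMachineAgent\Tokens"
        Rights = [System.Security.AccessControl.FileSystemRights]::Read
    }
)

# Apply to the folder itself and let child folders and files inherit the entry.
$inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$propagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$accessControlType = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($grant in $grants) {
    $folder = $grant.Folder
    $fileSystemRights = $grant.Rights

    # A missing folder usually means the extension or agent is not installed
    # on this machine; report that instead of failing later on a null ACL.
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        throw "Folder not found: $folder"
    }

    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $identity, $fileSystemRights, $inheritanceFlag, $propagationFlag, $accessControlType

    $acl = Get-Acl -LiteralPath $folder
    # SetAccessRule replaces any existing explicit Allow entries for this
    # identity on the folder with the one rule above. Re-running the script is
    # therefore idempotent, but broader explicit Allow rights previously given
    # to the same identity on this folder are reduced to the rights set here.
    $acl.SetAccessRule($accessRule)
    Set-Acl -LiteralPath $folder -AclObject $acl
}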