Microsoft Fabric Capacity Automation Scripts

This repository contains PowerShell scripts for automating Microsoft Fabric capacity management using Azure Automation. The solution provides automated pause and resume functionality for Fabric capacities based on schedule tags, helping optimize costs by ensuring capacities only run when needed.

Overview

The automation solution consists of four main PowerShell scripts that work together to create a complete Fabric capacity management system:

1. Create-AutomationAccount.ps1 - Creates and configures an Azure Automation Account
2. Create-CustomRBACRole.ps1 - Creates custom RBAC roles and assigns permissions
3. Upload-RunbookCode.ps1 - Uploads the Pause-Resume script to the automation account
4. Pause-Resume.ps1 - The main automation script that manages capacity operations

Architecture

Azure Automation Account
├── Managed Identity (System-assigned)
├── Custom RBAC Role (Fabric Capacity Manager)
├── PowerShell 7.2 Runbook (FabricCapacityPauseResume)
└── Schedule Tags on Fabric Capacities
    ├── OnTime: Hour to resume capacity (0-23)
    ├── OffTime: Hour to pause capacity (0-23)
    └── OnDays: Bitmask for active days (1=Sunday, 2=Monday, etc.)

Prerequisites

• Azure PowerShell modules: Az.Automation, Az.Accounts, Az.Resources
• Azure subscription with appropriate permissions to:
  • Create Automation Accounts
  • Create custom RBAC roles
  • Assign roles to managed identities
  • Manage Microsoft Fabric capacities
• Microsoft Fabric F SKU capacities with proper tags

Scripts Documentation

1. Create-AutomationAccount.ps1

Purpose: Creates and configures an Azure Automation Account with system-assigned managed identity for running Fabric capacity automation.

Key Features:

• Creates automation account with system-assigned managed identity
• Configures account settings for optimal performance
• Validates prerequisites and dependencies
• Modular function-based architecture with comprehensive error handling
• Supports dry-run mode for testing

Example Usage:

# Basic automation account creation
.\Create-AutomationAccount.ps1 -ResourceGroupName "rg-automation" -AutomationAccountName "aa-fabric-mgmt" -Location "East US"

# With specific subscription and dry run
.\Create-AutomationAccount.ps1 -SubscriptionId "12345678-1234-1234-1234-123456789012" -ResourceGroupName "rg-automation" -AutomationAccountName "aa-fabric-mgmt" -Location "East US" -DryRun

# Install required modules and create account
.\Create-AutomationAccount.ps1 -ResourceGroupName "rg-automation" -AutomationAccountName "aa-fabric-mgmt" -Location "East US" -InstallModules

Outputs:

• Azure Automation Account with system-assigned managed identity
• Managed Identity Object ID (needed for RBAC assignment)
• Account configuration details
• The ManagedIdentityObjectId output from this script is needed for the next script

---

2. Create-CustomRBACRole.ps1

Purpose: Creates a custom RBAC role with Microsoft Fabric capacity management permissions and assigns it to the automation account's managed identity.

Key Features:

• Creates custom role with specific Fabric capacity permissions
• Supports multiple assignment scopes (subscription, resource group, specific capacities)
• Validates managed identity before assignment
• Comprehensive logging and error handling
• Dry-run mode for testing role assignments

Permissions Granted:

• Microsoft.Fabric/capacities/read - Read capacity properties
• Microsoft.Fabric/capacities/write - Modify capacity settings
• Microsoft.Fabric/capacities/suspend/action - Pause/suspend capacity
• Microsoft.Fabric/capacities/resume/action - Resume capacity operations

Example Usage:

# Grant permissions at subscription level
.\Create-CustomRBACRole.ps1 -ManagedIdentityObjectId "12345678-1234-1234-1234-123456789012" -RoleName "FabricCapacityManager"

# Grant permissions to specific resource groups
.\Create-CustomRBACRole.ps1 -ManagedIdentityObjectId "12345678-1234-1234-1234-123456789012" -RoleName "FabricCapacityManager" -ResourceGroups "rg-fabric-dev,rg-fabric-prod"

# Grant permissions to specific capacities
.\Create-CustomRBACRole.ps1 -ManagedIdentityObjectId "12345678-1234-1234-1234-123456789012" -RoleName "FabricCapacityManager" -CapacityNames "fabric-capacity-dev,fabric-capacity-prod"

# Dry run to preview changes
.\Create-CustomRBACRole.ps1 -ManagedIdentityObjectId "12345678-1234-1234-1234-123456789012" -RoleName "FabricCapacityManager" -DryRun

Outputs:

• Custom RBAC role definition
• Role assignments to specified scopes
• Assignment validation and confirmation

---

3. Upload-RunbookCode.ps1

Purpose: Uploads the Pause-Resume.ps1 script content to an Azure Automation runbook and configures it for execution.

Key Features:

• Uploads script content to new or existing runbooks
• Attempts to use PowerShell 7.2 runtime when supported
• Validates automation account and script file integrity
• Publishes runbook for immediate execution capability
• Comprehensive error handling and rollback support

Example Usage:

# Basic runbook upload
.\Upload-RunbookCode.ps1 -ResourceGroupName "rg-automation" -AutomationAccountName "aa-fabric-mgmt" -RunbookName "FabricCapacityManager"

# Upload with specific subscription and force overwrite
.\Upload-RunbookCode.ps1 -SubscriptionId "12345678-1234-1234-1234-123456789012" -ResourceGroupName "rg-automation" -AutomationAccountName "aa-fabric-mgmt" -RunbookName "FabricCapacityManager" -Force

# Upload custom script path with dry run
.\Upload-RunbookCode.ps1 -ResourceGroupName "rg-automation" -AutomationAccountName "aa-fabric-mgmt" -PauseResumeScriptPath "C:\Scripts\Pause-Resume.ps1" -DryRun

Outputs:

• Published PowerShell runbook ready for execution
• Runbook configuration details
• Upload success confirmation and summary

---

4. Pause-Resume.ps1

Purpose: The core automation script that manages Microsoft Fabric capacity pause and resume operations based on schedule tags and current time.

Key Features:

• Tag-Based Scheduling: Uses capacity tags to determine when to pause/resume
• Timezone Support: Handles multiple Azure regions with appropriate timezone mapping
• Flexible Resource Scanning: Supports specific resource groups or subscription-wide scanning
• Robust Error Handling: Continues processing other capacities if one fails
• Comprehensive Logging: Detailed operation logging for monitoring and troubleshooting
• Multiple Authentication Modes: (see script for details)
  • Supports managed identity for Azure automation
  • Interactive can be used for local testing

Required Capacity Tags:

• OnTime: Hour to resume capacity (0-23, based on capacity region timezone)
• OffTime: Hour to pause capacity (0-23, based on capacity region timezone)
• OnDays: Bitmask for active days of the week

OnDays Bitmask Values:

Day	Value
Sunday	1
Monday	2
Tuesday	4
Wednesday	8
Thursday	16
Friday	32
Saturday	64

Example Tag Configurations:

# Monday-Friday, 8 AM to 6 PM
OnTime: 8
OffTime: 18
OnDays: 62  # (2+4+8+16+32 = Monday through Friday)

# Monday-Saturday, 7 AM to 10 PM  
OnTime: 7
OffTime: 22
OnDays: 126  # (2+4+8+16+32+64 = Monday through Saturday)

Runtime Parameters:

• ResourceGroups: Comma-separated list of resource groups to scan, or leave empty for all
• SubscriptionId: Target subscription (optional, uses current context if not specified)

Example Capacity Configuration:

{
  "capacity": "fabric-prod-capacity",
  "location": "East US",
  "tags": {
    "OnTime": "8",
    "OffTime": "18", 
    "OnDays": "62",
    "Environment": "Production"
  }
}

Deployment Workflow

Follow these steps to deploy the complete automation solution:

Step 1: Create Automation Account

.\Create-AutomationAccount.ps1 -ResourceGroupName "rg-fabric-automation" -AutomationAccountName "aa-fabric-capacity" -Location "East US"

Step 2: Configure RBAC Permissions

# Use the Managed Identity Object ID from Step 1 output
.\Create-CustomRBACRole.ps1 -ManagedIdentityObjectId "<OBJECT_ID_FROM_STEP_1>" -RoleName "FabricCapacityManager"

Step 3: Upload Runbook Content

.\Upload-RunbookCode.ps1 -ResourceGroupName "rg-fabric-automation" -AutomationAccountName "aa-fabric-capacity" -RunbookName "FabricCapacityPauseResume"

Step 4: Tag Your Fabric Capacities

Add the required tags (OnTime, OffTime, OnDays) to your Microsoft Fabric capacities using the Azure portal, CLI, or PowerShell.

Step 5: Test and Schedule

• Test the runbook manually from the Azure portal
• Create schedules in Azure Automation to run the runbook at regular intervals (recommended: hourly)

Monitoring and Troubleshooting

Logs and Monitoring

• View runbook execution logs in the Azure Automation Account portal
• Monitor job history and output for each execution
• Set up alerts for failed executions

Common Issues

• Permission Errors: Verify RBAC role assignments are correct
• Tag Validation Failures: Ensure all three tags (OnTime, OffTime, OnDays) are present on capacities
• Timezone Issues: Verify capacity regions are supported in the timezone mapping

Testing

• Use dry-run mode in all scripts for safe testing
• Test runbook execution manually before scheduling
• Start with a limited scope (specific resource groups) before subscription-wide deployment

Support and Maintenance

Regular Maintenance

• Monitor automation account job quotas and limits
• Review and update RBAC permissions as needed
• Keep PowerShell modules updated in the automation account

Version Information

• Create-AutomationAccount.ps1: Version 1.0
• Create-CustomRBACRole.ps1: Version 1.0
• Upload-RunbookCode.ps1: Version 1.0
• Pause-Resume.ps1: Version 1.0

License

MIT License

This project is provided as-is for educational and operational purposes. Please review and test thoroughly before deploying in production environments.