
Create Your Own PowerShell APIs for Azure Governance with Azure Function App

Custom PowerShell API for Azure Governance - AzureIs.Fun

As an Azure administrator, you likely spend a lot of time performing routine tasks related to Azure governance. These tasks can be time-consuming and repetitive, but they are critical to ensuring the security, compliance, and performance of your Azure environment. Fortunately, you can automate many of these tasks using PowerShell, and even expose your PowerShell scripts as a web API using Azure Function App.

Here are a few examples of what you can do:

You can have these actions ready and available from your favorite shell, integrate them as part of other workflows, or have them initiated via voice command if you wish (check this blog post: How to perform tasks in Microsoft Azure with Voice Assistants (Cortana, Alexa, Google, Siri

In this blog post, we will walk through the steps to create your own PowerShell API and use it for daily tasks related to Azure Governance.

Creating Azure Function App

The secret ingredient is Function App: we can use it to run and publish our PowerShell code.

To create it, navigate to the Azure Portal and click on “Create a resource” > “Compute” > “Function App”. Fill in the required details, such as the resource group and app name, and select PowerShell as the runtime stack.

Create Azure Function App

Create PowerShell Function

Once the function app is created, click on “Functions” and then click on the “+ New Function” button to create a new function.

To expose it as an HTTP API, we need to add an HTTP trigger. In this example I am creating a simple script to list all VMs in scope, and therefore I gave it a descriptive name.

For this example, I am going to edit my code in the browser, but for more complicated examples and production use, you can easily integrate this with VS Code or with GitHub.

Create PowerShell Function

Upload your PowerShell script

When you click on your newly created Function and go to Code + Test, you will see that the run.ps1 file is already there.

We are going to keep the main structure of that file, and add our code:
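
As an added example, not the author's original script, here is a run.ps1 that keeps the template's param block and response binding, reads the optional RGName parameter used later in this post, validates it before it reaches an Az cmdlet, and returns only ResourceGroupName and Name. It assumes the Az module is loaded and an Azure context is already set, both of which are covered in the next section.

```powershell
using namespace System.Net

# Input bindings are passed in via the param block (same as the generated template).
param($Request, $TriggerMetadata)

# Read the optional RGName parameter from the query string, then from the body.
$rgName = $Request.Query.RGName
if (-not $rgName) { $rgName = $Request.Body.RGName }

$status = [HttpStatusCode]::OK
$vms = @()
try {
    if ($rgName) {
        # Accept only a syntactically valid resource group name:
        # 1-90 chars, letters, digits, _ - . ( ), not ending in a period.
        if ($rgName -isnot [string] -or $rgName -notmatch '^[\w\-\.\(\)]{1,90}(?<!\.)$') {
            $status = [HttpStatusCode]::BadRequest
            $body = @{ error = 'RGName is not a valid resource group name.' }
        }
        else {
            $vms = Get-AzVM -ResourceGroupName $rgName -ErrorAction Stop
        }
    }
    else {
        # No RGName supplied: list every VM in the current subscription context.
        $vms = Get-AzVM -ErrorAction Stop
    }

    if ($status -eq [HttpStatusCode]::OK) {
        # Return only the two fields the caller needs, not the full VM objects.
        $body = @($vms | Select-Object ResourceGroupName, Name)
    }
}
catch {
    # Keep the details in the function log; send the caller a generic message.
    Write-Error $_
    $status = [HttpStatusCode]::InternalServerError
    $body = @{ error = 'Listing VMs failed. See the function logs.' }
}

# Associate the result with the HTTP output binding named "Response".
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = $status
    Body       = $body
})
```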

Configure dependencies

Before we can run this code, we need to resolve a couple of things:

Install modules

This may vary depending on your script. You will notice that my sample script is using the Az PowerShell module. Before being able to use it, we need to add it to our Function App.

This module can be uploaded as a file, or it can be added to the list of requirements. To do that, go to App Files, select requirements.psd1 and add your module there. While you are there, also check your host.json and make sure that ‘managedDependency’ is ‘enabled’.

Import Modules to Azure Function App

This might take a while before it works. You can easily check if the module is loaded by adding this to your script:

$(Get-Module -ListAvailable | Select-Object Name, Path)


Another thing that we need to do is to allow our Function App to authenticate to Azure from PowerShell.

This process is the same as with other Azure services. You can use Managed Identity, or read credentials from Key Vault. This can be configured directly in your script or in the profile.ps1 file.

You will also need to select a subscription and set the context. You can loop through all subscriptions, or select your preferred subscription like this:

#Get Az Subscription and Set Context
$SubscriptionName = "Microsoft Azure Sponsorship"
Get-AzSubscription -SubscriptionName $SubscriptionName | Set-AzContext
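
One way to do both steps in profile.ps1, as an added example rather than the author's code: it signs in with the Function App's Managed Identity and stops at startup if the subscription cannot be selected. It assumes a Managed Identity is enabled on the Function App and has been granted a role on the subscription (Reader is enough for listing VMs).

```powershell
# profile.ps1 runs on every cold start, before any function in the app.
$SubscriptionName = "Microsoft Azure Sponsorship"   # subscription name used in this post

# MSI_SECRET is the variable the generated profile.ps1 checks for a Managed Identity.
if (-not $env:MSI_SECRET) {
    # Assumption: the app should never fall back to stored credentials.
    throw 'No Managed Identity is available to this Function App.'
}

# Keep the Az context in memory for this process only.
Disable-AzContextAutosave -Scope Process | Out-Null
Connect-AzAccount -Identity -ErrorAction Stop | Out-Null

# Fail at startup if the identity cannot see exactly one matching subscription,
# so run.ps1 never executes against an unexpected default context.
$sub = @(Get-AzSubscription -SubscriptionName $SubscriptionName -ErrorAction Stop)
if ($sub.Count -ne 1) {
    throw "Expected 1 subscription named '$SubscriptionName', found $($sub.Count)."
}
$sub[0] | Set-AzContext | Out-Null
```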

Invoke your API

Now it is time to test our script. This simple script expects a parameter, RGName, so we can limit the list of VMs to that specific RG. We can also omit the parameter and get the list of all VMs in the subscription instead.

The easiest way to invoke the script is the Invoke-WebRequest command.

#This URL does not contain parameter RGName:
$URLNoRGName = "<yourCode>"
Invoke-WebRequest $URLNoRGName

#This URL contains RG Name parameter, and script will check only for VMs in that RG:
$URLWithRGName = "<yourCode>"
Invoke-WebRequest $URLWithRGName

This will return JSON output that should look something like this:

    [
      {
        "ResourceGroupName": "RG-Test-AzureAPI",
        "Name": "VM-Test1"
      },
      {
        "ResourceGroupName": "RG-Test2",
        "Name": "VM-Test2"
      }
    ]

There are a few more ways to trigger this Function App, and that opens up many ways to use it.

Here are a few ideas for how to integrate this kind of API with our daily workflow:

  • make longer-running tasks run on a schedule, and then let your API work with the collected/calculated results
  • include it in your scripts or web apps
  • call it on demand to perform tasks or get information. You can easily do it from any device, and you don’t need your modules or other dependencies installed
  • integrate it with Stream Deck or Voice Assistants


Creating your own PowerShell API with Azure Function App is a powerful way to automate Azure governance tasks and streamline your workflow. By leveraging the power of PowerShell and Azure Function App’s HTTP trigger, you can easily expose your PowerShell scripts as a web API that can be called from anywhere, at any time. Whether you’re managing Azure policies, retrieving Azure resource data, or automating Azure workflows, a custom PowerShell API on Azure Function App can help you get the job done faster and more efficiently. With the step-by-step guide and code example provided in this article, you can start building your own custom PowerShell API for Azure governance today.

I hope this was helpful. Stay tuned for more script examples that I will be posting soon.

Vukasin Terzic

Updated Mar 12, 2023
This post is licensed under CC BY 4.0