
Connecting Orchestrator 2016 to Microsoft Azure

With System Center Orchestrator you can create, configure and automate many things. There are runbook activities available for Microsoft Azure that can be used once you have successfully created a connection between your Orchestrator and Microsoft Azure.





  • A certificate used by Orchestrator to access Microsoft Azure
  • Configure Microsoft Azure to trust the Orchestrator certificate



Creating a self-signed certificate in Orchestrator

To start off we will need to create a self-signed certificate used by Orchestrator to access Microsoft Azure.


  1. On our Orchestrator server, click on Start and type IIS. The search should now find the Internet Information Services (IIS) Manager; click to open it.
  2. We should now have the Internet Information Services (IIS) Manager open.
  3. Now select the Orchestrator server connection, which can be found in the left pane.
  4. We should now see many different features in the middle of the IIS Manager; double-click on Server Certificates.
  5. Now in the pane on the right side, click on Create Self-Signed Certificate to continue.
  6. We will now specify a name for our certificate and make sure it is stored in the Personal certificate store; click OK once done.
  7. Our self-signed certificate should now be shown in the IIS Manager.

Exporting the self-signed certificate

Now that we have created the self-signed certificate we will need to export two copies of it.

  • The first copy of the self-signed certificate will not include the private key, as it will be used in Microsoft Azure to make the certificate trusted.
  • The second copy of the self-signed certificate will include the private key; it will be used by Orchestrator to communicate with Microsoft Azure.


Exporting the self-signed certificate without private key

  1. Make sure that we are on the Orchestrator server, then right-click on Start and choose Run in the list of options.
  2. The Run window will open up; type mmc in the Open field and click OK.
  3. We should now have the Microsoft Management Console (MMC) in front of us.
  4. Now go to File and choose Add/Remove Snap-in…
  5. An Add or Remove Snap-ins window will appear.
  6. Select Certificates under the Available snap-ins, which is found in the left pane, then click Add >
  7. Now click OK to continue; we will be asked which account we want the snap-in to manage.
  8. Select the Computer account and click Next.
  9. We will now be asked which computer we want the snap-in to manage; go with the default option here, Local computer.
  10. We should now see the Certificates (Local Computer) snap-in in our MMC console.
  11. Expand Certificates (Local Computer), which can be found in the left pane.
  12. Next expand Personal and select Certificates; we should see the certificate we created previously.
  13. To export the certificate, right-click the certificate, go to All Tasks and click Export.
  14. A Certificate Export Wizard will open; click Next to continue with the certificate export.
  15. We will export the first certificate without a private key. Make sure the No, do not export the private key option is selected, then click Next to continue.
  16. We will go with the default file format, DER encoded binary X.509 (.CER); click Next to continue.
  17. In the next window, select a location where the certificate will be saved and a name for it. In this guide I will save it to C:\Certificates\
  18. We should now see the save path and file name in the Certificate Export Wizard; click Next to continue.
  19. We will now see a summary of the certificate export; click Finish to export the certificate.
  20. Once the export is completed we will see a window saying The export was successful; click OK to finish.
    Note: Don’t close the MMC window, as we will need it in the next step.


Exporting the self-signed certificate with private key

We just exported the Orchestrator self-signed certificate without a private key; now we will export the same certificate with a private key.

  1. We should still have the MMC window open from the previous step.
  2. Now right-click the Orchestrator certificate, go to All Tasks and choose Export once again.
  3. In the Certificate Export Wizard, click Next to continue.
  4. We will now export the second certificate with a private key. Make sure the Yes, export the private key option is selected, then click Next to continue.
  5. For the second certificate we will only have one file format option, the Personal Information Exchange – PKCS #12 (.PFX). We will not need the Include all certificates in the certification path if possible option, so we can uncheck it; click Next to continue.
  6. In the next step we will need to protect this certificate by specifying either a security principal or a password; we will go with a password.
  7. Now check the Password check box and give our certificate a password; click Next once you’ve entered and confirmed the password.
  8. Select once again a location where the certificate will be saved and give it a name. I will save it again in the C:\Certificates folder.
  9. We will now see the save path and file name in the Certificate Export Wizard; click Next to continue.
  10. We will once more see a summary of the certificate export; click Finish to export our certificate. Wait for the export to complete; we will see a window saying The export was successful. Click OK to finish.
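
The create and export procedures above can also be scripted. The following PowerShell is an added example, not part of the original guide: it uses New-SelfSignedCertificate instead of IIS Manager, tightens the file permissions on the PFX, and checks that both exported files are the same certificate. The subject name, file names and one-year lifetime are assumptions; only the C:\Certificates folder comes from the guide.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the IIS Manager and MMC export steps.
# Assumed values: subject name, file names, one-year lifetime.
$ErrorActionPreference = 'Stop'
$subject = 'CN=Orchestrator-Azure-Management'            # assumed name
$outDir  = 'C:\Certificates'                             # folder used in the guide
$cerPath = Join-Path $outDir 'OrchestratorAzure.cer'     # assumed file name
$pfxPath = Join-Path $outDir 'OrchestratorAzure.pfx'     # assumed file name
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Create the certificate in the computer account's Personal store.
$cert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1)

# Copy 1: public certificate only, DER encoded (.cer). This is the file for Azure.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Copy 2: certificate plus private key (.pfx), password protected, leaf only.
$pfxPassword = Read-Host -Prompt 'Password for the PFX file' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword `
    -ChainOption EndEntityCertOnly | Out-Null

# The PFX is a credential for the subscription: remove inherited permissions and
# allow only Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18). Add a read
# grant for the Orchestrator service account if it is not an administrator.
icacls $pfxPath /inheritance:r /grant:r '*S-1-5-32-544:(F)' '*S-1-5-18:(F)' | Out-Null

# Check 1: the file meant for upload must not carry a private key.
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
if ($cer.HasPrivateKey) { throw "$cerPath contains a private key; do not upload it." }

# Check 2: both exports must be the same certificate.
$pfx = (Get-PfxData -FilePath $pfxPath -Password $pfxPassword).EndEntityCertificates[0]
if ($pfx.Thumbprint -ne $cer.Thumbprint) { throw 'CER and PFX are different certificates.' }

# Summary: keep the thumbprint to compare with the certificate listed in Azure
# after the upload, and the expiry date to plan the renewal.
[pscustomobject]@{
    Thumbprint = $cer.Thumbprint
    NotAfter   = $cer.NotAfter
    CerFile    = $cerPath
    PfxFile    = $pfxPath
}
```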


Configuring Microsoft Azure to trust the Orchestrator certificate as a Management certificate

We will now configure Microsoft Azure to trust the Orchestrator self-signed certificate as a so-called Management certificate.

  1. Open a web browser and head to:
  2. Sign in to Microsoft Azure by first entering your Email, phone or Skype, then entering your password and clicking Sign in.
  3. We should now see the Microsoft Azure dashboard.
  4. At the bottom of the left pane click on [button image]
  5. We will now see a window with billing information and our current subscriptions.
  6. Now select our subscription in the center of the screen.
  7. Now click on [button image], which is found in the left pane under Settings; we should now see the Management certificates window.
  8. Now we will want to upload our Orchestrator certificate (without private key); to upload, click on [button image].
  9. An Upload Certificates window will open up on our right side.
  10. Now click [button image] under .Cer Certificate File to upload the certificate.
  11. A browse window will now open; navigate to the folder where we exported our Orchestrator certificates.
  12. Select our self-signed Orchestrator certificate that was exported with no private key and click Open.
  13. We should now be ready to upload our self-signed Orchestrator certificate; click [button image] to continue.
  14. The certificate will now be uploaded to Microsoft Azure.
  15. Once the certificate has been uploaded successfully we should get a notification.
  16. Our Orchestrator certificate will now be shown under our Management certificates in Microsoft Azure.


Configuring a connection between Orchestrator and Microsoft Azure

We will now head on with the last step which will be connecting Orchestrator to Microsoft Azure.

  1. Open the Runbook Designer console.
  2. Now head to Options in the upper left corner of the Runbook Designer console, then click on Windows Azure.
  3. A Windows Azure prerequisite configuration window will open up.
  4. Since we have no Azure configuration from before, we will want to add a new configuration by clicking Add…
  5. First we need to specify a name for our connection.
  6. Next we will select the connection type.
  7. Click on the radio button to choose from the available connection types; a new Item Selection window will open.
  8. Choose Azure Management Configuration Settings and click OK.
  9. Now we will fill in the properties of our Azure connection.
  10. The Azure Endpoint can be left as it is.
  11. Next insert the password of our Orchestrator certificate (PFX certificate) with a private key.
  12. Now in the PFX File Path field click on the radio button and locate our Orchestrator certificate (PFX certificate) with a private key.
  13. Lastly we will add our Microsoft Azure Subscription ID.
  14. To find our Microsoft Azure subscription ID, go to your Microsoft Azure Portal at
  15. On the left pane click on [button image].
  16. We should now see our subscription ID(s) in the center of the Microsoft Azure Portal screen.
  17. Select the subscription and copy the Subscription ID, then paste it into the Subscription ID field in the Add Configuration window found in the Runbook Designer.
  18. Now click OK to finish adding our Azure connection.


We have now successfully set up a connection to Microsoft Azure from your System Center Orchestrator 2016!
