ScriptRunner 2020R2 – Full Azure Integration, Azure Queries and the new ScriptRunner Portal

Starting with this release, direct integration with Azure allows ScriptRunner’s popular query functionality to be extended to Azure AD, Azure resources, and Azure data. With the new Query Type Azure (Fig. 1), a very powerful tool is now available to design use cases for M365, Azure AD and Azure Cloud.

Fig. 1: The new Query Type Azure is now available for selection

To simplify usability for many use cases, the following options are available as templates:

• Azure User Query: Queries user objects of all types
• Azure Group Query: Queries group objects of all types
• Azure Group Members Query: Queries group members
• Azure Member of Query: Queries group memberships

The following can be used for customizable queries:

• Microsoft Graph Query
• Azure Resource Graph Query
• Azure Data Explorer Query

An Azure query will be used to determine all rooms that can be addressed as resources in Exchange Online. In the use case, ad-hoc statistics on the occupancy of specific rooms are to be made available as an HTML report.

In the following, we will only consider the query for room selection. An Azure user query is used for this, which maps Exchange Online resources such as rooms as user objects. To control the query on room objects, a simple property filter on the Azure AD User Property DisplayName is used here.

Figure 2: Querying objects whose DisplayName contains ‘room’

Testing the query is done as usual. If “-JSON-” was selected as the Value parameter in the query, the result set will contain a list of rooms as JSON objects. The value of the JSON object can be displayed via mouse-over. Further use of the JSON object is done with the new Feature PowerShell Splatting (see section “PowerShell Splatting feature”).

In this example, we want to search for all Azure AD groups that have the ‘mailEnabled’ property. For this case, the example uses an ODATA filter.
Note: Azure AD queries are case-sensitive!

Fig. 3: Filtering Azure AD groups with the ‘mailEnabled’ property

In this use case, first a selection of an Azure AD group should be made and then the members of the group should be listed to be able to select one or more. The requirement is best solved with a cascaded query.

The Azure Group Query returns a list of all groups (with filters if necessary, as in Fig. 3). As parameter Value, the Object-Ids of the groups are required, since this ID variably controls the subsequent query to resolve the group into members (Fig. 4).

Fig. 4: Cascadable Azure Query where first a group is selected and then its members are listed as choices.

The Azure Query to resolve the group returns a list of the group members along with the members’ property sets as a JSON object (Fig. 5)

Fig. 5: The list of group members of their property sets are delivered as JSON object

The connection of both queries is done in the Action on the parameter page according to the already known scheme.

Fig. 6: In the form of the ScriptRunner Action, the query results are available as a selection

You can read more about Microsoft Graph and Azure resource queries in the blog post ScriptRunner, Azure and M365 – a perfect trio.

We created the new ScriptRunner Portal to improve UX and CX. It unifies the previous ScriptRunner Web Apps for help desk and end users, as well as new features for administrators.

The portal replaces the ScriptRunner Delegate App and the ScriptRunner Self-Service App. Customers can install the new portal as part of the update to this release and switch users to the unified URL to access it.

The portal is divided into functional modules (Fig. 7) and supports logging in with Azure AD user accounts. If MFA is enabled, the second factor of authentication is also requested during login.

Fig. 7: Overview of the modules of the new ScriptRunner Portal in the Admin View

The entry into the portal as well as the available functions depend on the affiliation of a security group or an account to a ScriptRunner role.

Help desk and end users immediately start in the function module for running scripts. In addition, a help desk user has access to the reporting module.

Administrators have additional options in both of these modules. For example, the Action tiles can be directly customized in color and icon.

The new statistics module (Fig. 8) makes it possible to make the benefits of ScriptRunner transparent.

Fig. 8: The new statistics module in ScriptRunner Portal

You can read more information and details about the new portal in the blog post The new role-based ScriptRunner Portal.

With the Portal Widget, our customers can seamlessly integrate ScriptRunner Actions into a wide variety of applications and use the full functionality of validation and queries.

This allows “invisible” contextual use of ScriptRunner automated tasks in other applications. Thus, a ScriptRunner Action can be placed in the intranet for end users directly in the place that is related to it in terms of content (Fig. 9).

The widget can be used to expand the functionality of existing self-service portals, to add new functions to business applications and to upgrade ITSM systems.

Because it is so easy to integrate, there are no limits to what you can do, including customizing the styling.

Fig. 9: Application example of the ScriptRunner Portal Widget

Further information and details on the new Portal Widget can be found in the bog article The new role-based ScriptRunner Portal or on the Portal Widget page.

With the integration into Azure AD, enhancements and improvements in the role configuration have been implemented. For example, multiple groups and/or individual accounts can now be assigned to a role group in ScriptRunner.

To do this, simply click the + button at My Claims (Fig. 10). You can now add a group or an account.

Also a new feature is the search function for local groups/accounts, for Active Directory groups and accounts as well as Azure AD groups and accounts.

The Basic Auth option is reserved for use with Web Service Connectors.

Fig. 10: Function for adding new groups or accounts

Connection problems to target systems or cloud services are part of the everyday life of administrators. The causes can be manifold. The problems may stem from the infrastructure between ScriptRunner Server and the target system, such as firewalls, proxies, etc. Also, the target system may not be configured sufficiently (local firewall, remoting) or authentication fails.

Until now, test scripts had to be written and test Actions had to be set up. From this version on ScriptRunner takes over the connection test directly. This way, errors can be narrowed down and fixed faster. Simply select the target system, click on Test in the Action bar and then start test. The live output shows you what is happening.

Fig. 11: Live output of a connection test

In the test run, a remote session is established with the stored credential to the target system and $PSVersion of the target system is returned. The connection is then closed again. The results can be viewed at any time as a PowerShell report.

The WinRM service in Windows offers the possibility to authenticate a PowerShell Remoting Session by means of a certificate. To do this, WinRM must be enabled over HTTPS on the target system and a certificate must be stored there. Details can be found in the Microsoft Documentation.

A corresponding credential is then configured in ScriptRunner. Next, you assign the credential to the target system and use the https option in the remoting settings.

Fig. 12: ScriptRunner Credential for PowerShell Remoting with Certificate-based Authentication using WinRM

This new feature brings several advantages for the design of use cases in ScriptRunner. With a single query, multiple attributes or properties of an object can be determined and passed to the main script.

In this version, scripted queries and Azure queries can be used for this purpose. Thus, complex query cascades can be omitted, the use case becomes clearer for the user and several attributes can be processed more easily in a use case. The complexity in the PowerShell script is reduced because of the direct access to the content.

Scripted queries use a hashtable in the query script to which the results of the query are assigned. Using Azure Queries, the result set is stored in a JSON object.

Whether hashtable or JSON is used in the query, the results are passed encoded to a parameter in the main script to which the query was assigned.

The parameter in the main script must be of type hashtable. The structure of the hashtable follows the individual parameters to be used in the hashtable. The names of the parameters in the hashtable must match the names of the parameters in the query hashtable or JSON object. This will cause ScriptRunner to automatically map the matching values.

Additionally, a read-only attribute can be used for individual parameters of the hashtable. The following sample code shows the usage in the main Action script.

You can find further information on this feature in our Knowledge Base: Return multiple properties with a single Query.

The parameter attribute [Parameter(HelpMessage=”ASRDisplay(Splatting)”)] turns on the feature for the parameter [hashtable] $Address. This parameter $Address must be assigned the appropriate query in the Action configuration.

The other parameters in the hashtable itself define their structure. The parameter names must correspond to the names in the result set.
If an element is now selected from the result set in the UI (here “Peter Heim”), ScriptRunner automatically maps the values for the subsequent parameters.

With the parameter attribute [Parameter(HelpMessage=”ASRDisplay(Readonly)”)] the parameter [string] $Name is used in the UI as not changeable.

The [string] DateofBirth parameter is not given any values because it either does not exist in the result set or there is no name match for the parameter.

The optional use of PowerShell 7 has been extended to more elements in ScriptRunner. Besides Actions, scripted queries can now also use PowerShell 7. The connection test also supports target systems with PowerShell 7.