Azure Automation Hybrid Woker permission automatically removed

Question

Azure Automation Hybrid Woker permission automatically removed

Carlo Berchtold 20

We are experiencing a recurring issue with two installed instances of the Azure Automation Hybrid Worker extension. For several months, both extensions have exhibited the same behavior: approximately twice per month, the custom credential permissions are inexplicably removed from the following paths:

C:\ProgramData\AzureConnectedMachineAgent\Tokens — Read access
C:\Packages\Plugins\Microsoft.Azure.Automation.HybridWorker.HybridWorkerForWindows — Read and Execute access

The issue results in jobs being suspended.

Initially, we suspected this might be triggered by Windows Updates or extension upgrades, but after some checks, these events do not correlate with the permission resets. The root cause remains unclear, and the behavior appears to be non-deterministic and unrelated to any scheduled system or extension-level changes.

Bharath Y P 1,515 Reputation points Microsoft External Staff Moderator

2025-08-08T17:16:54.42+00:00
Hello Carlo Berchtold,

Welcome to Microsoft Q&A forum!

You're experiencing a recurring issue with two installed instances of the Azure Automation Hybrid Worker extension. Specifically, Custom credential permissions are being removed folder path, This leads to job suspension in Azure Automation. The issue occurs twice per month, non-deterministically, and is not correlated with Windows Updates or extension upgrades.

If extension-based Hybrid Worker is using custom Hybrid Worker credentials, then ensure that following folder permissions are assigned to the custom user to avoid jobs from getting suspended.

Looks like, you already provided the folder permission to the respective folder with Read /

Read and Execute permission.

When a system has UAC/LUA in place, permissions must be granted directly and not through any group membership.

Due to a current limitation, these folder permissions are removed from the C:\ProgramData\AzureConnectedMachineAgent\Tokens folder on Azure Arc-enabled machines when the Azure Connected Machine agent is updated. The current resolution is to reapply these permissions to the folder.

Troubleshoot extension-based Hybrid Runbook Worker issues in Azure Automation | Microsoft Learn

The current resolution is to reapply the folder permissions to C:\ProgramData\AzureConnectedMachineAgent\Tokens when the Azure Connected Machine agent is updated.

You can refer: Permissions for Hybrid worker credentials.

Please let me know if you face any challenge here, I can help you to resolve this issue further.
Carlo Berchtold 20 Reputation points

2025-08-14T05:51:38.0433333+00:00

@Bharath Y P Thanks for your reply. It looks like a known issue.
Bharath Y P 1,515 Reputation points Microsoft External Staff Moderator

2025-08-14T17:16:59.96+00:00

Carlo Berchtold Please let us know if the issue has been resolved, and let us know if you need any further assistance.
Bharath Y P 1,515 Reputation points Microsoft External Staff Moderator

2025-08-19T08:41:59.6633333+00:00

Hello Carlo Berchtold Please let us know if the issue has been resolved, if you need any further assistance please let us know
Carlo Berchtold 20 Reputation points

2025-08-21T12:32:38.7666667+00:00

Not really a great way. I hope Microsoft will fix this in the near future because monthly our Scripts are stop working and there is no real solution as it seems..

But I think there is nothing else to do than just wait and hope for an updated on this.

Answer accepted by question author

0 additional answers

Your answer

Bharath Y P 1,515 Reputation points Microsoft External Staff Moderator

2025-08-08T17:16:54.42+00:00

Hello Carlo Berchtold,

Welcome to Microsoft Q&A forum!

You're experiencing a recurring issue with two installed instances of the Azure Automation Hybrid Worker extension. Specifically, Custom credential permissions are being removed folder path, This leads to job suspension in Azure Automation. The issue occurs twice per month, non-deterministically, and is not correlated with Windows Updates or extension upgrades.

If extension-based Hybrid Worker is using custom Hybrid Worker credentials, then ensure that following folder permissions are assigned to the custom user to avoid jobs from getting suspended.

Looks like, you already provided the folder permission to the respective folder with Read /

Read and Execute permission.

When a system has UAC/LUA in place, permissions must be granted directly and not through any group membership.

Due to a current limitation, these folder permissions are removed from the C:\ProgramData\AzureConnectedMachineAgent\Tokens folder on Azure Arc-enabled machines when the Azure Connected Machine agent is updated. The current resolution is to reapply these permissions to the folder.

Troubleshoot extension-based Hybrid Runbook Worker issues in Azure Automation | Microsoft Learn

The current resolution is to reapply the folder permissions to C:\ProgramData\AzureConnectedMachineAgent\Tokens when the Azure Connected Machine agent is updated.

You can refer: Permissions for Hybrid worker credentials.

Please let me know if you face any challenge here, I can help you to resolve this issue further.
Carlo Berchtold 20 Reputation points

2025-08-14T05:51:38.0433333+00:00

@Bharath Y P Thanks for your reply. It looks like a known issue.
Bharath Y P 1,515 Reputation points Microsoft External Staff Moderator

2025-08-14T17:16:59.96+00:00

Carlo Berchtold Please let us know if the issue has been resolved, and let us know if you need any further assistance.
Bharath Y P 1,515 Reputation points Microsoft External Staff Moderator

2025-08-19T08:41:59.6633333+00:00

Hello Carlo Berchtold Please let us know if the issue has been resolved, if you need any further assistance please let us know
Carlo Berchtold 20 Reputation points

2025-08-21T12:32:38.7666667+00:00

Not really a great way. I hope Microsoft will fix this in the near future because monthly our Scripts are stop working and there is no real solution as it seems..

But I think there is nothing else to do than just wait and hope for an updated on this.

Answer 1

Mark 80

I was able to get past this using New-AzConnectedMachineRunCommand on Azure Arc connected machines. I just placed a script on the machines(could probably use a shared location if needed) that restored the rights before trying to connect to the hybrid worker. It can take up to 5 minutes to run on a machine, but worth it for me.

New-AzConnectedMachineRunCommand -ResourceGroupName "Resourcegroup" -MachineName "machinename" -Location "eastus" -RunCommandName "TestFile" -SourceScript "Invoke-Command -FilePath C:\Scripts\restorerights.ps1 -ComputerName machinename" -SubscriptionId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

Carlo Berchtold 20 Reputation points

2025-10-08T14:41:49.6+00:00

Nice! That really worked for me so far. I need to check it in the upcoming months, but it seems to correct the permissions even though the UAC is enabled. Thanks! 🙏

Share via

Azure Automation Hybrid Woker permission automatically removed

0 additional answers

Your answer