Introduction
Azure Automation Run As accounts will retire on September 30, 2023. No more worrying about expired Run As account certificates breaking your automation, we’ve all been there, right? 🙂
It’s important to enable Managed Identities before the retirement date and to switch the authentication method in your existing Runbooks to Managed Identity, because your runbooks will stop working after this date.
Identify Automation Accounts using a RunAs account
I created a small script which shows all Automation Accounts that have a Run As account configured. A Run As account shows up as a connection of type AzureServicePrincipal, so the script filters on that type instead of listing every connection.
## Check if automation accounts have run as accounts configured
$automationaccounts = Get-AzAutomationAccount
foreach ($automationaccount in $automationaccounts) {
    # Only AzureServicePrincipal connections belong to a Run As account;
    # other connection types (e.g. Azure, AzureClassicCertificate) are skipped
    Get-AzAutomationConnection -AutomationAccountName $automationaccount.AutomationAccountName `
                               -ResourceGroupName $automationaccount.ResourceGroupName |
        Where-Object ConnectionTypeName -eq 'AzureServicePrincipal' |
        Select-Object ResourceGroupName, AutomationAccountName, Name, ConnectionTypeName
}
Create a Managed Identity for your Automation Account
First we need to create a new Managed Identity. There are two flavours: a System Assigned Managed Identity and a User Assigned Managed Identity. A System Assigned Managed Identity is tied to a single resource, while a User Assigned Managed Identity can be shared across multiple resources.
Enabling a Managed Identity is pretty straightforward. In the Automation Account blade, navigate to ‘Identity’ and set ‘Status’ to ‘On’.
Your Managed Identity needs access to the resources you want your Runbooks to manage. You can use the Object (Service Principal) ID or the Automation Account name to assign permissions through the IAM blades, just like you’d do with user accounts. Assign only the roles the Runbooks actually need, scoped to the resources they manage.
Edit your Runbook authentication methods using Managed Identities
Open your Runbooks to check whether they’re using Run As accounts as the authentication method. Don’t forget to make a copy, just in case. The code should look something like the block below.
# Get the connection "AzureRunAsConnection"
$connectionName = 'AzureRunAsConnection'
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Add-AzAccount `
    -ServicePrincipal `
    -TenantId $servicePrincipalConnection.TenantId `
    -ApplicationId $servicePrincipalConnection.ApplicationId `
    -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
If you’re using a System Assigned Managed Identity you can replace it with:
Connect-AzAccount -Identity
If you’re using a User Assigned Managed Identity you can replace it with:
$identity = Get-AzUserAssignedIdentity -ResourceGroupName <myResourceGroup> -Name <myUserAssignedIdentity>
Connect-AzAccount -Identity -AccountId $identity.ClientId
Again, don’t forget to assign the correct permissions to your Managed Identity or your runbook will fail.
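To see at a glance which accounts still need work, here is an added audit script (my example for this post, not code from Microsoft) that combines the three checks above: it reports, per Automation Account, whether a Run As connection still exists, whether a Managed Identity is enabled, and which published Runbooks still contain the Run As login code. It assumes Az.Accounts, Az.Resources and Az.Automation are installed and that you have already run Connect-AzAccount.

```powershell
# Audit script (added example, not from the original post). Assumes an
# existing Connect-AzAccount session with read access to the subscription.
$pattern    = 'AzureRunAsConnection|Get-AutomationConnection'
$exportRoot = Join-Path ([System.IO.Path]::GetTempPath()) 'runas-audit'

$report = foreach ($aa in Get-AzAutomationAccount) {
    $rg   = $aa.ResourceGroupName
    $name = $aa.AutomationAccountName

    # Run As accounts appear as connections of type AzureServicePrincipal
    $runAs = Get-AzAutomationConnection -ResourceGroupName $rg -AutomationAccountName $name |
        Where-Object ConnectionTypeName -eq 'AzureServicePrincipal'

    # The identity state lives on the ARM resource:
    # None, SystemAssigned, UserAssigned or "SystemAssigned, UserAssigned"
    $res = Get-AzResource -ResourceGroupName $rg -Name $name `
               -ResourceType 'Microsoft.Automation/automationAccounts'
    $identityType = if ($res.Identity) { [string]$res.Identity.Type } else { 'None' }

    # Export the published slot of every runbook and search it for the Run As pattern
    $folder = Join-Path $exportRoot "$rg-$name"
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
    Get-AzAutomationRunbook -ResourceGroupName $rg -AutomationAccountName $name |
        Where-Object State -eq 'Published' |
        ForEach-Object {
            Export-AzAutomationRunbook -ResourceGroupName $rg -AutomationAccountName $name `
                -Name $_.Name -Slot Published -OutputFolder $folder -Force | Out-Null
        }
    $hits = Get-ChildItem -Path $folder -File |
        Select-String -Pattern $pattern -List |
        ForEach-Object { $_.Filename }

    [pscustomobject]@{
        AutomationAccount = $name
        ResourceGroup     = $rg
        RunAsConnections  = ($runAs.Name -join ', ')
        ManagedIdentity   = $identityType
        RunbooksToMigrate = ($hits -join ', ')
    }
}

# Accounts with a Run As connection but ManagedIdentity 'None', or with
# entries in RunbooksToMigrate, are the ones that will break after retirement
$report | Format-Table -AutoSize
```

Graphical and Python runbooks are exported too, but the pattern only matches the PowerShell login snippet shown earlier, so review those manually.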
Thanks! Really helpful