Migrate Run As Accounts to Managed Identity


Azure Automation Run As accounts will retire September 30, 2023. No more worrying about expired Run As Account certificates breaking your automation, we’ve all been there, right? 🙂

It’s important to enable Managed Identities and to switch your existing Runbook authentication to Managed Identity before that date, because runbooks that still authenticate with a Run As account will stop working once it has been retired.

Identify Automation Accounts using a RunAs account

I created a small script that shows all Automation Accounts with Run As accounts configured. A Run As account lives in the Automation Account as a connection asset of type AzureServicePrincipal (AzureClassicCertificate for a Classic Run As account), so the script walks every Automation Account, lists its connections and keeps only those types:

    ## Check if automation accounts have run as accounts configured
    $automationaccounts = Get-AzAutomationAccount
    foreach ($automationaccount in $automationaccounts) {
        Get-AzAutomationConnection -AutomationAccountName $automationaccount.AutomationAccountName -ResourceGroupName $automationaccount.ResourceGroupName |
            Where-Object { $_.ConnectionTypeName -in 'AzureServicePrincipal', 'AzureClassicCertificate' } |
            Select-Object ResourceGroupName, AutomationAccountName, Name, ConnectionTypeName
    }

Create a Managed Identity for your Automation Account

First we need to create a new Managed Identity. We can choose two flavours, a System Assigned Managed Identity or a User Assigned Managed Identity. A System Assigned Managed Identity is tied to a single resource and is created and deleted together with it; a User Assigned Managed Identity is a standalone Azure resource that can be shared across multiple resources (handy when several Automation Accounts need the same permissions, at the cost of a wider blast radius if any one of them is compromised).

Enabling a Managed Identity is pretty straightforward. In the Automation Account blade navigate to ‘Identity’ and set ‘Status’ to ‘On’ (for a User Assigned Managed Identity use the ‘User assigned’ tab and add an existing identity instead).

Your Managed Identity needs access to the resources you want your Runbooks to manage. You can use the Object (Service Principal) ID or the Automation Account name to assign permissions through the IAM blades just like you’d do with User Accounts. Grant only the roles the runbooks actually need, at the narrowest scope that works (a resource group or a single resource rather than the whole subscription): the old Run As account was created with Contributor on the entire subscription by default, and there is no reason to carry that over.
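The same two steps (enable the identity, then grant it a scoped role) done from PowerShell so they can be repeated for every Automation Account you found above. This is an added example, not code from the original post; the resource group, account and role names are placeholders, and it assumes an already authenticated Connect-AzAccount session with rights to create role assignments at the target scope and a recent Az.Automation module (the -AssignSystemIdentity switch):

```powershell
# Added example, not from the original post. Enables the system-assigned
# identity on an Automation Account and grants it one scoped role.
# All names are placeholders (assumptions); needs Az.Automation, Az.Resources
# and an existing Connect-AzAccount session with Owner or User Access
# Administrator rights on the target scope.
$ErrorActionPreference = 'Stop'

$automationRg   = 'rg-automation'               # assumption
$automationName = 'aa-ops'                      # assumption
$targetRg       = 'rg-workload'                 # assumption: the RG the runbooks manage
$roleName       = 'Virtual Machine Contributor' # assumption: enough for VM start/stop runbooks

# 1. Same as Identity > Status = On in the portal.
Set-AzAutomationAccount -ResourceGroupName $automationRg -Name $automationName -AssignSystemIdentity | Out-Null

# 2. Read the identity's object (principal) ID back from the ARM resource.
$principalId = (Get-AzResource -ResourceGroupName $automationRg `
    -ResourceType 'Microsoft.Automation/automationAccounts' -Name $automationName).Identity.PrincipalId
if (-not $principalId) { throw "No system-assigned identity found on $automationName" }

# 3. Assign the role at resource-group scope, not on the subscription. Idempotent:
#    skip when the assignment is already there.
$scope = (Get-AzResourceGroup -Name $targetRg).ResourceId
$assignment = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName `
    -Scope $scope -ErrorAction SilentlyContinue
if (-not $assignment) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName -Scope $scope | Out-Null
}

# 4. Review everything the identity holds; anything broader than step 3 is a finding.
Get-AzRoleAssignment -ObjectId $principalId | Select-Object RoleDefinitionName, Scope
```

The new service principal can take a minute to replicate; if New-AzRoleAssignment complains that the principal does not exist, wait and rerun the script, which is safe because step 3 checks for an existing assignment first.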

Edit your Runbook authentication methods using Managed Identities

Open your Runbooks to check whether they use a Run As account as authentication method (look for Get-AutomationConnection with the AzureRunAsConnection name). Don’t forget to make a copy just in case. The code should look something like below.

    # Get the connection "AzureRunAsConnection"
    $connectionName = 'AzureRunAsConnection'
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

    "Logging in to Azure..."
    Add-AzAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint

If you’re using a System Assigned Managed Identity you can replace it with:

Connect-AzAccount -Identity

If you’re using a User Assigned Managed Identity you pass its client ID (shown on the identity’s Overview blade) and replace it with:

Connect-AzAccount -Identity -AccountId <myUserAssignedIdentityClientId>

Don’t try to look the client ID up inside the runbook with Get-AzUserAssignedIdentity before signing in: that cmdlet talks to Azure Resource Manager and fails without an existing Az context, so the lookup can only work from a session that is already authenticated.

Again, don’t forget to assign the correct permissions to your Managed Identity or your runbook will fail. Test every migrated runbook, and once none of them reference AzureRunAsConnection anymore, delete the Run As account and check that its Azure AD application, service principal and certificate are gone, so an unused credential with subscription-wide rights isn’t left behind.
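A complete sign-in block that can replace the AzureRunAsConnection snippet above in either case, as an added example that is not from the original post. It works for a System Assigned identity (leave the client ID empty) and a User Assigned one (pass the client ID), and it checks early that the identity was actually granted a role. The subscription ID, the client ID parameter and the resource group name are placeholders and assumptions:

```powershell
# Added example, not from the original post: runbook preamble that replaces the
# Run As account sign-in. Subscription ID, client ID and resource group are
# placeholders (assumptions).
param(
    # Empty = use the system-assigned identity; otherwise the client ID of the
    # user-assigned identity attached to this Automation Account.
    [string]$UserAssignedClientId = '',
    [string]$SubscriptionId = '00000000-0000-0000-0000-000000000000'  # assumption
)

$ErrorActionPreference = 'Stop'

# Never inherit a cached context from the sandbox; sign in explicitly every run.
$null = Disable-AzContextAutosave -Scope Process

try {
    if ($UserAssignedClientId) {
        $login = Connect-AzAccount -Identity -AccountId $UserAssignedClientId
    } else {
        $login = Connect-AzAccount -Identity
    }
    # Pin the subscription and keep the context in a variable so later Az calls
    # can pass it with -DefaultProfile instead of relying on ambient state.
    $ctx = Set-AzContext -Subscription $SubscriptionId -DefaultProfile $login.Context
} catch {
    throw "Managed identity sign-in failed. Is Identity enabled on the Automation Account? $_"
}

Write-Output ("Running as {0} in subscription {1}" -f $ctx.Account.Id, $ctx.Subscription.Name)

# Fail fast if the identity has no role yet: a cheap read that needs at least
# Reader on the scope the runbook is about to manage.
$targetRg = 'rg-workload'   # assumption
if (-not (Get-AzResourceGroup -Name $targetRg -DefaultProfile $ctx -ErrorAction SilentlyContinue)) {
    throw "Identity has no access to resource group '$targetRg'. Assign a role on its IAM blade first."
}

# ... existing runbook logic follows here, passing -DefaultProfile $ctx to Az cmdlets
```

The early permission check turns a confusing authorization error deep inside the runbook into a clear message at the top, which is where you want it while you are migrating dozens of runbooks at once.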

