Commit 077fa54

Merge pull request #212816 from SnehaSudhirG/28Sep-RestoreBrokenlinks
Fixed broken links
2 parents 73dad11 + 37676e8 commit 077fa54

1 file changed: +10 -11 lines changed

articles/automation/migrate-run-as-accounts-managed-identity.md

Lines changed: 10 additions & 11 deletions
@@ -13,13 +13,14 @@ ms.custom: devx-track-azurepowershell
1313
> [!IMPORTANT]
1414
> Azure Automation Run As Account will retire on **September 30, 2023**, and there will be no support provided beyond this date. From now through **September 30, 2023**, you can continue to use the Azure Automation Run As Account. However, we recommend you to transition to [managed identities](../automation/automation-security-overview.md#managed-identities) before **September 30, 2023**.
1515
16-
See the [frequently asked questions](../automation/automation-managed-identity-faq.md) for more information about migration cadence and support timeline for Run As account creation and certificate renewal.
16+
See the [Frequently asked questions](automation-managed-identity-faq.md) for more information about migration cadence and support timeline for Run As account creation and certificate renewal.
1717

18-
Run As accounts in Azure Automation provide authentication for managing Azure Resource Manager resources or resources deployed on the classic deployment model.Whenever a Run As account is created, an Azure AD application is registered, and a self-signed certificate will be generated which will be valid for one year. This adds an overhead of renewing the certificate every year before it expires to prevent the Automation account to stop working.
18+
Run As accounts in Azure Automation provide authentication for managing Azure Resource Manager resources or resources deployed on the classic deployment model. Whenever a Run As account is created, an Azure AD application is registered, and a self-signed certificate will be generated which will be valid for one year. This adds an overhead of renewing the certificate every year before it expires to prevent the Automation account to stop working.
1919

20-
Automation accounts can now be configured to use [Managed Identity](../automation/automation-security-overview.md#managed-identities) which is the default option when an Automation account is created. With this feature, Automation account can authenticate to Azure resources without the need to exchange any credentials, hence removing the overhead of renewing the certificate or managing the service principal.
20+
Automation accounts can now be configured to use [Managed identities](automation-security-overview.md#managed-identities) which is the default option when an Automation account is created. With this feature, Automation account can authenticate to Azure resources without the need to exchange any credentials, hence removing the overhead of renewing the certificate or managing the service principal.
2121

22-
Managed identity can be [system assigned](../automation/enable-managed-identity-for-automation.md) or [user assigned](../automation/add-user-assigned-identity.md). However, when a new Automation account is created, a system assigned managed identity is enabled.
22+
Managed identity can be [system assigned](enable-managed-identity-for-automation.md)
23+
or [user assigned](add-user-assigned-identity.md). However, when a new Automation account is created, a system assigned managed identity is enabled.
2324

2425
## Prerequisites
2526
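Review bot: The link normalisation is incomplete in this hunk: the unchanged IMPORTANT note on line 14 still links `../automation/automation-security-overview.md#managed-identities`, while new line 20 links the same target as `automation-security-overview.md#managed-identities`. Convert line 14 in the same commit so the file uses one relative-path style. New lines 22-23 also split the sentence "Managed identity can be [system assigned](...) or [user assigned](...)" across two source lines in mid-clause; keep it on one line as it was. On new line 16 the link text "Frequently asked questions" is now capitalised in the middle of a sentence, and "to prevent the Automation account to stop working" on line 18 was touched without fixing the grammar ("from stopping working").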

@@ -30,12 +31,10 @@ Ensure the following to migrate from the Run As account to Managed identities:
3031
> [!NOTE]
3132
> - User-assigned identities are supported for cloud jobs only. It isn't possible to use the Automation Account's User Managed Identity on a Hybrid Runbook Worker. To use hybrid jobs, you must create a System-assigned identities.
3233
> - There are two ways to use the Managed Identities in Hybrid Runbook Worker scripts. Either the System-assigned Managed Identity for the Automation account **OR** VM Managed Identity for an Azure VM running as a Hybrid Runbook Worker.
33-
> - Both the VM's User-assigned Managed Identity or the VM's system assigned Managed Identity will **NOT** work in an Automation account that is configured with an Automation account Managed Identity. When you enable the Automation account Managed Identity, you can only use the Automation Account System-Assigned Managed Identity and not the VM Managed Identity. For more information, see [Use runbook authentication with managed identities](../automation/automation-hrw-run-runbooks.md#runbook-auth-managed-identities).
34-
35-
1. Assign same role to the managed identity to access the Azure resources matching the Run As account. Follow the steps in [Check role assignment for Azure Automation Run As account](../automation/manage-run-as-account.md#check-role-assignment-for-azure-automation-run-as-account).
36-
Ensure that you don't assign high privilege permissions like Contributor, Owner and so on to Run as account. Follow the RBAC guidelines to limit the permissions from the default Contributor permissions assigned to Run As account using this [script](../automation/manage-run-as-account.md#limit-run-as-account-permissions)
37-
34+
> - Both the VM's User-assigned Managed Identity or the VM's system assigned Managed Identity will **NOT** work in an Automation account that is configured with an Automation account Managed Identity. When you enable the Automation account Managed Identity, you can only use the Automation Account System-Assigned Managed Identity and not the VM Managed Identity. For more information, see [Use runbook authentication with managed identities](automation-hrw-run-runbooks.md)
3835
36+
1. Assign same role to the managed identity to access the Azure resources matching the Run As account. Follow the steps in [Check role assignment for Azure Automation Run As account](manage-run-as-account.md#check-role-assignment-for-azure-automation-run-as-account). Ensure that you don't assign high privilege permissions like Contributor, Owner and so on to Run as account. Follow the RBAC guidelines to limit the permissions from the default Contributor permissions assigned to Run As account using this [script](manage-run-as-account.md#limit-run-as-account-permissions)
37+
3938
For example, if the Automation account is only required to start or stop an Azure VM, then the permissions assigned to the Run As account needs to be only for starting or stopping the VM. Similarly, assign read-only permissions if a runbook is reading from blob storage. Read more about [Azure Automation security guidelines](../automation/automation-security-guidelines.md#authentication-certificate-and-identities).
4039

4140
## Migrate from Automation Run As account to Managed Identity
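Review bot: Step 1 on new line 36 tells the reader to assign the "same role" as the Run As account to the managed identity, and only then says not to grant Contributor or Owner "to Run as account", even though the same sentence states that Contributor is the Run As default. Read in order, the step copies Contributor onto the managed identity. Since the two paragraphs are being merged anyway, reword so the least-privilege guidance names the managed identity and comes before the assignment, for example: reduce the Run As permissions first, then assign only those roles to the managed identity. New line 34 also drops the `#runbook-auth-managed-identities` fragment and the closing period from the automation-hrw-run-runbooks.md link; if that anchor was renamed, link to the new section rather than the page top. Context line 39 still uses the `../automation/` prefix that the rest of this commit removes.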
@@ -44,10 +43,10 @@ To migrate from an Automation Run As account to a Managed Identity for your runb
4443

4544
1. Change the runbook code to use managed identity. We recommend that you test the managed identity to verify if the runbook works as expected by creating a copy of your production runbook to use managed identity. Update your test runbook code to authenticate by using the managed identities. This ensures that you don't override the AzureRunAsConnection in your production runbook and break the existing Automation. After you are sure that the runbook code executes as expected using the Managed Identities, update your production runbook to use managed identities.
4645

47-
For Managed Identity support, use the Az cmdlet Connect-AzAccount cmdlet. use the Az cmdlet `Connect-AzAccount` cmdlet. See [Connect-AzAccount](https://learn.microsoft.com/powershell/module/az.accounts/Connect-AzAccount?branch=main&view=azps-8.3.0) in the PowerShell reference.
46+
For Managed Identity support, use the Az cmdlet Connect-AzAccount cmdlet. use the Az cmdlet `Connect-AzAccount` cmdlet. See [Connect-AzAccount](https://learn.microsoft.com/powershell/module/az.accounts/Connect-AzAccount?branch=main&view=azps-8.3.0) in the PowerShell reference.
4847

4948
- If you are using Az modules, update to the latest version following the steps in the [Update Azure PowerShell modules](https://learn.microsoft.com/azure/automation/automation-update-azure-modules?branch=main#update-az-modules)
50-
- If you are using AzureRM modules, Update `AzureRM.Profile` to latest version and replace using `Add-AzureRMAccount` cmdlet with `Connect-AzureRMAccount –Identity`.
49+
- If you are using AzureRM modules, Update `AzureRM.Profile` to latest version and replace using `Add-AzureRMAccount` cmdlet with `Connect-AzureRMAccount –Identity`.
5150

5251
Follow the sample scripts below to know the change required to the runbook code to use Managed Identities
5352
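Review bot: New line 46 is rewritten but still carries the duplicated sentence "use the Az cmdlet Connect-AzAccount cmdlet. use the Az cmdlet `Connect-AzAccount` cmdlet."; collapse it to one sentence, for example "For Managed Identity support, use the `Connect-AzAccount` cmdlet." The Connect-AzAccount link on that line is pinned to `?branch=main&view=azps-8.3.0`, so it will go stale; drop the query string. On new line 49, `Connect-AzureRMAccount –Identity` has a typographic en dash before Identity; use an ASCII hyphen so the command reads as it is typed, and lower-case "Update". As rendered, the added lines 46 and 49 are textually identical to the removed lines 47 and 50, so the commit message "Fixed broken links" does not describe this hunk; either state the whitespace change or leave these lines out of the commit.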
