images and page edits

Author: Ankita Dutta

articles/site-recovery/how-to-migrate-run-as-accounts-managed-identity.md

@@ -5,19 +5,18 @@ author: ankitaduttaMSFT
 ms.service: site-recovery
 ms.author: ankitadutta
 ms.topic: how-to 
-ms.date: 01/19/2023
+ms.date: 02/21/2023
 ---
 
-# Manage identities 
+# Migrate from a Run As account to Managed Identities 
 
 > [!IMPORTANT]
 > - Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities. Before that date, you'll need to start migrating your runbooks to use [managed identities](/articles/automation/automation-security-overview.md#managed-identities). For more information, see [migrating from an existing Run As accounts to managed identity](/articles/automation/migrate-run-as-accounts-managed-identity?tabs=run-as-account#sample-scripts).
 > - Delaying the feature has a direct impact on our support burden, as it would cause upgrades of mobility agent to fail.
 
 This article shows you how to migrate a Managed Identities for Azure Site Recovery applications. Azure Automation Accounts are used by Azure Site Recovery customers to auto-update the agents of their protected virtual machines. Site Recovery creates Azure Automation Run As Accounts when you enable replication via the IaaS VM Blade and Recovery Services Vault. 
 
-On Azure, managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource 
-in Azure Active Directory (Azure AD) and using it to obtain Azure AD tokens. 
+On Azure, managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure Active Directory (Azure AD) and using it to obtain Azure AD tokens. 
 
 ## Prerequisites
 
@@ -33,32 +32,88 @@ Before you migrate from a Run As account to a managed identity:
 1. Assign the same role to the managed identity to access the Azure resources that match the Run As account. Follow the steps in [Check the role assignment for the Azure Automation Run As account](../automation/manage-run-as-account.md#check-role-assignment-for-azure-automation-run-as-account).
 
    Ensure that you don't assign high-privilege permissions like contributor or owner to the Run As account. Follow the role-based access control (RBAC) guidelines to limit the permissions from the default contributor permissions assigned to a Run As account by using [this script](../automation/manage-run-as-account.md#limit-run-as-account-permissions). 
+
+## Benefits of managed identities
+
+Here are some of the benefits of using managed identities:
+
+- You don't need to manage credentials. Credentials aren’t even accessible to you.
+- You can use managed identities to authenticate to any resource that supports [Azure AD authentication](../authentication/overview-authentication.md), including your own applications.
+- Managed identities can be used at no extra cost.
+
+> [!NOTE]
+> Managed identities for Azure resources is the new name for the service formerly known as Managed Service Identity (MSI).
+
+## Migrate from an existing Run As account to a managed identity
 
-## Configure managed identities 
+### Configure managed identities 
 
 You can configure your managed identities through:
 
 - Azure portal
 - Azure CLI
 - your Azure Resource Manager (ARM) template
 
-When a managed identity is added, deleted, or modified on a running container app, the app doesn't automatically restart and a new revision isn't created.
-
 > [!NOTE]
 > For more information about migration cadence and the support timeline for Run As account creation and certificate renewal, see the [frequently asked questions](../automation/automation-managed-identity-faq.md).
 
-> [!NOTE]
-> When adding a managed identity to a container app deployed before April 11, 2022, you must create a new revision.
-
-## Migrate from an existing Run As account to a managed identity
 
 ### Portal experience
 
--
+**To migrate your Azure Automation account authentication type from a Run As to a managed identity authentication, follow these steps:**
+
+1. In the [Azure portal](https://portal.azure.com), navigate and select the recovery services vault that you want to migrate.
+
+1. On the homepage of your recovery services vault page, do the following:
+    1. On the left pane, under the **Manage** section, select **Site Recovery infrastructure**.
+        :::image type="content" source="./media/how-to-migrate-from-run-as-to-managed-identities/manage-section.png" alt-text="Screenshot of the **Site Recovery infrastructure** page.":::
+    1. Under the **For Azure virtual machines** section, select **Extension update settings**.
+     This page details the authentication type for the automation account that is being used to manage the Site Recovery extensions.
+
+    1. On this page, select the **Migrate** option to migrate the authentication type for your automation accounts to use Managed Identities. 
+        
+        :::image type="content" source="./media/how-to-migrate-from-run-as-to-managed-identities/extension-update-settings.png" alt-text="Screenshot of the Create Recovery Services vault page.":::
+
+1. After the successful migration of your automation account, the authentication type for the linked account details on the **Extension update settings** page is updated.
+
+When you successfully migrate from a Run As to a Managed Identities account, the following changes are reflected on the Automation Run As Accounts :
+
+-	System Assigned Managed Identity is enabled for the account (if not already enabled).
+-	The **Contributor** role permission is  assigned to the Recovery Services vault’s subscription.
+-	The script that updates the mobility agent to use Managed Identity based authentication is updated.
+
+
+### Link an existing managed identity account to vault
+
+You can link an existing managed identity Automation account to your Recovery Services vault. To do so, follow these steps:
+
+#### Enable the managed identity for the vault
+
+1. Go to your selected managed identity automation account. Under under **Account settings**, select **Identity**.
+
+   :::image type="content" source="./media/how-to-migrate-from-run-as-to-managed-identities/mi-automation-account.png" alt-text="Screenshot that shows the identity settings page.":::
+
+1. Under the **System assigned** section, change the **Status** to **On** and select **Save**.
+
+   An Object ID is generated. The vault is now registered with Azure Active
+   Directory.
+    :::image type="content" source="./media/hybrid-how-to-enable-replication-private-endpoints/enable-managed-identity-in-vault.png" alt-text="Screenshot that shows the system identity settings page.":::
+
+1. Navigate back to your recovery services vault. On the left pane, select the **Access control (IAM)** option.
+    :::image type="content" source="./media/how-to-migrate-from-run-as-to-managed-identities/add-mi-iam.png" alt-text="Screenshot that shows IAM settings page.":::
+1. Select **Add** > **Add role assignment** > **Contributor** to open the **Add role assignment** page.
+1. On the **Add role assignment** page, ensure that the **Managed identity** option is selected.
+1. Select the **Select members** option. This opens the **Select managed identities** pane. On this pane do the following:
+    1. In the **Select** field, paste the name of the managed identity automation account.
+    1. In the **Managed identity** field, select **All system-assigned managed identities**.
+    1. Select the **Select** option.
+        :::image type="content" source="./media/how-to-migrate-from-run-as-to-managed-identities/select-mi.png" alt-text="Screenshot that shows select managed identity settings page.":::
+1. Select **Review + assign**.
+
 
 ### Azure CLI sample scripts
 
-The following examples of runbook scripts fetch the Resource Manager resources by using the Run As account (service principal) and the managed identity.
+The following examples of runbook scripts fetch the Resource Manager resources by using the Run As account (service principal) and the managed identity. You would notice the difference in runbook code at the beginning of the runbook, where it authenticates against the resource.
 
 # [Run As account](#tab/run-as-account)
 
@@ -166,9 +221,6 @@ foreach ($ResourceGroup in $ResourceGroups)
 
 Learn more about:
 - [Managed identities](../active-directory/managed-identities-azure-resources/overview).
-- [Using a system-assigned managed identity for an Azure Automation account](../automation/enable-managed-identity-for-automation).
-- [Using a user-assigned managed identity for an Azure Automation account](../automation/add-user-assigned-identity).
-- [Connecting from your application to resources without handling credentials](../active-directory/managed-identities-azure-resources/overview-for-developers?tabs=portal%2Cdotnet)
 - [Implementing managed identities for Microsoft Azure Resources](https://www.pluralsight.com/courses/microsoft-azure-resources-managed-identities-implementing).
 - [FAQ for migrating from a Run As account to a managed identity](../automation/automation-managed-identity-faq).
 - [FAQ for Managed Identities](../active-directory/managed-identities-azure-resources/managed-identities-faq.md)