Merge pull request #227411 from SnehaSudhirG/15Feb-MigrateRunAs-MI

v-dirichards · web-flow · commit 1c0fa28cbc62 · 2023-02-15T11:19:44.000-06:00
added info on migration support
diff --git a/articles/automation/TOC.yml b/articles/automation/TOC.yml
@@ -86,12 +86,8 @@
               href: disable-managed-identity-for-automation.md
             - name: Remove user-assigned managed identity
               href: remove-user-assigned-identity.md
-            - name: Migrate Run As account to managed identity
-              href: migrate-run-as-accounts-managed-identity.md  
             - name: Troubleshoot managed identity
-              href: troubleshoot/managed-identity.md
-            - name: FAQ on Migration to managed identity
-              href: automation-managed-identity-faq.md 
+              href: troubleshoot/managed-identity.md 
         - name: Run As account
           items:
             - name: Create Run As account
@@ -100,6 +96,10 @@
               href: delete-run-as-account.md
             - name: Manage Run As account
               href: manage-runas-account.md
+            - name: Migrate Run As account to managed identity
+              href: migrate-run-as-accounts-managed-identity.md
+            - name: FAQ on Migration to managed identity
+              href: automation-managed-identity-faq.md
         - name: Use Automation extension for Visual Studio Code
           href: how-to/runbook-authoring-extension-for-vscode.md
         - name: Configure authentication with Amazon Web Services
diff --git a/articles/automation/automation-managed-identity-faq.md b/articles/automation/automation-managed-identity-faq.md
@@ -1,5 +1,5 @@
 ---
-title: Azure Automation migration to managed identity FAQ
+title: Azure Automation migration to managed identities FAQ
 description: This article gives answers to frequently asked questions when you're migrating from a Run As account to a managed identity.
 services: automation
 ms.subservice: process-automation
@@ -9,32 +9,25 @@ ms.custom: devx-track-azurepowershell
 #Customer intent: As an implementer, I want answers to various questions.
 ---
 
-#  FAQ for migrating from a Run As account to a managed identity 
+#  FAQ for migrating from a Run As account to managed identities
 
-The following FAQ can help you migrate from a Run As account to a managed identity in Azure Automation. If you have any other questions about the capabilities, post them on the [discussion forum](https://aka.ms/retirement-announcement-automation-runbook-start-using-managed-identities). When a question is frequently asked, we add it to this article so that it benefits everyone.
+The following FAQ can help you migrate from a Run As account to a Managed identity in Azure Automation. If you have any other questions about the capabilities, post them on the [discussion forum](https://aka.ms/retirement-announcement-automation-runbook-start-using-managed-identities). When a question is frequently asked, we add it to this article so that it benefits everyone.
 
 ## How long will you support a Run As account?
  
-Automation Run As accounts will be supported until *September 30, 2023*. Although we continue to support existing users, we recommend that all new users use managed identities for runbook authentication. 
-
-Existing users can still create a Run As account. You can go to the account properties and renew a certificate upon expiration until *January 30, 2023*. After that date, you won't be able to create a Run As account from the Azure portal. 
-
-You'll still be able to create a Run As account through a [PowerShell script](./create-run-as-account.md#create-account-using-powershell) until support ends. You can [use this script](https://github.com/azureautomation/runbooks/blob/master/Utility/AzRunAs/RunAsAccountAssessAndRenew.ps1) to renew the certificate after *January 30, 2023*, until *September 30, 2023*. This script will assess the Automation account that has configured Run As accounts and renew the certificate if you choose to do so. On confirmation, the script will renew the key credentials of the Azure Active Directory (Azure AD) app and upload new a self-signed certificate to the Azure AD app.
+Automation Run As accounts will be supported until *30 September 2023*. Moreover, starting 01 April 2023, creation of **new** Run As accounts in Azure Automation will not be possible. Renewing of certificates for existing Run As accounts would be possible only till the end of support.
 
 ## Will existing runbooks that use the Run As account be able to authenticate?
-Yes, they'll be able to authenticate. There will be no impact to existing runbooks that use a Run As account.
-
-## How can I renew an existing Run As account after January 30, 2023, when portal support to renew the account is removed?
-You can [use this script](https://github.com/azureautomation/runbooks/blob/master/Utility/AzRunAs/RunAsAccountAssessAndRenew.ps1) to renew the Run As account certificate after January 30, 2023, until September 30, 2023.
+Yes, they'll be able to authenticate. There will be no impact to existing runbooks that use a Run As account. After 30 September 2023, all runbook executions using RunAs accounts, including Classic Run As accounts wouldn't be supported. Hence, you must migrate all runbooks to use Managed identities before that date.
 
-## Can Run As accounts still be created after September 30, 2023, when Run As accounts will retire?
-Yes, you can still create Run As accounts by using the [PowerShell script](../automation/create-run-as-account.md#create-account-using-powershell). However, this will be an unsupported scenario.
-
-## Can Run As accounts still be renewed after September 30, 2023, when Run As account will retire?
-You can use [this script](https://github.com/azureautomation/runbooks/blob/master/Utility/AzRunAs/RunAsAccountAssessAndRenew.ps1) to renew the Run As account certificate after September 30, 2023, when Run As accounts will retire. However, it will be an unsupported scenario.
+## My Run as account will expire soon, how can I renew it?
+If your Run As account certificate is going to expire soon, it's a good time to start using Managed identities for authentication instead of renewing the certificate. However, if you still want to renew it, you would be able to do it through the portal only till 30 September 2023.
 
+## Can I create new Run As accounts?
+From 1 April 2023, creation of new Run As accounts wouldn't be possible. We strongly recommend that you start using Managed identities for authentication instead of creating new Run As accounts.
+ 
 ## Will runbooks that still use the Run As account be able to authenticate after September 30, 2023?
-Yes, the runbooks will be able to authenticate until the Run As account certificate expires.
+Yes, the runbooks will be able to authenticate until the Run As account certificate expires. After 30 September 2023, all runbook executions using RunAs accounts wouldn't be supported.
 
 ## What is a managed identity?
 Applications use managed identities in Azure AD when they're connecting to resources that support Azure AD authentication. Applications can use managed identities to obtain Azure AD tokens without managing credentials, secrets, certificates, or keys. 
@@ -57,9 +50,6 @@ Run As accounts also have a management overhead that involves creating a service
 ## Can a managed identity be used for both cloud and hybrid jobs?
 Azure Automation supports [system-assigned managed identities](./automation-security-overview.md#managed-identities) for both cloud and hybrid jobs. Currently, Azure Automation [user-assigned managed identities](./automation-security-overview.md) can be used for cloud jobs only and can't be used for jobs that run on a hybrid worker.
 
-## Can I use a Run As account for new Automation account?
-Yes, but only in a scenario where managed identities aren't supported for specific on-premises resources. We'll allow the creation of a Run As account through a [PowerShell script](./create-run-as-account.md#create-account-using-powershell).
-
 ## How can I migrate from an existing Run As account to a managed identity?
 Follow the steps in [Migrate an existing Run As account to a managed identity](./migrate-run-as-accounts-managed-identity.md).
 
diff --git a/articles/automation/migrate-run-as-accounts-managed-identity.md b/articles/automation/migrate-run-as-accounts-managed-identity.md
@@ -1,19 +1,19 @@
 ---
-title: Migrate from a Run As account to a managed identity
-description: This article describes how to migrate from a Run As account to a managed identity in Azure Automation.
+title: Migrate from a Run As account to Managed identities
+description: This article describes how to migrate from a Run As account to managed identities in Azure Automation.
 services: automation
 ms.subservice: process-automation
-ms.date: 02/11/2023
+ms.date: 02/15/2023
 ms.topic: conceptual 
 ms.custom: devx-track-azurepowershell
 ---
 
-# Migrate from an existing Run As account to a managed identity
+# Migrate from an existing Run As account to Managed identities
 
 > [!IMPORTANT]
-> Azure Automation Run As accounts will retire on *September 30, 2023*. Microsoft won't provide support beyond that date. From now through *September 30, 2023*, you can continue to use Azure Automation Run As accounts. However, we recommend that you transition to [managed identities](../automation/automation-security-overview.md#managed-identities) before *September 30, 2023*.
->
-> For more information about migration cadence and the support timeline for Run As account creation and certificate renewal, see the [frequently asked questions](automation-managed-identity-faq.md).
+> Azure Automation Run As accounts will retire on *30 September 2023* and completely move to [Managed Identities](automation-security-overview.md#managed-identities). All runbook executions using RunAs accounts, including Classic Run As accounts wouldn't be supported after this date. Starting 01 April 2023, the creation of **new** Run As accounts in Azure Automation will not be possible.
+
+For more information about migration cadence and the support timeline for Run As account creation and certificate renewal, see the [frequently asked questions](automation-managed-identity-faq.md).
 
 Run As accounts in Azure Automation provide authentication for managing resources deployed through Azure Resource Manager or the classic deployment model. Whenever a Run As account is created, an Azure AD application is registered, and a self-signed certificate is generated. The certificate is valid for one year. Renewing the certificate every year before it expires keeps the Automation account working but adds overhead. 
 
@@ -38,7 +38,8 @@ Before you migrate from a Run As account or Classic Run As account to a managed
 
    For example, if the Automation account is required only to start or stop an Azure VM, then the permissions assigned to the Run As account need to be only for starting or stopping the VM. Similarly, assign read-only permissions if a runbook is reading from Azure Blob Storage. For more information, see [Azure Automation security guidelines](../automation/automation-security-guidelines.md#authentication-certificate-and-identities). 
 
-1. If you are using Classic Run As accounts, ensure that you have [migrated](../virtual-machines/classic-vm-deprecation.md) resources deployed through classic deployment model to Azure Resource Manager.
+1. If you're using Classic Run As accounts, ensure that you have [migrated](../virtual-machines/classic-vm-deprecation.md) resources deployed through classic deployment model to Azure Resource Manager.
+1. Use [this script](https://github.com/azureautomation/runbooks/blob/master/Utility/AzRunAs/Check-AutomationRunAsAccountRoleAssignments.ps1) to find out which Automation accounts are using a Run As account. If your Azure Automation accounts contain a Run As account, it will have the built-in contributor role assigned to it by default. You can use the script to check the Azure Automation Run As accounts and determine if their role assignment is the default one or if it has been changed to a different role definition.
 
 ## Migrate from an Automation Run As account to a managed identity
 
@@ -50,7 +51,7 @@ To migrate from an Automation Run As account or Classic Run As account to a mana
 
     For managed identity support, use the `Connect-AzAccount` cmdlet. To learn more about this cmdlet, see [Connect-AzAccount](/powershell/module/az.accounts/Connect-AzAccount?branch=main&view=azps-8.3.0) in the PowerShell reference.
 
-    - If you're using Az modules, update to the latest version by following the steps in the [Update Azure PowerShell modules](./automation-update-azure-modules.md?branch=main#update-az-modules) article. 
+    - If you're using `Az` modules, update to the latest version by following the steps in the [Update Azure PowerShell modules](./automation-update-azure-modules.md?branch=main#update-az-modules) article. 
     - If you're using AzureRM modules, update `AzureRM.Profile` to the latest version and replace it by using the `Add-AzureRMAccount` cmdlet with `Connect-AzureRMAccount –Identity`.
     
     To understand the changes to the runbook code that are required before you can use managed identities, use the [sample scripts](#sample-scripts).
@@ -59,49 +60,7 @@ To migrate from an Automation Run As account or Classic Run As account to a mana
 
 ## Sample scripts
 
-The following examples of runbook scripts fetch the Resource Manager resources by using the Run As account (service principal) and the managed identity.
-
-# [Run As account](#tab/run-as-account)
-
-```powershell-interactive
-  $connectionName = "AzureRunAsConnection"
-  try
-  {
-      # Get the connection "AzureRunAsConnection"
-      $servicePrincipalConnection=Get-AutomationConnection -Name $connectionName         
-
-      "Logging in to Azure..."
-      Add-AzureRmAccount `
-          -ServicePrincipal `
-          -TenantId $servicePrincipalConnection.TenantId `
-          -ApplicationId $servicePrincipalConnection.ApplicationId `
-          -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint 
-  }
-  catch {
-      if (!$servicePrincipalConnection)
-      {
-          $ErrorMessage = "Connection $connectionName not found."
-          throw $ErrorMessage
-      } else{
-          Write-Error -Message $_.Exception
-          throw $_.Exception
-      }
-  }
-
-  #Get all Resource Manager resources from all resource groups
-  $ResourceGroups = Get-AzureRmResourceGroup 
-
-  foreach ($ResourceGroup in $ResourceGroups)
-  {    
-      Write-Output ("Showing resources in resource group " + $ResourceGroup.ResourceGroupName)
-      $Resources = Find-AzureRmResource -ResourceGroupNameContains $ResourceGroup.ResourceGroupName | Select ResourceName, ResourceType
-      ForEach ($Resource in $Resources)
-      {
-          Write-Output ($Resource.ResourceName + " of type " +  $Resource.ResourceType)
-      }
-      Write-Output ("")
-  } 
-  ```
+The following examples of runbook scripts fetch the Resource Manager resources by using the Run As account (service principal) and the managed identity. You would notice the difference in runbook code at the beginning of the runbook, where it authenticates against the resource. 
 
 # [System-assigned managed identity](#tab/sa-managed-identity)
 
@@ -161,6 +120,48 @@ foreach ($ResourceGroup in $ResourceGroups)
     Write-Output ("") 
 }
 ```
+# [Run As account](#tab/run-as-account)
+
+```powershell-interactive
+  $connectionName = "AzureRunAsConnection"
+  try
+  {
+      # Get the connection "AzureRunAsConnection"
+      $servicePrincipalConnection=Get-AutomationConnection -Name $connectionName         
+
+      "Logging in to Azure..."
+      Add-AzureRmAccount `
+          -ServicePrincipal `
+          -TenantId $servicePrincipalConnection.TenantId `
+          -ApplicationId $servicePrincipalConnection.ApplicationId `
+          -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint 
+  }
+  catch {
+      if (!$servicePrincipalConnection)
+      {
+          $ErrorMessage = "Connection $connectionName not found."
+          throw $ErrorMessage
+      } else{
+          Write-Error -Message $_.Exception
+          throw $_.Exception
+      }
+  }
+
+  #Get all Resource Manager resources from all resource groups
+  $ResourceGroups = Get-AzureRmResourceGroup 
+
+  foreach ($ResourceGroup in $ResourceGroups)
+  {    
+      Write-Output ("Showing resources in resource group " + $ResourceGroup.ResourceGroupName)
+      $Resources = Find-AzureRmResource -ResourceGroupNameContains $ResourceGroup.ResourceGroupName | Select ResourceName, ResourceType
+      ForEach ($Resource in $Resources)
+      {
+          Write-Output ($Resource.ResourceName + " of type " +  $Resource.ResourceType)
+      }
+      Write-Output ("")
+  } 
+  ```
+
 ---
 
 ## Graphical runbooks
@@ -175,7 +176,7 @@ foreach ($ResourceGroup in $ResourceGroups)
 
     :::image type="content" source="./media/migrate-run-as-account-managed-identity/activity-parameter-configuration.png" alt-text="Screenshot that shows examining the parameters used by a cmdlet.":::
 
-    For use with the Run As account, the cmdlet will use the `ServicePrinicipalCertificate` parameter set to `ApplicationId`. `CertificateThumbprint` will be from `RunAsAccountConnection`.
+    For use with the Run As account, the cmdlet uses the `ServicePrinicipalCertificate` parameter set to `ApplicationId`. `CertificateThumbprint` will be from `RunAsAccountConnection`.
 
     :::image type="content" source="./media/migrate-run-as-account-managed-identity/parameter-sets-inline.png" alt-text="Screenshot that shows parameter sets." lightbox="./media/migrate-run-as-account-managed-identity/parameter-sets-expanded.png":::
  
