Commit 2d87f6b

Merge pull request #234211 from SnehaSudhirG/12Apr-RunAsDocUpdates
Feedback incorporated for RunAs Accounts
2 parents 1248b97 + cf1f51a commit 2d87f6b

7 files changed

+33
-36
lines changed

articles/automation/automation-connections.md

Lines changed: 21 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@ title: Manage connections in Azure Automation
33
description: This article tells how to manage Azure Automation connections to external services or applications and how to work with them in runbooks.
44
services: automation
55
ms.subservice: shared-capabilities
6-
ms.date: 12/22/2020
6+
ms.date: 04/12/2023
77
ms.topic: conceptual
88
ms.custom: devx-track-azurepowershell
99
---
@@ -27,10 +27,8 @@ When you create a connection, you must specify a connection type. The connection
2727
Azure Automation makes the following built-in connection types available:
2828

2929
* `Azure` - Represents a connection used to manage classic resources.
30-
* `AzureServicePrincipal` - Represents a connection used by the Azure Run As account.
31-
* `AzureClassicCertificate` - Represents a connection used by the classic Azure Run As account.
32-
33-
In most cases, you don't need to create a connection resource because it is created when you create a [Run As account](automation-security-overview.md).
30+
* `AzureServicePrincipal` - Represents a connection used to manage resources in Azure using a service principal.
31+
* `AzureClassicCertificate` - This connection type is used to manage resources in Azure that were created using the classic deployment model that doesn't support Service Principal authentication.
3432

3533
## PowerShell cmdlets to access connections
3634

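Review bot: The new `AzureClassicCertificate` bullet breaks the pattern of the two bullets above it, which both open with "Represents a connection used to ...", and it capitalises "Service Principal" where the `AzureServicePrincipal` bullet one line up writes "service principal". Suggest: "Represents a connection used to manage resources created with the classic deployment model, which doesn't support service principal authentication."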
@@ -80,15 +78,15 @@ To create a new connection in the Azure portal:
8078

8179
Create a new connection with Windows PowerShell using the `New-AzAutomationConnection` cmdlet. This cmdlet has a `ConnectionFieldValues` parameter that expects a hashtable defining values for each of the properties defined by the connection type.
8280

83-
You can use the following example commands as an alternative to creating the Run As account from the portal to create a new connection asset.
81+
You can use the following example commands to create a connection that can be used for authentication using Azure Service Principal.
8482

8583
```powershell
86-
$ConnectionAssetName = "AzureRunAsConnection"
84+
$ConnectionAssetName = "AzureConnection"
8785
$ConnectionFieldValues = @{"ApplicationId" = $Application.ApplicationId; "TenantId" = $TenantID.TenantId; "CertificateThumbprint" = $Cert.Thumbprint; "SubscriptionId" = $SubscriptionId}
8886
New-AzAutomationConnection -ResourceGroupName $ResourceGroup -AutomationAccountName $AutomationAccountName -Name $ConnectionAssetName -ConnectionTypeName AzureServicePrincipal -ConnectionFieldValues $ConnectionFieldValues
8987
```
9088

91-
When you create your Automation account, it includes several global modules by default, along with the connection type `AzureServicePrincipal` to create the `AzureRunAsConnection` connection asset. If you try to create a new connection asset to connect to a service or application with a different authentication method, the operation fails because the connection type is not already defined in your Automation account. For more information on creating your own connection type for a custom module, see [Add a connection type](#add-a-connection-type).
89+
If you try to create a new connection asset to connect to a service or application with a different authentication method, the operation fails because the connection type is not already defined in your Automation account. For more information on creating your own connection type for a custom module, see [Add a connection type](#add-a-connection-type).
9290

9391
## Add a connection type
9492

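Review bot: In the PowerShell example, `$Application`, `$TenantID`, `$Cert`, `$SubscriptionId`, `$ResourceGroup` and `$AutomationAccountName` are read but never assigned in the snippet, and with the Run As wording removed from the lead-in nothing tells the reader where they come from. Add a sentence before the block saying these must already hold the service principal's application, tenant and certificate objects and the target account details, or show the assignments. The new asset name `AzureConnection` is also very close to the built-in `Azure` connection type listed earlier in the article; a more distinctive name would avoid confusing the two.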
@@ -123,38 +121,38 @@ Retrieve a connection in a runbook or DSC configuration with the internal `Get-A
123121

124122
# [PowerShell](#tab/azure-powershell)
125123

126-
The following example shows how to use the Run As account to authenticate with Azure Resource Manager resources in your runbook. It uses a connection asset representing the Run As account, which references the certificate-based service principal.
124+
The following example shows how to use a connection to authenticate with Azure Resource Manager resources in your runbook. It uses a connection asset, which references the certificate-based service principal.
127125

128126
```powershell
129-
$Conn = Get-AutomationConnection -Name AzureRunAsConnection
127+
$Conn = Get-AutomationConnection -Name AzureConnection
130128
Connect-AzAccount -ServicePrincipal -Tenant $Conn.TenantID -ApplicationId $Conn.ApplicationID -CertificateThumbprint $Conn.CertificateThumbprint
131129
```
132130

133131
# [Python](#tab/python2)
134132

135-
The following example shows how to authenticate using the Run As connection in a Python 2 and 3 runbook.
133+
The following example shows how to authenticate using connection in a Python 2 and 3 runbook.
136134

137135
```python
138136
""" Tutorial to show how to authenticate against Azure resource manager resources """
139137
import azure.mgmt.resource
140138
import automationassets
141139

142-
def get_automation_runas_credential(runas_connection):
140+
def get_automation_credential(azure_connection):
143141
""" Returns credentials to authenticate against Azure resource manager """
144142
from OpenSSL import crypto
145143
from msrestazure import azure_active_directory
146144
import adal
147145

148-
# Get the Azure Automation Run As service principal certificate
149-
cert = automationassets.get_automation_certificate("AzureRunAsCertificate")
146+
# Get the Azure Automation service principal certificate
147+
cert = automationassets.get_automation_certificate("MyCertificate")
150148
pks12_cert = crypto.load_pkcs12(cert)
151149
pem_pkey = crypto.dump_privatekey(
152150
crypto.FILETYPE_PEM, pks12_cert.get_privatekey())
153151

154-
# Get Run As connection information for the Azure Automation service principal
155-
application_id = runas_connection["ApplicationId"]
156-
thumbprint = runas_connection["CertificateThumbprint"]
157-
tenant_id = runas_connection["TenantId"]
152+
# Get information for the Azure Automation service principal
153+
application_id = my_connection["ApplicationId"]
154+
thumbprint = my_connection["CertificateThumbprint"]
155+
tenant_id = my_connection["TenantId"]
158156

159157
# Authenticate with service principal certificate
160158
resource = "https://management.core.windows.net/"
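Review bot: The renamed function takes `azure_connection` as its parameter, but the three added lookups read `my_connection["ApplicationId"]`, `my_connection["CertificateThumbprint"]` and `my_connection["TenantId"]`, a name that is not defined anywhere in the visible sample, so the function would fail with a NameError on its first call. Use `azure_connection[...]` in all three lines. Separately, the new lead-in reads "authenticate using connection" and needs an article ("using a connection"), and `"MyCertificate"` should be described as a placeholder for the reader's own certificate asset name.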
@@ -169,10 +167,10 @@ def get_automation_runas_credential(runas_connection):
169167
)
170168

171169

172-
# Authenticate to Azure using the Azure Automation Run As service principal
173-
runas_connection = automationassets.get_automation_connection(
174-
"AzureRunAsConnection")
175-
azure_credential = get_automation_runas_credential(runas_connection)
170+
# Authenticate to Azure using the Azure Automation service principal
171+
azure_connection = automationassets.get_automation_connection(
172+
"AzureConnection")
173+
azure_credential = get_automation_credential(azure_connection)
176174
```
177175

178176
---
@@ -183,7 +181,7 @@ You can add an activity for the internal `Get-AutomationConnection` cmdlet to a
183181

184182
![add to canvas](media/automation-connections/connection-add-canvas.png)
185183

186-
The following image shows an example of using a connection object in a graphical runbook. This example uses the `Constant value` data set for the `Get RunAs Connection` activity, which uses a connection object for authentication. A [pipeline link](automation-graphical-authoring-intro.md#use-links-for-workflow) is used here since the `ServicePrincipalCertificate` parameter set is expecting a single object.
184+
The following image shows an example of using a connection object in a graphical runbook.
187185

188186
![get connections](media/automation-connections/automation-get-connection-object.png)
189187

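Review bot: The shortened caption drops the only description of what the screenshot shows, and the removed text named a `Get RunAs Connection` activity in that image. Confirm that `media/automation-connections/automation-get-connection-object.png` no longer displays the Run As label, otherwise the image contradicts the rest of this cleanup. The explanation of why a pipeline link is needed (the `ServicePrincipalCertificate` parameter set expects a single object) does not depend on Run As accounts and could be kept.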
articles/automation/automation-powershell-workflow.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@ title: Learn PowerShell Workflow for Azure Automation
33
description: This article teaches you the differences between PowerShell Workflow and PowerShell and concepts applicable to Automation runbooks.
44
services: automation
55
ms.subservice: process-automation
6-
ms.date: 10/16/2022
6+
ms.date: 04/12/2023
77
ms.topic: conceptual
88
ms.custom: devx-track-azurepowershell
99
---
@@ -153,7 +153,7 @@ For more information on using InlineScript, see [Running Windows PowerShell Comm
153153

154154
One advantage of Windows PowerShell Workflows is the ability to perform a set of commands in parallel instead of sequentially as with a typical script.
155155

156-
You can use the `Parallel` keyword to create a script block with multiple commands that run concurrently. This uses the following syntax shown below. In this case, Activity1 and Activity2 starts at the same time. Activity3 starts only after both Activity1 and Activity2 have completed.
156+
You can use the `Parallel` keyword to create a script block with multiple commands that run concurrently. This uses the following syntax shown below. In this case, Activity1 and Activity2 start at the same time. Activity3 starts only after both Activity1 and Activity2 have completed.
157157

158158
```powershell
159159
Parallel
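Review bot: The edited sentence still reads "This uses the following syntax shown below", which says the same thing twice. Since the line is being touched for the "start" fix anyway, trim it to "It uses the following syntax."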
@@ -286,7 +286,7 @@ workflow CreateTestVms
286286
```
287287

288288
> [!NOTE]
289-
> For non-graphical PowerShell runbooks, `Add-AzAccount` and `Add-AzureRMAccount` are aliases for [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount). You can use these cmdlets or you can [update your modules](automation-update-azure-modules.md) in your Automation account to the latest versions. You might need to update your modules even if you have just created a new Automation account. Use of these cmdlets is not required if you are authenticating using a Run As account configured with a service principal.
289+
> For non-graphical PowerShell runbooks, `Add-AzAccount` and `Add-AzureRMAccount` are aliases for [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount). You can use these cmdlets or you can [update your modules](automation-update-azure-modules.md) in your Automation account to the latest versions. You might need to update your modules even if you have just created a new Automation account.
290290
291291
For more information about checkpoints, see [Adding Checkpoints to a Script Workflow](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj574114(v=ws.11)).
292292

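Review bot: With the last sentence of the note deleted, the note lists aliases for `Connect-AzAccount` but no longer says anything about which identity a runbook should sign in with. The source-control change in this same commit states that Run As accounts are being replaced by managed identities, so consider replacing the removed sentence with a pointer to managed identity authentication instead of only deleting it.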

articles/automation/quickstart-create-automation-account-template.md

Lines changed: 1 addition & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@ title: Create an Azure Automation account using a Resource Manager template
33
titleSuffix: Azure Automation
44
description: This article shows how to create an Automation account by using the Azure Resource Manager template.
55
services: automation
6-
ms.date: 08/27/2021
6+
ms.date: 04/12/2023
77
ms.topic: conceptual
88
ms.workload: infrastructure-services
99
ms.custom: mvc, subject-armqs, mode-arm, devx-track-arm-template
@@ -22,9 +22,6 @@ The sample template does the following steps:
2222
* Links the Automation account to the Log Analytics workspace.
2323
* Adds sample Automation runbooks to the account.
2424

25-
> [!NOTE]
26-
> Creation of the Automation Run As account is not supported when you're using an ARM template. To create a Run As account manually from the portal or with PowerShell, see [Create Run As account](create-run-as-account.md).
27-
2825
If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
2926

3027
## Prerequisites

articles/automation/quickstarts/create-azure-automation-account-portal.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
title: Quickstart - Create an Azure Automation account using the portal
33
description: This quickstart helps you to create a new Automation account using Azure portal.
44
services: automation
5-
ms.date: 10/26/2021
5+
ms.date: 04/12/2023
66
ms.topic: quickstart
77
ms.subservice: process-automation
88
ms.custom: mvc, mode-ui

articles/automation/quickstarts/dsc-configuration.md

Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ description: This article helps you get started configuring an Azure VM with Des
44
services: automation
55
ms.subservice: dsc
66
keywords: dsc, configuration, automation
7-
ms.date: 09/01/2021
7+
ms.date: 04/12/2023
88
ms.topic: quickstart
99
ms.custom: mvc, mode-other
1010
---
@@ -18,7 +18,6 @@ By enabling Azure Automation State Configuration, you can manage and monitor the
1818
To complete this quickstart, you need:
1919

2020
* An Azure subscription. If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/).
21-
* An Azure Automation account. For instructions on creating an Azure Automation Run As account, see [Azure Run As Account](../manage-runas-account.md).
2221
* An Azure Resource Manager virtual machine running Red Hat Enterprise Linux, CentOS, or Oracle Linux. For instructions on creating a VM, see [Create your first Linux virtual machine in the Azure portal](../../virtual-machines/linux/quick-create-portal.md)
2322

2423
## Sign in to Azure
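Review bot: Deleting the whole bullet at old line 21 removes the Automation account prerequisite along with the Run As link, yet the steps later in this file still start "From the left pane of the Automation account". Keep the requirement and drop only the Run As reference, for example "* An Azure Automation account.", linking to the account-creation quickstart if one is appropriate. The VM bullet that follows is also missing its closing period.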
@@ -33,7 +32,7 @@ There are many different methods to enable a machine for Automation State Config
3332
1. From the left pane of the Automation account, select **State configuration (DSC)**.
3433
2. Click **Add** to open the **VM select** page.
3534
3. Find the virtual machine for which to enable DSC. You can use the search field and filter options to find a specific virtual machine.
36-
4. Click on the virtual machine, and then click **Connect**
35+
4. Click on the virtual machine, and then click **Connect**.
3736
5. Select the DSC settings appropriate for the virtual machine. If you have already prepared a configuration, you can specify it as `Node Configuration Name`. You can set the [configuration mode](/powershell/dsc/managing-nodes/metaConfig) to control the configuration behavior for the machine.
3837
6. Click **OK**. While the DSC extension is deployed to the virtual machine, the status reported is `Connecting`.
3938

articles/automation/source-control-integration.md

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@ title: Use source control integration in Azure Automation
33
description: This article tells you how to synchronize Azure Automation source control with other repositories.
44
services: automation
55
ms.subservice: process-automation
6-
ms.date: 11/22/2021
6+
ms.date: 04/12/2023
77
ms.topic: conceptual
88
ms.custom: devx-track-azurepowershell
99
---
@@ -36,7 +36,10 @@ Azure Automation supports three types of source control:
3636
>
3737
> :::image type="content" source="./media/source-control-integration/user-assigned-managed-identity.png" alt-text="Screenshot that displays the user-assigned Managed Identity.":::
3838
>
39-
> If you have both a Run As account and managed identity enabled, then managed identity is given preference. If you want to use a Run As account instead, you can [create an Automation variable](./shared-resources/variables.md) of BOOLEAN type named `AUTOMATION_SC_USE_RUNAS` with a value of `true`.
39+
> If you have both a Run As account and managed identity enabled, then managed identity is given preference.
40+
41+
> [!Important]
42+
> Azure Automation Run As Account will retire on **September 30, 2023** and will be replaced with Managed Identities. Before that date, you need to [migrate from a Run As account to Managed identities](migrate-run-as-accounts-managed-identity.md).
4043
4144
> [!NOTE]
4245
> According to [this](/azure/devops/organizations/accounts/change-application-access-policies?view=azure-devops#application-connection-policies) Azure DevOps documentation, **Third-party application access via OAuth** policy is defaulted to **off** for all new organizations. So if you try to configure source control in Azure Automation with **Azure Devops (Git)** as source control type without enabling **Third-party application access via OAuth** under Policies tile of Organization Settings in Azure DevOps then you might get **SourceControl securityToken is invalid** error. Hence to avoid this error, make sure you first enable **Third-party application access via OAuth** under Policies tile of Organization Settings in Azure DevOps.
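Review bot: The rewritten line 39 removes the documentation for the `AUTOMATION_SC_USE_RUNAS` variable without saying what happens for accounts that already set it to `true`. If the variable is still honoured until the retirement date, readers need to know to delete it as part of migrating; if it is ignored, say so. Also, `[!Important]` is cased differently from the `[!NOTE]` alert three lines below, and the added text mixes "Managed Identities", "Managed identities" and "managed identity"; pick one casing for each.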
