Commit 4ee2e35

added info
1 parent 0f1a7e3 commit 4ee2e35

6 files changed

+54
-6
lines changed

articles/automation/automation-managed-identity-faq.md

Lines changed: 17 additions & 2 deletions
@@ -15,14 +15,29 @@ This Microsoft FAQ is a list of commonly asked questions when you're migrating f
1515

1616
## How long will you support Run As account?
1717

18-
Automation Run As account will be supported for the next one year until **September 30, 2023**. While we continue to support existing users, we recommend all new users to use Managed identities as the preferred way of runbook authentication. Existing users can still create the Run As account, see the account properties and renew the certificate upon expiration till **May 30, 2023**. After this date, you won't be able to create a Run As account from the Azure portal. You will still be able to create a Run As account through [PowerShell script](/azure/automation/create-run-as-account#create-account-using-powershell) until the supported time of one year.
18+
Automation Run As account will be supported for the next one year until **September 30, 2023**. While we continue to support existing users, we recommend all new users to use Managed identities as the preferred way of runbook authentication. Existing users can still create the Run As account, see the account properties and renew the certificate upon expiration till **January 30, 2023**. After this date, you won't be able to create a Run As account from the Azure portal. You will still be able to create a Run As account through [PowerShell script](/azure/automation/create-run-as-account#create-account-using-powershell) until the supported time of one year. You can [use this script](/script) to renew the certificate post **January 30, 2023** until **September 30, 2023**.
19+
20+
21+
## Will existing runbooks that use the Run As account be able to authenticate?
22+
Yes, they will be able to authenticate and there will be no impact to the existing runbooks using Run As account.
23+
24+
## How can I renew the existing Run as accounts post January 30, 2023 when portal support to renew the account to removed?
25+
You can [use this script](/script) to renew the Run As account certificate post January 30, 2023 until September 30, 2023.
26+
27+
## Can Run As account still be created post September 30, 2023 when Run As account will retire?
28+
Yes, you can still create the Run As account using the [PowerShell script](/script) However, this would be an unsupported scenario.
29+
30+
## Can Run As accounts still be renewed post September 30, 2023 when Run As account will retire?
31+
You can [use this script](/script) to renew the Run As account certificate post September 30, 2023 when Run As account will retire. However, it would be an unsupported scenario.
32+
33+
## Will the runbooks that still use the Run As account be able to authenticate even after September 30, 2023?
34+
Yes, the runbooks will be able to authenticate until the Run As account certificate expires.
1935

2036
## What is Managed Identity?
2137
Managed identities provide an automatically managed identity in Azure Active Directory for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. Applications can use managed identities to obtain Azure AD tokens without managing credentials, secrets, certificates or keys.
2238

2339
For more information about managed identities in Azure AD, see [Managed identities for Azure resources](/azure/active-directory/managed-identities-azure-resources/overview).
2440

25-
2641
## What can I do with a Managed identity in Automation accounts?
2742
An Azure Automation managed identity from Azure Active Directory (Azure AD) allows your runbook to access other Azure AD-protected resources easily. This identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets. Key benefits are:
2843
- You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
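Review bot: The four added links written as `[use this script](/script)` and `[PowerShell script](/script)` point at `/script`, which reads as a placeholder rather than a docs path. The first paragraph already links the creation script at `/azure/automation/create-run-as-account#create-account-using-powershell`, so the renewal answers should link the actual renewal script the same way before this merges. Also in the added lines: the heading "when portal support to renew the account to removed" should read "is removed", and the answer ending `[PowerShell script](/script) However` is missing a period. Because the last answer says runbooks keep authenticating until the certificate expires, the two "unsupported scenario" answers should repeat that migrating to managed identities is the recommended path, as the first paragraph does.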

articles/automation/migrate-run-as-accounts-managed-identity.md

Lines changed: 37 additions & 4 deletions
@@ -13,9 +13,11 @@ ms.custom: devx-track-azurepowershell
1313
> [!IMPORTANT]
1414
> Azure Automation Run As Account will retire on **September 30, 2023**, and there will be no support provided beyond this date. From now through **September 30, 2023**, you can continue to use the Azure Automation Run As Account. However, we recommend you to transition to [managed identities](/automation-security-overview.md#managed-identities) before **September 30, 2023**. See the official announcement here.
1515
16+
See the [frequently asked questions](/automation/automation-managed-identity.md) for more information about migration cadence and support timeline for Run As account creation and certificate renewal.
17+
1618
Run As accounts in Azure Automation provide authentication for managing Azure Resource Manager resources or resources deployed on the classic deployment model. Whenever a Run As account is created, an Azure AD application is registered, and a self-signed certificate will be generated which will be valid for one year. This adds an overhead of renewing the certificate every year before it expires to prevent the Automation account to stop working.
1719

18-
Automation accounts can now be configured to use [Managed Identity](/automation/automation-security-overview#managed-identities) which is the default option when an Automation account is created. With this feature, Automation account can authenticate to Azure resources without the need to exchange any credentials, hence removing the overhead of renewing the certificate or managing the service principal.
20+
Automation accounts can now be configured to use [Managed Identity](/automation/automation-security-overview.md#managed-identities) which is the default option when an Automation account is created. With this feature, Automation account can authenticate to Azure resources without the need to exchange any credentials, hence removing the overhead of renewing the certificate or managing the service principal.
1921

2022
Managed identity can be [system assigned]( /automation/enable-managed-identity-or-automation) or [user assigned](/automation/add-user-assigned-identity). However, when a new Automation account is created, a system assigned managed identity is enabled.
2123
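Review bot: The added sentence links the FAQ as `/automation/automation-managed-identity.md`, but the FAQ file changed in this same commit is `automation-managed-identity-faq.md`, so the target looks wrong (missing `-faq`). The changed Managed Identity link also now mixes a root-relative path with a `.md` extension (`/automation/automation-security-overview.md#managed-identities`), while the Next steps links in this file use the plain relative form `automation-security-overview.md`; pick one form. While here, the unchanged context link `/automation/enable-managed-identity-or-automation` differs from `enable-managed-identity-for-automation.md` used under Next steps and has a leading space inside the parentheses.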

@@ -154,8 +156,42 @@ foreach ($ResourceGroup in $ResourceGroups)
154156
```
155157
---
156158

159+
## Graphical runbooks
160+
161+
You can test the managed identity to verify if the Graphical runbook is working as expected by creating a copy of your production runbook to use the managed identity and updating your test graphical runbook code to authenticate by using the managed identity. You can add this functionality to a graphical runbook by adding `Connect-AzAccount` cmdlet.
162+
163+
To ensure that a graphical runbook that uses Run As account use managed identities, you must replace, Run As connection that uses `AzureRunAsConnection`
164+
and connection asset that internally uses PowerShell `Get-AutomationConnection` cmdlet.
165+
166+
:::image type="content" source="./media/migrate-run-as-account-managed-identity/edit-graphical-runbook-inline.png" alt-text="Screenshot of edit graphical runbook." lightbox="./media/migrate-run-as-account-managed-identity/edit-graphical-expanded.png":::
167+
168+
169+
Activity to connect to Azure that uses `Connect-AzAccount` to add the authenticated Run As account for use in the runbook with `Connect-AzAccount` activity from the `Az.Accounts` cmdlet that uses the PowerShell code to connect to identity.
170+
171+
:::image type="content" source="./media/migrate-run-as-account-managed-identity/add-functionality-inline.png" alt-text="Screenshot of add functionality to graphical runbook." lightbox="./media/migrate-run-as-account-managed-identity/add-functionality-expanded.png":::
172+
173+
174+
```powershell-interactive
175+
try
176+
{
177+
Write-Output ("Logging in to Azure...")
178+
Connect-AzAccount -Identity
179+
}
180+
catch {
181+
Write-Error -Message $_.Exception
182+
throw $_.Exception
183+
}
184+
```
185+
186+
For example, in the runbook `Start Azure V2 VMs` in the runbook gallery, you must replace `Get Run As Connection` and `Connect to Azure` activities with `Connect-AzAccount` cmdlet activity.
187+
188+
For more information, see sample runbook name *AzureAutomationTutorialWithIdentityGraphical* that you created with the Automation account.
189+
190+
157191
## Next steps
158192

193+
- Review the Frequently asked questions for [Migrating to Managed Identities](automation-managed-identity-faq.md).
194+
159195
- If your runbooks aren't completing successfully, review [Troubleshoot Azure Automation managed identity issues](troubleshoot/managed-identity.md).
160196

161197
- Learn more about system assigned managed identity, see [Using a system-assigned managed identity for an Azure Automation account](enable-managed-identity-for-automation.md)
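Review bot: In the new Graphical runbooks section the replacement instruction never completes: "you must replace, Run As connection that uses `AzureRunAsConnection`" has a stray comma and breaks mid-sentence onto the next line, and the paragraph beginning "Activity to connect to Azure that uses `Connect-AzAccount`" is a fragment that names `Connect-AzAccount` twice and calls `Az.Accounts` a cmdlet (it is the module). Suggest one sentence stating what is removed (the Run As connection that uses `AzureRunAsConnection` and the `Get-AutomationConnection` asset lookup) and what replaces it (a `Connect-AzAccount -Identity` activity), matching the `Start Azure V2 VMs` example that follows. The sample shows only `Connect-AzAccount -Identity`; since this article also mentions user-assigned identities, state which identity the runbook signs in as here.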
@@ -164,7 +200,4 @@ foreach ($ResourceGroup in $ResourceGroups)
164200

165201
- For an overview of Azure Automation account security, see [Automation account authentication overview](automation-security-overview.md).
166202

167-
- Review the Frequently asked questions for [Migrating to Managed Identities](automation-managed-identity-faq.md).
168-
169-
170203
