1874741b

dagiro · dagiro · commit 82c71c01ef77 · 2021-09-29T09:11:28.000-07:00
diff --git a/articles/automation/TOC.yml b/articles/automation/TOC.yml
@@ -31,8 +31,6 @@
   items:
     - name: Automation account authentication overview
       href: automation-security-overview.md
-    - name: Context switching in Automation
-      href: context-switching.md
     - name: Runbook execution overview
       href: automation-runbook-execution.md
     - name: Hybrid Runbook Worker overview
@@ -64,6 +62,8 @@
           href: automation-create-standalone-account.md
         - name: Create Automation account - Resource Manager template
           href: quickstart-create-automation-account-template.md
+        - name: Disable local authentication
+          href: disable-local-authentication.md
         - name: Managed identity
           items:
             - name: Using system-assigned managed identity
diff --git a/articles/automation/disable-local-authentication.md b/articles/automation/disable-local-authentication.md
@@ -0,0 +1,41 @@
+---
+title: Disable local authentication in Azure Automation
+description: This article describes disabling local authentication in Azure Automation.
+services: automation
+ms.subservice: process-automation
+ms.date: 09/28/2021
+ms.topic: how-to
+#Customer intent: As an administrator, I want disable local authentication so that I can enhance security.
+---
+
+# Disable local authentication in Automation
+
+Azure Automation provides Microsoft Azure Active Directory (Azure AD) authentication support for all Automation service public endpoints. This critical security enhancement removes certificate dependencies and gives organizations control to disable local authentication methods. This feature provides you with seamless integration when centralized control and management of identities and resource credentials through Azure AD is required.
+
+Azure Automation provides an optional feature to "Disable local authentication" at the Automation account level using the Azure policy [Configure Azure Automation account to disable local authentication](../automation/policy-reference.md#azure-automation). By default, this flag is set to false at the account, so you can use both local authentication and Azure AD authentication. If you choose to disable local authentication, then the Automation service only accepts Azure AD based authentication.
+
+In the Azure portal, you may receive a warning message on the landing page for the selected Automation account if authentication is disabled. To confirm if the local authentication policy is enabled, use the PowerShell cmdlet [Get-AzAutomationAccount](/powershell/module/az.automation/get-azautomationaccount) and check property `DisableLocalAuth`. A value of `true` means local authentication is disabled.
+
+Disabling local authentication doesn't take effect immediately. Allow a few minutes for the service to block future authentication requests.
+ 
+## Re-enable local authentication
+
+To re-enable local authentication, execute the PowerShell cmdlet `Set-AzAutomationAccount` with the parameter `-DisableLocalAuth false`.  Allow a few minutes for the service to accept the change to allow local authentication requests. 
+
+## Compatibility
+
+The following table describes the behaviors or features that are prevented from working by disabling local authentication.
+
+|Scenario | Alternative |
+|---|---|
+|Starting a runbook using a webhook. | Start a runbook job using Azure Resource Manager template, which uses Azure AD authentication. |
+|Using Automation Desired State Configuration.| Use [Azure Policy Guest configuration](/governance/policy/concepts/guest-configuration).  |
+|Using agent-based Hybrid Runbook Workers.| Use [extension-based Hybrid Runbook Workers (Preview)](./extension-based-hrw-install.md).|
+
+## Limitations
+
+Update Management patching will not work when local authentication is disabled.
+
+
+## Next steps
+- [Azure Automation account authentication overview](./automation-security-overview.md)
