Commit ac8bb30

Merge pull request #112474 from MGoedtel/task7073260
task7073260
2 parents 4208edb + a32ba9d commit ac8bb30

6 files changed

+56
-54
lines changed

articles/automation/TOC.yml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,8 @@
2626
href: learn/automation-tutorial-runbook-textual-python2.md
2727
- name: Concepts
2828
items:
29+
- name: Automation account authentication overview
30+
href: automation-security-overview.md
2931
- name: Runbook execution overview
3032
href: automation-runbook-execution.md
3133
- name: Hybrid Runbook Worker overview
@@ -48,6 +50,8 @@
4850
href: automation-create-standalone-account.md
4951
- name: Create Automation account with Resource Manager template
5052
href: automation-create-account-template.md
53+
- name: Configure authentication with Amazon Web Services
54+
href: automation-config-aws-account.md
5155
- name: Manage an Automation Run As account
5256
href: manage-runas-account.md
5357
- name: Manage role permissions and security
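Review bot: the new TOC title at line 53, "Configure authentication with Amazon Web Services", no longer matches the article's own H1, "Authenticate Azure Automation runbooks with Amazon Web Services" (visible at line 10 of the automation-config-aws-account.md hunk in this same commit), and also differs from the entry being removed at old lines 251-252. Since the page is being relocated anyway, pick one wording for the TOC entry and the H1 so readers searching the TOC for "authenticate" still find it.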
@@ -248,8 +252,6 @@
248252
href: automation-create-alert-triggered-runbook.md
249253
- name: Manage Office 365 services
250254
href: manage-office-365.md
251-
- name: Authenticate runbooks with Amazon Web Services
252-
href: automation-config-aws-account.md
253255
- name: Deploy AWS VM with Automation runbook
254256
href: automation-scenario-aws-deployment.md
255257
- name: Deploy Resource Manager template with runbook

articles/automation/automation-config-aws-account.md

Lines changed: 2 additions & 2 deletions
@@ -4,7 +4,7 @@ description: This article describes how to create and validate an AWS credential
44
keywords: aws authentication, configure aws
55
services: automation
66
ms.subservice: process-automation
7-
ms.date: 04/17/2018
7+
ms.date: 04/23/2020
88
ms.topic: conceptual
99
---
1010
# Authenticate Azure Automation runbooks with Amazon Web Services
@@ -14,7 +14,7 @@ Automating common tasks with resources in Amazon Web Services (AWS) can be accom
1414
* An AWS subscription and a set of credentials. Specifically your AWS Access Key and Secret Key. For more information, review the article [Using AWS Credentials](https://docs.aws.amazon.com/powershell/latest/userguide/specifying-your-aws-credentials.html).
1515
* An Azure subscription and Automation account.
1616

17-
To authenticate with AWS, you must specify a set of AWS credentials to authenticate your runbooks running from Azure Automation. If you already have an Automation account created and you want to use that to authenticate with AWS, you can follow the steps in the following section: If you want to dedicate an account for runbooks targeting AWS resources, you should first create a new [Automation account](automation-offering-get-started.md) (skip the option to create a service principal) and use the following steps:
17+
To authenticate with AWS, you must specify a set of AWS credentials to authenticate your runbooks running from Azure Automation. If you already have an Automation account created and you want to use that to authenticate with AWS, you can follow the steps in the following section. If you want to dedicate an account for runbooks targeting AWS resources, you should first create a new [Automation account](automation-create-standalone-account.md) and skip the step to create a Run As account. After creating the account, follow the steps below to complete the configuration.
1818

1919
## Configure Automation account
2020
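Review bot: the rewritten paragraph at line 17 still opens with "To authenticate with AWS, you must specify a set of AWS credentials to authenticate your runbooks", which uses "authenticate" twice in one clause; suggest "To authenticate your runbooks with AWS, you must supply a set of AWS credentials to Azure Automation." The replacement of the colon with a full stop and the new pointer to automation-create-standalone-account.md read correctly, and telling readers to skip the Run As account for a dedicated AWS account is a sensible default, since that account then carries no Azure service principal it does not need.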

articles/automation/automation-security-overview.md

Lines changed: 15 additions & 21 deletions
@@ -4,40 +4,34 @@ description: This article provides an overview of Automation security and the di
44
keywords: automation security, secure automation; automation authentication
55
services: automation
66
ms.subservice: process-automation
7-
ms.date: 03/19/2018
7+
ms.date: 04/23/2020
88
ms.topic: conceptual
9-
ROBOTS: NOINDEX
109
---
1110

12-
# Introduction to authentication in Azure Automation
13-
Azure Automation allows you to automate tasks against resources in Azure, on-premises, and with other cloud providers such as Amazon Web Services (AWS). In order for a runbook to perform its required actions, it must have permissions to securely access the resources with the minimal rights required within the subscription.
11+
# Introduction to authentication in Azure Automation
1412

15-
This article will cover the various authentication scenarios supported by Azure Automation and will show you how to get started based on the environment or environments you need to manage.
13+
Azure Automation allows you to automate tasks against resources in Azure, on-premises, and with other cloud providers such as Amazon Web Services (AWS). In order for a runbook to perform its required actions, it must have permissions to securely access the resources with the minimal rights required within the subscription.
14+
15+
This article will cover the various authentication scenarios supported by Azure Automation and how to get started based on the environment or environments you need to manage.
1616

1717
## Automation Account overview
18-
When you start Azure Automation for the first time, you must create at least one Automation account. Automation accounts allow you to isolate your Automation resources (runbooks, assets, configurations) from the resources contained in other Automation accounts. You can use Automation accounts to separate resources into separate logical environments. For example, you might use one account for development, another for production, and another for your on-premises environment. An Azure Automation account is different from your Microsoft account or accounts created in your Azure subscription.
18+
19+
When you start Azure Automation for the first time, you must create at least one Automation account. Automation accounts allow you to isolate your Automation resources (runbooks, assets, configurations) from the resources contained in other Automation accounts. You can use Automation accounts to separate resources into separate logical environments. For example, you might use one account for development, another for production, and another for your on-premises environment. An Azure Automation account is different from your Microsoft account or accounts created in your Azure subscription.
1920

2021
The Automation resources for each Automation account are associated with a single Azure region, but Automation accounts can manage all the resources in your subscription. The main reason to create Automation accounts in different regions would be if you have policies that require data and resources to be isolated to a specific region.
2122

22-
All of the tasks that you perform against resources using Azure Resource Manager and the Azure cmdlets in Azure Automation must authenticate to Azure using Azure Active Directory organizational identity credential-based authentication. Certificate-based authentication was the original authentication method with Azure classic, but it was complicated to set up. Authenticating to Azure with Azure AD user was introduced back in 2014 to not only simplify the process to configure an Authentication account, but also support the ability to non-interactively authenticate to Azure with a single user account that worked with both Azure Resource Manager and classic resources.
23+
All of the tasks that you perform against resources using Azure Resource Manager and the Azure cmdlets in Azure Automation must authenticate to Azure using Azure Active Directory organizational identity credential-based authentication. Run As accounts in Azure Automation provide authentication for managing resources in Azure using the Azure cmdlets. When you create a Run As account, it creates a new service principal user in Azure Active Directory (AD) and assigns the Contributor role to this user at the subscription level. For runbooks that use Hybrid Runbook Workers on Azure virtual machines, you can use [managed identities for Azure resources](automation-hrw-run-runbooks.md#managed-identities-for-azure-resources) instead of Run As accounts to authenticate to your Azure resources.
2324

24-
Currently when you create a new Automation account in the Azure portal, it automatically creates:
25+
The service principal for a Run as Account does not have permissions to read Azure AD by default. If you want to add permissions to read or manage Azure AD, you'll need to grant the permissions on the service principal under **API permissions**. To learn more, see [Add permissions to access web APIs](../active-directory/develop/quickstart-configure-app-access-web-apis.md#add-permissions-to-access-web-apis).
2526

26-
* Run As account which creates a new service principal in Azure Active Directory, a certificate, and assigns the Contributor role-based access control (RBAC), which is used to manage Resource Manager resources using runbooks.
27-
* Classic Run As account by uploading a management certificate, which is used to manage Azure classic resources using runbooks.
27+
Role-based access control is available with Azure Resource Manager to grant permitted actions to an Azure AD user account and Run As account, and authenticate that service principal. Read [Role-based access control in Azure Automation article](automation-role-based-access-control.md) for further information to help develop your model for managing Automation permissions.
2828

29-
Role-based access control is available with Azure Resource Manager to grant permitted actions to an Azure AD user account and Run As account, and authenticate that service principal. Please read [Role-based access control in Azure Automation article](automation-role-based-access-control.md) for further information to help develop your model for managing Automation permissions.
29+
Runbooks running on a Hybrid Runbook Worker in your data center or against computing services in other cloud environments like AWS, cannot use the same method that is typically used for runbooks authenticating to Azure resources. This is because those resources are running outside of Azure and therefore, requires their own security credentials defined in Automation to authenticate to resources that they access locally. For more information about runbook authentication with runbook workers, see [Authenticate runbooks for Hybrid Runbook Workers](automation-hrw-run-runbooks.md).
3030

31-
Runbooks running on a Hybrid Runbook Worker in your datacenter or against computing services in AWS cannot use the same method that is typically used for runbooks authenticating to Azure resources. This is because those resources are running outside of Azure and therefore, requires their own security credentials defined in Automation to authenticate to resources that they access locally.
31+
## Next steps
3232

33-
## Authentication methods
34-
The following table summarizes the different authentication methods for each environment supported by Azure Automation and the article describing how to setup authentication for your runbooks.
33+
* [Create an Automation account from the Azure portal](automation-create-standalone-account.md).
3534

36-
| Method | Environment | Article |
37-
| --- | --- | --- |
38-
| Azure AD User Account |Azure Resource Manager and Azure classic |[Authenticate Runbooks with Azure AD User account](automation-create-aduser-account.md) |
39-
| Azure Run As Account |Azure Resource Manager |[Authenticate Runbooks with Azure Run As account](automation-sec-configure-azure-runas-account.md) |
40-
| Azure Classic Run As Account |Azure classic |[Authenticate Runbooks with Azure Run As account](automation-sec-configure-azure-runas-account.md) |
41-
| Windows Authentication |On-Premises Datacenter |[Authenticate Runbooks for Hybrid Runbook Workers](automation-hybrid-runbook-worker.md) |
42-
| AWS Credentials |Amazon Web Services |[Authenticate Runbooks with Amazon Web Services (AWS)](automation-config-aws-account.md) |
35+
* [Create an Automation account using Azure Resource Manager template](automation-create-account-template.md).
4336

37+
* [Authenticate with Amazon Web Services (AWS)](automation-config-aws-account.md).
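Review bot: line 23 of the new text states that creating a Run As account assigns the Contributor role to the service principal at the subscription level, while line 13 tells readers a runbook must have "the minimal rights required within the subscription"; the overview does not reconcile the two. Suggest adding one sentence after the Contributor statement saying that this default assignment is a starting point and that the role-based access control article (already linked at line 27) covers narrowing the service principal's role and scope to what the runbooks actually do. Second, deleting the "Authentication methods" table (old lines 33-42) removes the only mention of Azure AD user-account and Classic Run As authentication, and the new text does not say whether those remain supported or where they are documented; a sentence or a Next steps link would close that gap. Minor: "Run as Account" at line 25 versus "Run As account" elsewhere, and at line 29 "computing services in other cloud environments like AWS, cannot use" has a stray comma and "therefore, requires their own" should read "therefore require their own".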

articles/automation/how-to/region-mappings.md

Lines changed: 13 additions & 11 deletions
@@ -6,14 +6,16 @@ ms.service: automation
66
ms.subservice: process-automation
77
author: mgoedtel
88
ms.author: magoedte
9-
ms.date: 05/20/2019
9+
ms.date: 04/23/2020
1010
ms.topic: conceptual
1111
manager: carmonm
1212
---
1313

1414
# Workspace mappings
1515

16-
When enabling solutions like Update Management, Change Tracking and Inventory, or Start/Stop VMs during off hours, only certain regions are supported for linking a Log Analytics workspace and an Automation account. This mapping only applies to the Automation account and the Log Analytics workspace. The resources reporting to your Automation account or Log Analytics workspace can reside in other regions.
16+
When enabling Update Management, Change Tracking and Inventory, or Start/Stop VMs during off-hours, only certain regions are supported for linking a Log Analytics workspace and an Automation account in your subscription. This mapping only applies to the Automation account and the Log Analytics workspace. The Log Analytics workspace and Automation account must be in the same subscription, but can be in different resource groups deployed to the same region.
17+
18+
For further information, see [Log Analytics workspace and Automation account](../azure-monitor/insights/solutions.md#log-analytics- workspace-and-automation-account).
1719

1820
## Supported mappings
1921
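Review bot: the link added at line 18, `../azure-monitor/insights/solutions.md#log-analytics- workspace-and-automation-account`, has a space inside the anchor fragment and will not resolve to the heading; it should be `#log-analytics-workspace-and-automation-account`. Also, the rewrite of line 16 drops the previous version's statement that "The resources reporting to your Automation account or Log Analytics workspace can reside in other regions"; if that is still true, keep it, because readers use it to decide whether the mapping constrains where their VMs may live.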

@@ -44,44 +46,44 @@ The following table shows the supported mappings:
4446

4547
## Unlink workspace
4648

47-
If you decide that you no longer want to integrate your Automation account with a Log Analytics workspace, you can unlink your account directly from the Azure portal. Before proceeding, you first need to remove the Update Management, Change Tracking and Inventory, and Start/Stop VMs during off hours solutions if you are using them. If you do not remove them, you can't complete the unlinking operation. Review the article for the particular solution you've imported to understand the steps required to remove it.
49+
If you decide that you no longer want to integrate your Automation account with a Log Analytics workspace, you can unlink your account directly from the Azure portal. Before proceeding, you first need to remove Update Management, Change Tracking and Inventory, and Start/Stop VMs during off-hours if you are using them. If you do not remove them, you can't complete the unlinking operation. Review the article for each that you're enabling in order to understand the steps required to remove it.
4850

49-
After you remove these solutions, you can perform the following steps to unlink your Automation account.
51+
After you remove them, you can perform the following steps to unlink your Automation account.
5052

5153
> [!NOTE]
52-
> Some solutions including earlier versions of the Azure SQL monitoring solution might have created automation assets and might need to be removed prior to unlinking the workspace.
54+
> Some solutions including earlier versions of the Azure SQL monitoring solution might have created Automation assets and might need to be removed prior to unlinking the workspace.
5355
5456
1. From the Azure portal, open your Automation account. On the Automation account page, select **Linked workspace** under **Related Resources**.
5557

5658
2. On the Unlink workspace page, click **Unlink workspace**. You receive a prompt verifying if you wish to continue.
5759

5860
3. While Azure Automation attempts to unlink the account your Log Analytics workspace, you can track the progress under **Notifications** from the menu.
5961

60-
4. If you used the Update Management solution, optionally you might want to remove the following items that are no longer needed after you remove the solution.
62+
4. If you used Update Management, optionally you might want to remove the following items that are no longer needed after you remove it.
6163

6264
* Update schedules - Each has a name that matches an update deployment that you created.
6365
* Hybrid worker groups created for the solution - Each has a name similar to `machine1.contoso.com_9ceb8108-26c9-4051-b6b3-227600d715c8`.
6466

65-
5. If you used the Start/Stop VMs during off hours solution, you can optionally remove the following items that aren't needed after you remove the solution.
67+
5. If you used Start/Stop VMs during off-hours, you can optionally remove the following items that aren't needed after you remove it.
6668

6769
* Start and stop VM runbook schedules
6870
* Start and stop VM runbooks
6971
* Variables
7072

71-
Alternatively, you can unlink your workspace from your Automation account within the workspace.
73+
Alternatively, you can unlink your workspace from your Automation account within the workspace.
7274

7375
1. In the workspace, select **Automation Account** under **Related Resources**.
7476
2. On the Automation Account page, select **Unlink account**.
7577

7678
## Next steps
7779

78-
* Learn how to onboard Update Management and Change Tracking and Inventory solutions:
80+
* Learn how to onboard Update Management and Change Tracking and Inventory:
7981

8082
* From a [virtual machine](../automation-onboard-solutions-from-vm.md)
8183
* From your [Automation account](../automation-onboard-solutions-from-automation-account.md)
8284
* When [browsing multiple machines](../automation-onboard-solutions-from-browse.md)
8385
* From a [runbook](../automation-onboard-solutions.md)
8486

85-
* Learn how to onboard the Start/Stop VMs during off hours solution:
87+
* Learn how to onboard the Start/Stop VMs during off-hours:
8688

87-
* [Deploy Start/Stop VMs during off hours](../automation-solution-vm-management.md)
89+
* [Start/Stop VMs during off-hours overview](../automation-solution-vm-management.md)
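Review bot: at line 49 the new sentence "Review the article for each that you're enabling in order to understand the steps required to remove it" is both awkward and inverted, since the paragraph is about removing features before unlinking; suggest "Review the article for each feature you have enabled to understand the steps required to remove it." Lines 71/73 show identical text, so that hunk is a whitespace-only change and adds noise to the diff. Unchanged context at line 60, "attempts to unlink the account your Log Analytics workspace", is missing "from" and could be corrected while the file is open.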
