Merge pull request #224244 from ankitaduttaMSFT/18/1-ASR-managedi-identities

ASR managed identities for automation accounts

Author: ttorble

articles/resource-mover/media/tutorial-move-region-virtual-machines/get-started.png

@@ -6,7 +6,7 @@ author: ankitaduttaMSFT
 manager: rochakm
 ms.service: site-recovery
 ms.topic: article
-ms.date: 07/23/2020
+ms.date: 03/24/2023
 ms.author: ankitadutta
 ms.custom: engagement-fy23
 ---
@@ -57,19 +57,21 @@ When you enable replication for a VM either starting [from the VM view](azure-to
 
    To manage the extension manually, select **Off**.
 
+    > [!IMPORTANT]
+    > When you choose **Allow Site Recovery to manage**, the setting is applied to all VMs in the vault.
+
 1. Select **Save**.
 
 :::image type="content" source="./media/azure-to-azure-autoupdate/vault-toggle.png" alt-text="Extension update settings":::
 
-> [!IMPORTANT]
-> When you choose **Allow Site Recovery to manage**, the setting is applied to all VMs in the vault.
 
 > [!NOTE]
 > Either option notifies you of the automation account used for managing updates. If you're using this feature in a vault for the first time, a new automation account is created by default. Alternately, you can customize the setting, and choose an existing automation account. Once defined, all subsequent actions to enable replication in the same vault will use that selected automation account. Currently, the drop-down menu will only list automation accounts that are in the same Resource Group as the vault.
 
+**For a custom automation account, use the following script:**
+
 > [!IMPORTANT]
-> The following script needs to be run in the context of an automation account.
-For a custom automation account, use the following script:
+> Run the following script in the context of an automation account. This script leverages System Assigned Managed Identities as its authentication type.
 
 ```azurepowershell
 param(
@@ -85,13 +87,13 @@ param(
 $SiteRecoveryRunbookName = "Modify-AutoUpdateForVaultForPatner"
 $TaskId = [guid]::NewGuid().ToString()
 $SubscriptionId = "00000000-0000-0000-0000-000000000000"
-$AsrApiVersion = "2018-01-10"
-$RunAsConnectionName = "AzureRunAsConnection"
+$AsrApiVersion = "2021-12-01"
 $ArmEndPoint = "https://management.azure.com"
 $AadAuthority = "https://login.windows.net/"
 $AadAudience = "https://management.core.windows.net/"
 $AzureEnvironment = "AzureCloud"
 $Timeout = "160"
+$AuthenticationType = "SystemAssignedIdentity"
 function Throw-TerminatingErrorMessage
 {
         Param
@@ -230,25 +232,19 @@ function Invoke-InternalWebRequest($Uri, $Headers, $Method, $Body, $ContentType,
         }
     }while($true)
 }
-function Get-Header([ref]$Header, $AadAudience, $AadAuthority, $RunAsConnectionName){
+function Get-Header([ref]$Header, $AadAudience){
     try
     {
-        $RunAsConnection = Get-AutomationConnection -Name $RunAsConnectionName
-        $TenantId = $RunAsConnection.TenantId
-        $ApplicationId = $RunAsConnection.ApplicationId
-        $CertificateThumbprint = $RunAsConnection.CertificateThumbprint
-        $Path = "cert:\CurrentUser\My\{0}" -f $CertificateThumbprint
-        $Secret = Get-ChildItem -Path $Path
-        $ClientCredential = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.ClientAssertionCertificate(
-                $ApplicationId,
-                $Secret)
-        # Trim the forward slash from the AadAuthority if it exist.
-        $AadAuthority = $AadAuthority.TrimEnd("/")
-        $AuthContext = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext(
-            "{0}/{1}" -f $AadAuthority, $TenantId )
-        $AuthenticationResult = $authContext.AcquireToken($AadAudience, $Clientcredential)
         $Header.Value['Content-Type'] = 'application\json'
-        $Header.Value['Authorization'] = $AuthenticationResult.CreateAuthorizationHeader()
+        Write-InformationTracing ("The Authentication Type is system Assigned Identity based.")
+        $endpoint = $env:IDENTITY_ENDPOINT
+        $endpoint  
+        $Headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" 
+        $Headers.Add("X-IDENTITY-HEADER", $env:IDENTITY_HEADER) 
+        $Headers.Add("Metadata", "True")   
+        $authenticationResult = Invoke-RestMethod -Method Get -Headers $Headers -Uri ($endpoint +'?resource=' +$AadAudience)
+        $accessToken = $authenticationResult.access_token
+        $Header.Value['Authorization'] = "Bearer " + $accessToken
         $Header.Value["x-ms-client-request-id"] = $TaskId + "/" + (New-Guid).ToString() + "-" + (Get-Date).ToString("u")
     }
     catch
@@ -265,7 +261,7 @@ function Get-ProtectionContainerToBeModified([ref] $ContainerMappingList)
         Write-InformationTracing ("Get protection container mappings : {0}." -f $VaultResourceId)
         $ContainerMappingListUrl = $ArmEndPoint + $VaultResourceId + "/replicationProtectionContainerMappings" + "?api-version=" + $AsrApiVersion
         Write-InformationTracing ("Getting the bearer token and the header.")
-        Get-Header ([ref]$Header) $AadAudience $AadAuthority $RunAsConnectionName
+        Get-Header ([ref]$Header) $AadAudience
         $Result = @()
         Invoke-InternalRestMethod -Uri $ContainerMappingListUrl -Headers $header -Result ([ref]$Result)
         $ContainerMappings = $Result[0]
@@ -321,8 +317,6 @@ $Inputs = ("Tracing inputs VaultResourceId: {0}, Timeout: {1}, AutoUpdateAction:
 Write-Tracing -Message $Inputs -Level Informational -DisplayMessageToUser
 $CloudConfig = ("Tracing cloud configuration ArmEndPoint: {0}, AadAuthority: {1}, AadAudience: {2}." -f $ArmEndPoint, $AadAuthority, $AadAudience)
 Write-Tracing -Message $CloudConfig -Level Informational -DisplayMessageToUser
-$AutomationConfig = ("Tracing automation configuration RunAsConnectionName: {0}." -f $RunAsConnectionName)
-Write-Tracing -Message $AutomationConfig -Level Informational -DisplayMessageToUser
 ValidateInput
 $SubscriptionId = Initialize-SubscriptionId
 Get-ProtectionContainerToBeModified ([ref]$ContainerMappingList)
@@ -332,6 +326,7 @@ $Input = @{
         "instanceType" = "A2A"
         "agentAutoUpdateStatus" = $AutoUpdateAction
         "automationAccountArmId" = $AutomationAccountArmId
+        "automationAccountAuthenticationType" = $AuthenticationType
     }
   }
 }
@@ -349,7 +344,7 @@ try
     {
     try {
             $UpdateUrl = $ArmEndPoint + $Mapping + "?api-version=" + $AsrApiVersion
-            Get-Header ([ref]$Header) $AadAudience $AadAuthority $RunAsConnectionName
+            Get-Header ([ref]$Header) $AadAudience
             $Result = @()
             Invoke-InternalWebRequest -Uri $UpdateUrl -Headers $Header -Method 'PATCH' `
                 -Body $InputJson  -ContentType "application/json" -Result ([ref]$Result)
@@ -385,7 +380,7 @@ try
         {
             try
             {
-                Get-Header ([ref]$Header) $AadAudience $AadAuthority $RunAsConnectionName
+                Get-Header ([ref]$Header) $AadAudience
                 $Result = Invoke-RestMethod -Uri $JobAsyncUrl -Headers $header
                 $JobState = $Result.Status
                 if($JobState -ieq "InProgress")
@@ -450,6 +445,7 @@ elseif($JobsCompletedSuccessList.Count -ne $ContainerMappingList.Count)
     Throw-TerminatingErrorMessage -Message $ErrorMessage
 }
 Write-Tracing -Level Succeeded -Message ("Modify cloud pairing completed.") -DisplayMessageToUser
+
 ```
 
 ### Manage updates manually
@@ -495,3 +491,8 @@ If you can't enable automatic updates, see the following common errors and recom
 
   > [!NOTE]
   > After you renew the certificate, refresh the page to display the current status.
+
+## Next steps
+
+[Learn more](./how-to-migrate-run-as-accounts-managed-identity.md) on how to migrate the authentication type of the Automation accounts to Managed Identities.
+

articles/site-recovery/azure-to-azure-autoupdate.md

@@ -0,0 +1,110 @@
+---
+title: Migrate from a Run As account to a managed identity
+description: This article describes how to migrate from a Run As account to a managed identity in Azure Site Recovery.
+author: ankitaduttaMSFT
+ms.service: site-recovery
+ms.author: ankitadutta
+ms.topic: how-to 
+ms.date: 02/23/2023
+---
+
+# Migrate from a Run As account to Managed Identities 
+
+> [!IMPORTANT]
+> - Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities. Before that date, you'll need to start migrating your runbooks to use managed identities. For more information, see [migrating from an existing Run As accounts to managed identity](/articles/automation/automation-managed-identity-faq.md).
+> - Delaying the feature has a direct impact on our support burden, as it would cause upgrades of mobility agent to fail.
+
+This article shows you how to migrate your runbooks to use a Managed Identities for Azure Site Recovery. Azure Automation Accounts are used by Azure Site Recovery customers to auto-update the agents of their protected virtual machines. Site Recovery creates Azure Automation Run As Accounts when you enable replication via the IaaS VM Blade and Recovery Services Vault. 
+
+On Azure, managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure Active Directory (Azure AD) and using it to obtain Azure AD tokens. 
+
+## Prerequisites
+
+Before you migrate from a Run As account to a managed identity, ensure that you have the appropriate roles to create a system-assigned identity for your automation account and to assign it the Contributor role in the corresponding recovery services vault.
+
+## Benefits of managed identities
+
+Here are some of the benefits of using managed identities:
+
+- **Credentials access** - You don't need to manage credentials.
+- **Simplified authentication** - You can use managed identities to authenticate to any resource that supports Azure AD authentication including your own applications.
+- **Cost effective** - Managed identities can be used at no extra cost.
+-  **Double encryption** - Managed identity is also used to encrypt/decrypt data and metadata using the customer-managed key stored in Azure Key Vault, providing double encryption.
+
+> [!NOTE]
+> Managed identities for Azure resources is the new name for the service formerly known as Managed Service Identity (MSI).
+
+## Migrate from an existing Run As account to a managed identity
+ 
+### Configure managed identities 
+
+You can configure your managed identities through:
+
+- Azure portal
+- Azure CLI
+- your Azure Resource Manager (ARM) template
+
+> [!NOTE]
+> For more information about migration cadence and the support timeline for Run As account creation and certificate renewal, see the [frequently asked questions](../automation/automation-managed-identity-faq.md).
+
+
+### From Azure portal
+
+**To migrate your Azure Automation account authentication type from a Run As to a managed identity authentication, follow these steps:**
+
+1. In the [Azure portal](https://portal.azure.com), select the recovery services vault for which you want to migrate the runbooks.
+
+1. On the homepage of your recovery services vault page, do the following:
+    1. On the left pane, under **Manage**, select **Site Recovery infrastructure**.
+        :::image type="content" source="./media/how-to-migrate-from-run-as-to-managed-identities/manage-section.png" alt-text="Screenshot of the **Site Recovery infrastructure** page.":::
+    1. Under **For Azure virtual machines**, select **Extension update settings**.
+     This page details the authentication type for the automation account that is being used to manage the Site Recovery extensions.
+
+    1. On this page, select **Migrate** to migrate the authentication type for your automation accounts to use Managed Identities. 
+        
+        :::image type="content" source="./media/how-to-migrate-from-run-as-to-managed-identities/extension-update-settings.png" alt-text="Screenshot of the Create Recovery Services vault page.":::
+
+1. After the successful migration of your automation account, the authentication type for the linked account details on the **Extension update settings** page is updated.
+
+When you successfully migrate from a Run As to a Managed Identities account, the following changes are reflected on the Automation Run As Accounts :
+
+-	System Assigned Managed Identity is enabled for the account (if not already enabled).
+-	The **Contributor** role permission is  assigned to the Recovery Services vault’s subscription.
+-	The script that updates the mobility agent to use Managed Identity based authentication is updated.
+
+
+### Link an existing managed identity account to vault
+
+To link an existing managed identity Automation account to your Recovery Services vault. Follow these steps:
+
+#### Enable the managed identity for the vault
+
+1. Go to the automation account that you have selected. Under **Account settings**, select **Identity**.
+
+   :::image type="content" source="./media/how-to-migrate-from-run-as-to-managed-identities/mi-automation-account.png" alt-text="Screenshot that shows the identity settings page.":::
+
+1. Under the **System assigned**, change the **Status** to **On** and select **Save**.
+
+   An Object ID is generated. The vault is now registered with Azure Active
+   Directory.
+    :::image type="content" source="./media/hybrid-how-to-enable-replication-private-endpoints/enable-managed-identity-in-vault.png" alt-text="Screenshot that shows the system identity settings page.":::
+
+1. Go back to your recovery services vault. On the left pane, select the **Access control (IAM)** option.
+    :::image type="content" source="./media/how-to-migrate-from-run-as-to-managed-identities/add-mi-iam.png" alt-text="Screenshot that shows IAM settings page.":::
+1. Select **Add** > **Add role assignment** > **Contributor** to open the **Add role assignment** page.
+1. On the **Add role assignment** page, ensure to select **Managed identity**.
+1. Select the **Select members**. In the **Select managed identities** pane, do the following:
+    1. In the **Select** field, enter the name of the managed identity automation account.
+    1. In the **Managed identity** field, select **All system-assigned managed identities**.
+    1. Select the **Select** option.
+        :::image type="content" source="./media/how-to-migrate-from-run-as-to-managed-identities/select-mi.png" alt-text="Screenshot that shows select managed identity settings page.":::
+1. Select **Review + assign**.
+
+
+
+## Next steps
+
+Learn more about:
+- [Managed identities](/articles/active-directory/managed-identities-azure-resources/overview.md).
+- [Implementing managed identities for Microsoft Azure Resources](https://www.pluralsight.com/courses/microsoft-azure-resources-managed-identities-implementing).
+