If you use an Azure Automation account to automate activities, actions or processes, you know that it uses (or used to use) a RunAs account for authentication.
On September 30, 2023, the RunAs capability will be retired and replaced by Managed Identity (learn more about managed identities at https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview/).
If you don’t act before September 30, your runbooks will stop working.
If you have existing Automation accounts, you need to migrate them from RunAs to Managed Identity (MI).
New Automation accounts already use Managed Identity: you can define a system or user MI during the creation process.
NOTE
- User-assigned identities are supported for cloud jobs only. It isn’t possible to use the Automation account’s user-managed identity on a hybrid runbook worker. To use hybrid jobs, you must create system-assigned identities.
- There are two ways to use managed identities in hybrid runbook worker scripts: either the system-assigned managed identity for the Automation account or the virtual machine (VM) managed identity for an Azure VM running as a hybrid runbook worker.
- The VM’s user-assigned managed identity and the VM’s system-assigned managed identity will not work in an Automation account that’s configured with an Automation account’s managed identity. When you enable the Automation account’s managed identity, you can use only the Automation account’s system-assigned managed identity and not the VM managed identity. For more information, see https://learn.microsoft.com/en-us/azure/automation/automation-hrw-run-runbooks/
You can check whether any of your existing Automation accounts still run with a RunAs account by using this script: https://github.com/azureautomation/runbooks/blob/master/Utility/AzRunAs/Check-AutomationRunAsAccountRoleAssignments.ps1
To migrate your existing Automation accounts from RunAs to MI, follow the process below:
- Create a managed identity – choose between system or user based on your needs and the notes above
- Assign the managed identity the same role as the RunAs account – see https://learn.microsoft.com/en-us/azure/automation/manage-run-as-account#check-role-assignment-for-azure-automation-run-as-account
- Update your runbooks to use the managed identity
- Delete the RunAs account after confirming everything is working
To avoid service disruption, you can create a copy of your runbooks and update them to use the managed identity before executing the migration steps.
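One way to carry out the role-assignment step, as an added example that is not part of the original post or of Microsoft's tooling: it compares the RunAs service principal's role assignments with those of the Automation account's system-assigned identity and copies the missing ones only when asked. It assumes the system-assigned identity already exists, that the RunAs connection asset still has its default name AzureRunAsConnection, and that you are signed in with rights to read and create role assignments; the -Apply switch is a name chosen for this example.

```powershell
# Added example: report (and optionally copy) RunAs role assignments to the
# Automation account's system-assigned managed identity.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $AutomationAccountName,
    [switch] $Apply   # example-only switch: without it nothing is changed
)

# The system-assigned identity must already be enabled on the account.
$account = Get-AzAutomationAccount -ResourceGroupName $ResourceGroupName `
    -Name $AutomationAccountName
$miObjectId = $account.Identity.PrincipalId
if (-not $miObjectId) {
    throw "No system-assigned identity on '$AutomationAccountName'; create it first."
}

# Find the RunAs service principal through the connection asset.
# Assumption: the asset kept its default name, AzureRunAsConnection.
$conn = Get-AzAutomationConnection -ResourceGroupName $ResourceGroupName `
    -AutomationAccountName $AutomationAccountName -Name 'AzureRunAsConnection'
$runAsSp = Get-AzADServicePrincipal `
    -ApplicationId $conn.FieldDefinitionValues['ApplicationId']

$runAsRoles = @(Get-AzRoleAssignment -ObjectId $runAsSp.Id)
$miRoles    = @(Get-AzRoleAssignment -ObjectId $miObjectId)

foreach ($ra in $runAsRoles) {
    $label = "$($ra.RoleDefinitionName) on $($ra.Scope)"

    # Skip role/scope pairs the managed identity already holds.
    $existing = $miRoles | Where-Object {
        $_.Scope -eq $ra.Scope -and
        $_.RoleDefinitionName -eq $ra.RoleDefinitionName
    }
    if ($existing) { Write-Output "Present : $label"; continue }

    if ($Apply) {
        New-AzRoleAssignment -ObjectId $miObjectId `
            -RoleDefinitionName $ra.RoleDefinitionName -Scope $ra.Scope | Out-Null
        Write-Output "Assigned: $label"
    } else {
        # Review before applying: a broad role at subscription scope may be
        # more than the runbooks need.
        Write-Output "Missing : $label"
    }
}
```

Run it once without -Apply and review the "Missing" lines before copying anything, so that a role the runbooks no longer need is not carried over to the new identity.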
Sample code to authenticate using Managed Identity:
- System-assigned managed identity
Connect-AzAccount -Identity
- User-assigned managed identity
$identity = Get-AzUserAssignedIdentity -ResourceGroupName <myResourceGroup> -Name <myUserAssignedIdentity>
Connect-AzAccount -Identity -AccountId $identity.ClientId