How to authenticate PowerShell cmdlets in Runbooks with managed identities?

Hi there.


This is regarding Azure Automation Runbooks.

I'm attempting to replace AzureRunAs connections with user/system managed identities.

One problem I ran into with this is that I have no idea how to get the PowerShell cmdlets used in those Runbooks to authenticate.

For example, for a Runbook that relies on the ExchangeOnline cmdlets I was able to use the AzureRunAs connection's credentials via Get-AutomationConnection -Name "AzureRunAsConnection".

Since this AzureRunAs connection is also an App Registration in Azure, I could assign API permissions to it, like for ExchangeOnline. The AzureRunAs connection also comes with a certificate that I could make use of for authentication purposes.

One way I thought I could achieve this is for example with:

Connect-ExchangeOnline -ManagedIdentity -Organization <tenant> -ManagedIdentityAccountId <id>

So to summarize, my question is: How should I authenticate PowerShell cmdlets without AzureRunAs connections in Runbooks?

Thanks for your help.

2 Replies
You can authenticate PowerShell cmdlets without AzureRunAs connections in Runbooks by using managed identities in Azure Automation. You can create a PowerShell runbook in Azure Automation that uses a managed identity, rather than the Run As account to interact with resources. You can assign permissions to the managed identities to allow them to stop and start a virtual machine. You can also create credential assets and use them in a runbook or DSC configuration. The cmdlets in the following table create and manage Automation credentials with PowerShell: Get-AzAutomationCredential, New-AzAutomationCredential, Remove-AzAutomationCredential, and Set-AzAutomationCredential. The Get-AutomationPSCredential cmdlet gets a PSCredential object that you can use with a cmdlet that requires a credential.

Have a look here

Let me know how it goes !!
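As an added example (not from either post above), here is how the approach the question sketches and the reply recommends fits together in one runbook: sign in to Azure with the Automation account's managed identity, then connect Exchange Online PowerShell with that same identity instead of a Run As certificate. It assumes the Az.Accounts and ExchangeOnlineManagement (v3 or later) modules are imported into the Automation account, and that the identity's service principal has already been granted the Exchange Online Exchange.ManageAsApp application role plus an Exchange RBAC role; the parameter names $Organization and $UserAssignedClientId are my own.

```powershell
# Added example runbook, not code from the original thread.
# Assumed prerequisites: system-assigned (or user-assigned) managed identity enabled
# on the Automation account; Az.Accounts and ExchangeOnlineManagement modules imported;
# the identity's service principal holds Exchange.ManageAsApp plus an Exchange role.
param(
    [Parameter(Mandatory = $true)]
    [string]$Organization,          # tenant name, e.g. contoso.onmicrosoft.com (placeholder)
    [string]$UserAssignedClientId   # leave empty to use the system-assigned identity
)

$ErrorActionPreference = 'Stop'

# Do not inherit a context left behind by an earlier job in the same sandbox.
Disable-AzContextAutosave -Scope Process | Out-Null

# 1. Azure sign-in with the managed identity: no certificate and no stored secret.
if ($UserAssignedClientId) {
    $azContext = (Connect-AzAccount -Identity -AccountId $UserAssignedClientId).Context
} else {
    $azContext = (Connect-AzAccount -Identity).Context
}
Write-Output "Signed in as $($azContext.Account.Id) (subscription $($azContext.Subscription.Id))"

# 2. Exchange Online sign-in with the same identity (replaces Get-AutomationConnection
#    plus the Run As certificate). User-assigned identities also need the client id.
$exoParams = @{
    ManagedIdentity = $true
    Organization    = $Organization
    ShowBanner      = $false
}
if ($UserAssignedClientId) { $exoParams['ManagedIdentityAccountId'] = $UserAssignedClientId }

try {
    Connect-ExchangeOnline @exoParams

    # 3. The runbook's actual work goes here; a read-only query stands in for it.
    Get-EXOMailbox -ResultSize 5 | Select-Object DisplayName, PrimarySmtpAddress
}
finally {
    # Always close the session so the sandbox does not keep an orphaned EXO connection.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

The Exchange role you grant the identity (for example a read-only role if the runbook only reports) is what bounds the blast radius of the job, since there is no longer an app secret or certificate to protect.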