Using Managed Identities in Azure Automation Accounts (preview)

Published Apr 19 2021 03:00 AM 6,234 Views
Microsoft

Whether it's to repeat common tasks or to automatically respond to a trigger, IT Pros look to automation to help streamline their work and improve their response times. In Azure, runbooks stored in Azure Automation accounts need to use credentials of an identity that they will run their actions as, if they are acting on a Azure resource. Azure Resource Manager checks that identity against to ensure it has permission to the resource before the actions are executed. Lets look at the new managed identities for Azure Automation (preview) and how they're better than the previous Run As accounts.

 

Run As accounts

Previously, we've used an Azure Automation "Run As" account for this execution identity. When you create an Azure Automation Run As account, it creates:

  1. An Azure AD application with a self-signed certificate
  2. A service principal account in Azure Active Directory for that application
  3. And assigns the Contributor role to that service principal account in your subscription.
  4. It also creates an Automation certificate asset to hold the certificate's private key, and an Automation connection asset which holds the application ID, tenant ID, subscription ID and certificate thumbprint.

That's a bit of complexity there, all to provide a secure identity. Also, that self-signed certificate will expire one year after creation and will need to be renewed.

 

System-assigned Managed Identity

Now in preview, Azure Automation supports using a system-assigned managed identity instead. This managed identity works with any Azure service that supports AD authentication and can be used in Hybrid jobs on Azure and non-Azure VMs with the Hybrid Runbook Worker. It removes the need for renewing certificates and you dont need to specify the Run As connection object in your runbook code.

 

Enabling managed identity in an Azure Automation account

In an existing automation account, in the Account Settings section you'll find the Identity blade and the option to turn on a system assigned identity.
Adding a system-assigned managed identity to your Azure Automation account - Identity blade inside the Azure PortalAdding a system-assigned managed identity to your Azure Automation account - Identity blade inside the Azure Portal


Once created, it will show the managed identity's Object ID and you can add role assignments at the subscription or resource group level, or to key vault, storage or SQL
Azure Automation account enabled with a system-assigned managed identityAzure Automation account enabled with a system-assigned managed identity

 

Now that your managed identity has been created and has a role that allows it to access your target resources, you can update your runbooks to use the Connect-AzAccount PowerShell cmdlet to call the managed identity:

Connect-AzAccount -Identity

View more sample runbooks here using managed identity.

Feedback

As always, we love your feedback but especially for features in preview as we seek to improve them. What do you think? Is this a better way of providing your automation runbooks with an identity? Would you change over your existing Azure Automation accounts? Let us know in the comments!

 

Learn more:

Azure Automation account authentication overview

Manage an Azure Automation Run As account

Manage runbooks in Azure Automation

Enable a managed identity for your Azure Automation account (preview)

What are managed identities for Azure resources?

 

3 Comments
Occasional Visitor

It is great that Azure Automation has now the ability to leverage a System Managed Identity.

I do have two questions.

I found examples on how to connect the AZ and AzureAD modules but I was wondering how to connect to MSGraph by using the Intune Powershell SDK using the SMI.

Is this possible at the moment and if so how would I do that?

And is there an estimated ETA on User Managed Identity support?

 

Thanks again.

 

Martijn Verheijen

Senior Member

Its really great to see the managed identities can be used for Azure Automation. Could you please also suggest the steps for providing the API access and Role assignment for Managed Identities using PowerShell?  Will this be only through PowerShell or through GUI in later releases? 

Respected Contributor

@Sonia Cuff Can these be used with O365 services?

%3CLINGO-SUB%20id%3D%22lingo-sub-2277737%22%20slang%3D%22en-US%22%3EUsing%20Managed%20Identities%20in%20Azure%20Automation%20Accounts%20(preview)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2277737%22%20slang%3D%22en-US%22%3E%3CP%3EWhether%20it's%20to%20repeat%20common%20tasks%20or%20to%20automatically%20respond%20to%20a%20trigger%2C%20IT%20Pros%20look%20to%20automation%20to%20help%20streamline%20their%20work%20and%20improve%20their%20response%20times.%20In%20Azure%2C%20runbooks%20stored%20in%20Azure%20Automation%20accounts%20need%20to%20use%20credentials%20of%20an%20identity%20that%20they%20will%20run%20their%20actions%20as%2C%20if%20they%20are%20acting%20on%20a%20Azure%20resource.%20Azure%20Resource%20Manager%20checks%20that%20identity%20against%20to%20ensure%20it%20has%20permission%20to%20the%20resource%20before%20the%20actions%20are%20executed.%20Lets%20look%20at%20the%20new%20managed%20identities%20for%20Azure%20Automation%20(preview)%20and%20how%20they're%20better%20than%20the%20previous%20Run%20As%20accounts.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--493653541%22%20id%3D%22toc-hId--492847172%22%20id%3D%22toc-hId--492847172%22%20id%3D%22toc-hId--492847172%22%20id%3D%22toc-hId--492847172%22%20id%3D%22toc-hId--492847172%22%20id%3D%22toc-hId--492847172%22%20id%3D%22toc-hId--492847172%22%20id%3D%22toc-hId--492847172%22%20id%3D%22toc-hId--492847172%22%3ERun%20As%20accounts%3C%2FH2%3E%0A%3CP%3EPreviously%2C%20we've%20used%20an%20Azure%20Automation%20%22Run%20As%22%20account%20for%20this%20execution%20identity.%20When%20you%20create%20an%20Azure%20Automation%20Run%20As%20account%2C%20it%20creates%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EAn%20Azure%20AD%20application%20with%20a%20self-signed%20certificate%3C%2FLI%3E%0A%3CLI%3EA%20service%20principal%20account%20in%20Azure%20Active%20Directory%20for%20that%20application%3C%2FLI%3E%0A%3CLI%3EAnd%20assigns%20the%20Contributor%20role%20to%20that%20service%20principal%20account%20in%20your%20subscription.%3C%2FLI%3E%0A%3CLI%3EIt%20also%20creates%20an%20Automation%20certificate%20asset%20to%20hold%20the%20certificate's%20private%20key%2C%20and%20an%20Automation%20connection%20asset%20which%20holds%20the%20application%20ID%2C%20tenant%20ID%2C%20subscription%20ID%20and%20certificate%20thumbprint.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EThat's%20a%20bit%20of%20complexity%20there%2C%20all%20to%20provide%20a%20secure%20identity.%20Also%2C%20that%20self-signed%20certificate%20will%20expire%20one%20year%20after%20creation%20and%20will%20need%20to%20be%20renewed.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1993859292%22%20id%3D%22toc-hId-1994665661%22%20id%3D%22toc-hId-1994665661%22%20id%3D%22toc-hId-1994665661%22%20id%3D%22toc-hId-1994665661%22%20id%3D%22toc-hId-1994665661%22%20id%3D%22toc-hId-1994665661%22%20id%3D%22toc-hId-1994665661%22%20id%3D%22toc-hId-1994665661%22%20id%3D%22toc-hId-1994665661%22%3ESystem-assigned%20Managed%20Identity%3C%2FH2%3E%0A%3CP%3ENow%20in%20preview%2C%20Azure%20Automation%20supports%20using%20a%20system-assigned%20managed%20identity%20instead.%20This%20managed%20identity%20works%20with%20any%20Azure%20service%20that%20supports%20AD%20authentication%20and%20can%20be%20used%20in%20Hybrid%20jobs%20on%20Azure%20and%20non-Azure%20VMs%20with%20the%20Hybrid%20Runbook%20Worker.%20It%20removes%20the%20need%20for%20renewing%20certificates%20and%20you%20dont%20need%20to%20specify%20the%20Run%20As%20connection%20object%20in%20your%20runbook%20code.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--1610546530%22%20id%3D%22toc-hId--1609740161%22%20id%3D%22toc-hId--1609740161%22%20id%3D%22toc-hId--1609740161%22%20id%3D%22toc-hId--1609740161%22%20id%3D%22toc-hId--1609740161%22%20id%3D%22toc-hId--1609740161%22%20id%3D%22toc-hId--1609740161%22%20id%3D%22toc-hId--1609740161%22%20id%3D%22toc-hId--1609740161%22%3EEnabling%20managed%20identity%20in%20an%20Azure%20Automation%20account%3C%2FH3%3E%0A%3CP%3EIn%20an%20existing%20automation%20account%2C%20in%20the%20Account%20Settings%20section%20you'll%20find%20the%20Identity%20blade%20and%20the%20option%20to%20turn%20on%20a%20system%20assigned%20identity.%20%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Automat-Account-Managed-Identity-Status.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F273686i380B2BA99DE73D66%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Automat-Account-Managed-Identity-Status.png%22%20alt%3D%22Adding%20a%20system-assigned%20managed%20identity%20to%20your%20Azure%20Automation%20account%20-%20Identity%20blade%20inside%20the%20Azure%20Portal%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EAdding%20a%20system-assigned%20managed%20identity%20to%20your%20Azure%20Automation%20account%20-%20Identity%20blade%20inside%20the%20Azure%20Portal%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EOnce%20created%2C%20it%20will%20show%20the%20managed%20identity's%20Object%20ID%20and%20you%20can%20add%20role%20assignments%20at%20the%20subscription%20or%20resource%20group%20level%2C%20or%20to%20key%20vault%2C%20storage%20or%20SQL%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Automate-Account-Managed-Identity-ObjectID.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F273687iA409919A71A4B725%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Automate-Account-Managed-Identity-ObjectID.png%22%20alt%3D%22Azure%20Automation%20account%20enabled%20with%20a%20system-assigned%20managed%20identity%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EAzure%20Automation%20account%20enabled%20with%20a%20system-assigned%20managed%20identity%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENow%20that%20your%20managed%20identity%20has%20been%20created%20and%20has%20a%20role%20that%20allows%20it%20to%20access%20your%20target%20resources%2C%20you%20can%20update%20your%20runbooks%20to%20use%20the%20Connect-AzAccount%20PowerShell%20cmdlet%20to%20call%20the%20managed%20identity%3A%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-powershell%22%3E%3CCODE%3EConnect-AzAccount%20-Identity%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3EView%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fautomation%2Fenable-managed-identity-for-automation%3FWT.mc_id%3Dmodinfra-24776-socuff%23sample-runbooks-using-managed-identity%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Emore%20sample%20runbooks%20here%20using%20managed%20identity.%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1621049634%22%20id%3D%22toc-hId--1620243265%22%20id%3D%22toc-hId--1620243265%22%20id%3D%22toc-hId--1620243265%22%20id%3D%22toc-hId--1620243265%22%20id%3D%22toc-hId--1620243265%22%20id%3D%22toc-hId--1620243265%22%20id%3D%22toc-hId--1620243265%22%20id%3D%22toc-hId--1620243265%22%20id%3D%22toc-hId--1620243265%22%3EFeedback%3C%2FH2%3E%0A%3CP%3EAs%20always%2C%20we%20love%20your%20feedback%20but%20especially%20for%20features%20in%20preview%20as%20we%20seek%20to%20improve%20them.%20What%20do%20you%20think%3F%20Is%20this%20a%20better%20way%20of%20providing%20your%20automation%20runbooks%20with%20an%20identity%3F%20Would%20you%20change%20over%20your%20existing%20Azure%20Automation%20accounts%3F%20Let%20us%20know%20in%20the%20comments!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-866463199%22%20id%3D%22toc-hId-867269568%22%20id%3D%22toc-hId-867269568%22%20id%3D%22toc-hId-867269568%22%20id%3D%22toc-hId-867269568%22%20id%3D%22toc-hId-867269568%22%20id%3D%22toc-hId-867269568%22%20id%3D%22toc-hId-867269568%22%20id%3D%22toc-hId-867269568%22%20id%3D%22toc-hId-867269568%22%3ELearn%20more%3A%3C%2FH2%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fautomation%2Fautomation-security-overview%3FWT.mc_id%3Dmodinfra-24776-socuff%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20Automation%20account%20authentication%20overview%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fautomation%2Fmanage-runas-account%3FWT.mc_id%3DPortal-Microsoft_Azure_Automation%23permissions%3FWT.mc_id%3Dmodinfra-24776-socuff%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EManage%20an%20Azure%20Automation%20Run%20As%20account%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fautomation%2Fmanage-runbooks%3FWT.mc_id%3Dmodinfra-24776-socuff%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EManage%20runbooks%20in%20Azure%20Automation%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fautomation%2Fenable-managed-identity-for-automation%3FWT.mc_id%3Dmodinfra-24776-socuff%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EEnable%20a%20managed%20identity%20for%20your%20Azure%20Automation%20account%20(preview)%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Factive-directory%2Fmanaged-identities-azure-resources%2Foverview%3FWT.mc_id%3Dmodinfra-24776-socuff%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EWhat%20are%20managed%20identities%20for%20Azure%20resources%3F%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2277737%22%20slang%3D%22en-US%22%3E%3CP%3ELearn%20how%20Managed%20Identities%20can%20replace%20Run%20As%20accounts%20in%20Azure%20Automation%2C%20with%20this%20new%20preview%20feature.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2277737%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESonia%20Cuff%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2437892%22%20slang%3D%22en-US%22%3ERe%3A%20Using%20Managed%20Identities%20in%20Azure%20Automation%20Accounts%20(preview)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2437892%22%20slang%3D%22en-US%22%3E%3CP%3EIt%20is%20great%20that%20Azure%20Automation%20has%20now%20the%20ability%20to%20leverage%20a%20System%20Managed%20Identity.%3C%2FP%3E%3CP%3EI%20do%20have%20two%20questions.%3C%2FP%3E%3CP%3EI%20found%20examples%20on%20how%20to%20connect%20the%20AZ%20and%20AzureAD%20modules%20but%20I%20was%20wondering%20how%20to%20connect%20to%20MSGraph%20by%20using%20the%20Intune%20Powershell%20SDK%20using%20the%20SMI.%3C%2FP%3E%3CP%3EIs%20this%20possible%20at%20the%20moment%20and%20if%20so%20how%20would%20I%20do%20that%3F%3C%2FP%3E%3CP%3EAnd%20is%20there%20an%20estimated%20ETA%20on%20User%20Managed%20Identity%20support%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20again.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMartijn%20Verheijen%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2541308%22%20slang%3D%22en-US%22%3ERe%3A%20Using%20Managed%20Identities%20in%20Azure%20Automation%20Accounts%20(preview)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2541308%22%20slang%3D%22en-US%22%3E%3CP%3EIts%20really%20great%20to%20see%20the%20managed%20identities%20can%20be%20used%20for%20Azure%20Automation.%20Could%20you%20please%20also%20suggest%20the%20steps%20for%20providing%20the%20API%20access%20and%20Role%20assignment%20for%20Managed%20Identities%20using%20PowerShell%3F%26nbsp%3B%20Will%20this%20be%20only%20through%20PowerShell%20or%20through%20GUI%20in%20later%20releases%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2745932%22%20slang%3D%22en-US%22%3ERe%3A%20Using%20Managed%20Identities%20in%20Azure%20Automation%20Accounts%20(preview)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2745932%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F170596%22%20target%3D%22_blank%22%3E%40Sonia%20Cuff%3C%2FA%3E%26nbsp%3BCan%20these%20be%20used%20with%20O365%20services%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Co-Authors
Version history
Last update:
‎Apr 19 2021 03:00 AM
Updated by: