Thursday, 2 January 2025

Migrate from an existing Run As Account to Managed identities

In this blog, we will learn how to migrate existing 'Run As Accounts' to managed identities.

Sign in to the Azure portal with an account that’s a member of the subscription Administrator role or a Co-Administrator of the subscription.

Managed identities come in two types: system-assigned and user-assigned.


Steps to migrate an existing 'Run As Account' to a managed identity:

Step 1: Identify the 'Run As Accounts' that are expiring.


Step 2: Check current role assignments for 'Run as account'.

Click on the Run As Account in that list; its properties are shown, and the roles assigned to it are listed at the bottom.


Step 3: Create System Assigned Managed Identity.

Now we need to create the managed identity to migrate to. Go to the Automation Account and select Identity in the left navigation. From here you can create a new system-assigned or user-assigned managed identity.

Create a new system-assigned managed identity: set the status to On and save. Azure automatically creates the managed identity.


Once the managed identity has been created, its Object ID is displayed. Now we can begin assigning permissions.


Step 4: Assign permissions to Managed Identity.

Click on Azure role assignments on the newly created managed identity and add the same permissions the existing Run As account had (see Step 2).


Once finished, we can see the role assignments on the new managed identity (it can take some time for the assigned roles to appear).
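Steps 2 to 4 can also be carried out from an Az PowerShell session, which makes the "same permissions" requirement auditable: the script below records the Run As service principal's role assignments, enables the system-assigned identity, and re-creates each assignment at the same scope. This is an added example, not code from the original post or from Microsoft; it assumes the Az.Accounts, Az.Resources and Az.Automation modules, an already signed-in session, and that `-AssignSystemIdentity` on `Set-AzAutomationAccount` is available in your module version. All resource names and IDs are placeholders.

```powershell
# Added example (not part of the original post): mirror a Run As account's role
# assignments onto a new system-assigned managed identity (Steps 2-4).
# Assumes: Az.Accounts, Az.Resources, Az.Automation; a session opened with Connect-AzAccount.
$resourceGroup     = '<resource-group>'          # placeholder
$automationAccount = '<automation-account>'      # placeholder
# Application (client) ID of the Run As service principal, shown on the Run As Account blade.
$runAsAppId        = '<run-as-application-id>'   # placeholder

# Step 2: record what the Run As account can currently do, and where.
$existing = Get-AzRoleAssignment -ServicePrincipalName $runAsAppId
Write-Output "Run As account holds $($existing.Count) role assignment(s):"
$existing | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

# Step 3: enable the system-assigned managed identity on the Automation Account.
# (-AssignSystemIdentity is assumed to exist in the installed Az.Automation version.)
Set-AzAutomationAccount -ResourceGroupName $resourceGroup -Name $automationAccount -AssignSystemIdentity | Out-Null

# Read the identity's object ID back from the resource (Identity.PrincipalId is assumed populated).
$resource = Get-AzResource -ResourceGroupName $resourceGroup -Name $automationAccount `
    -ResourceType 'Microsoft.Automation/automationAccounts'
$principalId = $resource.Identity.PrincipalId
Write-Output "Managed identity object ID: $principalId"

# Step 4: grant the identity the same roles at the same scopes. Directory replication can
# lag right after creation, so retry briefly instead of failing on the first attempt.
foreach ($ra in $existing) {
    for ($attempt = 1; $attempt -le 5; $attempt++) {
        try {
            New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $ra.RoleDefinitionName `
                -Scope $ra.Scope -ErrorAction Stop | Out-Null
            Write-Output "Assigned '$($ra.RoleDefinitionName)' at $($ra.Scope)"
            break
        } catch {
            if ($_.Exception.Message -match 'already exists') {
                Write-Output "Already assigned '$($ra.RoleDefinitionName)' at $($ra.Scope)"
                break
            }
            if ($attempt -eq 5) { throw }
            Start-Sleep -Seconds 15
        }
    }
}

# Verify: every (role, scope) pair held by the Run As account must now be held by the identity.
$new = Get-AzRoleAssignment -ObjectId $principalId
$missing = $existing | Where-Object {
    $pair = $_
    -not ($new | Where-Object { $_.RoleDefinitionName -eq $pair.RoleDefinitionName -and $_.Scope -eq $pair.Scope })
}
if ($missing) {
    Write-Warning "Not yet mirrored (propagation delay or permission issue):"
    $missing | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
} else {
    Write-Output 'All role assignments mirrored to the managed identity.'
}
```

The Step 2 listing is worth keeping as a record: the migration is the natural moment to drop any role the runbooks no longer need rather than copying a Contributor assignment on the whole subscription forward unexamined. Because a system-assigned identity is tied to the Automation Account's lifecycle, its role assignments disappear with the account, which removes the orphaned-credential problem the expiring Run As certificate illustrates.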


Step 5: Update credentials

Go to the Automation Account and select Credentials in the left navigation.


Select the credential and update Password and Confirm Password with the app secret value.
(Open App registrations and create a new client secret. Copy the client secret value and use it above.)

Select Save.



Note

No changes to the runbook code are needed to use managed identities.
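For reference, this is how the authentication block of a PowerShell runbook looks under each model. It is an added example, not code from the original post or from Microsoft's documentation: the commented lines show a runbook that signs in through the `AzureRunAsConnection` asset, and the live lines show sign-in with the Automation Account's system-assigned identity via `Connect-AzAccount -Identity`. The user-assigned client ID is a placeholder; the module is assumed to be Az.Accounts.

```powershell
# Added example (not part of the original post): a runbook's sign-in block before and
# after migrating from a Run As account to a managed identity. Assumes Az.Accounts.

# --- Before: Run As account (certificate-based service principal, stored as a connection asset) ---
# $connection = Get-AutomationConnection -Name 'AzureRunAsConnection'
# Connect-AzAccount -ServicePrincipal -Tenant $connection.TenantId `
#     -ApplicationId $connection.ApplicationId `
#     -CertificateThumbprint $connection.CertificateThumbprint | Out-Null

# --- After: system-assigned managed identity; no certificate or secret is stored in the account ---
# Keep the context local to this job so it is not persisted between runbook executions.
Disable-AzContextAutosave -Scope Process | Out-Null

try {
    $ctx = (Connect-AzAccount -Identity -ErrorAction Stop).Context
} catch {
    # Typical causes: identity not enabled on the Automation Account, or the job is running
    # before the identity has finished propagating.
    throw "Managed identity sign-in failed: $($_.Exception.Message)"
}
Write-Output "Authenticated as $($ctx.Account.Id) in tenant $($ctx.Tenant.Id)"

# For a user-assigned identity, pass its client ID (placeholder value) instead:
# Connect-AzAccount -Identity -AccountId '<user-assigned-client-id>' | Out-Null

# The rest of the runbook is unchanged; for example, list the resource groups the identity can see.
Get-AzResourceGroup | Select-Object ResourceGroupName, Location
```

If a job fails with an authorization error after the switch, check the identity's Azure role assignments (Step 4) first: the identity signs in successfully even when it has no roles, and the failure only surfaces on the first resource call.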


Step 6: Delete the 'Run As Account'

The final task is to clean up the Run As resources. Go to the Automation Account > Run As Accounts and click Delete.


Once finished, the automation account no longer has any Run As Accounts tied to it. The Run As account is also deleted from Azure Active Directory (AAD).



Refer to the Microsoft documentation for more details:
https://learn.microsoft.com/en-us/azure/automation/migrate-run-as-accounts-managed-identity


I hope this will help all of you! 🧲
Feel free to provide feedback.