How to Migrate Azure Runbooks to System Managed Identity?

This article covers the steps for migrating runbooks from an Azure Run As account to a system-assigned managed identity in an Azure Automation Account. The migration of an Automation Account from an existing Run As account to a managed identity is described in detail below. Let's dive into the steps.

Identify the Automation Accounts which use Run As Account

Open Azure Portal >> Access Automation Accounts >> Select the Resource >> Search and select Run as account from menu.

Sample screenshot of an Automation Account that has an existing Run As Account:

Screenshot of an existing Run As Account in Azure

Sample screenshot of an Automation Account that doesn't have a Run As Account:

Screenshot which doesn't have a Run As Account
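The portal check above is one account at a time. The following script is an added example, not part of the original article, that does the same inventory across every Automation Account in the current subscription with Az PowerShell. It assumes the Az.Accounts and Az.Automation modules are installed and that Connect-AzAccount has already been run with read access to the accounts; the asset names 'AzureRunAsConnection' and 'AzureRunAsCertificate' are the ones the Run As feature creates.

```powershell
# Added example (not from the original article): list every Automation Account
# in the current subscription and flag the ones that still hold the legacy
# Run As connection asset. Assumes Az.Automation is installed and that
# Connect-AzAccount has already been run.
Import-Module Az.Automation

$report = foreach ($acct in Get-AzAutomationAccount) {
    # The Run As feature stores its credentials as a connection asset named
    # 'AzureRunAsConnection'. Asking for a missing asset throws, so suppress
    # the error and treat $null as "no Run As account".
    $runAs = Get-AzAutomationConnection `
        -ResourceGroupName $acct.ResourceGroupName `
        -AutomationAccountName $acct.AutomationAccountName `
        -Name 'AzureRunAsConnection' -ErrorAction SilentlyContinue

    # The matching certificate asset carries the expiry date, which is useful
    # for deciding which accounts to migrate first.
    $cert = Get-AzAutomationCertificate `
        -ResourceGroupName $acct.ResourceGroupName `
        -AutomationAccountName $acct.AutomationAccountName `
        -Name 'AzureRunAsCertificate' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ResourceGroup     = $acct.ResourceGroupName
        AutomationAccount = $acct.AutomationAccountName
        HasRunAsAccount   = [bool]$runAs
        RunAsCertExpiry   = if ($cert) { $cert.ExpiryTime } else { $null }
    }
}

# Accounts that still use Run As come first; these are the migration candidates.
$report | Sort-Object HasRunAsAccount -Descending | Format-Table -AutoSize
```

Run it once per subscription (Set-AzContext -Subscription before running) to build the full list of accounts that need the steps that follow.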

Enable System Managed Identity for an Automation Account and Add Access to Target Azure Subscriptions

Step 1: Open Azure Portal >> Access Automation Accounts >> Select the Resource >> Search and select Identity from menu section.

Step 2: Now select the System assigned tab >> toggle the status to on >> Click on Save >> Click on Yes

Step 3: Now click on Azure Role assignments >> fill up the details >> Click on Save

  • Scope = Subscription
  • Subscription = <your target subscription>
  • Role = Contributor

Once saved, you can view the permissions in the same section. Role assignments for other subscriptions can be added the same way.
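Steps 1 to 3 above can also be scripted, which is convenient when many accounts need the same treatment. The script below is an added example and not from the original article. The resource group, account name and target subscription id are placeholders; it assumes Az.Automation 1.7 or later (for the -AssignSystemIdentity switch) and Az.Resources, run by a user who is allowed to create role assignments on the target subscription. The assumption that the returned account object exposes the principal id as Identity.PrincipalId is marked in the code with a fallback.

```powershell
# Added example (not from the original article): enable the system-assigned
# managed identity on an Automation Account and grant it Contributor on a
# target subscription, matching the portal steps. Placeholders in angle
# brackets must be replaced with your own values.
Import-Module Az.Automation
Import-Module Az.Resources

$resourceGroup      = '<resource-group>'
$automationAccount  = '<automation-account>'
$targetSubscription = '<target-subscription-id>'

# Step 2: turn on the system-assigned identity (equivalent to the portal toggle).
$acct = Set-AzAutomationAccount -ResourceGroupName $resourceGroup `
                                -Name $automationAccount `
                                -AssignSystemIdentity

# The role assignment references the identity's service principal object id.
# Assumption: the account object exposes it as Identity.PrincipalId; if your
# module version does not, the principal can be looked up by display name,
# which for a system-assigned identity equals the Automation Account name.
$principalId = $acct.Identity.PrincipalId
if (-not $principalId) {
    $principalId = (Get-AzADServicePrincipal -DisplayName $automationAccount).Id
}

# Step 3: Scope = Subscription, Role = Contributor, as in the article.
$scope = "/subscriptions/$targetSubscription"

# A freshly created identity can take a short while to replicate, so retry
# the assignment a few times instead of failing on the first attempt. The
# check for an existing assignment makes the script safe to re-run.
for ($attempt = 1; $attempt -le 5; $attempt++) {
    $existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $scope `
                    -RoleDefinitionName Contributor -ErrorAction SilentlyContinue
    if ($existing) { break }
    try {
        New-AzRoleAssignment -ObjectId $principalId `
                             -RoleDefinitionName Contributor `
                             -Scope $scope | Out-Null
        break
    }
    catch {
        if ($attempt -eq 5) { throw }
        Start-Sleep -Seconds 10
    }
}

# Confirm what the identity now holds on the subscription (what the portal
# shows under Azure role assignments).
Get-AzRoleAssignment -ObjectId $principalId -Scope $scope |
    Select-Object RoleDefinitionName, Scope
```

Run the role-assignment part once per target subscription. Contributor at subscription scope is what the article uses; if a runbook only touches a single resource group, assigning a narrower role at that scope keeps the identity's reach to what the runbook actually needs.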

Identify the existing Runbooks which need to be updated from an existing Run As account to System Managed identity

For example, take one of the Azure Automation Accounts. Go to Runbooks, identify the runbooks that still use the Run As connection, and proceed with the next steps.

Step 1: Open the target Runbook >> Click on Edit

Step 2: Find the following script from an existing runbook

# Legacy Run As authentication: reads the AzureRunAsConnection asset and
# signs in with the service principal's certificate.
$azConn = Get-AutomationConnection -Name 'AzureRunAsConnection'

## Add the automation account context to the session
Add-AzureRMAccount `
    -ServicePrincipal `
    -Tenant $azConn.TenantID `
    -ApplicationId $azConn.ApplicationId `
    -CertificateThumbprint $azConn.CertificateThumbprint

Run as account PowerShell Script

Step 3: Replace the above script with script below

try {
    "Logging in to Azure..."
    # Authenticate as the Automation Account's system-assigned managed identity;
    # no connection asset, certificate or application id is needed.
    Connect-AzAccount -Identity
}
catch {
    Write-Error -Message $_.Exception
    throw $_.Exception
}

Run As Account to System Managed Identity Code

Step 4: Once you are done with the changes, Click on Save and Publish.

Step 5: Verify and Confirm the runbook jobs.

Run As Account to System Managed Identity Migration Status

Delete Azure Run As Account from Automation Account

Open Azure Portal >> Access Automation Accounts >> Select the target Automation Account resource >> Search and select Run as account from the left menu >> Click on the Active/Expired Run As Account >> Copy the Azure Active Directory Application Display Name (keep it: if its role assignments were not removed at subscription scope, this name is how you identify them later) >> Click on Delete >> Verify the deletion.
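Two checks belong around Step 5 and the Run As deletion: confirming that the migrated runbook's jobs now succeed, and finding any role assignments still held by the Run As account's service principal so they can be removed. The script below is an added example, not from the original article; the values in angle brackets are placeholders, and the display name is the one copied from the Run As Account blade. It assumes Az.Automation and Az.Resources are installed and that Connect-AzAccount has been run against the subscription that holds the account.

```powershell
# Added example (not from the original article): post-migration verification.
# Placeholders in angle brackets are yours to fill in.
Import-Module Az.Automation
Import-Module Az.Resources

$resourceGroup     = '<resource-group>'
$automationAccount = '<automation-account>'
$runbookName       = '<runbook-name>'
$runAsAppName      = '<copied-AAD-application-display-name>'

# 1. Step 5: inspect the most recent jobs of the migrated runbook. A failed
#    Connect-AzAccount -Identity ends up as a Failed job whose error stream
#    carries the exception rethrown by the runbook's catch block.
$jobs = Get-AzAutomationJob -ResourceGroupName $resourceGroup `
            -AutomationAccountName $automationAccount `
            -RunbookName $runbookName |
        Sort-Object StartTime -Descending | Select-Object -First 5
$jobs | Format-Table JobId, Status, StartTime, EndTime -AutoSize

foreach ($job in ($jobs | Where-Object Status -eq 'Failed')) {
    "Error stream for job $($job.JobId):"
    Get-AzAutomationJobOutput -ResourceGroupName $resourceGroup `
        -AutomationAccountName $automationAccount `
        -Id $job.JobId -Stream Error |
        Select-Object -ExpandProperty Summary
}

# 2. Run As cleanup: role assignments held by the Run As service principal.
#    Run this before deleting the Run As account to see what it holds, and
#    again afterwards; assignments whose principal no longer resolves show
#    ObjectType 'Unknown' and should be removed at subscription scope.
$sp = Get-AzADServicePrincipal -DisplayName $runAsAppName
if ($sp) {
    "Role assignments still held by $runAsAppName:"
    Get-AzRoleAssignment -ObjectId $sp.Id |
        Select-Object RoleDefinitionName, Scope
}
else {
    "Principal $runAsAppName not found; listing orphaned assignments in the current subscription:"
    Get-AzRoleAssignment | Where-Object { $_.ObjectType -eq 'Unknown' } |
        Select-Object ObjectId, RoleDefinitionName, Scope
}
```

Run the second part once per subscription the Run As account had access to; an orphaned assignment can be removed with Remove-AzRoleAssignment using the ObjectId and Scope it prints.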