Use managed identity for authentication

March 21, 2025

SYNOPSIS

Ensure Managed Identity is used for authentication.

DESCRIPTION

Azure Automation can use Managed Identities to authenticate to Azure resources without storing credentials.

Using managed identities has the following benefits:

  • Using a managed identity instead of the Automation Run As account simplifies management. You don't have to renew the certificate used by a Run As account.
  • Managed Identities can be used without any additional cost.
  • You don't have to specify the Run As connection object in your runbook code. You can access resources using your Automation Account's Managed Identity from a runbook.

RECOMMENDATION

Consider configuring a managed identity for each Automation Account.

EXAMPLES

Configure with Azure template

To deploy Automation Accounts that pass this rule:

  • Set identity.type to SystemAssigned or UserAssigned.
  • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

{
    "type": "Microsoft.Automation/automationAccounts",
    "apiVersion": "2021-06-22",
    "name": "[parameters('automation_account_name')]",
    "location": "australiaeast",
    "identity": {
        "type": "SystemAssigned"
    },
    "properties": {
        "disableLocalAuth": false,
        "sku": {
            "name": "Basic"
        },
        "encryption": {
            "keySource": "Microsoft.Automation",
            "identity": {}
        }
    }
}
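The following Python script is an added example, not part of this page or of PSRule's own rule implementation. It reads an ARM template and applies the two conditions stated above to every Microsoft.Automation/automationAccounts resource: identity.type must be SystemAssigned or UserAssigned, and a UserAssigned identity must reference at least one entry in identity.userAssignedIdentities. It goes slightly beyond the text by also accepting the combined value 'SystemAssigned, UserAssigned' (assumption: Azure allows both identity kinds on one resource). The embedded template, the account names, and the resource ID placeholder are constructed for the example.

```python
"""Check Automation Account resources in an ARM template for a managed identity.

Added example (not PSRule's own implementation). Conditions checked:
  1. identity.type is SystemAssigned or UserAssigned (or both, comma separated;
     accepting the combined value is an assumption beyond the page text).
  2. If UserAssigned is used, identity.userAssignedIdentities is non-empty.
"""
import json

AUTOMATION_TYPE = "Microsoft.Automation/automationAccounts"


def _identity_types(identity):
    """Split an ARM identity.type value such as 'SystemAssigned, UserAssigned' into a set."""
    raw = (identity or {}).get("type") or ""
    return {t.strip() for t in raw.split(",") if t.strip()}


def check_automation_account(resource):
    """Return (passed, reason) for one automationAccounts resource."""
    identity = resource.get("identity") or {}
    types = _identity_types(identity)
    if not types or types == {"None"}:
        return False, "identity.type is not set (no managed identity)"
    if not types <= {"SystemAssigned", "UserAssigned"}:
        return False, f"unexpected identity.type value(s): {sorted(types)}"
    if "UserAssigned" in types:
        uai = identity.get("userAssignedIdentities") or {}
        if not uai:
            return False, "identity.type is UserAssigned but userAssignedIdentities is empty"
    return True, "managed identity configured: " + ", ".join(sorted(types))


def check_template(template):
    """Evaluate every Automation Account in a template; returns {name: (passed, reason)}."""
    results = {}
    for res in template.get("resources", []):
        if res.get("type") == AUTOMATION_TYPE:
            results[res.get("name", "<unnamed>")] = check_automation_account(res)
    return results


# Constructed sample template: three accounts with differing identity settings.
# The user-assigned identity resource ID is a placeholder, not a real identifier.
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Automation/automationAccounts",
      "apiVersion": "2021-06-22",
      "name": "aa-system",
      "location": "australiaeast",
      "identity": { "type": "SystemAssigned" },
      "properties": { "sku": { "name": "Basic" } }
    },
    {
      "type": "Microsoft.Automation/automationAccounts",
      "apiVersion": "2021-06-22",
      "name": "aa-user",
      "location": "australiaeast",
      "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {
          "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity-name>": {}
        }
      },
      "properties": { "sku": { "name": "Basic" } }
    },
    {
      "type": "Microsoft.Automation/automationAccounts",
      "apiVersion": "2021-06-22",
      "name": "aa-none",
      "location": "australiaeast",
      "properties": { "sku": { "name": "Basic" } }
    }
  ]
}
""")

if __name__ == "__main__":
    for name, (passed, reason) in check_template(SAMPLE_TEMPLATE).items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}: {reason}")
```

Running the script reports aa-system and aa-user as passing and aa-none as failing, because the third account has no identity block at all. The same check applies to a UserAssigned account whose userAssignedIdentities map is empty, which deploys a resource that has declared an identity type but cannot actually authenticate as anything.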

Configure with Bicep

To deploy Automation Accounts that pass this rule:

  • Set identity.type to SystemAssigned or UserAssigned.
  • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

resource automation_account_name_resource 'Microsoft.Automation/automationAccounts@2021-06-22' = {
  name: automation_account_name
  location: 'australiaeast'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    disableLocalAuth: false
    sku: {
      name: 'Basic'
    }
    encryption: {
      keySource: 'Microsoft.Automation'
      identity: {}
    }
  }
}