Use managed identity for authentication
March 21, 2025
SYNOPSIS
Ensure Managed Identity is used for authentication.
DESCRIPTION
Azure automation can use Managed Identities to authenticate to Azure resources without storing credentials.
Using managed identities has the following benefits:
- Using a managed identity instead of the Automation Run As account simplifies management. You don't have to renew the certificate used by a Run As account.
- Managed Identities can be used without any additional cost.
- You don't have to specify the Run As connection object in your runbook code. You can access resources using your Automation Account's Managed Identity from a runbook.
RECOMMENDATION
Consider configuring a managed identity for each Automation Account.
EXAMPLES
Configure with Azure template
To deploy Automation Accounts that pass this rule:
- Set identity.type to SystemAssigned or UserAssigned.
- If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.
For example:
{
    "type": "Microsoft.Automation/automationAccounts",
    "apiVersion": "2021-06-22",
    "name": "[parameters('automation_account_name')]",
    "location": "australiaeast",
    "identity": {
        "type": "SystemAssigned"
    },
    "properties": {
        "disableLocalAuth": false,
        "sku": {
            "name": "Basic"
        },
        "encryption": {
            "keySource": "Microsoft.Automation",
            "identity": {}
        }
    }
}
Configure with Bicep
To deploy Automation Accounts that pass this rule:
- Set identity.type to SystemAssigned or UserAssigned.
- If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.
For example:
resource automation_account_name_resource 'Microsoft.Automation/automationAccounts@2021-06-22' = {
  name: automation_account_name
  location: 'australiaeast'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    disableLocalAuth: false
    sku: {
      name: 'Basic'
    }
    encryption: {
      keySource: 'Microsoft.Automation'
      identity: {}
    }
  }
}
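The two checks spelled out in the Azure template and Bicep sections above (identity.type must be SystemAssigned or UserAssigned, and a UserAssigned identity must actually reference something in identity.userAssignedIdentities) can be run against a template before deployment. The following Python is an added example written for this page; it is not PSRule's own implementation of the rule. It goes slightly beyond the rule text by also accepting the combined "SystemAssigned,UserAssigned" identity type that ARM allows. The sample template, account names and the check_automation_account / check_template function names are constructed for the example.

```python
import json

# Identity types that satisfy the rule. The combined form "systemassigned,userassigned"
# is the ARM syntax for both identity kinds on one resource; it is accepted here as a
# generalisation beyond the two values the rule text lists (assumption for this example).
PASSING_TYPES = {"systemassigned", "userassigned", "systemassigned,userassigned"}

AUTOMATION_TYPE = "microsoft.automation/automationaccounts"


def check_automation_account(resource: dict) -> tuple[bool, str]:
    """Return (passes, reason) for one Microsoft.Automation/automationAccounts resource.

    Mirrors the rule text: identity.type must be SystemAssigned or UserAssigned, and a
    UserAssigned identity must reference at least one identity in
    identity.userAssignedIdentities (an empty map would deploy but leave the runbooks
    with no identity to authenticate with).
    """
    if resource.get("type", "").lower() != AUTOMATION_TYPE:
        raise ValueError("not an Automation Account resource")

    identity = resource.get("identity") or {}
    raw_type = str(identity.get("type", "None"))
    # Normalise "SystemAssigned, UserAssigned" -> "systemassigned,userassigned"
    norm = ",".join(part.strip().lower() for part in raw_type.split(","))

    if norm not in PASSING_TYPES:
        return False, f"identity.type is '{raw_type}'; expected SystemAssigned or UserAssigned"

    if "userassigned" in norm:
        uai = identity.get("userAssignedIdentities") or {}
        if not isinstance(uai, dict) or not uai:
            return False, "identity.type is UserAssigned but identity.userAssignedIdentities is empty"

    return True, f"identity.type is '{raw_type}'"


def check_template(template: dict) -> list[tuple[str, bool, str]]:
    """Run the check over every Automation Account in an ARM template's resources array."""
    results = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() == AUTOMATION_TYPE:
            ok, reason = check_automation_account(res)
            results.append((res.get("name", "<unnamed>"), ok, reason))
    return results


# Constructed sample template (not from the page): one compliant account, one
# UserAssigned account with no identity referenced, and one with no identity at all.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    { "type": "Microsoft.Automation/automationAccounts", "apiVersion": "2021-06-22",
      "name": "aa-system", "location": "australiaeast",
      "identity": { "type": "SystemAssigned" }, "properties": {} },
    { "type": "Microsoft.Automation/automationAccounts", "apiVersion": "2021-06-22",
      "name": "aa-user-empty", "location": "australiaeast",
      "identity": { "type": "UserAssigned", "userAssignedIdentities": {} }, "properties": {} },
    { "type": "Microsoft.Automation/automationAccounts", "apiVersion": "2021-06-22",
      "name": "aa-none", "location": "australiaeast", "properties": {} }
  ]
}
""")

if __name__ == "__main__":
    for name, ok, reason in check_template(SAMPLE_TEMPLATE):
        print(f"{'PASS' if ok else 'FAIL'} {name}: {reason}")
```

Run against the constructed template, only aa-system passes; aa-user-empty fails because the UserAssigned map is empty, and aa-none fails because the resource has no identity block. Matching on the resource type and identity type case-insensitively is deliberate: ARM accepts either casing, so a checker that only matched the exact strings in the examples would silently skip resources.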