Document Details

Add User Assigned Identity
Home / Scan 41 / Add User Assigned Identity
This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
GitHub View on GitHub 📚 View on Microsoft Learn

Bias Analysis

Bias Types:
⚠️ powershell_heavy
⚠️ windows_tools
⚠️ missing_linux_example
⚠️ windows_first
Summary:
The documentation page demonstrates a strong Windows and PowerShell bias. All command-line examples are provided exclusively in PowerShell, with no Bash, Azure CLI, or Linux-native shell equivalents. The use of Windows-style paths (e.g., 'path\file.json'), reliance on PowerShell-specific cmdlets (e.g., Connect-AzAccount, Invoke-RestMethod), and the absence of Linux or cross-platform CLI examples make it difficult for Linux users to follow the instructions. Even REST API and ARM template deployment steps are shown only with PowerShell, and there is no mention of Azure CLI or Bash scripting. The only non-PowerShell example is a Python snippet, but it is limited and does not cover the full workflow.
Recommendations:
  • Provide equivalent examples using Azure CLI (az) commands for all PowerShell cmdlets, especially for authentication, resource management, and REST API invocation.
  • Include Bash shell script examples for Linux users, particularly for file paths and environment variable usage.
  • Use cross-platform file path conventions (e.g., forward slashes or environment-agnostic variables) in examples.
  • Explicitly mention that all PowerShell examples can be run on PowerShell Core (pwsh) on Linux/macOS, or provide alternatives where necessary.
  • For REST API and ARM template deployment, show how to use curl or az deployment group create in addition to PowerShell.
  • Add a section or callouts for Linux/macOS users, highlighting any differences or prerequisites.
  • Ensure that the documentation does not assume a Windows environment by default, and balance the order of examples (e.g., present Azure CLI or Bash before or alongside PowerShell).
GitHub Create pull request

Scan History

Date Scan ID Status Bias Status
2025-07-12 23:44 #41 in_progress ❌ Biased
2025-07-12 00:58 #8 cancelled ✅ Clean
2025-07-10 05:06 #7 processing ✅ Clean
2025-07-09 23:22 #6 cancelled ✅ Clean

Flagged Code Snippets

$subscriptionID = "subscriptionID" $resourceGroup = "resourceGroupName" $automationAccount = "automationAccountName" $userAssignedOne = "userAssignedIdentityOne" $userAssignedTwo = "userAssignedIdentityTwo"
# Sign in to your Azure subscription $sub = Get-AzSubscription -ErrorAction SilentlyContinue if(-not($sub)) { Connect-AzAccount } # If you have multiple subscriptions, set the one to use # Select-AzSubscription -SubscriptionId "<SUBSCRIPTIONID>"
$templateFile = "path\template_ua.json"
New-AzResourceGroupDeployment ` -Name "UserAssignedDeployment" ` -ResourceGroupName $resourceGroup ` -TemplateFile $templateFile ` -automationAccountName $automationAccount ` -userAssignedOne $userAssignedOne ` -userAssignedTwo $userAssignedTwo
New-AzRoleAssignment ` -ObjectId <automation-Identity-object-id> ` -Scope "/subscriptions/<subscription-id>" ` -RoleDefinitionName "Contributor"
Write-Output "Connecting to azure via  Connect-AzAccount -Identity -AccountId <ClientId of USI>"  Connect-AzAccount -Identity -AccountId <ClientId of USI> Write-Output "Successfully connected with Automation account's Managed Identity"  Write-Output "Trying to fetch value from key vault using User Assigned Managed identity. Make sure you have given correct access to Managed Identity"  $secret = Get-AzKeyVaultSecret -VaultName '<KVname>' -Name '<KeyName>'  $ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret.SecretValue)  try {    $secretValueText = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr)      Write-Output $secretValueText  } finally {      [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr)  }
$output = Set-AzAutomationAccount ` -ResourceGroupName $resourceGroup ` -Name $automationAccount ` -AssignUserIdentity "/subscriptions/$subscriptionID/resourcegroups/$resourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$userAssignedOne", ` "/subscriptions/$subscriptionID/resourcegroups/$resourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$userAssignedTwo" $output
$output = Set-AzAutomationAccount ` -ResourceGroupName $resourceGroup ` -Name $automationAccount ` -AssignUserIdentity "/subscriptions/$subscriptionID/resourcegroups/$resourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$userAssignedOne", ` "/subscriptions/$subscriptionID/resourcegroups/$resourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$userAssignedTwo" ` -AssignSystemIdentity $output
# build URI $URI = "https://management.azure.com/subscriptions/$subscriptionID/resourceGroups/$resourceGroup/providers/Microsoft.Automation/automationAccounts/$automationAccount`?api-version=2020-01-13-preview" # build body $body = Get-Content $file # obtain access token $azContext = Get-AzContext $azProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile $profileClient = New-Object -TypeName Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient -ArgumentList ($azProfile) $token = $profileClient.AcquireAccessToken($azContext.Subscription.TenantId) $authHeader = @{ 'Content-Type'='application/json' 'Authorization'='Bearer ' + $token.AccessToken } # Invoke the REST API $response = Invoke-RestMethod -Uri $URI -Method PATCH -Headers $authHeader -Body $body # Review output $response.identity | ConvertTo-Json
(Get-AzAutomationAccount ` -ResourceGroupName $resourceGroup ` -Name $automationAccount).Identity | ConvertTo-Json
# Ensures you do not inherit an AzContext in your runbook Disable-AzContextAutosave -Scope Process # Connect to Azure with user-assigned managed identity $AzureContext = (Connect-AzAccount -Identity -AccountId <user-assigned-identity-ClientId>).context # set and store context $AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext
$file = "path\body_ua.json"
$resource= "?resource=https://management.azure.com/" $client_id="&client_id=<ClientId of USI>" $url = $env:IDENTITY_ENDPOINT + $resource + $client_id $Headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"  $Headers.Add("Metadata", "True") $headers.Add("X-IDENTITY-HEADER", $env:IDENTITY_HEADER) $accessToken = Invoke-RestMethod -Uri $url -Method 'GET' -Headers $Headers Write-Output $accessToken.access_token
$url = $env:IDENTITY_ENDPOINT $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Metadata", "True") $headers.Add("X-IDENTITY-HEADER", $env:IDENTITY_HEADER) $body = @{'resource'='https://management.azure.com/' 'client_id'='<ClientId of USI>'} $accessToken = Invoke-RestMethod $url -Method 'POST' -Headers $headers -ContentType 'application/x-www-form-urlencoded' -Body $body Write-Output $accessToken.access_token