About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Bias Types:
- powershell_heavy
- missing_linux_example
- windows_tools
- windows_first
Summary:
The documentation is heavily focused on PowerShell-based automation, with all code samples and migration steps provided exclusively in PowerShell. There are no examples or guidance for users who may use Python, Bash, or other scripting languages commonly found in Linux environments. The documentation assumes the use of Windows-centric tools and patterns (such as PowerShell cmdlets and the Azure PowerShell modules), and does not mention or prioritize cross-platform or Linux-native alternatives. This creates a Windows-first bias and may exclude or confuse Linux users.
Recommendations:
- Provide equivalent sample scripts for Bash (using Azure CLI) and Python (using Azure SDK), especially for authentication and resource management tasks.
- Explicitly mention that Azure Automation supports Python runbooks and Linux Hybrid Runbook Workers, and provide migration guidance for those scenarios.
- Include references to cross-platform tools (e.g., Azure CLI, REST API) alongside PowerShell, and not just as an afterthought.
- When describing steps or tools, avoid assuming PowerShell as the default; instead, offer parallel instructions for Linux/CLI users.
- Add a section or callout for Linux users, highlighting any differences or additional considerations when migrating from Run As accounts to managed identities.
Flagged Code Snippets
---
### View client ID of user assigned identity
1. In your Automation account, under **Account Settings**, select **Identity**.
1. On the **User assigned** tab, select the user-assigned identity.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/user-assigned-inline.png" alt-text="Screenshot that shows the navigation path to view client ID." lightbox="./media/migrate-run-as-account-managed-identity/user-assigned-expanded.png":::
1. Go to **Overview** > **Essentials** to view the **Client ID**.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/view-client-id-inline.png" alt-text="Screenshot that shows how to view a client ID." lightbox="./media/migrate-run-as-account-managed-identity/view-client-id-expanded.png":::
## Graphical runbooks
### Check if a Run As account is used in graphical runbooks
1. Check each of the activities within the runbook to see if it uses the Run As account when it calls any logon cmdlets or aliases, such as `Add-AzRmAccount/Connect-AzRmAccount/Add-AzAccount/Connect-AzAccount`.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/check-graphical-runbook-use-run-as-inline.png" alt-text="Screenshot that illustrates checking if a graphical runbook uses a Run As account." lightbox="./media/migrate-run-as-account-managed-identity/check-graphical-runbook-use-run-as-expanded.png":::
1. Examine the parameters that the cmdlet uses.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/activity-parameter-configuration.png" alt-text="Screenshot that shows examining the parameters used by a cmdlet.":::
For use with the Run As account, the cmdlet uses the `ServicePrincipalCertificate` parameter set to `ApplicationId`. `CertificateThumbprint` will be from `RunAsAccountConnection`.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/parameter-sets-inline.png" alt-text="Screenshot that shows parameter sets." lightbox="./media/migrate-run-as-account-managed-identity/parameter-sets-expanded.png":::
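The same check can be applied to script text, such as the body of a code activity or a textual runbook. The following is an added example, not part of the original article: `Find-RunAsLogon` and the sample script are constructed for illustration, and the function goes beyond the graphical case by parsing PowerShell text and reporting every logon cmdlet call together with the parameters it passes.

```powershell
# Added example: report logon cmdlet calls and whether they pass Run As parameters.
# Find-RunAsLogon is a hypothetical helper name, not an Azure cmdlet.
function Find-RunAsLogon {
    param([Parameter(Mandatory)][string]$ScriptText)

    # Logon cmdlets and aliases listed in the article.
    $logonCmdlets = 'Add-AzRmAccount', 'Connect-AzRmAccount', 'Add-AzAccount', 'Connect-AzAccount'
    # Parameters the article associates with the Run As connection.
    $runAsParams = 'ApplicationId', 'CertificateThumbprint'

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    $commands = $ast.FindAll({ param($node) $node -is [System.Management.Automation.Language.CommandAst] }, $true)

    foreach ($cmd in $commands) {
        $name = $cmd.GetCommandName()
        $isLogon = $name -in $logonCmdlets
        $isConnectionLookup = $name -eq 'Get-AutomationConnection'
        if (-not ($isLogon -or $isConnectionLookup)) { continue }

        # Named parameters only; splatted or abbreviated parameters are not detected.
        $used = @($cmd.CommandElements |
            Where-Object { $_ -is [System.Management.Automation.Language.CommandParameterAst] } |
            ForEach-Object { $_.ParameterName })
        $runAsHits = @($used | Where-Object { $_ -in $runAsParams })

        [pscustomobject]@{
            Line       = $cmd.Extent.StartLineNumber
            Cmdlet     = $name
            Parameters = $used -join ', '
            UsesRunAs  = $isConnectionLookup -or ($runAsHits.Count -gt 0)
        }
    }
}

# Constructed sample input: one Run As logon and one managed identity logon.
$sample = @'
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
Connect-AzAccount -ServicePrincipal -Tenant $conn.TenantID -ApplicationId $conn.ApplicationID -CertificateThumbprint $conn.CertificateThumbprint
Connect-AzAccount -Identity
'@

Find-RunAsLogon -ScriptText $sample | Format-Table -AutoSize
```

Rows with `UsesRunAs` set to `True` are the calls to replace during migration. The script is only parsed, never executed, so the check does not need the Az modules installed.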
### Edit a graphical runbook to use a managed identity
You must test the managed identity to verify that the graphical runbook is working as expected. Create a copy of your production runbook to use the managed identity, and then update your test graphical runbook code to authenticate by using the managed identity. You can add this functionality to a graphical runbook by adding the `Connect-AzAccount` cmdlet.
The following steps include an example to show how a graphical runbook that uses a Run As account can use managed identities:
1. Sign in to the [Azure portal](https://portal.azure.com).
1. Open the Automation account, and then select **Process Automation** > **Runbooks**.
1. Select a runbook. For example, select the **Start Azure V2 VMs** runbook from the list, and then select **Edit** or go to **Browse Gallery** and select **Start Azure V2 VMs**.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/edit-graphical-runbook-inline.png" alt-text="Screenshot of editing a graphical runbook." lightbox="./media/migrate-run-as-account-managed-identity/edit-graphical-runbook-expanded.png":::
1. Replace the Run As connection that uses `AzureRunAsConnection` and the connection asset that internally uses the PowerShell `Get-AutomationConnection` cmdlet with the `Connect-AzAccount` cmdlet.
1. Select **Delete** to delete the `Get Run As Connection` and `Connect to Azure` activities.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/connect-azure-graphical-runbook-inline.png" alt-text="Screenshot to connect to the Azure activities." lightbox="./media/migrate-run-as-account-managed-identity/connect-azure-graphical-runbook-expanded.png":::
1. In the left panel, under **RUNBOOK CONTROL**, select **Code** and then select **Add to canvas**.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/add-canvas-graphical-runbook-inline.png" alt-text="Screenshot to select code and add it to the canvas." lightbox="./media/migrate-run-as-account-managed-identity/add-canvas-graphical-runbook-expanded.png":::
1. Edit the code activity, assign any appropriate label name, and select **Author activity logic**.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/author-activity-log-graphical-runbook-inline.png" alt-text="Screenshot to edit code activity." lightbox="./media/migrate-run-as-account-managed-identity/author-activity-log-graphical-runbook-expanded.png":::
1. In the **Code Editor** page, enter the following PowerShell code and select **OK**.
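One way to write the code activity for this step, as an added example rather than the snippet from the original article. `$UserAssignedClientId` is a hypothetical variable: leave it empty to use the system-assigned identity, or set it to the Client ID shown under **Overview** > **Essentials** to use a user-assigned identity.

```powershell
# Added example, not the article's original snippet.
# $UserAssignedClientId is a hypothetical variable: leave it empty for the
# system-assigned identity, or paste the Client ID of the user-assigned identity.
$UserAssignedClientId = ''

try {
    # Do not reuse an Azure context saved by an earlier job in this sandbox.
    Disable-AzContextAutosave -Scope Process | Out-Null

    Write-Output 'Logging in to Azure with a managed identity...'
    if ([string]::IsNullOrWhiteSpace($UserAssignedClientId)) {
        $login = Connect-AzAccount -Identity -ErrorAction Stop
    }
    else {
        $login = Connect-AzAccount -Identity -AccountId $UserAssignedClientId -ErrorAction Stop
    }

    # Record which identity the job ended up with, so a test run shows it.
    $account = $login.Context.Account
    Write-Output ("Signed in as {0} (account type: {1})" -f $account.Id, $account.Type)
}
catch {
    Write-Error -Message $_.Exception.Message
    throw
}
```

Because the sign-in uses `-ErrorAction Stop` and the `catch` block rethrows, a failed login stops the test runbook instead of letting later activities run without an authenticated context.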