About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Bias Types:
- powershell_heavy
- missing_linux_example
- windows_tools
- windows_first
Summary:
The documentation is heavily focused on PowerShell-based automation, with all code samples and instructions using PowerShell cmdlets and modules (Az, AzureRM), which are most commonly used in Windows environments. There are no examples or guidance for using other scripting languages or tools (such as Python, Bash, or CLI), nor is there mention of Linux-native automation patterns. The documentation assumes the use of the Azure portal UI, which is platform-agnostic but often associated with Windows workflows. Linux or cross-platform automation scenarios are not addressed.
Recommendations:
- Provide equivalent examples using Azure CLI (az) commands, which are cross-platform and commonly used in Linux environments.
- Include sample scripts in Bash or Python for authenticating with managed identities in Azure Automation, especially for hybrid runbook workers running on Linux.
- Explicitly mention support for Linux-based hybrid runbook workers and provide migration steps or code samples for those environments.
- Clarify that managed identities and Azure Automation are supported on both Windows and Linux, and link to relevant Linux documentation.
- Balance the order of presentation by including Linux or cross-platform examples alongside or before PowerShell/Windows examples.
- Reference Linux tools (such as cloud-init, systemd, or cron) where relevant for automation scenarios.
Flagged Code Snippets
---
### View client ID of user assigned identity
1. In your Automation account, under **Account Settings**, select **Identity**.
1. On the **User assigned** tab, select the user-assigned identity.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/user-assigned-inline.png" alt-text="Screenshot that shows the navigation path to view client ID." lightbox="./media/migrate-run-as-account-managed-identity/user-assigned-expanded.png":::
1. Go to **Overview** > **Essentials** to view the **Client ID**.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/view-client-id-inline.png" alt-text="Screenshot that shows how to view a client ID." lightbox="./media/migrate-run-as-account-managed-identity/view-client-id-expanded.png":::
## Graphical runbooks
### Check if a Run As account is used in graphical runbooks
1. Check each of the activities within the runbook to see if it uses the Run As account when it calls any logon cmdlets or aliases, such as `Add-AzRmAccount/Connect-AzRmAccount/Add-AzAccount/Connect-AzAccount`.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/check-graphical-runbook-use-run-as-inline.png" alt-text="Screenshot that illustrates checking if a graphical runbook uses a Run As account." lightbox="./media/migrate-run-as-account-managed-identity/check-graphical-runbook-use-run-as-expanded.png":::
1. Examine the parameters that the cmdlet uses.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/activity-parameter-configuration.png" alt-text="Screenshot that shows examining the parameters used by a cmdlet.":::
For use with the Run As account, the cmdlet uses the `ServicePrincipalCertificate` parameter set to `ApplicationId`. `CertificateThumbprint` will be from `RunAsAccountConnection`.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/parameter-sets-inline.png" alt-text="Screenshot that shows parameter sets." lightbox="./media/migrate-run-as-account-managed-identity/parameter-sets-expanded.png":::
### Edit a graphical runbook to use a managed identity
You must test the managed identity to verify that the graphical runbook is working as expected. Create a copy of your production runbook to use the managed identity, and then update your test graphical runbook code to authenticate by using the managed identity. You can add this functionality to a graphical runbook by adding the `Connect-AzAccount` cmdlet.
The following steps include an example to show how a graphical runbook that uses a Run As account can use managed identities:
1. Sign in to the [Azure portal](https://portal.azure.com).
1. Open the Automation account, and then select **Process Automation** > **Runbooks**.
1. Select a runbook. For example, select the **Start Azure V2 VMs** runbook from the list, and then select **Edit** or go to **Browse Gallery** and select **Start Azure V2 VMs**.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/edit-graphical-runbook-inline.png" alt-text="Screenshot of editing a graphical runbook." lightbox="./media/migrate-run-as-account-managed-identity/edit-graphical-runbook-expanded.png":::
1. Replace the Run As connection that uses `AzureRunAsConnection` and the connection asset that internally uses the PowerShell `Get-AutomationConnection` cmdlet with the `Connect-AzAccount` cmdlet.
1. Select **Delete** to delete the `Get Run As Connection` and `Connect to Azure` activities.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/connect-azure-graphical-runbook-inline.png" alt-text="Screenshot to connect to the Azure activities." lightbox="./media/migrate-run-as-account-managed-identity/connect-azure-graphical-runbook-expanded.png":::
1. In the left panel, under **RUNBOOK CONTROL**, select **Code** and then select **Add to canvas**.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/add-canvas-graphical-runbook-inline.png" alt-text="Screenshot to select code and add it to the canvas." lightbox="./media/migrate-run-as-account-managed-identity/add-canvas-graphical-runbook-expanded.png":::
1. Edit the code activity, assign any appropriate label name, and select **Author activity logic**.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/author-activity-log-graphical-runbook-inline.png" alt-text="Screenshot to edit code activity." lightbox="./media/migrate-run-as-account-managed-identity/author-activity-log-graphical-runbook-expanded.png":::
1. In the **Code Editor** page, enter the following PowerShell code and select **OK**.
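The code for this step is not reproduced on this page. As an added example (not the original documentation's code), the following code-activity logic signs in with the Automation account's managed identity and then confirms that the job really is running under a managed identity rather than a leftover Run As service principal. `$UserAssignedClientId` is a hypothetical variable introduced for illustration; its value is a placeholder for the Client ID found in the "View client ID of user assigned identity" steps.

```powershell
# Added example: code-activity logic for a graphical runbook that replaces the
# 'Get Run As Connection' and 'Connect to Azure' activities.
# Assumption: $UserAssignedClientId is a hypothetical variable. Leave it empty
# to use the system-assigned identity, or set it to the Client ID shown under
# Identity > User assigned > Overview > Essentials.
$UserAssignedClientId = ''   # placeholder: '<client-id-of-user-assigned-identity>'

# Ensure the runbook job does not inherit a previously saved AzContext.
Disable-AzContextAutosave -Scope Process | Out-Null

try {
    Write-Output 'Logging in to Azure with a managed identity...'
    if ([string]::IsNullOrWhiteSpace($UserAssignedClientId)) {
        # System-assigned identity of the Automation account
        $connection = Connect-AzAccount -Identity -ErrorAction Stop
    }
    else {
        # User-assigned identity, selected by its Client ID
        $connection = Connect-AzAccount -Identity -AccountId $UserAssignedClientId -ErrorAction Stop
    }
}
catch {
    # Fail the job instead of letting later activities run unauthenticated.
    Write-Error -Message "Managed identity sign-in failed: $($_.Exception.Message)"
    throw
}

# Record which identity and subscription the remaining activities will use.
$context = $connection.Context
$summary = "Signed in as '{0}' (account type: {1}), subscription '{2}'" -f $context.Account.Id, $context.Account.Type, $context.Subscription.Name
Write-Output $summary

# Guard: a Run As sign-in would appear as a service principal, not a managed identity.
if ($context.Account.Type -ne 'ManagedService') {
    throw "Expected a managed identity context but got '$($context.Account.Type)'."
}
```

Run this in the test copy of the runbook first; if the subscription in the output is empty, the identity has no role assignment on the target scope yet.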