Document Details

Add User Assigned Identity
Home / Scan 2 / Add User Assigned Identity
This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
GitHub View on GitHub 📚 View on Microsoft Learn

Bias Analysis

Bias Types:
⚠️ powershell_heavy
⚠️ windows_tools
⚠️ missing_linux_example
⚠️ windows_first
Summary:
The documentation page demonstrates a strong Windows bias by providing only PowerShell-based CLI examples for all command-line operations, including REST API calls, ARM template deployment, and role assignments. There are no examples using Bash, Azure CLI (az), or Linux-native tools. File paths use Windows-style backslashes, and all scripting assumes a PowerShell environment. The only non-PowerShell code sample is a Python runbook, but even this relies on environment variables typically set in Azure Automation, not on Linux shell usage. There are no explicit instructions or examples for Linux users or those using Bash or Azure CLI.
Recommendations:
  • Add equivalent examples using Azure CLI (az) commands for all PowerShell examples, especially for adding managed identities, assigning roles, and deploying ARM templates.
  • Provide Bash shell script examples for REST API calls using curl or httpie, including authentication steps for Linux environments.
  • Use platform-neutral file path syntax (forward slashes or mention both styles) when referring to file locations.
  • Explicitly mention that all PowerShell examples can be run on PowerShell Core on Linux, or provide alternative commands for Bash users.
  • Include a section or callouts for Linux/macOS users, highlighting any differences or additional steps required.
  • When listing options (e.g., portal, PowerShell, REST API, ARM template), present Azure CLI and Bash examples alongside or before PowerShell to avoid 'windows_first' ordering.
GitHub Create pull request

Scan History

Date Scan ID Status Bias Status
2025-08-17 00:01 #83 in_progress ✅ Clean
2025-07-13 21:37 #48 completed ✅ Clean
2025-07-09 13:09 #3 cancelled ✅ Clean
2025-07-08 04:23 #2 cancelled ❌ Biased

Flagged Code Snippets

$file = "path\body_ua.json"
$templateFile = "path\template_ua.json"
New-AzResourceGroupDeployment ` -Name "UserAssignedDeployment" ` -ResourceGroupName $resourceGroup ` -TemplateFile $templateFile ` -automationAccountName $automationAccount ` -userAssignedOne $userAssignedOne ` -userAssignedTwo $userAssignedTwo
# Sign in to your Azure subscription $sub = Get-AzSubscription -ErrorAction SilentlyContinue if(-not($sub)) { Connect-AzAccount } # If you have multiple subscriptions, set the one to use # Select-AzSubscription -SubscriptionId "<SUBSCRIPTIONID>"
$subscriptionID = "subscriptionID" $resourceGroup = "resourceGroupName" $automationAccount = "automationAccountName" $userAssignedOne = "userAssignedIdentityOne" $userAssignedTwo = "userAssignedIdentityTwo"
$output = Set-AzAutomationAccount ` -ResourceGroupName $resourceGroup ` -Name $automationAccount ` -AssignUserIdentity "/subscriptions/$subscriptionID/resourcegroups/$resourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$userAssignedOne", ` "/subscriptions/$subscriptionID/resourcegroups/$resourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$userAssignedTwo" $output
$output = Set-AzAutomationAccount ` -ResourceGroupName $resourceGroup ` -Name $automationAccount ` -AssignUserIdentity "/subscriptions/$subscriptionID/resourcegroups/$resourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$userAssignedOne", ` "/subscriptions/$subscriptionID/resourcegroups/$resourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$userAssignedTwo" ` -AssignSystemIdentity $output
# build URI $URI = "https://management.azure.com/subscriptions/$subscriptionID/resourceGroups/$resourceGroup/providers/Microsoft.Automation/automationAccounts/$automationAccount`?api-version=2020-01-13-preview" # build body $body = Get-Content $file # obtain access token $azContext = Get-AzContext $azProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile $profileClient = New-Object -TypeName Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient -ArgumentList ($azProfile) $token = $profileClient.AcquireAccessToken($azContext.Subscription.TenantId) $authHeader = @{ 'Content-Type'='application/json' 'Authorization'='Bearer ' + $token.AccessToken } # Invoke the REST API $response = Invoke-RestMethod -Uri $URI -Method PATCH -Headers $authHeader -Body $body # Review output $response.identity | ConvertTo-Json
(Get-AzAutomationAccount ` -ResourceGroupName $resourceGroup ` -Name $automationAccount).Identity | ConvertTo-Json
New-AzRoleAssignment ` -ObjectId <automation-Identity-object-id> ` -Scope "/subscriptions/<subscription-id>" ` -RoleDefinitionName "Contributor"
# Ensures you do not inherit an AzContext in your runbook Disable-AzContextAutosave -Scope Process # Connect to Azure with user-assigned managed identity $AzureContext = (Connect-AzAccount -Identity -AccountId <user-assigned-identity-ClientId>).context # set and store context $AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext
$resource= "?resource=https://management.azure.com/" $client_id="&client_id=<ClientId of USI>" $url = $env:IDENTITY_ENDPOINT + $resource + $client_id $Headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"  $Headers.Add("Metadata", "True") $headers.Add("X-IDENTITY-HEADER", $env:IDENTITY_HEADER) $accessToken = Invoke-RestMethod -Uri $url -Method 'GET' -Headers $Headers Write-Output $accessToken.access_token
$url = $env:IDENTITY_ENDPOINT $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Metadata", "True") $headers.Add("X-IDENTITY-HEADER", $env:IDENTITY_HEADER) $body = @{'resource'='https://management.azure.com/' 'client_id'='<ClientId of USI>'} $accessToken = Invoke-RestMethod $url -Method 'POST' -Headers $headers -ContentType 'application/x-www-form-urlencoded' -Body $body Write-Output $accessToken.access_token
Write-Output "Connecting to azure via  Connect-AzAccount -Identity -AccountId <ClientId of USI>"  Connect-AzAccount -Identity -AccountId <ClientId of USI> Write-Output "Successfully connected with Automation account's Managed Identity"  Write-Output "Trying to fetch value from key vault using User Assigned Managed identity. Make sure you have given correct access to Managed Identity"  $secret = Get-AzKeyVaultSecret -VaultName '<KVname>' -Name '<KeyName>'  $ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret.SecretValue)  try {    $secretValueText = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr)      Write-Output $secretValueText  } finally {      [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr)  }