Document Details

Enable Managed Identity For Automation
Home / Scan 2 / Enable Managed Identity For Automation
This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
GitHub View on GitHub 📚 View on Microsoft Learn

Bias Analysis

Bias Types:
⚠️ powershell_heavy
⚠️ windows_first
⚠️ missing_linux_example
⚠️ windows_tools
Summary:
The documentation is heavily biased toward Windows and PowerShell usage. All code examples for enabling and using managed identities (including REST API, ARM templates, authentication, and resource access) are provided exclusively in PowerShell, with only a single Python example (and no Bash/CLI/Linux shell examples). Windows tools and paths are referenced first or exclusively in several places, and Linux equivalents are either missing, less detailed, or mentioned after Windows. There are no Azure CLI, Bash, or Linux-native scripting examples for the main workflows, and the documentation assumes PowerShell as the default automation and scripting environment.
Recommendations:
  • Provide Azure CLI examples for all major workflows (enabling managed identity, assigning roles, authenticating, accessing resources) alongside PowerShell.
  • Include Bash/shell script examples for REST API calls and token retrieval, especially for Linux-based Automation accounts.
  • When referencing file paths or commands for both Windows and Linux Hybrid Runbook Workers, present them in parallel and with equal detail.
  • Add Python and/or Bash examples for accessing Azure Key Vault, SQL Database, and other resources using managed identity, not just PowerShell.
  • Avoid assuming PowerShell as the default; explicitly state when an example is PowerShell and offer alternatives for Linux users.
  • Where possible, use cross-platform tools (e.g., Azure CLI, REST via curl) in examples to ensure parity.
  • Review and update all sections to ensure Linux and cross-platform users can follow the documentation without needing to translate PowerShell to their environment.
GitHub Create pull request

Scan History

Date Scan ID Status Bias Status
2025-08-17 00:01 #83 in_progress ✅ Clean
2025-07-13 21:37 #48 completed ✅ Clean
2025-07-09 13:09 #3 cancelled ✅ Clean
2025-07-08 04:23 #2 cancelled ❌ Biased

Flagged Code Snippets

$file = "path\body_sa.json"
$templateFile = "path\template_sa.json"
# Sign in to your Azure subscription $sub = Get-AzSubscription -ErrorAction SilentlyContinue if(-not($sub)) { Connect-AzAccount } # If you have multiple subscriptions, set the one to use # Select-AzSubscription -SubscriptionId "<SUBSCRIPTIONID>"
$subscriptionID = "subscriptionID" $resourceGroup = "resourceGroupName" $automationAccount = "automationAccountName"
$output = Set-AzAutomationAccount ` -ResourceGroupName $resourceGroup ` -Name $automationAccount ` -AssignSystemIdentity $output
$queryParameter = "?resource=https://database.windows.net/" $url = $env:IDENTITY_ENDPOINT + $queryParameter $Headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $Headers.Add("X-IDENTITY-HEADER", $env:IDENTITY_HEADER) $Headers.Add("Metadata", "True") $content =[System.Text.Encoding]::Default.GetString((Invoke-WebRequest -UseBasicParsing -Uri $url -Method 'GET' -Headers $Headers).RawContentStream.ToArray()) | ConvertFrom-Json $Token = $content.access_token echo "The managed identities for Azure resources access token is $Token" $SQLServerName = "<ServerName>" # Azure SQL logical server name $DatabaseName = "<DBname>" # Azure SQL database name Write-Host "Create SQL connection string" $conn = New-Object System.Data.SqlClient.SQLConnection $conn.ConnectionString = "Data Source=$SQLServerName.database.windows.net;Initial Catalog=$DatabaseName;Connect Timeout=30" $conn.AccessToken = $Token Write-host "Connect to database and execute SQL script" $conn.Open() $ddlstmt = "CREATE TABLE Person( PersonId INT IDENTITY PRIMARY KEY, FirstName NVARCHAR(128) NOT NULL)" Write-host " " Write-host "SQL DDL command" $ddlstmt $command = New-Object -TypeName System.Data.SqlClient.SqlCommand($ddlstmt, $conn) Write-host "results" $command.ExecuteNonQuery() $conn.Close()
# build URI $URI = "https://management.azure.com/subscriptions/$subscriptionID/resourceGroups/$resourceGroup/providers/Microsoft.Automation/automationAccounts/$automationAccount`?api-version=2020-01-13-preview" # build body $body = Get-Content $file # obtain access token $azContext = Get-AzContext $azProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile $profileClient = New-Object -TypeName Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient -ArgumentList ($azProfile) $token = $profileClient.AcquireAccessToken($azContext.Subscription.TenantId) $authHeader = @{ 'Content-Type'='application/json' 'Authorization'='Bearer ' + $token.AccessToken } # Invoke the REST API $response = Invoke-RestMethod -Uri $URI -Method PATCH -Headers $authHeader -Body $body # Review output $response.identity | ConvertTo-Json
New-AzResourceGroupDeployment ` -Name "SystemAssignedDeployment" ` -ResourceGroupName $resourceGroup ` -TemplateFile $templateFile
(Get-AzAutomationAccount ` -ResourceGroupName $resourceGroup ` -Name $automationAccount).Identity | ConvertTo-Json
New-AzRoleAssignment ` -ObjectId <automation-Identity-object-id> ` -Scope "/subscriptions/<subscription-id>" ` -RoleDefinitionName "Contributor"
# Ensures you do not inherit an AzContext in your runbook Disable-AzContextAutosave -Scope Process # Connect to Azure with system-assigned managed identity $AzureContext = (Connect-AzAccount -Identity).context # Set and store context $AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext
$resource= "?resource=https://management.azure.com/" $url = $env:IDENTITY_ENDPOINT + $resource $Headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $Headers.Add("X-IDENTITY-HEADER", $env:IDENTITY_HEADER) $Headers.Add("Metadata", "True") $accessToken = Invoke-RestMethod -Uri $url -Method 'GET' -Headers $Headers Write-Output $accessToken.access_token
$url = $env:IDENTITY_ENDPOINT $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("X-IDENTITY-HEADER", $env:IDENTITY_HEADER) $headers.Add("Metadata", "True") $body = @{resource='https://management.azure.com/' } $accessToken = Invoke-RestMethod $url -Method 'POST' -Headers $headers -ContentType 'application/x-www-form-urlencoded' -Body $body Write-Output $accessToken.access_token
Write-Output "Connecting to azure via Connect-AzAccount -Identity" Connect-AzAccount -Identity Write-Output "Successfully connected with Automation account's Managed Identity" Write-Output "Trying to fetch value from key vault using MI. Make sure you have given correct access to Managed Identity" $secret = Get-AzKeyVaultSecret -VaultName '<KVname>' -Name '<KeyName>' $ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret.SecretValue) try { $secretValueText = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr) Write-Output $secretValueText } finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr) }