Use managed identity for authentication
Security · Automation Account · Rule · 2021_12 · Important
Ensure Managed Identity is used for authentication.
Description
Azure Automation can use Managed Identities to authenticate to Azure resources without storing credentials.
Using managed identities has the following benefits:
- Using a managed identity instead of the Automation Run As account simplifies management. You don't have to renew the certificate used by a Run As account.
- Managed Identities can be used without any additional cost.
- You don't have to specify the Run As connection object in your runbook code. You can access resources using your Automation Account's Managed Identity from a runbook.
Recommendation
Consider configuring a managed identity for each Automation Account.
Examples
Configure with Azure template
To deploy Automation Accounts that pass this rule:
- Set `identity.type` to `SystemAssigned` or `UserAssigned`.
- If `identity.type` is `UserAssigned`, reference the identity with `identity.userAssignedIdentities`.
For example:
Azure Template snippet
```json
{
  "type": "Microsoft.Automation/automationAccounts",
  "apiVersion": "2021-06-22",
  "name": "[parameters('automation_account_name')]",
  "location": "australiaeast",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "disableLocalAuth": false,
    "sku": {
      "name": "Basic"
    },
    "encryption": {
      "keySource": "Microsoft.Automation",
      "identity": {}
    }
  }
}
```
Configure with Bicep
To deploy Automation Accounts that pass this rule:
- Set `identity.type` to `SystemAssigned` or `UserAssigned`.
- If `identity.type` is `UserAssigned`, reference the identity with `identity.userAssignedIdentities`.
For example:
Azure Bicep snippet
```bicep
resource automation_account_name_resource 'Microsoft.Automation/automationAccounts@2021-06-22' = {
  name: automation_account_name
  location: 'australiaeast'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    disableLocalAuth: false
    sku: {
      name: 'Basic'
    }
    encryption: {
      keySource: 'Microsoft.Automation'
      identity: {}
    }
  }
}
```
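As an added example (not the rule engine's own implementation), the same check expressed in Python over ARM template JSON: it passes an Automation Account whose `identity.type` is `SystemAssigned` or `UserAssigned`, and for `UserAssigned` also requires that `identity.userAssignedIdentities` references at least one identity. The sample template, the placeholder identity resource id, and the acceptance of combined types such as `SystemAssigned, UserAssigned` are assumptions made for this example.

```python
"""Added example (not the rule engine's own code): mirror this rule's logic
over ARM template resources. Assumes the rule passes when identity.type is
SystemAssigned or UserAssigned and, for UserAssigned, that
identity.userAssignedIdentities references at least one identity."""
import json

AUTOMATION_TYPE = "Microsoft.Automation/automationAccounts"


def automation_identity_ok(resource: dict) -> bool:
    """Return True when an automationAccounts resource uses a managed identity."""
    identity = resource.get("identity") or {}
    # Assumption: combined types such as "SystemAssigned, UserAssigned" also pass.
    kinds = {k.strip() for k in str(identity.get("type", "None")).split(",")}
    if "SystemAssigned" in kinds:
        return True
    if "UserAssigned" in kinds:
        # A user-assigned identity must actually be referenced, not just declared.
        return bool(identity.get("userAssignedIdentities"))
    return False


def check_template(template_json: str) -> dict:
    """Evaluate every Automation Account in an ARM template: name -> pass/fail."""
    template = json.loads(template_json)
    return {
        r["name"]: automation_identity_ok(r)
        for r in template.get("resources", [])
        if r.get("type") == AUTOMATION_TYPE
    }


# Constructed sample template: one account with no identity, one system-assigned,
# one user-assigned (placeholder identity resource id), plus an unrelated resource.
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": AUTOMATION_TYPE, "name": "aa-none", "location": "australiaeast",
     "properties": {}},
    {"type": AUTOMATION_TYPE, "name": "aa-system", "location": "australiaeast",
     "identity": {"type": "SystemAssigned"}, "properties": {}},
    {"type": AUTOMATION_TYPE, "name": "aa-user", "location": "australiaeast",
     "identity": {"type": "UserAssigned", "userAssignedIdentities": {
         "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
         "Microsoft.ManagedIdentity/userAssignedIdentities/<identity-name>": {}}},
     "properties": {}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "st-example"},
]})

if __name__ == "__main__":
    for name, ok in check_template(SAMPLE_TEMPLATE).items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

A `UserAssigned` identity with an empty `userAssignedIdentities` map is reported as a failure, since the account would have no identity to authenticate with.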
Links
- Use identity-based authentication
- Managed identities
- Using a system-assigned managed identity for an Azure Automation account
- Using a user-assigned managed identity for an Azure Automation account
- Azure deployment reference