Use managed identity for authentication

Security · Automation Account · Rule · 2021_12 · Important

Ensure Managed Identity is used for authentication.

Description

Azure Automation can use Managed Identities to authenticate to Azure resources without storing credentials.

Using managed identities has the following benefits:

  • Using a managed identity instead of the Automation Run As account simplifies management. You don't have to renew the certificate used by a Run As account.
  • Managed Identities can be used without any additional cost.
  • You don't have to specify the Run As connection object in your runbook code. You can access resources using your Automation Account's Managed Identity from a runbook.

Recommendation

Consider configuring a managed identity for each Automation Account.

Examples

Configure with Azure template

To deploy Automation Accounts that pass this rule:

  • Set identity.type to SystemAssigned or UserAssigned.
  • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

Azure Template snippet
{
    "type": "Microsoft.Automation/automationAccounts",
    "apiVersion": "2021-06-22",
    "name": "[parameters('automation_account_name')]",
    "location": "australiaeast",
    "identity": {
        "type": "SystemAssigned"
    },
    "properties": {
        "disableLocalAuth": false,
        "sku": {
            "name": "Basic"
        },
        "encryption": {
            "keySource": "Microsoft.Automation",
            "identity": {}
        }
    }
}
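
The two conditions above can be checked before deployment. The following is an added example, not code from this rule or from the project that publishes it: it audits the top-level resources of an ARM template for Automation Accounts without a managed identity. The function names and the sample account names are hypothetical, it reads literal values only (template expressions are not resolved), and treating an empty identity.userAssignedIdentities as a failure is an assumption of this example.

```python
import json

RESOURCE_TYPE = "Microsoft.Automation/automationAccounts"
MANAGED_TYPES = {"systemassigned", "userassigned"}

def check_account(resource):
    """Return a list of findings for one Automation Account resource (empty = pass)."""
    identity = resource.get("identity")
    if not isinstance(identity, dict):
        identity = {}
    # identity.type may combine both kinds, e.g. "SystemAssigned, UserAssigned".
    raw = str(identity.get("type", ""))
    kinds = {k.strip().lower() for k in raw.split(",") if k.strip()}
    if not kinds & MANAGED_TYPES:
        return ["identity.type is not SystemAssigned or UserAssigned"]
    # Assumption of this example: a UserAssigned identity must actually be referenced.
    if "userassigned" in kinds and not identity.get("userAssignedIdentities"):
        return ["identity.type is UserAssigned but identity.userAssignedIdentities is empty"]
    return []

def audit_template(template_text):
    """Map each Automation Account name in an ARM template to its findings."""
    template = json.loads(template_text)
    results = {}
    for resource in template.get("resources", []):
        if str(resource.get("type", "")).lower() == RESOURCE_TYPE.lower():
            results[resource.get("name", "<unnamed>")] = check_account(resource)
    return results

# Constructed sample template: one account per case.
SAMPLE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": RESOURCE_TYPE, "apiVersion": "2021-06-22", "name": "aa-system",
         "identity": {"type": "SystemAssigned"}},
        {"type": RESOURCE_TYPE, "apiVersion": "2021-06-22", "name": "aa-none",
         "identity": {"type": "None"}},
        {"type": RESOURCE_TYPE, "apiVersion": "2021-06-22", "name": "aa-missing"},
        {"type": RESOURCE_TYPE, "apiVersion": "2021-06-22", "name": "aa-user-empty",
         "identity": {"type": "UserAssigned", "userAssignedIdentities": {}}},
    ],
})

if __name__ == "__main__":
    for name, findings in audit_template(SAMPLE).items():
        print(f"{name}: {'PASS' if not findings else 'FAIL - ' + '; '.join(findings)}")
```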

Configure with Bicep

To deploy Automation Accounts that pass this rule:

  • Set identity.type to SystemAssigned or UserAssigned.
  • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

Azure Bicep snippet
resource automation_account_name_resource 'Microsoft.Automation/automationAccounts@2021-06-22' = {
  name: automation_account_name
  location: 'australiaeast'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    disableLocalAuth: false
    sku: {
      name: 'Basic'
    }
    encryption: {
      keySource: 'Microsoft.Automation'
      identity: {}
    }
  }
}
