title | description | services | ms.subservice | ms.date | ms.topic |
---|---|---|---|---|---|
Create an Azure Automation Run As account | This article tells how to create an Azure Automation Run As account with PowerShell or from the Azure portal. | automation | process-automation | 05/17/2021 | conceptual |
Important
Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities. Before that date, you'll need to start migrating your runbooks to use managed identities. For more information, see migrating from an existing Run As account to managed identity to start migrating the runbooks from Run As account to managed identities before 30 September 2023.
Run As accounts in Azure Automation provide authentication for managing resources on the Azure Resource Manager or Azure Classic deployment model using Automation runbooks and other Automation features. This article describes how to create a Run As or Classic Run As account from the Azure portal or Azure PowerShell.
When you create the Run As or Classic Run As account in the Azure portal, by default it uses a self-signed certificate. If you want to use a certificate issued by your enterprise or third-party certification authority (CA), you can use the PowerShell script to create a Run As account.
Perform the following steps to update your Azure Automation account in the Azure portal. The Run As and Classic Run As accounts are created separately. If you don't need to manage classic resources, you can just create the Azure Run As account.
- Sign in to the Azure portal with an account that is a member of the Subscription Admins role and co-administrator of the subscription.
- Search for and select Automation Accounts.
- On the Automation Accounts page, select your Automation account from the list.
- In the left pane, select Run As Accounts in the Account Settings section.

  :::image type="content" source="media/create-run-as-account/automation-account-properties-pane.png" alt-text="Select the Run As Account option.":::
- Depending on the account you require, use the + Azure Run As Account or + Azure Classic Run As Account pane. After reviewing the overview information, click Create.

  :::image type="content" source="media/create-run-as-account/automation-account-create-run-as.png" alt-text="Select the option to create a Run As Account":::
- While Azure creates the Run As account, you can track the progress under Notifications from the menu. A banner is also displayed stating that the account is being created. The process can take a few minutes to complete.
The following list provides the requirements to create a Run As account in PowerShell using a provided script. These requirements apply to both types of Run As accounts.
- Windows 10 or Windows Server 2016 with Azure Resource Manager modules 3.4.1 and later. The PowerShell script doesn't support earlier versions of Windows.
- Azure PowerShell with PowerShell 6.2.4 or later. For information, see How to install and configure Azure PowerShell.
- An Automation account, which is referenced as the value for the `AutomationAccountName` and `ApplicationDisplayName` parameters.
- Permissions equivalent to the ones listed in Required permissions to configure Run As accounts.
If you are planning to use a certificate from your enterprise or third-party certificate authority (CA), Automation requires the certificate to have the following configuration:
- Specify the provider Microsoft Enhanced RSA and AES Cryptographic Provider
- Marked as exportable
- Configured to use the SHA256 algorithm
- Saved in the `*.pfx` or `*.cer` format.
To get the values for `AutomationAccountName`, `SubscriptionId`, and `ResourceGroupName`, which are required parameters for the PowerShell script, complete the following steps.
- Sign in to the Azure portal.
- Search for and select Automation Accounts.
- On the Automation Accounts page, select your Automation account from the list.
- In the left pane, select Properties.
- Note the values for Name, Subscription ID, and Resource Group on the Properties page.
The PowerShell script includes support for several configurations.
- Create a Run As account and/or a Classic Run As account by using a self-signed certificate.
- Create a Run As account and/or a Classic Run As account by using a certificate issued by your enterprise or third-party certification authority (CA).
- Create a Run As account and/or a Classic Run As account by using a self-signed certificate in the Azure Government cloud.
- Download and save the script to a local folder using the following command.

  ```powershell
  # Invoke-WebRequest is used directly: the wget alias exists only in Windows PowerShell 5.1, not in PowerShell 6 or later
  Invoke-WebRequest -Uri https://raw.githubusercontent.com/azureautomation/runbooks/master/Utility/AzRunAs/Create-RunAsAccount.ps1 -OutFile Create-RunAsAccount.ps1
  ```
- Start PowerShell with elevated user rights and navigate to the folder that contains the script.
- Run one of the following commands to create a Run As and/or Classic Run As account based on your requirements.
  - Create a Run As account using a self-signed certificate.

    ```powershell
    .\Create-RunAsAccount.ps1 -ResourceGroup <ResourceGroupName> -AutomationAccountName <NameofAutomationAccount> -SubscriptionId <SubscriptionId> -ApplicationDisplayName <DisplayNameofAADApplication> -SelfSignedCertPlainPassword <StrongPassword> -CreateClassicRunAsAccount $false
    ```
  - Create a Run As account and a Classic Run As account by using a self-signed certificate.

    ```powershell
    .\Create-RunAsAccount.ps1 -ResourceGroup <ResourceGroupName> -AutomationAccountName <NameofAutomationAccount> -SubscriptionId <SubscriptionId> -ApplicationDisplayName <DisplayNameofAADApplication> -SelfSignedCertPlainPassword <StrongPassword> -CreateClassicRunAsAccount $true
    ```
  - Create a Run As account and a Classic Run As account by using an enterprise certificate.

    ```powershell
    .\Create-RunAsAccount.ps1 -ResourceGroup <ResourceGroupName> -AutomationAccountName <NameofAutomationAccount> -SubscriptionId <SubscriptionId> -ApplicationDisplayName <DisplayNameofAADApplication> -SelfSignedCertPlainPassword <StrongPassword> -CreateClassicRunAsAccount $true -EnterpriseCertPathForRunAsAccount <EnterpriseCertPfxPathForRunAsAccount> -EnterpriseCertPlainPasswordForRunAsAccount <StrongPassword> -EnterpriseCertPathForClassicRunAsAccount <EnterpriseCertPfxPathForClassicRunAsAccount> -EnterpriseCertPlainPasswordForClassicRunAsAccount <StrongPassword>
    ```

    If you've created a Classic Run As account with an enterprise public certificate (.cer file), use this certificate. The script creates and saves it to the temporary files folder on your computer, under the user profile `%USERPROFILE%\AppData\Local\Temp` you used to execute the PowerShell session. See Uploading a management API certificate to the Azure portal.
  - Create a Run As account and a Classic Run As account by using a self-signed certificate in the Azure Government cloud.

    ```powershell
    .\Create-RunAsAccount.ps1 -ResourceGroup <ResourceGroupName> -AutomationAccountName <NameofAutomationAccount> -SubscriptionId <SubscriptionId> -ApplicationDisplayName <DisplayNameofAADApplication> -SelfSignedCertPlainPassword <StrongPassword> -CreateClassicRunAsAccount $true -EnvironmentName AzureUSGovernment
    ```
- After the script has executed, you're prompted to authenticate with Azure. Sign in with an account that's a member of the subscription administrators role. If you are creating a Classic Run As account, your account must be a co-administrator of the subscription.
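
The download-and-run steps above fetch the script from a branch URL and pass the certificate password as a plain-text argument. The following added example (not part of the original article or of the script's repository) pins the downloaded file to a hash you recorded when you reviewed it and prompts for the password instead of typing it on the command line. `$ExpectedSha256` is a placeholder you must fill in, and the angle-bracket values are the same placeholders used in the commands above.

```powershell
# Added example. $ExpectedSha256 is a placeholder: record the SHA256 of the copy you reviewed.
$ScriptUri      = 'https://raw.githubusercontent.com/azureautomation/runbooks/master/Utility/AzRunAs/Create-RunAsAccount.ps1'
$ScriptPath     = Join-Path $PWD.Path 'Create-RunAsAccount.ps1'
$ExpectedSha256 = '<SHA256-of-reviewed-script>'

Invoke-WebRequest -Uri $ScriptUri -OutFile $ScriptPath

# The URL tracks the master branch, so its content can change between downloads.
# Refuse to run anything that differs from the reviewed copy.
$actualSha256 = (Get-FileHash -Path $ScriptPath -Algorithm SHA256).Hash
if ($actualSha256 -ne $ExpectedSha256) {
    Remove-Item -Path $ScriptPath
    throw "Create-RunAsAccount.ps1 hash $actualSha256 does not match the reviewed copy."
}

# Prompt for the certificate password so it is not typed as a literal on the command line.
$securePwd = Read-Host -Prompt 'Password for the self-signed certificate' -AsSecureString
# The script takes the password as plain text, so convert it only for the call.
$plainPwd  = [System.Net.NetworkCredential]::new('', $securePwd).Password

# Same parameters as the first command above, passed by splatting.
$params = @{
    ResourceGroup               = '<ResourceGroupName>'
    AutomationAccountName       = '<NameofAutomationAccount>'
    SubscriptionId              = '<SubscriptionId>'
    ApplicationDisplayName      = '<DisplayNameofAADApplication>'
    SelfSignedCertPlainPassword = $plainPwd
    CreateClassicRunAsAccount   = $false
}

try {
    & $ScriptPath @params
}
finally {
    # Drop the plain-text copy from the session once the script returns.
    Remove-Variable -Name plainPwd, params
}
```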
- To get started with PowerShell runbooks, see Tutorial: Create a PowerShell runbook.
- To get started with a Python 3 runbook, see Tutorial: Create a Python 3 runbook.