In this blog post, we’ll guide you through the process of using PowerShell to assign managed identity access to your Azure Automation account.
Azure Automation accounts provide a powerful way to manage and automate tasks in your Azure environment. By leveraging PowerShell, you can simplify the process of assigning managed identity access to Azure Automation accounts, streamlining your cloud management and security.
Azure Managed Identity
Azure Managed Identity simplifies identity management and access control for workloads running in Azure. A managed identity gives a resource its own identity in Azure Active Directory (AAD, now Microsoft Entra ID) whose credentials are issued and rotated by the platform, so there is no client secret, certificate or access key to store in code, Automation variables or runbooks, and nothing for an attacker to exfiltrate from them.
Managed Identity automatically creates and manages a service principal for the Azure resource (here, the Automation account). Code running on that resource requests tokens from the platform rather than signing in with stored credentials, and access is controlled by assigning Azure roles to the identity's service principal. Note that a managed identity has no rights at all until a role is assigned to it, which is the step this post covers.
Azure Role Assignment
The command below assigns the built-in 'Contributor' role to the Automation account's managed identity. $objectID is the object (principal) ID of the identity and $resourceID is the scope; in the full script further down the scope is the Automation account's own resource ID. Both can be changed: the scope can be any resource, resource group, subscription or management group, and the role can be any built-in or custom role. Choose the narrowest role and scope that the runbooks actually need, because anything the identity can do, every runbook in the account (and anyone who can edit a runbook) can do too. Running New-AzRoleAssignment requires Owner or User Access Administrator on the target scope.
New-AzRoleAssignment -ObjectId $objectID -RoleDefinitionName "Contributor" -Scope $resourceID
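The following is an added example, not code from the original post. It assigns a narrower role ("Virtual Machine Contributor" is assumed; substitute the role the runbooks need) at the scope of the resource group the runbooks will manage rather than at the Automation account itself, skips the assignment if it already exists (New-AzRoleAssignment errors on duplicates), and retries when the freshly created identity has not yet replicated in the directory. The variable names, resource group names and role name are placeholders.

```powershell
# Added example: least-privilege role assignment for an Automation account's
# system-assigned identity, with an idempotency check and a replication retry.
# All names below are assumed placeholders.
$rgname                = "Resource-Group-Name"          # RG that holds the Automation account
$AutomationAccountName = "Automation-Account-Name"
$targetRg              = "Target-Resource-Group"        # RG the runbooks will operate on
$roleName              = "Virtual Machine Contributor"  # narrower than Contributor; assumed

# Object ID of the system-assigned identity; fail early if it is not enabled
$principalId = (Get-AzAutomationAccount -ResourceGroupName $rgname -Name $AutomationAccountName).Identity.PrincipalId
if (-not $principalId) {
    throw "Automation account '$AutomationAccountName' has no system-assigned identity enabled."
}

# Scope: the resource group the runbooks manage, not the Automation account itself
$scope = (Get-AzResourceGroup -Name $targetRg).ResourceId

# Skip if the assignment is already in place
$existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName -Scope $scope -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "Role '$roleName' is already assigned to $principalId at $scope"
    return
}

# A just-created identity can take a short time to replicate; retry a few times
$attempt = 0
do {
    try {
        New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName -Scope $scope -ErrorAction Stop
        Write-Host "Assigned '$roleName' to $principalId at $scope"
        break
    }
    catch {
        $attempt++
        if ($attempt -ge 5) { throw }
        Write-Host "Assignment failed ($($_.Exception.Message)); retrying in 10 seconds..."
        Start-Sleep -Seconds 10
    }
} while ($true)
```

Assigning at the target resource group keeps the identity out of the Automation account's own control plane, so a compromised runbook cannot create new runbooks, read Automation credentials or change the account's identity settings.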
The end-to-end script, including comments, is shown below. Define the variables in the variables section before running it. Note that Get-AzResource is given the resource group and resource type as well as the name, so that it cannot match a different resource that happens to share the name.
```powershell
# This PowerShell script creates an Azure Automation account, enables its
# system-assigned managed identity and assigns that identity a role.

# Variables
$rgname = "Resource-Group-Name"                   # The name of the resource group
$location = "Azure-Region"                        # The Azure region in which the resources will be created
$AutomationAccountName = "Automation-Account-Name" # The name of the Automation account

# Create a new Resource Group
New-AzResourceGroup -Name $rgname -Location $location

# Create a new Automation Account
New-AzAutomationAccount -ResourceGroupName $rgname -Name $AutomationAccountName -Location $location

# Enable the system-assigned managed identity for the Automation Account
Set-AzAutomationAccount -Name $AutomationAccountName -ResourceGroupName $rgname -AssignSystemIdentity

# Retrieve the Automation Account details
Get-AzAutomationAccount -Name $AutomationAccountName -ResourceGroupName $rgname

# Get the object ID of the managed identity and the resource ID of the Automation Account
$objectID = (Get-AzAutomationAccount -Name $AutomationAccountName -ResourceGroupName $rgname).Identity.PrincipalId
$resourceID = (Get-AzResource -ResourceGroupName $rgname -ResourceType "Microsoft.Automation/automationAccounts" -Name $AutomationAccountName).ResourceId
Write-Host $objectID

# Assign the 'Contributor' role to the managed identity at the Automation Account scope
New-AzRoleAssignment -ObjectId $objectID -RoleDefinitionName "Contributor" -Scope $resourceID
```
After the script has run successfully, the output shows the object ID of the managed identity. That line is printed before the role assignment, so it confirms that the identity exists, not that the assignment succeeded; check the output of New-AzRoleAssignment itself, or run Get-AzRoleAssignment -ObjectId $objectID to list the roles the identity holds. If New-AzRoleAssignment fails with a message that the principal does not exist, the new identity has not yet replicated; wait a few seconds and rerun the assignment. You can also confirm in the Azure portal that the Automation account now has a system-assigned identity (Identity blade) and that the identity holds the 'Contributor' role at the chosen scope (Access control (IAM) blade on that scope).
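To close the loop, the added example below (not part of the original post) audits what the identity can do from the management side and then shows the runbook code that authenticates as the identity. The first part lists every role assignment for the principal; the second part is the body of a PowerShell runbook that signs in with Connect-AzAccount -Identity, so no credential asset is needed, and lists the VMs in an assumed target resource group. $rgname, $AutomationAccountName and $targetRg are placeholders.

```powershell
# Added example: audit the identity's role assignments, then the runbook side.
# Names are assumed placeholders.
$rgname                = "Resource-Group-Name"
$AutomationAccountName = "Automation-Account-Name"
$targetRg              = "Target-Resource-Group"   # RG the runbooks manage; assumed

# --- Part 1: run from an administrator session ---------------------------------
$principalId = (Get-AzAutomationAccount -ResourceGroupName $rgname -Name $AutomationAccountName).Identity.PrincipalId

# Every role the identity holds, at every scope. Review this list for anything
# broader than the runbooks need (for example Contributor at subscription scope).
$assignments = Get-AzRoleAssignment -ObjectId $principalId
$assignments | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

# Flag assignments whose scope is a whole subscription (three path segments)
$broad = $assignments | Where-Object { ($_.Scope -split '/').Count -le 3 }
if ($broad) {
    Write-Warning "Identity $principalId holds subscription-wide roles: $($broad.RoleDefinitionName -join ', ')"
}

# --- Part 2: body of a PowerShell runbook inside the Automation account --------
# Stop the runbook from inheriting any cached context from the sandbox
Disable-AzContextAutosave -Scope Process | Out-Null

# Sign in as the system-assigned identity; the platform supplies the token,
# so the runbook carries no secret
$context = (Connect-AzAccount -Identity).Context
$context = Set-AzContext -SubscriptionName $context.Subscription -DefaultProfile $context

Write-Output "Running as principal $($context.Account.Id)"

# Only succeeds if the identity holds a role that allows reading VMs in $targetRg;
# an authorization error here means the role assignment is missing or too narrow
Get-AzVM -ResourceGroupName $targetRg -DefaultProfile $context |
    Select-Object Name, ResourceGroupName, ProvisioningState
```

The audit in part 1 is worth running periodically, not just once: role assignments accumulate, and the managed identity of an Automation account is an attractive target precisely because anyone who can edit a runbook inherits everything it has been granted.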