Disable system-assigned managed identity for Azure Automation account
You can disable a system-assigned managed identity in Azure Automation by using the Azure portal, or using REST API.
Disable using the Azure portal
You can disable the system-assigned managed identity from the Azure portal no matter how the system-assigned managed identity was originally set up.
Sign in to the Azure portal.
Navigate to your Automation account and under Account Settings, select Identity.
From the System assigned tab, under the Status button, select Off and then select Save. When you're prompted to confirm, select Yes.
The system-assigned managed identity is disabled and no longer has access to the target resource.
Disable using REST API
Syntax and example steps are provided below.
Request body
The following request body disables the system-assigned managed identity and removes any user-assigned managed identities using the HTTP PATCH method.
{
"identity": {
"type": "None"
}
}
If there are multiple user-assigned identities defined, to retain them and only remove the system-assigned identity, you need to specify each user-assigned identity using comma-delimited list. The example below uses the HTTP PATCH method.
{
"identity" : {
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/firstIdentity": {},
"/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/secondIdentity": {}
}
}
}
The following is the service's REST API request URI to send the PATCH request.
PATCH https://management.azure.com/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/resource-group-name/providers/Microsoft.Automation/automationAccounts/automation-account-name?api-version=2020-01-13-preview
Example
Perform the following steps.
Copy and paste the request body, depending on which operation you want to perform, into a file named
body_remove_sa.json. Save the file on your local machine or in an Azure storage account.Sign in to Azure interactively using the Connect-AzAccount cmdlet and follow the instructions.
# Sign in to your Azure subscription $sub = Get-AzSubscription -ErrorAction SilentlyContinue if(-not($sub)) { Connect-AzAccount } # If you have multiple subscriptions, set the one to use # Select-AzSubscription -SubscriptionId "<SUBSCRIPTIONID>"Provide an appropriate value for the variables and then execute the script.
$subscriptionID = "subscriptionID" $resourceGroup = "resourceGroupName" $automationAccount = "automationAccountName" $file = "path\body_remove_sa.json"This example uses the PowerShell cmdlet Invoke-RestMethod to send the PATCH request to your Automation account.
# build URI $URI = "https://management.azure.com/subscriptions/$subscriptionID/resourceGroups/$resourceGroup/providers/Microsoft.Automation/automationAccounts/$automationAccount`?api-version=2020-01-13-preview" # build body $body = Get-Content $file # obtain access token $azContext = Get-AzContext $azProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile $profileClient = New-Object -TypeName Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient -ArgumentList ($azProfile) $token = $profileClient.AcquireAccessToken($azContext.Subscription.TenantId) $authHeader = @{ 'Content-Type'='application/json' 'Authorization'='Bearer ' + $token.AccessToken } # Invoke the REST API Invoke-RestMethod -Uri $URI -Method PATCH -Headers $authHeader -Body $body # Confirm removal (Get-AzAutomationAccount ` -ResourceGroupName $resourceGroup ` -Name $automationAccount).Identity.TypeDepending on the syntax you used, the output will either be:
UserAssignedor blank.
Next steps
For more information about enabling managed identities in Azure Automation, see Enable and use managed identity for Automation.
For an overview of Automation account security, see Automation account authentication overview.