Can I use User Managed Identity to reset the Secret of a Service Principal?

Stanley Shih 5 Reputation points
2023-09-20T03:27:50.51+00:00

Hello, I would like to use a PowerShell runbook to automate the updating of a Service Principal password. Due to security concerns, I do not want to use an account without MFA to connect to Azure. Is it possible to achieve this?

Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.

2 answers

  1. Stanley Shih 5 Reputation points
    2023-09-25T08:14:42.4033333+00:00

    Hello All,

    In the end, I used the method of inviting a guest, creating a new account, and then inviting it to another tenant. I controlled the account's properties using the system-assigned managed identity for an Azure Automation account. When it was necessary to update the secret for the Microsoft Entra application, I would enable that account, and during regular times I would keep it disabled.

    After all, automation cannot log in with accounts that have MFA enabled, so I used this approach to prevent any security issues from arising.

    1 person found this answer helpful.

  2. AnuragSingh-MSFT 21,356 Reputation points
    2023-09-22T08:57:02.0733333+00:00

    永勝 施, thank you for posting this question on Microsoft Q&A.

    You should be able to perform this operation using the user-assigned managed identity. Please find below the high-level set of steps that need to be taken to achieve this goal:

    1. Create user managed identity and assign it to Azure Automation Account. For details, see Using a user-assigned managed identity for an Azure Automation account.
    2. The main point to remember is to assign the role which has access to update the Service Principal. The Microsoft Entra (formerly known as Azure Active Directory) built-in roles are available here - Microsoft Entra built-in roles
    3. Verify the role assignment to the user-managed identity.
    4. For authentication, use the Connect-AzAccount -Identity -AccountId <user-assigned-identity-ClientId> cmdlet and parameter. For sample, see Authenticate access with user-assigned managed identity

    Hope this helps.

    If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.
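The four steps above, put together as a runbook. This is an added example, not code posted by either participant or by Microsoft: it signs in with the user-assigned managed identity (step 4), creates a new client secret on the target app registration, stores the plaintext in Key Vault for the consumer, and then trims old credentials so at most one previous secret stays valid for the hand-over. The parameter names `$UamiClientId`, `$TargetAppId`, `$VaultName` and `$SecretName` are placeholders for this example, as is the "keep the newest two secrets" retention rule. The Az cmdlets used (`Connect-AzAccount`, `New-AzADAppCredential`, `Get-AzADAppCredential`, `Remove-AzADAppCredential`, `Set-AzKeyVaultSecret`) are from the Az.Accounts, Az.Resources and Az.KeyVault modules, which must be imported into the Automation account.

```powershell
# Added example (not from the original Q&A thread): Azure Automation runbook that rotates a
# service principal's client secret while authenticating as a user-assigned managed identity.
# Placeholders/assumptions (supply your own values when scheduling the runbook):
#   $UamiClientId - client ID of the user-assigned managed identity attached to the Automation account
#   $TargetAppId  - application (client) ID of the app registration whose secret is rotated
#   $VaultName    - Key Vault the consumer reads the secret from; the identity needs permission to set secrets
param(
    [Parameter(Mandatory)] [string] $UamiClientId,
    [Parameter(Mandatory)] [string] $TargetAppId,
    [Parameter(Mandatory)] [string] $VaultName,
    [string] $SecretName   = 'target-app-client-secret',
    [int]    $ValidityDays = 90
)

$ErrorActionPreference = 'Stop'

# Runbooks should not inherit a cached context from another job.
Disable-AzContextAutosave -Scope Process | Out-Null

# Step 4 of the answer: token comes from the managed identity endpoint, so no user account,
# password or MFA prompt is involved at all.
Connect-AzAccount -Identity -AccountId $UamiClientId | Out-Null

$now = Get-Date

# Create the replacement secret before touching the old one, so the workload that uses it
# never sees a moment with zero valid credentials.
$newCred = New-AzADAppCredential -ApplicationId $TargetAppId `
    -StartDate $now -EndDate $now.AddDays($ValidityDays)

# SecretText is only returned at creation time. Hand it to the consumer through Key Vault
# and never write it to the job output stream (job logs are readable by anyone with Reader).
$secure = ConvertTo-SecureString -String $newCred.SecretText -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $secure `
    -Expires $newCred.EndDateTime `
    -Tags @{ appId = $TargetAppId; keyId = [string]$newCred.KeyId } | Out-Null
$secure = $null
Write-Output "Created credential $($newCred.KeyId) for app $TargetAppId, expires $($newCred.EndDateTime)"

# Retention rule (this example's choice, not a platform requirement): keep the new secret plus
# the single most recent previous one for the hand-over window, and remove everything older.
$others = @(Get-AzADAppCredential -ApplicationId $TargetAppId |
    Where-Object { $_.KeyId -ne $newCred.KeyId } |
    Sort-Object StartDateTime -Descending)

foreach ($stale in ($others | Select-Object -Skip 1)) {
    Remove-AzADAppCredential -ApplicationId $TargetAppId -KeyId $stale.KeyId
    Write-Output "Removed stale credential $($stale.KeyId) (started $($stale.StartDateTime))"
}
```

Two points on step 2 that the answer leaves open. First, the built-in roles that can add a credential to an arbitrary app registration (Application Administrator, Cloud Application Administrator) let whoever controls the managed identity mint a secret for every app in the tenant, which is effectively tenant-wide impersonation; for a single app it is tighter to make the managed identity's service principal an owner of that app registration, since owners may manage its credentials without a directory role. Second, the Automation job output is visible to anyone with Reader on the Automation account, which is why the block above writes key IDs and dates but never the secret value itself.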
