Migrate from a Run As account to Managed Identities

Important

  • Azure Automation Run As Account was retired on September 30, 2023 and is replaced by Managed Identities. We recommend to start migrating your runbooks to use managed identities. For more information, see migrating from an existing Run As accounts to managed identity.
  • Delaying the feature has a direct impact on our support burden, as it would cause upgrades of mobility agent to fail.

This article shows you how to migrate your runbooks to use a Managed Identities for Azure Site Recovery. Azure Automation Accounts are used by Azure Site Recovery customers to auto-update the agents of their protected virtual machines. Site Recovery creates Azure Automation Run As Accounts when you enable replication via the IaaS VM Blade and Recovery Services Vault.

On Azure, managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Microsoft Entra ID and using it to obtain Microsoft Entra tokens.

Prerequisites

Before you migrate from a Run As account to a managed identity, ensure that you have the appropriate roles to create a system-assigned identity for your automation account and to assign it the Owner role in the corresponding recovery services vault.

Note

You can use the same automation account across multiple recovery services vaults, however, both the automation account and recovery services vault should be in the same region.

Benefits of managed identities

Here are some of the benefits of using managed identities:

  • Credentials access - You don't need to manage credentials.
  • Simplified authentication - You can use managed identities to authenticate to any resource that supports Microsoft Entra authentication including your own applications.
  • Cost effective - Managed identities can be used at no extra cost.
  • Double encryption - Managed identity is also used to encrypt/decrypt data and metadata using the customer-managed key stored in Azure Key Vault, providing double encryption.

Note

Managed identities for Azure resources is the new name for the service formerly known as Managed Service Identity (MSI).

Migrate from an existing Run As account to a managed identity

Configure managed identities

You can configure your managed identities through:

  • Azure portal
  • Azure CLI
  • your Azure Resource Manager (ARM) template

Note

For more information about migration cadence and the support timeline for Run As account creation and certificate renewal, see the frequently asked questions.

From Azure portal

To migrate your Azure Automation account authentication type from a Run As to a managed identity authentication, follow these steps:

  1. In the Azure portal, select the recovery services vault for which you want to migrate the runbooks.

  2. On the homepage of your recovery services vault page, do the following:

    1. On the left pane, under Manage, select Site Recovery infrastructure. Screenshot of the **Site Recovery infrastructure** page.

    2. Under For Azure virtual machines, select Extension update settings. This page details the authentication type for the automation account that is being used to manage the Site Recovery extensions.

    3. On this page, select Migrate to migrate the authentication type for your automation accounts to use Managed Identities.

      Screenshot of the Create Recovery Services vault page.

Note

Ensure that the System assigned Managed Identity is turned off for the Automation account for the "Migrate" button to appear. If the account is not migrated and the "Migrate" button isn't appearing, turn off the Managed Identity for the Automation Account and try again.

  1. After the successful migration of your automation account, the authentication type for the linked account details on the Extension update settings page is updated.
  2. Once the Migrate operation is completed, toggle the Site Recovery to manage button to turn it On again.

When you successfully migrate from a Run As to a Managed Identities account, the following changes are reflected on the Automation Run As Accounts :

  • System Assigned Managed Identity is enabled for the account (if not already enabled).
  • The Contributor role permission is assigned to the Recovery Services vault’s subscription.
  • The script that updates the mobility agent to use Managed Identity based authentication is updated.

To link an existing managed identity Automation account to your Recovery Services vault. Follow these steps:

Enable the managed identity for the vault

  1. Go to the automation account that you have selected. Under Account settings, select Identity.

    Screenshot that shows the identity settings page.

  2. Under the System assigned, change the Status to On and select Save.

    An Object ID is generated. The vault is now registered with Azure Active Directory. Screenshot that shows the system identity settings page.

  3. Go back to your recovery services vault. On the left pane, select the Access control (IAM) option. Screenshot that shows IAM settings page.

  4. Select Add > Add role assignment > Contributor to open the Add role assignment page.

    Note

    Once the automation account is set, you can change the role of the account from Contributor to Site Recovery Contributor.

  5. On the Add role assignment page, ensure to select Managed identity.

  6. Select the Select members. In the Select managed identities pane, do the following:

    1. In the Select field, enter the name of the managed identity automation account.
    2. In the Managed identity field, select All system-assigned managed identities.
    3. Select the Select option. Screenshot that shows select managed identity settings page.
  7. Select Review + assign.

  8. Navigate to the Extension update settings under the Recovery Services Vault, toggle the Site Recovery to manage button to turn it On again.

Next steps

Learn more about: