Azure Active Directory and automation
Authenticating with management certificates is the original, and still the primary, way to secure calls from your Azure Automation scripts into the Azure environment, but creating and uploading the certificates to Azure takes many steps, and managing them afterwards can require considerable organizational effort.
There is now a new and recommended option that provides a more integrated and simpler authentication mechanism for Azure Automation runbooks: using Azure Active Directory (Azure AD), you can authenticate your runbooks with a credential instead of a certificate. Azure AD provides a robust, rich, integrated, identity-based authentication mechanism that supports key industry-wide identity and access features such as single sign-on (SSO) and multifactor authentication (MFA), and it integrates and synchronizes with your on-premises enterprise Active Directory installation. Azure AD also underpins the role-based access control (RBAC) available in the Azure Preview Portal, and you can use RBAC in your Azure Automation authentication strategy to simplify and tighten control over who in your organization is allowed to perform specific operations or access specific resources. Note that a runbook uses its credential non-interactively, so the account you dedicate to runbooks cannot be one that is prompted for MFA at sign-in.
Azure AD is becoming increasingly integrated into the various Azure services as an all-inclusive identity solution. With Azure AD, your organizational groups and user accounts are used to simplify secure access to different parts of Azure. When you log in to your Azure subscription or call the Azure Service Management REST application programming interface (API), you authenticate using Azure AD. Azure Automation, along with services such as Microsoft Office 365, Microsoft Azure SQL Database, Microsoft Azure Mobile Services, and Microsoft Azure Cloud Services, trusts Azure AD for identity and access management.
To set up a new Azure AD user for Azure Automation, do the following:
1. Create the user in Azure AD. For more information about creating a user in Azure AD.
2. Add the user as co-administrator to your Azure subscription. Log in to the Azure Management Portal at manage.windowsazure.com, click Settings, click Administrators, and then click Add.
3. Log in to the Azure Management Portal as the Azure AD user you created in step 1 and change the password when prompted.
(This procedure isn’t necessary if you want to use an existing Azure AD user account.) After the user is created, create an Azure Automation credential asset holding that user’s login credentials. As a best practice, it often makes sense to create a user account used only for running your Azure Automation scripts, and to grant it no more rights than its runbooks need; co-administrator is a broad role, so restrict the account with RBAC where the portal allows it.
You can access the Azure Automation credential asset from within your runbook. The runbook code retrieves the credential from the asset store with the Get-AutomationPSCredential activity and then uses that PSCredential to authenticate when it connects to Azure.
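The following runbook is an added example, not code from the original page or from Microsoft's documentation, showing the procedure above end to end: it reads a credential asset, signs in to Azure as that Azure AD user, selects a subscription and lists the virtual machines the account can see. The asset name "AzureAutomationUser" and the subscription name "MySubscription" are assumptions; replace them with the names you used in your Automation account.

```powershell
# Added example runbook (PowerShell workflow, as Azure Automation runbooks were
# written for the Azure Service Management cmdlets). Names below are assumptions.
workflow Use-AzureADCredential
{
    # Name of the credential asset created in the Automation account (assumed).
    $credName = "AzureAutomationUser"

    # Name of the subscription the user was added to as co-administrator (assumed).
    $subscriptionName = "MySubscription"

    # Get-AutomationPSCredential returns a PSCredential from the asset store.
    # It returns $null when the asset does not exist, so fail loudly rather than
    # letting Add-AzureAccount produce a confusing "missing credential" error.
    $cred = Get-AutomationPSCredential -Name $credName
    if ($cred -eq $null)
    {
        throw "Credential asset '$credName' was not found in this Automation account."
    }

    # Sign in with the Azure AD user. No management certificate is needed.
    # This is a non-interactive sign-in, so the account must not require an
    # MFA prompt and must be an organizational (Azure AD) account rather than a
    # Microsoft account.
    Add-AzureAccount -Credential $cred

    # Make the intended subscription current for the rest of the runbook.
    Select-AzureSubscription -SubscriptionName $subscriptionName

    # Prove the session works with a read-only call; replace with real work.
    Get-AzureVM | Select-Object Name, ServiceName, Status
}
```

Because the credential asset stores the account password, treat the Automation account itself as a sensitive boundary: anyone who can edit or run runbooks in it can act as that Azure AD user, so keep the dedicated account's rights to the minimum the runbooks require and rotate its password on the same schedule you would use for a certificate.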
Although using management certificates to authenticate Azure Automation runbooks is still supported, as a best practice use Azure AD for all your Azure Automation authentication whenever possible.
Source of Information : Azure Automation