How can we improve Azure Automation service?

← Automation

Azure Automation should support using pre-existing Service Principals for RunAs connections

Currently the only supported method for adding a RunAs connection to an Azure Automation account is to create a new Service Principal. By default the SP is created with Contributor access to the entire subscription.

This is not ideal for several reasons:
* Contributor access to a subscription is a relatively high level of access. I would like to ensure that my automation accounts are more tightly constrained.
* The auto-generated name for the SP can cause problems in accounts that have applied a naming standard/governance model to SP accounts.
* Since we are unable to reuse our existing SPs for managing resources, we are forced to manage duplicate access profiles for two SPs (one used for ARM deployments, one used in Automation Accounts).

While it is possible to create a RunAs connection with an existing SP via powershell, the process is finicky and I am being told by MS support that the result is considered an "unsupported configuration". I would like this configuration to be documented and supported.

For reference, I was able to successfully create a RunAs connection via powershell without creating a new SP if I made sure that the following were true:
* The connection is named "AzureRunAsConnection"
* The certificate is named "AzureRunAsCertificate"
* The connection object is created first and the certificate is created second

61 votes
Vote
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Mark Gardner shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

3 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Steeve Roy commented  ·   ·  Flag as inappropriate

    Is there any progress on this? We also have some restriction that prevent us to create RunAs account...

  • Eric Torbenson commented  ·   ·  Flag as inappropriate

    Another reason for supporting this is that some environments lock down the creation of service principals. When you do that in AAD, you need to be a global admin in the AAD tenant, which most organizations won't allow developers/engineers to have.

    If we had an easy way to reuse a service principal that was created when our subscription was created, or even have a script we can give to our AD global admins to run, this would encourage the use of Azure Automation.

Automation: Role Based Access Control

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice