Reputation: 479
Looks like 'Run-as' accounts are retired, so I am trying to use Managed Identity to establish connection to my Azure resources in a Runbook (part of Azure Automation account).
I am following the instructions here: https://learn.microsoft.com/en-us/azure/automation/add-user-assigned-identity#authenticate-access-with-user-assigned-managed-identity
Code
$azureContext = (Connect-AzAccount -Identity -Tenant $tenantId -AccountId $managedIdentityApplicationId).context # Connect to Azure with user-assigned managed identity
$connectionResult = Set-AzContext -Tenant $tenantId -Subscription $subscriptionId -DefaultProfile $azureContext
For $managedIdentityApplicationId, I am passing in the ClientId of the User-assigned Managed identity.
Error
Connect-AzAccount : ManagedIdentityCredential authentication failed: **User assigned identity is currently not supported**
clientID must not be passed in request.
Status: 400 (Bad Request)
What could I be missing here?
Upvotes: 0
Views: 2516
Reputation: 1
I wanted to clarify some points about the need for the User Access Administrator role when using a managed identity with Azure Automation Accounts, as there seems to be some confusion in the existing response.
The User Access Administrator role isn’t required for authentication: This role is only needed if the managed identity itself is required to assign RBAC roles to other Azure AD entities, such as users, groups, or service principals. For simply logging in with a managed identity using Connect-AzAccount, this role is not necessary.
I tested this scenario by assigning a User-Assigned Managed Identity to my Automation Account and successfully logged in using the following command:
Connect-AzAccount -Identity -AccountId <UserAssignedIdentityClientId>
This proves that the User Access Administrator role is not required for authentication.
The only time this role is necessary is if the managed identity needs to assign or manage RBAC roles within the Azure subscription or resource. If this functionality is not needed, the role can be omitted.
I hope this helps clarify the situation for anyone facing similar issues. If you’re still encountering problems, ensure that the managed identity has the necessary permissions (such as Contributor or Reader) for the resources it needs to access.
Upvotes: 0
Reputation: 7818
Firstly, to connect Az account using managed identities, it is possible to use system assigned as well as user assigned managed identities.
System assigned identity:
I created a new automation account and runbook. Now go to Identity under Account settings and enable System assigned as shown.
Now to make it work without errors, you need to give a permission called Automation Contributor by clicking on the Azure role assignments in the above snap.
After it's done, you will be able to connect the Az account with the identity argument as shown below.
Connect-AzAccount -Identity
Output:
User assigned identity:
Now I created a user assigned identity to connect Az account from automation runbook.
Here you need to enable the User Access Administrator role for managing user access to Azure resources.
Referring to the MSDoc provided by you, I tried to execute the below given script in my runbook and was able to perform it successfully.
Disable-AzContextAutosave -Scope Process
$context = (Connect-AzAccount -Identity -AccountId "xxx").context
$context = Set-AzContext -SubscriptionName $context.Subscription -DefaultProfile $context
write-output "context is $context"
Upvotes: 1
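The two login variants from the question and the answer above, combined into one runbook that also verifies the resulting context. This is an added example, not code from the question or either answer; the parameter names and the subscription placeholder are assumptions, and the identity is assumed to be enabled on the Automation account and to hold a role (for example Reader) on the subscription.

```powershell
# Added example: log in with either the system-assigned or a user-assigned
# managed identity of the Automation account, then confirm which principal
# and subscription the runbook is actually operating under.
param(
    # Leave empty to use the system-assigned identity; otherwise pass the
    # client ID of the user-assigned identity attached to this account.
    [string]$UserAssignedClientId = "",
    [string]$SubscriptionId = "<SUBSCRIPTION-ID-PLACEHOLDER>"   # placeholder, not a real value
)

# Keep the login scoped to this job so no context is persisted on the sandbox.
Disable-AzContextAutosave -Scope Process | Out-Null

try {
    if ([string]::IsNullOrEmpty($UserAssignedClientId)) {
        # System-assigned identity: no -AccountId is sent with the request.
        $azureContext = (Connect-AzAccount -Identity -ErrorAction Stop).context
    }
    else {
        # User-assigned identity: -AccountId carries the identity's client ID.
        $azureContext = (Connect-AzAccount -Identity -AccountId $UserAssignedClientId -ErrorAction Stop).context
    }
}
catch {
    # Fail the job rather than continuing without an Azure context.
    throw "Managed identity login failed: $($_.Exception.Message)"
}

# Pin the subscription explicitly instead of relying on the default one.
$azureContext = Set-AzContext -Subscription $SubscriptionId -DefaultProfile $azureContext -ErrorAction Stop

# Record which principal and subscription this job runs as; useful when
# reviewing job output to confirm the intended (least-privileged) identity was used.
$current = Get-AzContext
Write-Output ("Signed in as {0} on subscription {1}" -f $current.Account.Id, $current.Subscription.Id)
```

Run it once with the parameter empty and once with the user-assigned client ID to confirm both identities are attached and have the role you expect before scheduling the runbook.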