2
Add the feature of RunAs credentials. When using A2mator for multiple applications like AD, VMware etc., it would be great to have the opportunity to run each service with different accounts, to limit access to each application.
In Azure Automation, you can make use of the so-called “system-assigned Managed Identity”: an SP managed by Microsoft and assigned to the Azure resource itself (the Azure Automation account).
Then you can create an Azure Key Vault and grant the system-assigned Managed Identity (MI) Reader (access policy) access, so that the MI is able to get/list secrets stored in your Azure Key Vault, e.g. Enterprise Apps (App Registrations) with AppId and CertificateThumbprint / Client Secret. Thereby you can split the API permissions into several apps, which then hold the necessary permissions.
Advantage:
The MI only needs permissions to Azure Key Vault. No maintenance of secrets needed. Permissions spread over several Enterprise Apps.
For further reference see:
Microsoft Docs:
https://docs.microsoft.com/en-us/azure/automation/enable-managed-identity-for-automation
and this blog post:
https://baswijdenes.com/how-to-use-key-vault-secrets-in-azure-automation-powershell/
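The pattern described in the comment above, written out as an added example (it is not code from this thread, from A2mator, or from the linked blog post). It assumes an Automation account with the system-assigned MI enabled, a Key Vault whose name, secret names and Automation certificate asset name are placeholders invented here, and the Az.Accounts, Az.KeyVault and Microsoft.Graph.Authentication modules imported into the Automation account. The first part is the one-time grant an administrator runs; the second part is the runbook body, which reads the per-application identity from Key Vault and signs in to Microsoft Graph as that dedicated app registration, so the Automation account itself never holds API permissions.

```powershell
# ---------------------------------------------------------------------------
# Part 1: one-time setup, run by an administrator (NOT inside the runbook).
# Placeholders: 'aa-example' (Automation account), 'kv-automation-example' (Key Vault).
# ---------------------------------------------------------------------------
# The system-assigned MI shows up as a service principal named after the account.
$mi = Get-AzADServicePrincipal -DisplayName 'aa-example'

# Least privilege: the MI only needs to read secrets. 'get' is mandatory;
# 'list' is only needed if the runbook enumerates secrets rather than naming them.
Set-AzKeyVaultAccessPolicy -VaultName 'kv-automation-example' `
    -ObjectId $mi.Id `
    -PermissionsToSecrets get, list

# ---------------------------------------------------------------------------
# Part 2: runbook body.
# Secrets assumed to exist in the vault (constructed names):
#   'TenantId', 'GraphApp-AppId', 'GraphApp-CertThumbprint'
# Certificate assumed to be uploaded as the Automation certificate asset 'GraphAppCert'.
# ---------------------------------------------------------------------------
$ErrorActionPreference = 'Stop'

# Do not persist the Az context to disk inside the sandbox; keep it process-scoped.
Disable-AzContextAutosave -Scope Process | Out-Null

# Authenticate as the Automation account's own identity: no stored credential anywhere.
$null = Connect-AzAccount -Identity

$vault = 'kv-automation-example'

function Get-RequiredSecret {
    # Read one named secret as plain text and fail loudly if it is missing,
    # rather than silently passing $null into a sign-in call.
    param([string]$VaultName, [string]$Name)
    $value = Get-AzKeyVaultSecret -VaultName $VaultName -Name $Name -AsPlainText
    if ([string]::IsNullOrWhiteSpace($value)) {
        throw "Secret '$Name' not found or empty in vault '$VaultName'."
    }
    return $value
}

$tenantId   = Get-RequiredSecret -VaultName $vault -Name 'TenantId'
$appId      = Get-RequiredSecret -VaultName $vault -Name 'GraphApp-AppId'
$thumbprint = Get-RequiredSecret -VaultName $vault -Name 'GraphApp-CertThumbprint'

# The private key lives in the Automation certificate asset, not in Key Vault.
# Cross-check its thumbprint against the one recorded in the vault so that a
# rotated or swapped certificate is detected before any sign-in attempt.
$cert = Get-AutomationCertificate -Name 'GraphAppCert'
if ($cert.Thumbprint -ne $thumbprint) {
    throw "Certificate asset thumbprint $($cert.Thumbprint) does not match vault value $thumbprint."
}

# Sign in to Graph as the dedicated app registration for this workload. A second
# runbook (e.g. for another service) would read a different AppId/cert pair from
# the same vault, which is how permissions are split across several apps.
Connect-MgGraph -ClientId $appId -TenantId $tenantId -Certificate $cert -NoWelcome

# ... application-specific work goes here ...

# Drop the Graph session so the sandbox holds no live token longer than needed.
Disconnect-MgGraph | Out-Null
```

If the Key Vault uses the RBAC permission model instead of access policies, the equivalent of the `get`/`list` grant in Part 1 is assigning the MI the built-in "Key Vault Secrets User" role on the vault; the runbook body is unchanged.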