A colleague sent this Microsoft notification around about RunAs accounts retiring later this year. I don’t use them (having switched to Managed Identities a while ago) but I was curious if anyone else is using these.
Came up with this bit of PowerShell to find such accounts.
```powershell
# Authenticate with Azure
Connect-AzAccount
Set-AzContext -SubscriptionName "**replace**"

# Get a list of all Azure Automation accounts in your subscription
$automationAccounts = Get-AzAutomationAccount

# Loop through each automation account
foreach ($automationAccount in $automationAccounts) {
    # Get the Run As connections associated with the automation account
    $runAsConnections = Get-AzAutomationConnection `
        -ResourceGroupName $automationAccount.ResourceGroupName `
        -AutomationAccountName $automationAccount.AutomationAccountName

    # Join all the Run As connection names together and see if it contains the word "RunAs"
    # Examples: AzureClassicRunAsConnection & AzureRunAsConnection
    if ($runAsConnections.Name -join ',' -match 'RunAs') {
        Write-Host "$($automationAccount.AutomationAccountName)"
    }
}
```
I found a bunch of results in our case but it turns out that even though they had the RunAs account, it wasn’t actually in use (the certs had expired a long time ago, for instance). Wonder if there’s some way of also getting the RunAs certificate and checking its date… though I can’t be bothered with it. :)
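
One way to do the certificate check wondered about above, as an added example that is not part of the original post. It assumes the Az.Automation module, an authenticated session as in the script above, and that the Run As certificate assets have "RunAs" in their names like the connections do (the function name `Get-RunAsCertificateStatus` is made up for this example):

```powershell
# Added example: report the expiry of Run As certificate assets per Automation account.
# Assumes Connect-AzAccount / Set-AzContext have already been run.
function Get-RunAsCertificateStatus {
    param(
        # Reference date for the "expired" test; defaults to now
        [datetime]$AsOf = (Get-Date)
    )

    foreach ($account in Get-AzAutomationAccount) {
        $scope = @{
            ResourceGroupName     = $account.ResourceGroupName
            AutomationAccountName = $account.AutomationAccountName
        }

        # Certificate assets in the account whose name contains "RunAs"
        # (assumption: named like the connections, e.g. AzureRunAsCertificate)
        $certs = Get-AzAutomationCertificate @scope |
            Where-Object { $_.Name -match 'RunAs' }

        foreach ($cert in $certs) {
            # Normalise to UTC so the comparison is independent of local time zone
            $expiryUtc = ([datetimeoffset]$cert.ExpiryTime).UtcDateTime

            [pscustomobject]@{
                AutomationAccount = $account.AutomationAccountName
                ResourceGroup     = $account.ResourceGroupName
                Certificate       = $cert.Name
                Thumbprint        = $cert.Thumbprint
                ExpiresUtc        = $expiryUtc
                Expired           = $expiryUtc -lt $AsOf.ToUniversalTime()
            }
        }
    }
}

# Accounts with Expired = False still have a usable Run As credential
Get-RunAsCertificateStatus |
    Sort-Object ExpiresUtc |
    Format-Table -AutoSize
```

Accounts that show up in the first script but return no rows here have a Run As connection without a matching certificate asset, which is another sign the Run As account is not in use.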