How do "MS-SR-Update-MobilityServiceForA2AVirtualMachines" jobs get updated to use managed identities?
When a recovery services vault has been configured to hold ASR-replicated VMs, Site Recovery leverages an automation account to manage Site Recovery extensions on all your replicated items and keeps them up-to-date, as seen here:
This job, inside the linked automation account, runs every 24 hours, as seen here:
However, the job itself is not made visible in the list of runbooks, as seen here:
But it can be seen in the job output that these jobs require a RunAs account in the automation account, as seen here:
My issue/question is: How do these critically important jobs, which fail without a RunAs account, get converted to using system managed identities? No information is provided on this page or any other. It almost seems that perhaps this aspect of RunAs accounts being deprecated was not considered or accounted for.
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: 3eedb810-487f-bc9c-89f5-d5fdbcc5d796
- Version Independent ID: 329e9ec7-d9ea-518b-625b-d39880365e80
- Content: Migrate from a Run As account to a managed identity
- Content Source: articles/automation/migrate-run-as-accounts-managed-identity.md
- Service: automation
- Sub-service: process-automation
- GitHub Login: @SnehaSudhirG
- Microsoft Alias: sudhirsneha
@davidsandbrand Thanks for your feedback! We will investigate and update as appropriate.
@davidsandbrand, thank you for reporting this. I am reaching out to the respective teams regarding this query and will get back to you soon.
These runbooks are like system runbooks hidden from end user view in Azure Automation Account. Therefore, I have reached out to the ASR team for getting clarification on timeline when these will be migrated to managed identity.
Hey @davidsandbrand, we are working on the migration plan for the same. A manual way with a script will be available sometime this month, and a single-click way to do the same will be available by end of April. Would request you to please bear with us until then.
Guys, please could you advise if the manual script is available yet?
What is the update here please @rishjai-msft ?
@AnuragSingh-MSFT removed the 'escalated-product-team' tag and closed this ticket almost 3 months ago, without answering any questions or linking to any solutions, and this issue still exists.
'we are working on this' is not a solution.
@rishjai-msft, where is this manual script that you said would be available "sometime this month" - a month that ended almost 9 weeks ago?
I missed that this was closed, at the time it was closed, and if it's not obvious, I'm pissed-off. How does this ticket get reopened, and escalated?
This isn't one customer having unrealistic expectations or demands; This issue will affect millions of Azure users.
Please respond @Naveenommi-MSFT , @rishjai-msft , and @AnuragSingh-MSFT .
Hi folks,
We are in the process of deploying the feature, which would be available in 2 weeks' time. Meanwhile if you'd like to do it manually, please follow the following steps: ASR - Migrate authentication type of automation accounts to Managed Identity.pdf
Ran through this process @rishjai-msft - doesn't seem to work.
Disable Job Successful:
Enable Job Successful:
Following day, still using RunAsAccount
I'm just going to leave this here through complete frustration, and would welcome other peoples' opinions.
I initially responded to the Microsoft "Migrate your runbooks to managed identities " email by trying unsuccessfully to follow the instructions on the Learn portal. Our entire Site Recovery Services infrastructure depends on this working, so we opened a premium support ticket via our CSP.
They agreed that the documentation was inadequate, and we worked together to migrate as required.
Then we get the same error as the OP above along with multiple Site Recovery failures, and once again the CSP steps to assist. They tell me that you knew all along it wouldn't work and the automated patch won't be ready for 2 weeks.
While at the same time you kindly inform us of your 9% price increase for UK customers.
There truly are no words to describe this. No amount of cups of tea are going to work for me here.
To be fair I doubt it was the ASR product group that have increased prices but what does frustrate me is they send out notifications about RunAsAccount retirements ahead of core ASR functionality not being supported by this change and you can guarantee the date for these retirements will be pushed out the further we get to September anyway.
@Naveenommi-MSFT , @rishjai-msft , and @AnuragSingh-MSFT . please reopen this ticket. This issue is not solved, and if a solution is released in 2 weeks, the ticket can be closed then.
If unwilling to reopen, please point me to the process of filing formal complaints against Microsoft employees/contractors.
@davidsandbrand, I am sorry for the inconvenience for this issue. I have reopened it and will work with the team for its resolution.
We have fixed the issue by updating the script. This was due to an incorrect API version. Please retry the steps in the same doc again. I'm sorry for the trouble here.
https://github.com/MicrosoftDocs/azure-docs/files/10895175/ASR.-.Migrate.authentication.type.of.automation.accounts.to.Managed.Identity.pdf
I acknowledge that it could've been better handled from Microsoft's end, where the deprecation and migration path could've come in sooner than it is coming. We want you to know that we commit to taking this instance as feedback and improving on it.
@davidsandbrand @birdnathan @ThinkElevenDave @silverl @Deland01 I'd like to speak with each of you to better understand your ASR experience which will be an input to our semester planning. Please drop me a note at [email protected] and we can take it ahead from there.
Thanks, Rishabh
Worked for me @rishjai-msft. Thanks!
Hi @rishjai-msft. Are there PowerShell or AZ CLI commands to get the Automation account used by each Recovery Services vault, or the other way around? We have a lot of Recovery Services vaults, and it will be a hassle to map each one to the correct automation account and add the needed role. We hope we can script as much as possible.

[Update] I guess such commands are not available. So for anyone interested: using the "UpdateAutomationAccount.ps1" provided by MS as a template, I have modified it to be able to make an inventory of the Recovery Services vaults' mapping to Automation Accounts and Schedules. GetRecoveryServiceVaultToAutomationAccountMapping.ps1

You just have to:
- Add the script as a 5.1 powershell Runbook
- In the Automation account hosting this inventory runbook, Add Az.Accounts & Az.RecoveryServices modules under the shared resources modules
- The Runbook will be using System Assigned Identity, so make sure you have enabled it and given it the roles necessary to read all subscriptions.
- The Script will make a very primitive csv output with all details
> Hi folks,
> We are in the process of deploying the feature, which would be available in 2 weeks' time. Meanwhile if you'd like to do it manually, please follow the following steps: ASR - Migrate authentication type of automation accounts to Managed Identity.pdf
Has the feature been released yesterday (March 20th), as 2 weeks have passed?
@horvatal, the deployment is expected to be completed by March 27th, based on the current update.
@AnuragSingh-MSFT thanks for the deployment date. The feature is coming at the right moment, if the creation of Run-as-accounts will not work after 1. of April ;-) https://learn.microsoft.com/en-us/azure/automation/automation-managed-identity-faq#:~:text=starting%2001%20April%202023%2C%20creation%20of%20new%20Run%20As%20accounts%20in%20Azure%20Automation%20will%20not%20be%20possible
Is it correct, that after this release no manual hacking of the Automation Account scheduler is needed anymore, and the integration will work out of the box? So I have only to create role assignments to the system assigned Managed Identity to grant the access rights for the Automation Account?
@horvatal - After this release, just a single click operation will migrate the authentication types of your existing automation account in use. Also, any new enable replications will by default use system assigned managed identities as the authentication type.
@AnuragSingh-MSFT, given the past commitments of "A manual way with a script will be available sometime this month" that was over 70 days late (and didn't work when 1st provided), and already missing the "We are in the process of deploying the feature, which would be available in 2 weeks' time" - you are not filling me with confidence.
I hope to be proven wrong, but history would indicate this is yet another empty promise meant to simply stop your customers from asking about this feature which should have already been ready when this announcement was made over 4 months ago.
But sure, let's wait one more business day and see if everything is provisioned and functional; One more day seems like a reasonable promise here, with no preview being offered to those of us that are the most vocal; Leaving a 5-day cushion for one of the most significant parts of one of the most foundational services in Azure...
smh.
Hey @davidsandbrand , the last quarter has been a bit turbulent for us due to an Azure region outage and a few other livesite incidents, which led us to push our timelines of the feature ahead. We did intend to stay on track, but some surprises threw us off-track :) Feedback taken - sticking with our communicated timelines is of utmost importance to keep our customers happy!
The feature is deployed as I write this, however, the announcement and updates shall go out in PST morning. I decided to go ahead without a preview because adding a preview would push the general availability (GA) by another couple of weeks. Given the scope of the feature, directly going to GA was the right path.
We do have a few private previews coming up for ASR, please let me know if you'd like to enroll for any of them:
- Shared Disks DR (For Windows Server Failover Clusters on Azure) - April end
- Converged BCDR for Trusted Launch enabled VMs on Azure - Sep end
@davidsandbrand, the announcement went out yesterday about this - Generally available: Migrate from a Run As account to Managed Identities using Azure Site Recovery Hope that you were able to use the feature for migrating to Managed Identity. Please let us know if you have any questions, else we will close this issue out. Thank you all for your continuous feedback and help.
@AnuragSingh-MSFT , The option you guys rolled out is not visible on our tenant:
Hey @deepdarshansingrodia - This means you're already leveraging Managed Identities as an authentication type for your automation account. Please verify the same and let us know otherwise :)
Thanks, Rishabh
Hi @rishjai-msft Thanks for your comment, it means I can go ahead and de-associate my Run as Account directly and no more changes required? 2 weeks ago when I tried to do so my jobs started failing.
> Hi @rishjai-msft Thanks for your comment, it means I can go ahead and de-associate my Run as Account directly and no more changes required? 2 weeks ago when I tried to do so my jobs started failing.
Let me know if you need a screen grab please to demonstrate how things are currently configured. Rishabh's reply seems to contradict what we saw in the portal.
Any update here @rishjai-msft ?
> Hey @deepdarshansingrodia - This means you're already leveraging Managed Identities as an authentication type for your automation account. Please verify the same and let us know otherwise :)
> Thanks, Rishabh
@deepdarshansingrodia is our premium MS support engineer trying to get some facts. In addition to his screen grab, we are definitely not leveraging Managed Identities. I am happy to speak on a call as you previously mentioned if you can schedule with @deepdarshansingrodia.
@ThinkElevenDave @deepdarshansingrodia - Please try toggling the following button. After this, next day onward it should use System Assigned Identity.
@ThinkElevenDave @deepdarshansingrodia, I hope the solution provided by rishjai-msft helped, and you were able to successfully migrate the auth from RunAs account to ManagedIdentity.
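An added example, not part of the thread and not Microsoft's migration script: a read-only PowerShell audit for the "please verify" question above, listing for each Automation account in the current subscription whether a Run As connection still exists, whether a system-assigned identity is enabled, and which roles that identity holds. It assumes the Az.Accounts, Az.Automation and Az.Resources modules, a signed-in context, and the default Run As connection name `AzureRunAsConnection`; it inspects only the Automation account and does not read or change the authentication type Site Recovery has stored for the vault.

```powershell
# Added example: read-only audit of Run As vs. managed identity per Automation account.
# Assumes Connect-AzAccount has been run and the target subscription is selected.
$report = foreach ($item in Get-AzAutomationAccount) {
    # Re-read each account individually so the Identity property is populated.
    $aa = Get-AzAutomationAccount -ResourceGroupName $item.ResourceGroupName `
                                  -Name $item.AutomationAccountName

    # A Run As account is stored as a connection asset; this is its default name.
    $runAs = Get-AzAutomationConnection -ResourceGroupName $aa.ResourceGroupName `
                 -AutomationAccountName $aa.AutomationAccountName `
                 -Name 'AzureRunAsConnection' -ErrorAction SilentlyContinue

    # PrincipalId is empty when no system-assigned identity is enabled.
    $principalId = $aa.Identity.PrincipalId
    $roles = @()
    if ($principalId) {
        # An identity with no role assignments cannot act on any resource.
        $roles = @(Get-AzRoleAssignment -ObjectId $principalId |
            ForEach-Object { '{0} @ {1}' -f $_.RoleDefinitionName, $_.Scope })
    }

    $state = if ($runAs -and -not $principalId)  { 'RunAsOnly' }
             elseif ($runAs -and $principalId)   { 'RunAsAndManagedIdentity' }
             elseif ($principalId)               { 'ManagedIdentityOnly' }
             else                                { 'NoIdentityConfigured' }

    [pscustomobject]@{
        AutomationAccount = $aa.AutomationAccountName
        ResourceGroup     = $aa.ResourceGroupName
        State             = $state
        IdentityRoles     = if ($roles.Count) { $roles -join '; ' } else { '(none)' }
    }
}

# Accounts still depending on Run As, or with an identity that has no roles, sort first.
$report | Sort-Object State -Descending | Format-Table -AutoSize -Wrap
```

An account reported as `ManagedIdentityOnly` with `(none)` under `IdentityRoles` is the case to check before removing a Run As account, since the identity exists but has not been granted access to anything.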