Azure Automation delivers a cloud-based automation and configuration service that provides consistent management across your Azure and non-Azure environments. It consists of process automation, update management, and configuration features. Azure Automation provides complete control during deployment, operations, and decommissioning of workloads and resources.
Run As accounts in Azure Automation are used to provide authentication for managing resources in Azure with the Azure cmdlets. When you create a Run As account, it creates a new service principal user in Azure Active Directory and assigns the Contributor role to this user at the subscription level.
If you get an "Insufficient privileges" error when creating the Run As account, check the following two settings to resolve the issue.
To create or update a Run As account, you must have specific privileges and permissions. A Global Administrator/Co-Administrator can complete all the tasks. In a situation where you have separation of duties, the permission table from Microsoft lists the permissions required for each task. The two roles "Application Developer" and "Application Administrator" must be assigned to the user who creates the Run As account.
As a result, the first way to resolve the Run As account creation error is to assign both the "Application Developer" and "Application Administrator" roles to the user who will create the Azure Automation account. I would consider this the preferred way.
The second way is to check whether the user has permission to register applications. Go to Azure Active Directory -> User settings and check that the "App registrations" setting is set to "Yes". If it is not, the user will NOT be able to create the Run As account.
If a Global Administrator enables this setting, the user should be able to create the Run As account without issue. Since this is a tenant-level configuration and a Global Administrator may not want to enable it for all users, the first method is probably the better option.
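The two checks above can be scripted so that an administrator can see, for a given user, which of the two conditions is satisfied before the user tries to create the Run As account. The script below is an added example written for this post, not code from Microsoft or from the original article. It assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph module) is installed and that the caller can read directory roles and the tenant authorization policy; the role display names "Application Developer", "Application Administrator" and "Global Administrator" are the built-in Azure AD role names, and the tenant-wide "App registrations" switch is read from the authorization policy's AllowedToCreateApps value, which is what the portal setting maps to.

```powershell
# Added example (not from the original post): report whether a user meets either
# prerequisite for creating an Azure Automation Run As account.
# Assumptions: Microsoft.Graph module installed; caller has the listed scopes.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName
)

Connect-MgGraph -Scopes "User.Read.All", "RoleManagement.Read.Directory", "Policy.Read.All" | Out-Null

# Built-in Azure AD roles named in the post as sufficient for the task.
$requiredRoles = @("Application Developer", "Application Administrator")

$user = Get-MgUser -UserId $UserPrincipalName

# Everything the user is a member of; keep only activated directory roles.
$memberOf  = Get-MgUserMemberOf -UserId $user.Id -All
$roleNames = $memberOf |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }

$isGlobalAdmin = $roleNames -contains "Global Administrator"
$missingRoles  = @($requiredRoles | Where-Object { $roleNames -notcontains $_ })

# Tenant-wide "Users can register applications" switch
# (portal: Azure Active Directory -> User settings -> App registrations).
$policy = Get-MgPolicyAuthorizationPolicy
$usersCanRegisterApps = [bool]$policy.DefaultUserRolePermissions.AllowedToCreateApps

[pscustomobject]@{
    User                  = $UserPrincipalName
    IsGlobalAdministrator = $isGlobalAdmin
    AssignedRoles         = ($roleNames -join ', ')
    MissingRoles          = ($missingRoles -join ', ')
    UsersCanRegisterApps  = $usersCanRegisterApps
    # First method: both roles (or Global Administrator). Second method: tenant switch on.
    CanCreateRunAsAccount = $isGlobalAdmin -or ($missingRoles.Count -eq 0) -or $usersCanRegisterApps
}

Disconnect-MgGraph | Out-Null
```

Run it as `.\Check-RunAsPrereqs.ps1 -UserPrincipalName user@contoso.com` (file name and UPN are placeholders). A result with `MissingRoles` empty means the first, scoped method already applies; `UsersCanRegisterApps` being true means the tenant-wide second method is what currently makes creation possible, which is the case a Global Administrator may prefer to replace with the two role assignments.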