In this blog post I will describe an easy way to roll over the credentials stored in your Azure Automation account's credential store. In this example we use a Global Admin account. When you set up service accounts you should always use “least privilege permissions”. This can be combined with Administrative Units, or even a model in which all automation accounts are managed from a secured central administration together with Conditional Access.

To keep the example easy we just add a runbook to our automation account and call it “Rollover-Credentials”. We need to import three modules into the Automation Account:

  • Az.Accounts
  • Az.Automation
  • AzureADPreview

#Get the credential asset that the runbook itself signs in with
$cred = Get-AutomationPSCredential -Name "<Credential Name>"

#Connect to Azure AD
Connect-AzureAD -Credential $cred

#Connect to Azure (Az)
Connect-AzAccount -Credential $cred

#Generate a password: 128 characters (the maximum GeneratePassword allows) with at least 2 non-alphanumeric characters
Add-Type -AssemblyName System.Web
$PasswordLength = 128
$Password = [System.Web.Security.Membership]::GeneratePassword($PasswordLength, 2)
$AccountPassword = ConvertTo-SecureString -String $Password -AsPlainText -Force

#Update the password of the service account in Azure AD
#Stop on failure: if the reset did not happen, the stored credential must not be overwritten
try {
    Set-AzureADUserPassword -ObjectId "<ObjectID of Automation Account>" -Password $AccountPassword -ErrorAction Stop
}
catch {
    Write-Output "An error occurred while resetting the Azure AD password:"
    Write-Output $_
    throw
}

#Update the credential asset in the Automation Account so the next run signs in with the new password
#(-ErrorAction Stop is needed, otherwise a failed update never reaches the catch block)
$User = "<UPN of Account>"
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $AccountPassword
try {
    Set-AzAutomationCredential -AutomationAccountName "O365-Automation" -Name "Azure Admin" -ResourceGroupName "Automation-RG" -Value $Credential -ErrorAction Stop
}
catch {
    Write-Output "An error occurred while updating the credential asset (the stored password is now out of sync with Azure AD):"
    Write-Output $_
    throw
}

We can now schedule the runbook to run as often as we want the password rotated. Of course we could add reporting functionality as well, but the script is kept simple so you can add your own touch to it =).
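As an added example (not part of the original post), this is how the scheduling and a minimal bit of reporting can be done from an administrator's PowerShell session with the Az.Automation module: it creates a recurring schedule, links the runbook to it, and inspects the outcome of the most recent job. It assumes the resource group and automation account names used above; the schedule name is chosen for this example.

```powershell
# Added example: schedule the Rollover-Credentials runbook and check its last job.
# Assumes the names from the post; the schedule name is made up for this example.
$ResourceGroup  = "Automation-RG"
$AutomationAcct = "O365-Automation"
$RunbookName    = "Rollover-Credentials"
$ScheduleName   = "Rollover-Credentials-Every30Days"

Connect-AzAccount   # interactive sign-in of the administrator running this once

# Recurring schedule: first run tomorrow at 02:00 UTC, then every 30 days
$start = (Get-Date).Date.AddDays(1).AddHours(2)
$schedule = New-AzAutomationSchedule -ResourceGroupName $ResourceGroup `
    -AutomationAccountName $AutomationAcct -Name $ScheduleName `
    -StartTime $start -DayInterval 30 -TimeZone "UTC"

# Link the runbook to the schedule
Register-AzAutomationScheduledRunbook -ResourceGroupName $ResourceGroup `
    -AutomationAccountName $AutomationAcct -RunbookName $RunbookName `
    -ScheduleName $schedule.Name

# Minimal reporting: look at the latest job of the runbook. A rollover that did not
# complete can leave the stored credential out of sync with Azure AD, so warn loudly.
$lastJob = Get-AzAutomationJob -ResourceGroupName $ResourceGroup `
    -AutomationAccountName $AutomationAcct -RunbookName $RunbookName |
    Sort-Object StartTime -Descending | Select-Object -First 1

if ($null -eq $lastJob) {
    Write-Output "No job has run yet for $RunbookName."
}
elseif ($lastJob.Status -ne "Completed") {
    Write-Warning "Last run of $RunbookName ended with status '$($lastJob.Status)' at $($lastJob.EndTime)."
    # Pull the job streams so the error written by the runbook's catch block is visible
    Get-AzAutomationJobOutput -ResourceGroupName $ResourceGroup `
        -AutomationAccountName $AutomationAcct -Id $lastJob.JobId -Stream Any |
        Select-Object -ExpandProperty Summary
}
else {
    Write-Output "Last rollover of $RunbookName completed at $($lastJob.EndTime)."
}
```

Run the job check again after the first scheduled run; a status other than Completed means the stored credential should be verified manually before the next run.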

Regards @jlindoe