Migrate the Nerdio Update Automation Account from Run As to Managed Identity
Prior to the release of version 5.1, the Automation account used for deploying updates leveraged an Azure Run As account for authenticating to Entra ID and publishing the update package to Nerdio Manager’s app service. Azure has been transitioning away from Run As accounts, which will be retired after September 30th, 2023.
Beginning with version 5.1, Nerdio Manager now offers the ability to migrate the Nerdio Update Automation account away from Run As accounts to a managed identity. Automation accounts using a managed identity have the same functionality and capabilities for applying updates to Nerdio Manager’s app service, but no longer have a dependency on certificate authentication.
Once migrated to use the managed identity, the Automation account identity requires the Contributor role assignment on the app service resource. Nerdio Manager automatically assigns this when migrated.
It is possible to manually convert the Automation account to use managed identity. If you do, ensure the managed identity has the Contributor role assignment on Nerdio Manager’s app service. See Validate the Nerdio Update Automation Account Conversion below for details.
Note: To perform the actions outlined below, you must be signed in to Nerdio Manager with an account capable of assigning roles to the managed identity. By default, this requires either the Owner or User Access Administrator role. If the account used does not have the required permission, an error is displayed when you attempt to perform these steps.
Automation Account Conversion
Starting with version 5.1, Nerdio Manager now offers the ability to migrate the update Automation account to managed identity automatically when selecting the Deploy button to publish updates.
Once version 5.1 or later is installed, the next update deployment displays the optional conversion step.
This is a one-time task only. After the conversion to managed identity, Nerdio Manager hides the option.
If Nerdio Manager discovers the Automation account is already set to use a managed identity, it does not display the choice for conversion.
To automatically migrate the Nerdio Update Automation account:
1. In Nerdio Manager, navigate to Updates.
2. Select Deploy or Re-deploy.
3. Select Convert the existing Run-as account to a Managed Identity and then select OK.
Note: The conversion process is completed prior to starting the update deployment. A successful update process after conversion indicates that the conversion was completed successfully because the update is applied using the new managed identity.
After automatic migration, or when manually converting the Automation account to managed identity, you need to verify that the following areas are configured correctly.
To validate the conversion:
1. In the Azure portal, navigate to Automation Accounts.
2. Select the Nerdio Update Automation account.
3. Within the menu on the left-hand side, scroll down to the Account Settings section.
4. Ensure the managed identity choice is toggled On.
5. Select Azure role assignments.
6. Confirm the Automation account has the Contributor role on Nerdio’s app service.
Additionally, you can verify the role assignment from the app service side by navigating to Nerdio’s app service and opening Role Assignments. Set the filtering for Scope to This Resource and ensure the Automation account identity is displayed with the Contributor role.
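The same validation can be scripted. The following is an added example, not part of Nerdio's documentation or tooling: it reads the JSON produced by az role assignment list --assignee <principal-id> --all -o json and confirms the managed identity holds Contributor on the app service itself. It goes one step beyond the portal check by also listing any roles the identity holds at a wider scope (resource group, subscription), which are worth reviewing. The function name, resource names and IDs are assumptions constructed for illustration.

```python
import json

# Constructed sample of `az role assignment list --assignee <principal-id> --all -o json`
# output; every ID and resource name below is a placeholder, not a real value.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
APP_ID = SUB + "/resourceGroups/rg-nerdio/providers/Microsoft.Web/sites/nmw-app-example"
PRINCIPAL = "11111111-1111-1111-1111-111111111111"
SAMPLE = json.dumps([
    {"principalId": PRINCIPAL, "roleDefinitionName": "Contributor", "scope": APP_ID},
    {"principalId": PRINCIPAL, "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/RG-Nerdio"},
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "Owner", "scope": SUB},
])


def _norm(scope):
    # Azure resource IDs are case-insensitive; ignore trailing slashes too.
    return scope.rstrip("/").lower()


def validate(assignments_json, principal_id, app_service_id):
    """Return (ok, broader): ok is True when the identity holds Contributor
    exactly on the app service; broader lists roles held at ancestor scopes."""
    app = _norm(app_service_id)
    ok, broader = False, []
    for a in json.loads(assignments_json):
        if a["principalId"].lower() != principal_id.lower():
            continue  # assignment belongs to a different identity
        scope = _norm(a["scope"])
        if scope == app:
            ok = ok or a["roleDefinitionName"] == "Contributor"
        elif app.startswith(scope + "/"):
            # Resource group, subscription or root scope: wider than required.
            broader.append((a["roleDefinitionName"], a["scope"]))
    return ok, broader


if __name__ == "__main__":
    ok, broader = validate(SAMPLE, PRINCIPAL, APP_ID)
    print("Contributor on app service:", ok)
    for role, scope in broader:
        print("Review wider assignment:", role, "at", scope)
```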