diff --git a/internal/services/automation/automation_account_resource.go b/internal/services/automation/automation_account_resource.go index 8449ea619f2e..cddc732661d6 100644 --- a/internal/services/automation/automation_account_resource.go +++ b/internal/services/automation/automation_account_resource.go @@ -5,6 +5,7 @@ import ( "log" "time" + "github.com/hashicorp/go-azure-helpers/lang/pointer" "github.com/hashicorp/go-azure-helpers/lang/response" "github.com/hashicorp/go-azure-helpers/resourcemanager/commonids" "github.com/hashicorp/go-azure-helpers/resourcemanager/commonschema" @@ -75,9 +76,10 @@ func resourceAutomationAccount() *pluginsdk.Resource { }, "key_source": { - Type: pluginsdk.TypeString, - Optional: true, - Computed: true, + Type: pluginsdk.TypeString, + Optional: true, + Computed: true, + Deprecated: "`key_source` can inferred from if `key_vault_key_id` set", ValidateFunc: validation.StringInSlice( automationaccount.PossibleValuesForEncryptionKeySourceType(), false, @@ -86,7 +88,7 @@ func resourceAutomationAccount() *pluginsdk.Resource { "key_vault_key_id": { Type: pluginsdk.TypeString, - Required: true, + Optional: true, ValidateFunc: keyVaultValidate.NestedItemIdWithOptionalVersion, }, }, 
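Review bot: The `Deprecated` message added on `key_source` is ungrammatical and does not say what a user should do; suggest `Deprecated: "`key_source` is deprecated and will be removed in a future version; it is now inferred from whether `key_vault_key_id` is set",`. The attribute stays Optional and Computed, so existing configs keep passing a value that, as far as the resource code in this commit shows, is no longer read when building the request — a practitioner who sets `key_source = "Microsoft.Keyvault"` but omits the now-Optional `key_vault_key_id` (next hunk) will get no schema-level signal that the value has no effect. If that combination is meant to be rejected, the schema cannot express "Keyvault requires key_vault_key_id" and the check belongs in the expand path instead.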
@@ -366,29 +368,33 @@ func resourceAutomationAccountDelete(d *pluginsdk.ResourceData, meta interface{} } func expandEncryption(encMap map[string]interface{}) (*automationaccount.EncryptionProperties, error) { - var id interface{} - id, ok := encMap["user_assigned_identity_id"].(string) - if !ok { - return nil, fmt.Errorf("read encryption user identity id error") - } prop := &automationaccount.EncryptionProperties{ - Identity: &automationaccount.EncryptionPropertiesIdentity{ - UserAssignedIdentity: &id, - }, - } - if val, ok := encMap["key_source"].(string); ok && val != "" { - prop.KeySource = (*automationaccount.EncryptionKeySourceType)(&val) + Identity: &automationaccount.EncryptionPropertiesIdentity{}, + } + idObject, ok := encMap["user_assigned_identity_id"] + if ok { + if idStr, ok := idObject.(string); !ok { + return nil, fmt.Errorf("read encryption user identity id error") + } else if idStr != "" { + var id interface{} = idStr + prop.Identity.UserAssignedIdentity = &id + } } + if keyIdStr := encMap["key_vault_key_id"].(string); keyIdStr != "" { keyId, err := keyVaultParse.ParseOptionallyVersionedNestedItemID(keyIdStr) if err != nil { return nil, err } + + prop.KeySource = pointer.To(automationaccount.EncryptionKeySourceTypeMicrosoftPointKeyvault) prop.KeyVaultProperties = &automationaccount.KeyVaultProperties{ KeyName: utils.String(keyId.Name), KeyVersion: utils.String(keyId.Version), KeyvaultUri: utils.String(keyId.KeyVaultBaseUrl), } + } else { + prop.KeySource = pointer.To(automationaccount.EncryptionKeySourceTypeMicrosoftPointAutomation) } return prop, nil } diff --git a/internal/services/automation/automation_account_resource_test.go b/internal/services/automation/automation_account_resource_test.go index e2b47ed4735b..b1271cada010 100644 --- a/internal/services/automation/automation_account_resource_test.go +++ b/internal/services/automation/automation_account_resource_test.go 
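Review bot: In the new expandEncryption the user-supplied `key_source` value is never consulted, so a config that sets `key_source = "Microsoft.Keyvault"` with an empty `key_vault_key_id` silently falls through to the `else` branch and the account is created with `Microsoft.Automation` (platform-managed keys) rather than failing — the declared encryption posture and the applied one diverge without an error. Before the `if keyIdStr := ...` line add `if ks, _ := encMap["key_source"].(string); ks == string(automationaccount.EncryptionKeySourceTypeMicrosoftPointKeyvault) && encMap["key_vault_key_id"].(string) == "" { return nil, fmt.Errorf("`key_source` is `Microsoft.Keyvault` but `key_vault_key_id` is not set") }` so the mismatch is caught at apply time. Separately, the identity is now an empty `EncryptionPropertiesIdentity{}` when `user_assigned_identity_id` is omitted while a key vault key is set; whether the service accepts a customer-managed key without an identity is not visible here and is worth confirming or documenting on the function. The whole of expandEncryption is within this hunk.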
@@ -76,14 +76,26 @@ func TestAccAutomationAccount_encryption(t *testing.T) { data.ResourceTest(t, r, []acceptance.TestStep{ { - Config: r.encryption(data), + Config: r.encryptionBasic(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + check.That(data.ResourceName).Key("encryption.0.key_source").HasValue("Microsoft.Automation"), + ), + }, + { + Config: r.encryptionKeyVault(data), Check: acceptance.ComposeTestCheckFunc( check.That(data.ResourceName).ExistsInAzure(r), - check.That(data.ResourceName).Key("sku_name").HasValue("Basic"), - check.That(data.ResourceName).Key("local_authentication_enabled").HasValue("false"), check.That(data.ResourceName).Key("encryption.0.key_source").HasValue("Microsoft.Keyvault"), ), }, + { + Config: r.encryptionBasic(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + check.That(data.ResourceName).Key("encryption.0.key_source").HasValue("Microsoft.Automation"), + ), + }, data.ImportStep(), }) } @@ -275,7 +287,7 @@ resource "azurerm_automation_account" "test" { `, data.RandomInteger, data.Locations.Primary) } -func (AutomationAccountResource) encryption(data acceptance.TestData) string { +func (AutomationAccountResource) encryptionTemplate(data acceptance.TestData, encrypt string) string { return fmt.Sprintf(` provider "azurerm" { features { @@ -323,6 +335,7 @@ resource "azurerm_key_vault" "test" { "List", "Delete", "Purge", + "GetRotationPolicy", ] secret_permissions = [ 
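Review bot: The new steps assert `key_source` across the Automation → Keyvault → Automation transitions, but no step sets `key_vault_key_id` without also setting `key_source`, so the inference this commit introduces (key_source derived from key_vault_key_id) is never exercised by the acceptance test; the Keyvault step in the later hunk still passes the deprecated attribute explicitly. Consider adding a config that sets only `user_assigned_identity_id` and `key_vault_key_id` and asserting `encryption.0.key_source` is `Microsoft.Keyvault`. The added `"GetRotationPolicy"` key permission in the third hunk is unrelated to the encryption change and deserves a one-line comment in the template saying which resource needs it.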
@@ -383,13 +396,26 @@ resource "azurerm_automation_account" "test" { local_authentication_enabled = false + %[3]s +} +`, data.RandomInteger, data.Locations.Primary, encrypt) +} + +func (a AutomationAccountResource) encryptionBasic(data acceptance.TestData) string { + return a.encryptionTemplate(data, ` + encryption { + } +`) +} + +func (a AutomationAccountResource) encryptionKeyVault(data acceptance.TestData) string { + return a.encryptionTemplate(data, ` encryption { key_source = "Microsoft.Keyvault" user_assigned_identity_id = azurerm_user_assigned_identity.test.id key_vault_key_id = azurerm_key_vault_key.test.id } -} -`, data.RandomInteger, data.Locations.Primary) +`) } func (AutomationAccountResource) userAssignedIdentity(data acceptance.TestData) string { diff --git a/website/docs/r/automation_account.html.markdown b/website/docs/r/automation_account.html.markdown index a4baf617ae5d..8455dd7216f0 100644 --- a/website/docs/r/automation_account.html.markdown +++ b/website/docs/r/automation_account.html.markdown @@ -52,7 +52,7 @@ The following arguments are supported: * `tags` - (Optional) A mapping of tags to assign to the resource. -* `encryption` - (Optional) An `encryption` block as defined below. +* `encryption` - (Optional) An `encryption` block as defined below. set as an empty block for `Microsoft.Automation` kind of encryption. --- 
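Review bot: `encryptionBasic` feeds an entirely empty `encryption {}` block; with this SDK an empty nested block whose attributes are all optional can surface on the read side as a nil list element rather than an empty map, and if the code that calls expandEncryption (outside this diff) indexes `[0].(map[string]interface{})` without a nil guard, this test would fail with a panic rather than a clean error — worth confirming the caller tolerates a nil element. A short comment on `encryptionBasic`, e.g. `// encryptionBasic requests platform-managed keys via an empty encryption block.`, would also make the intent of the empty block obvious to the next reader. The `encryptionTemplate` function begins before this hunk.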
@@ -70,9 +70,9 @@ An `encryption` block supports the following: * `user_assigned_identity_id` - (Optional) The User Assigned Managed Identity ID to be used for accessing the Customer Managed Key for encryption. -* `key_source` - (Optional) The source of the encryption key. Possible values are `Microsoft.Automation` and `Microsoft.Keyvault`. +* `key_source` - (Optional **Deprecated**) The source of the encryption key. Possible values are `Microsoft.Automation` and `Microsoft.Keyvault`. This field will be set to `Microsoft.Keyvault` when `key_vault_key_id` is set. otherwise it will be `Microsoft.Automation`. -* `key_vault_key_id` - (Required) The ID of the Key Vault Key which should be used to Encrypt the data in this Automation Account. +* `key_vault_key_id` - (Optional) The ID of the Key Vault Key which should be used to Encrypt the data in this Automation Account. ---