I want to update a Subscription of an Azure Event Grid Partner Topic to change the ExpirationDateTime.
To do so I'm using a PowerShell Azure Function authenticated with an App Registration on the Graph API. I'm using the Update-MgSubscription function to update the field above.
When I execute the function I get the following error message: "The app id 'appid' is not enabled for event grid subscription." where 'appid' is the id of my App Registration.
I was able to update the field with Graph Explorer but I couldn't manage to find a specific permission to do it with the App Registration. I've tried to allow the App in the IAM of the Azure Event Grid Partner Topic with no success.
Any idea?
"The app id 'appid' is not enabled for event grid subscription."
This error occurs when the App Registration you're using lacks the required permissions to update the Event Grid subscription. You will need to grant the necessary permissions to your App Registration to resolve this issue.
You mentioned that you tried to allow the App in the Azure Event Grid Partner Topic's IAM before, but it didn't work. This is due to the reason that updating the subscription requires permissions at the Azure Event Grid system level, rather than just the topic level.
To grant the necessary permissions, check below:
Select your Azure Event Grid System topic and go to Access Control (IAM) -> Add a role assignment, search for the Event Grid Contributor role and then assign it to the registered application. Now it will manage all the operations for the Event subscriptions.
I created a system topic in my subscription and added a relevant permission as shown below:
System topic:
Role Assignments:
I have over 50 Azure subscriptions under the same tenant. I have created a service principal under Azure Active Directory and granted the service principal the 'reader' role on each subscription. When I make an API call from Postman I get all subscription ids, but my concern is that I am giving 'READ' access to all my resources on different subscriptions. I want to limit this service principal so it will ONLY be able to list the subscription ids and nothing else.
I want to limit this service principal so it will ONLY be able to list the subscription ids and nothing else.
With "Reader" role, a user would be able to read all resources inside a subscription and not just subscription id.
I believe the solution to your problem is to create a custom role (let's call it SubscriptionPropertiesReader) and then give only the permission to perform read operation just at the subscription level. Based on the information provided here, I believe the permission you would want to include in this role is Microsoft.Resources/subscriptions/read.
The challenge obviously will be to create this custom role in each and every subscription and then assigning this role to your Service Principal in each subscription.
I'm trying to configure an ADF self-hosted integration runtime to be shared with another ADF in the same RG. I'm getting the following error:
(I removed the id specifics)
Error occurred when grant permission to [Object-ID]. Error: {"error":{"code":"AuthorizationFailed","message":"The client [My-Username] with object id [object-id] does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/[object-id]/resourcegroups/DataEngineering-RG/providers/Microsoft.DataFactory/factories/[Data Factory Name]/integrationRuntimes/[IR-Name]/providers/Microsoft.Authorization/roleAssignments/[Role Object ID]' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
Question- what role is required for me to be able to perform this action and at what level does that access need to be granted (eg. Subscription Level, RG level, ADF Level)?
Note: I have Azure Data Factory Contributor level access currently.
Thanks in advance
what role is required for me to be able to perform this action
You need the Owner or User Access Administrator role (other roles may work too; just check this doc and see the JSON of each role: if its actions include Microsoft.Authorization/roleAssignments/write, it will be able to do the operation).
You can also create a custom role which has Microsoft.Authorization/roleAssignments/write in its actions, it depends on your requirements.
and at what level does that access need to be granted (eg. Subscription Level, RG level, ADF Level)?
The three levels are all correct.
The RBAC role in Azure is inherited, e.g. if you assign the Owner role to your user account in the subscription, the account will also have the Owner role in all the resource groups/resources of the subscription. But if you just assign the user account in the ADF level, it will not be able to access other resources in the subscriptions.
So to fix the issue, just navigate to the ADF mentioned in the error message/RG/Subscription in the portal -> Access control (IAM) -> Add -> add your user account as e.g. an Owner role, then it will work fine.
I'm a dev. I have the WEBSITE CONTRIBUTOR role on my Azure Function that our infrastructure team created. I can't see any functions listed in my function app in the portal and this ajax request fails when I try to expand the functions list in the side nav in the Azure portal:
Request URL: https://management.azure.com/subscriptions/{{my-enterprise-subscription-id-here}}/resourceGroups/mclintdevnc-ase-rg/providers/Microsoft.Web/hostingEnvironments/mclintdevnc-aseweb?api-version=2016-09-01
Request Method: GET
Status Code: 403
The response body on this request contains this:
{"error":{"code":"AuthorizationFailed","message":"The client '{{my-organizational-username-here}}' with object id '{{my-organizationao-user-id-here}}' does not have authorization to perform action 'Microsoft.Web/hostingEnvironments/read' over scope '/subscriptions/{{my-enterprise-subscription-id-here}}/resourceGroups/mclintdevnc-ase-rg/providers/Microsoft.Web/hostingEnvironments/mclintdevnc-aseweb'."}}
So what privileges do I need on my function app to be able to do things like see the functions, enable/disable individual functions, and generate API keys for a function?
Here is the screenshot of what I'm getting:
When I deploy the same code to an Azure Function on my personal account (which I'm an administrator for) I see this:
I'm sure I won't get the administrator role in my organization's subscription, so what is the minimal set of privileges I can have so I can see my functions and perform basic configuration on them?
With Reader-level permission, you are restricted from checking the function implementations inside a function app. However, you can go to the Platform Features tab and navigate to All Settings to check all settings related to the Function App (similar to a web app), though as expected the Reader permission does not let you modify any setting.
For example, if a user is assigned the Reader role, they will not be able to view the functions within a function app. The portal will display (No access).
You can make a custom role for your use case.
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles
Website Contributor means you can "manage websites (not web plans), but not access them". The Reader role gives you the right to read everything, but you cannot contribute. These roles are built-in roles for Azure resources. You can find all of the Azure built-in RBAC roles in the Microsoft docs: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Your organization administrator can create a custom role for you if it's needed to be a Website Contributor and reader at the same time.
I'm just starting on this, been going through the Microsoft documentation and the lightbulb hasn't come on yet...
How do I add a user to my subscription so they can login? From there I just need to limit them to Azure Media Services.
I've seen instructions on web for clicking a "Users" button from subscription, but I do not see that. I've tried adding a user through the Azure Active Directory as well with no luck...
Any ideas would be helpful.
Thanks!
James
OK, so I figured this out:
1) Add your user to Active Directory (I added guest user)
2) Go to subscriptions and to your IAM panel
3) Ensure that your new user has access to at least Read the subscription.
(When I did this it allowed me to view my Azure resources as other user)
4) From there I created a role in a JSON file and used New-AzureRmRoleDefinition -InputFile to import it. IMPORTANT: Make sure for permissions you have Microsoft.Media/* and Microsoft.Media/mediaservices/*
5) Once I did this I went to my Media Services IAM panel and added the user to my new Azure Media Services role.
6) Presto! It started working.
Thanks to all who responded to this thread!!!
I've tried adding a user through the Azure Active Directory as well
with no luck...
This is exactly what you need. Create a user in Azure Active Directory (at portal.azure.com) and grant them access to your subscription with a custom role that allows only Azure Media Services (I don't think there's a built-in role for that). To do that, follow the links (to create the custom role, to create the user and to assign the user that role). I don't think you can create a custom role using the portal, so you will need the REST API or PowerShell/CLI/SDK.
Links:
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-what-is
https://learn.microsoft.com/en-us/azure/active-directory/add-users-azure-active-directory
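An added example, not taken from any of the answers above, that applies the RBAC rules discussed in the SubscriptionPropertiesReader answer, the roleAssignments/write answer and step 4 of the Media Services fix: a small Python evaluator of Azure's Actions/NotActions wildcard semantics, used to check what a role definition really grants before it is assigned. The role dictionaries are constructed subsets of the real definitions (only Reader's "*/read" is reproduced verbatim), and the names overgrants and MediaServicesOperator are my own.

```python
import re

def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard match: '*' in an Actions/NotActions entry stands
    for any run of characters (slashes included); comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def role_allows(role: dict, action: str) -> bool:
    """A role grants an action when some Actions entry matches it and no
    NotActions entry matches it (NotActions subtract; they are not a deny)."""
    granted = any(action_matches(p, action) for p in role.get("Actions", []))
    excluded = any(action_matches(p, action) for p in role.get("NotActions", []))
    return granted and not excluded

def effective_allowed(assigned_roles: list, action: str) -> bool:
    """Permissions from several assignments are unioned: one role that allows
    the action is enough."""
    return any(role_allows(r, action) for r in assigned_roles)

def overgrants(role: dict, needed: list, probes: list) -> list:
    """Least-privilege audit: which probe actions (things the principal should
    not be able to do) does the role allow beyond the needed ones?"""
    return [a for a in probes if a not in needed and role_allows(role, a)]

# Constructed role definitions: subsets of the built-in JSON trimmed to the
# entries relevant here (Reader really is just "*/read"), plus the two custom roles.
READER = {"Name": "Reader", "Actions": ["*/read"], "NotActions": []}
SUBSCRIPTION_PROPERTIES_READER = {"Name": "SubscriptionPropertiesReader",
    "Actions": ["Microsoft.Resources/subscriptions/read"], "NotActions": []}
CONTRIBUTOR_LIKE = {"Name": "Contributor", "Actions": ["*"],
    "NotActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]}
OWNER_LIKE = {"Name": "Owner", "Actions": ["*"], "NotActions": []}
MEDIA_ROLE = {"Name": "MediaServicesOperator",
    "Actions": ["Microsoft.Media/*", "Microsoft.Media/mediaservices/*"], "NotActions": []}

if __name__ == "__main__":
    sub_read = "Microsoft.Resources/subscriptions/read"
    storage_read = "Microsoft.Storage/storageAccounts/read"
    ra_write = "Microsoft.Authorization/roleAssignments/write"
    # Reader can list subscription ids but also reads every resource in them;
    # the custom role is confined to the subscription object itself.
    print("Reader over-grants:", overgrants(READER, [sub_read], [storage_read]))
    print("Custom role over-grants:", overgrants(SUBSCRIPTION_PROPERTIES_READER, [sub_read], [storage_read]))
    # Contributor's NotActions entry is why it cannot write role assignments; Owner can.
    print("Contributor:", role_allows(CONTRIBUTOR_LIKE, ra_write), "Owner:", role_allows(OWNER_LIKE, ra_write))
    # Microsoft.Media/* already covers the whole mediaservices sub-tree.
    print("Media/* covers mediaservices:", role_allows(MEDIA_ROLE, "Microsoft.Media/mediaservices/write"))
```

To audit a real role, replace the constructed dictionaries with the output of Get-AzRoleDefinition (or az role definition list) and probe the actions the principal must not have.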
I created some AD users in the Azure Management Portal too, and would like to assign some roles to these users. My user has the role "Global Administrator". There are only roles available that do not fit my business requirements. So I would like to know whether there is already a solution for how to add new roles, because the Graph API and Azure AD PowerShell seem not to support this feature.
Thx for the support
Azure AD doesn't yet allow creating custom "app roles". You can however create security groups and add users to those groups. The application that needs to check for these roles for authorization can check for the signed in user's group membership (transitively using this graph API: http://msdn.microsoft.com/en-us/library/azure/dn424889.aspx) for the group that represents the role(s).
App roles is on our radar - however you shouldn't block on it.
Hope this helps.
Now this is supported and in your app you can
[Authorize(Roles = "Admin, Observer, Writer, Approver")]
In this example of Microsoft you can see how to do it https://github.com/AzureADSamples/WebApp-RoleClaims-DotNet
You can read more about this feature at http://blogs.msdn.com/b/aadgraphteam/archive/2014/12/12/announcing-the-new-version-of-graph-api-api-version-1-5.aspx