Unable to delete a tenant due to License-based subscriptions - azure

I want to delete a tenant, but I am told that I can't do this due to "License-based subscriptions"
How can I figure out which subscriptions Azure is talking about? I am not aware of any subscriptions ):

I tried to reproduce the same in my environment and got the results below:
I have one Azure AD tenant named SriAAD with an Azure AD Premium P2 license, like below:
To see all the licenses that the above tenant has, you can check this: Go to Azure Portal -> Azure Active Directory -> Licenses -> All products
When I tried to delete this tenant without removing the licenses, I got the same error as you, like below:
To resolve the error, cancel the subscriptions by visiting the Microsoft 365 Admin portal like this:
Go to Microsoft 365 admin center -> Billing -> Your products -> Select subscription -> Cancel subscription
Do the same for the other subscriptions too, like below:
After cancelling the subscriptions, the subscription status will change to Disabled, like below:
Now, delete the above subscriptions; that might take up to 24 hours to take effect.
You can delete the tenant successfully once the above operation is done.
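The license inventory from the answer above can also be read from PowerShell. This is an added example, not part of the original answer: the function name, the mapping from status to next step, and the sample rows are assumptions, and the input is shaped like the output of Get-MgSubscribedSku from the Microsoft Graph PowerShell SDK.

```powershell
# Added example: summarise a tenant's license SKUs and the step each one still needs.
# Input: objects shaped like Get-MgSubscribedSku output
# (SkuPartNumber, CapabilityStatus, ConsumedUnits, PrepaidUnits.Enabled).
function Get-TenantLicenseSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Sku
    )
    process {
        # Assumption: 'Enabled' means the subscription has not been cancelled yet;
        # any other status is treated as already cancelled and waiting for deletion.
        $isActive = ($Sku.CapabilityStatus -eq 'Enabled')
        [pscustomobject]@{
            Sku            = $Sku.SkuPartNumber
            Status         = $Sku.CapabilityStatus
            PurchasedSeats = [int]$Sku.PrepaidUnits.Enabled
            AssignedSeats  = [int]$Sku.ConsumedUnits
            NextStep       = if ($isActive) {
                'Cancel subscription (Microsoft 365 admin center -> Billing -> Your products)'
            } else {
                'Delete subscription, then allow up to 24 hours'
            }
        }
    }
}

# Constructed sample rows so the function can be tried without a tenant.
$sample = @(
    [pscustomobject]@{
        SkuPartNumber = 'AAD_PREMIUM_P2'; CapabilityStatus = 'Enabled'
        ConsumedUnits = 3; PrepaidUnits = [pscustomobject]@{ Enabled = 25 }
    }
    [pscustomobject]@{
        SkuPartNumber = 'FLOW_FREE'; CapabilityStatus = 'Suspended'
        ConsumedUnits = 0; PrepaidUnits = [pscustomobject]@{ Enabled = 0 }
    }
)
$sample | Get-TenantLicenseSummary | Sort-Object Status | Format-Table -AutoSize

# Live use (assumes the Microsoft.Graph module is installed):
# Connect-MgGraph -Scopes 'Organization.Read.All'
# Get-MgSubscribedSku | Get-TenantLicenseSummary | Format-Table -AutoSize
```

Free and trial SKUs appear in this list as well, which is often why a tenant has license-based subscriptions its owner does not remember buying.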

Related

Is there any chance to extract specific permissions from few roles and create a new role with them

I want to create a custom Azure role by extracting a few properties from a couple of roles like User Administrator and Application Administrator.
I saw a few blogs and articles on creating a custom RBAC role, but my need is for Directory roles.
Permissions needed
microsoft.directory/users/*
microsoft.directory/groups/*
microsoft.directory/applications/*
microsoft.directory/serviceprincipals/*
How to create custom directory role in my case?
Any inputs are needed
Thanks
To create a custom role in Azure AD, you need to have either an Azure AD Premium P1 or P2 license along with Global Admin or Privileged Admin roles.
I tried to reproduce the same in my environment and got the results below:
I have an Azure AD Premium P2 license for my Azure AD tenant, like below:
To create a custom role in Azure AD, you need to follow the steps below:
Go to Azure Portal -> Azure Active Directory -> Roles and administrators -> All roles -> New custom role
In Basics tab, enter custom role name and select Start from scratch option -> Next:
In Permissions tab, you can select the permissions based on your requirement in the list like below:
After selecting all required permissions, you can click on Create in Review + Create tab like below:
After that, the custom role was created successfully in Azure AD, like below:
You can assign that custom role to Azure AD users like below:
Go to Azure Active Directory -> Roles and administrators -> All roles -> Click on your custom role -> Add assignments
I assigned that custom role to one Azure AD user like below:
You can select the type based on your need and assign role accordingly like below:
After a few minutes, it was assigned to the user successfully, like below:
Note that you cannot find the New custom role option if your tenant doesn't have the required license.
I have another tenant with an Azure AD Free license, like below:
When I tried to create a custom role, the New custom role option was greyed out, like below:
So, make sure to have the required licenses and roles before creating Azure AD custom roles.

In Azure Portal I didn't find this option while adding Add role assignment -> Assign Access to -> "Azure AD user, group, or service principal"

I just created my account with a Free subscription, and want to assign a role in "My Permission" for Contributor as "Azure AD user, group, or service principal".
But I only find this option: "User, group, or service principal".
Please guide me properly if I am missing something or how can I enable or get that option.
Thanks,
Adeel
I think you are referencing Azure documentation "Add Azure role assignments"
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal#add-a-role-assignment
I opened an issue in MicrosoftDocs GitHub to clarify misspelling in documentation.
https://github.com/MicrosoftDocs/azure-docs/issues/68645
Update 2021-01-14:
Answer from Microsoft
The details refer to the same thing but we will get the screenshot updated.
Documentation is updated

Accidentally deleted the only Azure subscription owner role

I accidentally deleted the only Azure Owner role of my subscription. Any idea how I can get that restored? I can only log in now at the Azure portal, and when I click on subscriptions it keeps loading; nothing is coming.
I have resolved this myself. As I am also a global administrator, I created an Azure AD user and assigned the global admin role to it. I logged in to the Azure portal with that new account and re-assigned the Owner role to my original account, which I accidentally deleted. Now it's working fine :)
The same thing happened with me today and even after being "Global Admin" to Azure AD, I was unable to modify the permissions as the "Role Assignment" options were appearing disabled.
These are the steps that I followed:
I logged in to Azure Portal with the MS Live ID (@outlook.com) using which we got the MS Azure subscription registered (Root ID or Account Owner ID).
Then went to the Azure subscription --> IAM --> Add Role Assignment. This option was enabled this time!
To be on the safer side now, I created a Security Group in Azure AD with 3 Azure Administrators and then made this group "Owner" of the Azure Subscription.
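A check for the single-Owner situation both answers recover from, as an added example that is not part of the original posts. The function name, the two-Owner threshold and the sample rows are assumptions; the input properties are those of Get-AzRoleAssignment output (Az.Resources module).

```powershell
# Added example: flag a subscription whose Owner access hangs on too few principals.
function Test-SubscriptionOwnerCoverage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Assignment,
        [int] $MinimumOwners = 2   # assumed threshold
    )
    $subScope = "/subscriptions/$SubscriptionId"
    # Count Owner at the subscription itself or inherited from above it.
    # Owner on a resource group or resource cannot repair subscription-level access.
    $owners = @($Assignment | Where-Object {
        $_.RoleDefinitionName -eq 'Owner' -and
        -not $_.Scope.StartsWith("$subScope/", [System.StringComparison]::OrdinalIgnoreCase)
    })
    # A group Owner (as in the second answer) survives one member losing access.
    # Group membership itself is not inspected here.
    $groupOwners = @($owners | Where-Object { $_.ObjectType -eq 'Group' })
    [pscustomobject]@{
        SubscriptionId = $SubscriptionId
        OwnerCount     = $owners.Count
        GroupOwners    = $groupOwners.Count
        Owners         = ($owners.DisplayName -join ', ')
        AtRisk         = ($owners.Count -lt $MinimumOwners -and $groupOwners.Count -eq 0)
    }
}

# Constructed sample: one user Owner on the subscription, one Owner on a resource group only.
$sub = '00000000-0000-0000-0000-000000000001'   # placeholder ID
$sample = @(
    [pscustomobject]@{ Scope = "/subscriptions/$sub"; RoleDefinitionName = 'Owner'
                       ObjectType = 'User'; DisplayName = 'alice' }
    [pscustomobject]@{ Scope = "/subscriptions/$sub/resourceGroups/rg-app"; RoleDefinitionName = 'Owner'
                       ObjectType = 'User'; DisplayName = 'bob' }
    [pscustomobject]@{ Scope = "/subscriptions/$sub"; RoleDefinitionName = 'Contributor'
                       ObjectType = 'Group'; DisplayName = 'ops' }
)
Test-SubscriptionOwnerCoverage -SubscriptionId $sub -Assignment $sample

# Live use (assumes Az.Resources and an authenticated session):
# Get-AzSubscription | ForEach-Object {
#     $a = @(Get-AzRoleAssignment -Scope "/subscriptions/$($_.Id)")
#     Test-SubscriptionOwnerCoverage -SubscriptionId $_.Id -Assignment $a
# }
```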

Azure DevOps: Why is my subscription not shown when creating a new service connection?

I am using Azure DevOps with a Microsoft Account (@outlook.com). The same account is co-administrator of 3 different Azure Subscriptions.
I am trying to create a new Service connection from my Azure DevOps Project to my newest Azure Subscription (out of the 3).
When I:
Go to my project's Project Settings view and click on the Service Connections tab.
Click on the 'New service connection' button.
Choose 'Azure Resource Manager' for the connection type.
Choose 'Service Principal (automatic)' authentication method.
I find that the drop-down list for Subscription is only showing my two older subscriptions and my newer subscription is missing, as shown here:
How can I get my third, newer, subscription to appear in the 'Subscription' list?
I've tried the following without success:
Made my Microsoft Account to be a 'Co-administrator' of the Azure Subscription.
Gave my Microsoft Account the 'Owner' Role for the Azure Subscription.
Added my Microsoft Account to the 'Global Administrators' group in Azure Active Directory.
Set 'Guest users permissions are limited' to 'No' in my Active Directory's External collaboration settings.
UPDATE: The subscription that's not shown in the list is currently a "free-tier" subscription whereas the 2 subscriptions that are shown are "pay-to-go". Could this be the reason for my problem?
This is what solved it for me:
Go to your MS Azure account.
Search and go to 'Tenant Properties'.
Click on Manage Security Defaults.
Turn these off
I can finally see my Azure Subscription in the Subscription list. I'm not 100% sure which step I took is responsible for fixing the issue so I'll list 2 things that I did:
In the Azure Portal I created a new App Registration, this time having the "Supported account types" setting set to "Accounts in any organizational directory ... and personal Microsoft account ...":
In PowerShell and using the AzureAD module I reset the Service Principal Key Credential:
a. Ran PowerShell (v5.1) "as Administrator".
b. Install-Module -Name AzureAD
c. Connect-AzureAD -TenantId <tenant-id-from-the-app-registration-overview>
d. New-AzureADServicePrincipalKeyCredential -ObjectId <object-id-from-the-managed-application-overview>
PS - The Subscription's being in the free-tier seems to be irrelevant to the issue.
You can try accessing DevOps in a private mode, it simply gets the existing subscription.
Not an exact answer to the OP's question, but I think it's related and maybe helpful to others. My issue was creating a new subscription and that subscription not showing up on the Subscriptions page.
Click on the "Directories + subscriptions" button in top right.
Open dropdown and ensure desired subscriptions are selected
Navigate to the Subscriptions page, click on "Subscriptions == globalfilter" and select the desired subscriptions.
See if you have a "default subscription filter" set on the Portal Settings page. Seems to add one by default.
I solved the problem by deleting an old app registration with an expired certificate. I'm not sure about the link between the two, maybe it forced a refresh somewhere.

User with global admin, cannot view Application or Resource grp in Azure

I'm a global administrator of my Azure Tenant and gave Global admin rights to others so they can manage the Azure Tenant.
However, they can't view any of the services already provisioned on Azure.
For Example, cannot view:
a) Resource group
b) Enterprise Applications
Please suggest what more shall I do to resolve the issue?
This issue may be caused by the fact that you haven't been assigned a subscription.
Try to find out whether there are subscriptions in your Azure account. (Put "subscription" in the search box in Azure.)
If you don't have any subscription, try to connect with the owner and add your account as owner or another role. (Go to subscription > choose one subscription > Access control > Add) The steps look like this:
