Unable to create an Azure subscription for a dev Azure AD - azure

I have created a new Dev Azure AD in Azure. When I switch directories to this new AD, I am unable to create a subscription under the Dev AD tenant. The error message is:
"You don't have permission to create a subscription for this billing account, contact the billing account owners."
I have worked with the billing account owner to verify I have all the required permissions, but I still can't create this resource. I am an Owner on the Dev AD tenant; can there be any other reason why I am unable to create this resource?

Related

Accidentally deleted the only Azure subscription owner role

I accidentally deleted the only Azure Owner role of my subscription. Any idea how I can get that restored? I can only log in now to the Azure portal, and when I click on Subscriptions it keeps loading; nothing is coming.
I have resolved this myself. As I am also a Global Administrator, I created an Azure AD user and assigned the Global Admin role to it. I logged in to the Azure portal with that new account and re-assigned the Owner role to my original account, which I had accidentally deleted. Now it's working fine :)
The same thing happened to me today, and even being a "Global Admin" of Azure AD, I was unable to modify the permissions, as the "Role Assignment" options appeared disabled.
These are the steps that I followed:
I logged in to the Azure portal with the MS Live ID (@outlook.com) with which we had registered the Azure subscription (root ID or account owner ID).
Then went to the Azure subscription --> IAM --> Add role assignment. This option was enabled this time!
To be on the safer side, I then created a security group in Azure AD with 3 Azure administrators and made this group "Owner" of the Azure subscription.
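The recovery the two answers above describe, done from the command line with Azure CLI, as an added example that is not part of the original thread. It assumes you have already run `az login` as a Global Administrator of the tenant, and that the subscription id and group name passed on the command line are placeholders. Global Administrator is an Azure AD directory role and carries no Azure RBAC rights by itself, which is why the role assignment options appear disabled; Microsoft's documented way around that is "elevate access", which grants the caller User Access Administrator at the tenant root scope. The script removes that elevation again once the subscription has an Owner. The `AZ` variable exists only so the commands can be pointed at a wrapper for a dry run.

```sh
#!/bin/sh
# Added example, not from the original thread. Restores subscription Owner from a
# Global Administrator account with Azure CLI, then hands Owner to an admin group.
# Assumptions: `az login` was already done as a Global Administrator; the
# subscription id and group name are placeholders supplied by the caller.
set -eu

AZ="${AZ:-az}"   # point at a wrapper or mock for a dry run

# Global Administrator is a directory role with no Azure RBAC rights of its own.
# "Elevate access" grants the caller User Access Administrator at root scope (/),
# which is what makes the IAM "Add role assignment" option usable again.
elevate_access() {
  "$AZ" rest --method post \
    --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
}

# Create a security group of administrators; prints its object id.
create_admin_group() {
  "$AZ" ad group create --display-name "$1" --mail-nickname "$1" --query id -o tsv
}

# Assign Owner on the subscription to a principal (User, Group or ServicePrincipal).
assign_owner() {
  sub="$1"; principal_type="$2"; object_id="$3"
  "$AZ" role assignment create \
    --role Owner \
    --scope "/subscriptions/$sub" \
    --assignee-object-id "$object_id" \
    --assignee-principal-type "$principal_type"
}

# Elevated access is meant to be temporary: remove the root-scope assignment
# once the subscription has an Owner again.
drop_elevated_access() {
  me=$("$AZ" ad signed-in-user show --query id -o tsv)
  "$AZ" role assignment delete \
    --role "User Access Administrator" \
    --scope "/" \
    --assignee "$me"
}

# Full recovery: elevate, create the group, make it Owner, clean up.
# Prints the object id of the new Owner group as its last line.
restore_owner() {
  sub="$1"; group="$2"
  elevate_access
  gid=$(create_admin_group "$group")
  assign_owner "$sub" Group "$gid"
  drop_elevated_access
  echo "$gid"
}

# Usage: sh restore_owner.sh <subscription-id> <group-name>
if [ $# -eq 2 ]; then
  restore_owner "$1" "$2"
fi
```

Adding the original user account to the group afterwards (`az ad group member add`) gives the same result as re-assigning Owner to the account directly, with the advantage the third answer points out: the subscription no longer depends on a single account.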

Azure RBAC for remove access to create new subscription

I'm trying to remove the permission for a user on my Azure tenant to create a new subscription.
The only way I have found is to put the Global Reader role in Active Directory when I create the user.
But with this method, the user can see the Active Directory the same as when I block it with user permissions.
I also tried to create an RBAC assignment at the tenant root in my management group. But when I put a Reader role there, the user can create a new subscription again.
Azure RBAC only controls access to resources within an Azure subscription; it does not govern Azure subscription creation.
For creating Azure subscriptions, based on this official doc, only users who hold the billing roles
Invoice section owner, Invoice section contributor, Azure subscription creator
will be able to create Azure subscriptions.
Billing roles belong to your billing account. This doc describes the relationship between the billing account and your subscriptions well.
Hope it helps.

Owner level Service Principal permission not working for Azure Active Directory

I am attempting to automate the registration of a new application in Azure Active Directory. Upon running the command in Azure CLI, it returns the following error:
Insufficient privileges to complete the operation.
The command was run using a service principal which has Owner permissions at the subscription level. When attempting to run other Azure AD commands (e.g. az ad app list), the same error is thrown. However, it works fine if we run commands relating to Azure API Management (e.g. az apim list).
We have tried creating the service principal using both the Azure portal (https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) and the CLI by running the following command, but neither works.
az ad sp create-for-rbac --role Owner --name some-service-principal
Is there anything else required to perform this operation?
The Owner role you mention is part of Azure RBAC, which does not apply to Azure AD.
The Azure AD tenant sits above the Azure subscriptions and has its own permissions.
You need to give the SP application permissions to the MS Graph API / AAD Graph API (not sure which one the CLI is trying to use), or a directory role.
The first you grant through API permissions on the app registration for the SP.
A directory role can be added through the Roles and administrators tab.
That happens because Azure AD and Azure subscriptions are completely unrelated in terms of permissions. You need Application Read/Write Azure AD permissions for your principal (user / service principal / application) to be able to carry out that task:
https://learn.microsoft.com/en-us/graph/permissions-reference#application-resource-permissions
az ad app permission add: https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-add
followed by az ad app permission grant: https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-grant
Or you could do it using the portal, as the other answer suggests.

Can service principal with owner access to a subscription access the active directory

I have an Azure service principal with Owner access that is able to add Contributors at the resource or resource group level.
But when I use the same service principal to access Azure AD, it fails and throws a 403 Forbidden error.
Is it possible that a service principal with Owner access to a subscription fails to access the Azure AD of the same subscription?
The subscription is under the Azure AD tenant; the Owner role is an RBAC role which manages the resources in the subscription, not the Azure AD tenant.
For more details about the roles, refer to Classic subscription administrator roles, Azure RBAC roles, and Azure AD administrator roles.
If you want to fix the error when calling Microsoft Graph to list users or get a user in the tenant, navigate to your AD app in App registrations in the portal -> API permissions -> Add a permission -> select Microsoft Graph -> Application permissions -> User.Read.All -> click Add permissions -> click Grant admin consent for xxx; then it will work.

Service principal privileges for app registration creation

I'm using a service principal as the login identity for the Azure CLI. The role of this service principal is "Owner".
I'm trying to run:
az ad app list
and
az ad app create --display-name "Test application 2"
and getting the error:
Directory permission is needed for the current user to register the application. For how to configure, please refer 'https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal'.
Original error: Insufficient privileges to complete the operation.
What role should I assign to this service principal?
Your service principal is missing permissions related to reading and writing applications in Azure AD.
Go to your Azure AD, "App registrations".
Find your service principal (you may need to look at all applications instead of just your own).
Add the required permissions.
Once you've selected the right permissions, click "Grant permissions", because these permissions need admin consent.
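The fix that the last three answers describe in portal terms (add a Microsoft Graph application permission to the app registration behind the service principal, then grant admin consent), done with Azure CLI, as an added example that is not part of the original answers. It assumes a Global Administrator is logged in with `az login` and that the application (client) id of the service principal is supplied by the caller. The Graph app-role ids are resolved from the Microsoft Graph service principal at run time rather than hard-coded, so the script works for any of the application permissions named on this page (Application.ReadWrite.OwnedBy, Application.ReadWrite.All, User.Read.All); Application.ReadWrite.OwnedBy is the least-privilege choice when the service principal only needs to create and manage its own app registrations. The `AZ` variable exists only so the commands can be redirected to a wrapper for a dry run.

```sh
#!/bin/sh
# Added example, not from the original answers. Grants a service principal a
# Microsoft Graph *application* permission and admin-consents it, so that
# `az ad app list` / `az ad app create` stop failing with "Insufficient privileges".
# Assumptions: `az login` as a Global Administrator; the target app id is supplied
# by the caller.
set -eu

AZ="${AZ:-az}"   # point at a wrapper or mock for a dry run

# Well-known application (client) id of the Microsoft Graph resource.
GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"

# Resolve an app role (application permission) name such as
# Application.ReadWrite.OwnedBy to its id from the Graph service principal,
# so no permission GUIDs have to be hard-coded.
graph_app_role_id() {
  "$AZ" ad sp show --id "$GRAPH_APP_ID" \
    --query "appRoles[?value=='$1'].id | [0]" -o tsv
}

# Add one application permission (=Role; delegated scopes would use =Scope)
# to the app registration behind the service principal.
add_graph_app_permission() {
  app_id="$1"; role_name="$2"
  role_id=$(graph_app_role_id "$role_name")
  [ -n "$role_id" ] || { echo "unknown Graph app role: $role_name" >&2; return 1; }
  "$AZ" ad app permission add --id "$app_id" \
    --api "$GRAPH_APP_ID" --api-permissions "${role_id}=Role"
}

# Application permissions are inert until a tenant admin consents to them.
# `az ad app permission grant` only creates delegated (OAuth2) grants, so
# admin-consent is the right verb for an app role.
consent_graph_permissions() {
  "$AZ" ad app permission admin-consent --id "$1"
}

# Give a service principal what it needs to manage app registrations; the
# default is the least-privilege role, covering only apps it owns.
grant_app_registration_rights() {
  app_id="$1"; role_name="${2:-Application.ReadWrite.OwnedBy}"
  add_graph_app_permission "$app_id" "$role_name"
  consent_graph_permissions "$app_id"
}

# Usage: sh grant_graph.sh <service-principal-app-id> [Graph app role name]
if [ $# -ge 1 ]; then
  grant_app_registration_rights "$1" "${2:-Application.ReadWrite.OwnedBy}"
fi
```

After consent, log the service principal in again (`az login --service-principal ...`) so it obtains a token that carries the new role; the alternative the first answer mentions, assigning the directory role Application Administrator or Cloud Application Administrator under Roles and administrators, needs no Graph permission on the app registration but grants far more than the OwnedBy role.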
