Just created an SP yesterday and when trying to assign rights to it via the portal to an ADLS enabled folder, the SP does not come up in the list of AD users/SPs to assign permissions. Is there an additional step that is needed? Other SPs that I created in the past months do come up in the search list but this newly created one does not.
Thanks in advance for any help you may provide.
Can you guys help me with a question?
I have an ADDS created on Azure and a Windows Server 2019 (Active Directory) virtual machine also hosted on Azure.
I'm having problems changing the attributes and using the logon hours option through the user's account... "You do not have permission to change the logon hours attribute, your changes won't be saved".
On Windows Server 2019, I have the Enterprise Admin permission.
On Azure, I have the administrator permission and am still having these issues.
Can someone give me a clue to solve this?
Thanks.
• In Azure ADDS, you will have to add your sign-in ID for the Windows Server VM, i.e., the Azure ADDS DC, to the Azure AD DC Administrators group in your Azure AD tenant. Once you have added your user ID to this group, you will be able to configure the ‘logon hours’ attribute in the managed-domain-joined Windows Server VM.
• Also, though you are the administrator, it is not clear what permissions you are assigned. As a result, you need to be assigned the ‘Domain Services Contributor’ Azure role for creating the required Azure ADDS resources, along with the ‘Application Administrator’ and ‘Groups Administrator’ Azure AD roles in your tenant.
Thus, if you ensure that the above changes are done, you will surely be able to change the ‘logon hours’ attribute. Please find the below snapshot for your reference:
To know more about this, kindly follow the below links:
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-management-vm#administrative-tasks-you-can-perform-on-a-managed-domain
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance-advanced#prerequisites
How do you find out the source of the user creation in Azure AD, for example, if the user was created via an HR cloud solution? We're using PowerShell and need to implement some changes to users that were created by the HR solution and not the users created directly in Azure AD. Your help is appreciated. Thanks.
Check the audit logs of your Azure Active Directory
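One way to do that from PowerShell, as an added example that is not part of the thread: the 'Add user' audit events carry the initiator, and a user provisioned by an HR connector shows an application rather than a person as the initiator. This assumes the Microsoft.Graph PowerShell module; the `$AppNamePattern` value is an assumption and must be adjusted to your connector's display name. Audit log retention is 7 days on the free tier and 30 days with Azure AD P1/P2, so older creations are not visible this way.

```powershell
# Added example (not from the thread): list users whose 'Add user' audit event was
# initiated by an application (e.g. an HR provisioning connector) rather than by a person.
# Assumes the Microsoft.Graph module and the AuditLog.Read.All + Directory.Read.All scopes.
param(
    # Assumption: adjust to the display name of your HR provisioning app
    [string]$AppNamePattern = '*Provisioning*'
)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' | Out-Null

# Only creation events; retention limits how far back this reaches
$events = Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Add user'"

$created = foreach ($e in $events) {
    $app    = $e.InitiatedBy.App
    $person = $e.InitiatedBy.User
    $target = $e.TargetResources | Select-Object -First 1

    # An HR connector shows up as the initiating app; an admin shows up as the initiating user
    if ($app -and $app.DisplayName)              { $source = "App: $($app.DisplayName)" }
    elseif ($person -and $person.UserPrincipalName) { $source = "User: $($person.UserPrincipalName)" }
    else                                         { $source = 'Unknown' }

    [pscustomobject]@{
        When     = $e.ActivityDateTime
        Target   = $target.UserPrincipalName
        TargetId = $target.Id
        Source   = $source
        ByHrApp  = [bool]($app -and $app.DisplayName -like $AppNamePattern)
    }
}

# Keep only the accounts the HR solution created, so changes are not applied to
# users that an administrator created directly in Azure AD
$hrUsers = $created | Where-Object ByHrApp
$hrUsers | Format-Table When, Target, Source -AutoSize

# $hrUsers.TargetId can then be passed to Update-MgUser -UserId for the required changes
```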
I have a Java application running on premise in order to manage Azure app registrations and groups. For that purpose I registered an app and its service principal in Azure. I am using one of the samples under (https://github.com/Azure-Samples/aad-java-manage-users-groups-and-roles/). I am having trouble giving the right permissions to my app so that it can register other apps, create groups, assign them to groups and do client secret operations. I am receiving a 403 unauthorized response. What are the least possible Azure AD permissions for these operations? Which steps and options should I take/follow to implement these requirements in the portal?
Thanks
UPDATE 1
Giving owner right is a big move. So that's not the answer I was looking for. That's why I am not marking it as a solution for my question but that would definitely work if you are willing to do that. Code also works.
Part of my question was least possible permissions. After experimenting I found that in app permissions:
Windows Azure Active Directory->Read Write Directory Data
Windows Azure Active Directory->Read Write All Applications
Microsoft Graph->Read Write Directory Data
Microsoft Graph->Read Write All Domains
Microsoft Graph->Read Write All Groups
solved the problem. The Active Directory ones allowed me to create an app and create a group, the Graph ones allowed me to add the app to the group. Instead of Graph, adding the app as User Access Admin also let me add the app to the group.
UPDATE 2
I am trying to repeat the same process with another app. This time, although I gave the same permissions as I did in Update 1, adding the new app to the group fails with 403. Any idea how this really works? I am really confused...
You need to create a service principal and give it the Owner role on your subscription. You could check the code: the newly created user is given CONTRIBUTOR on your subscription. So your SP needs the Owner role.
// Assign role to AD user, it needs `Owner` role.
RoleAssignment roleAssignment1 = authenticated.roleAssignments()
        .define(raName1)
        .forUser(user)
        .withBuiltInRole(BuiltInRole.READER)
        .withSubscriptionScope("3b4d41fa-e91d-4bc7-bc11-13d221b3b77d")
        .create();
System.out.println("Created Role Assignment:");
You could do it on Azure Portal.
<your subscription>--><Access Control>--><Add>.
For more information about this, please refer to this official document.
Update:
I tested in my lab; you don't need to give your SP Graph permissions, you only need to give your SP the Owner role on your subscription. This is my test result.
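Because Owner (or User Access Administrator) on a subscription lets a service principal grant roles to anyone, it is worth knowing which SPs hold it. The following added check is not part of the thread; it assumes the Az PowerShell module, at least Reader on the subscription, and the placeholder subscription id is to be replaced with your own.

```powershell
# Added example (not from the thread): report service principals that hold Owner or
# User Access Administrator directly at subscription scope, i.e. the "big move" above.
# Assumes the Az module; the subscription id below is a placeholder.
function Get-PrivilegedServicePrincipal {
    param(
        [Parameter(Mandatory)] [string]   $SubscriptionId,
        [string[]] $Roles = @('Owner', 'User Access Administrator')
    )
    $scope = "/subscriptions/$SubscriptionId"

    # Get-AzRoleAssignment -Scope also returns assignments inherited from above the
    # subscription; the Scope comparison keeps only grants made on the subscription itself.
    Get-AzRoleAssignment -Scope $scope |
        Where-Object {
            $_.ObjectType -eq 'ServicePrincipal' -and
            $_.RoleDefinitionName -in $Roles -and
            $_.Scope -eq $scope
        } |
        Select-Object DisplayName, ObjectId, RoleDefinitionName, Scope
}

Connect-AzAccount | Out-Null
Get-PrivilegedServicePrincipal -SubscriptionId '<your-subscription-id>' | Format-Table -AutoSize
```

Anything listed that only needs to add or remove role assignments can be moved from Owner to User Access Administrator, as the UPDATE 1 above found.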
I'm trying to delete my AD, but the system says that I cannot delete it because "there is an Application using it".
When I go to the Application tab, it just shows me Visual Studio Online (with the www.visualstudio.com URL) and does not show an option to delete... How can I remove it?
Note: I've tried to create another Azure account, but the system tells me that I've already created my mycompany.onmicrosoft.com
A global administrator can delete an Azure AD directory from the portal. When a directory is deleted, all resources contained in the directory are also deleted; so you should be sure you don’t need the directory before you delete it.
There are some conditions before you can delete the AD from the portal because it will impact the users or applications.
A global administrator is needed who will delete the AD.
Sync will need to be turned off if you are using in-house AD to Azure.
Other users must be deleted in the cloud directory by using the Management Portal or the Azure module for Windows PowerShell.
Any applications must be deleted before the AD can be deleted.
Make sure there is no online subscription connected with the AD.
Check in Azure management -> settings for more info.
I hope you can resolve your issue quicker.
Let me know the outcome.
Regards
I can't seem to figure out how I can delete the tenant which I have created from my Azure Subscription. Can anyone help me figure out how to do this? It sounds like it should be easy to do, but maybe I'm missing something.
Currently you cannot remove an AAD tenant from the Azure Portal. You also cannot rename it. The good thing is that you are not being charged for it if you are not using any special features (i.e. even if you use it just for authenticating without Two-Factor Authentication, it is still free!). And I don't recall having seen an API via which you would be able to remove an AAD tenant.
UPDATE
As of November 2013 you are able to rename an Azure AD, add a new Azure AD, change the default AD for a subscription, and delete an Azure AD (as long as there is no subscription attached, and no user/group/app objects in it).
We were eventually able to delete an Azure Active Directory instance after we deleted all mapped users (except for the administrator who was logged in) and groups.
Make sure you go through the following list of possible causes for not being able to delete your Azure AD:
You are signed in as a user for whom <Your Company Name> is the home directory
Directory contains users besides yourself
Directory has one or more subscriptions to Microsoft Online Services.
Directory has one or more Azure subscriptions.
Directory has one or more applications.
Directory has one or more Multi-Factor Authentication providers.
Directory is a "Partner" directory.
Directory contains one or more applications that were added by a user or administrator.