Can the classic Account Administrator on an Azure Subscription be changed, when the original Account Owner no longer exists? - azure

We have several (MSDN/Visual Studio Enterprise) Azure Subscriptions that were created by users that no longer exist in our Active Directory.
As a Global Administrator I'm able to do almost everything, including giving owner rights. But I found a few things that only the classic Account Administrator can do:
Re-activate a deactivated subscription
Update Subscription Address
Change the Service Administrator
Is there a way to change the Account owner/Account Administrator (both names are used in Azure) of a subscription, if that user does not exist anymore?
Bonus: Is this also possible if the subscription is disabled?
Here I'm trying to reactivate a disabled MSDN/Visual Studio Enterprise subscription, but I can't because I'm not the Account Administrator:
Here I'm trying to change the Service Administrator on an active subscription. I have owner rights, but I'm not the Account Administrator:
Here I'm trying to delete resources on a disabled subscription. But I cannot because I cannot reactivate the subscription. This in turn means I cannot even delete resources and free up global unique names:

AFAIK,
Reactivating the Disabled MSDN/VS Enterprise Subscription without Account Administrator Role access. Only the Account Administrator can switch offer on this subscription.
You should have appropriate administrator role access on the Subscription scope to manage the Subscriptions and follow the steps provided in this MS Doc for switching to different models of Azure Subscriptions.
Changing the Service Administrator with Owner Right but no-Account Admin role assigned.
I believe being the Service Administrator can change the Service Administrator details if the user is assigned with the Subscription Scope Owner role as stated in this MS Doc of Changing the Service Admin in Azure.
I'm trying to delete resources on a disabled subscription. But I cannot because I cannot reactivate the subscription. This in turn means I cannot even delete resources and free up global unique names.
You cannot delete the resources on disabled subscription because it allows Read-only access on the resources within the disabled subscription.
If there are any issues in deleting the resources, mail the details to Microsoft Support - supportmail#microsoft.com so that they would assist the possible steps, or they will delete that disabled subscription from the backend by confirming your consent.
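
An added example, not part of the original answer: a read-only Az PowerShell audit that lists the classic administrators on every subscription the caller can see and flags sign-in names that no longer resolve to a directory user, which is the situation the question describes. It assumes the Az.Accounts and Az.Resources modules, a session from `Connect-AzAccount`, and that the classic sign-in name matches a user's UPN or mail attribute.

```powershell
# Added example; requires Az.Accounts and Az.Resources and a Connect-AzAccount session.
# Read-only audit: nothing is created, changed or deleted.

$classicRoles = 'AccountAdministrator|ServiceAdministrator|CoAdministrator'

$report = foreach ($sub in Get-AzSubscription) {
    # Switch context so the role listing and directory lookups target this subscription's tenant.
    $null = Set-AzContext -Subscription $sub.Id -Tenant $sub.TenantId

    Get-AzRoleAssignment -IncludeClassicAdministrators |
        Where-Object { $_.RoleDefinitionName -match $classicRoles } |
        ForEach-Object {
            # Assumption: the classic sign-in name equals the user's UPN or mail attribute.
            # Microsoft accounts and guests may match neither, so treat a miss as
            # "needs review", not as proof that the account is gone.
            $user = Get-AzADUser -UserPrincipalName $_.SignInName -ErrorAction SilentlyContinue
            if (-not $user) {
                $user = Get-AzADUser -Mail $_.SignInName -ErrorAction SilentlyContinue
            }

            [pscustomobject]@{
                Subscription  = $sub.Name
                State         = $sub.State          # e.g. Enabled or Disabled
                ClassicRole   = $_.RoleDefinitionName
                SignInName    = $_.SignInName
                FoundInTenant = [bool]$user
            }
        }
}

# Unresolved administrators sort first.
$report | Sort-Object FoundInTenant, Subscription | Format-Table -AutoSize
```

Rows with `FoundInTenant` set to `False` are the subscriptions to raise with the billing owner or Microsoft Support before the account administrator is needed for a reactivation or offer change.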

Related

Azure subscription not showing up for a new user added to the active directory

I have added a new user to the Azure active directory which is associated with Azure subscription. The user is added with the Global Administrator role.
However, when the user tries to login to the portal, no subscription is showing up. Tried logging off and logging in multiple times, but the subscription is not showing up.
Having rights to Azure AD doesn't necessarily give you rights to an Azure Subscription; they are separate. You can either Elevate access for Global Admins to manage your Azure subscriptions, or you can go to the Azure Subscription IAM settings and add the new user to a role.

User can't access correct Azure portal

We're a very small company, for unknown reasons our internal app infrastructure (based on PaaS VMs) was set up on the Azure subscription for a "personal" Windows Live account of an internal email address, with only that one user in the AD. (We also use the "correct" Azure instance, the AD is synced from the remnant of our old on-prem infrastructure and our Office 365 is based on it.)
We're about to recruit a second developer, I want to give him some level of access to our app infrastructure but not the global admin that sharing the existing single account would provide. I've experimentally added another user to the Azure AD as a global admin (so it should have access to everything) but when I log in with that user it takes me to the portal for the default free personal Azure instance you get if there's nothing set up. If I paste in a URL for a resource in the account it's global admin for I get "You do not have access" (403). (Audit trail of the user in Azure AD shows it logged in.)
Is there an inherent restriction on this type of account (in which case I'll have to bite the bullet and migrate the infrastructure where it belongs) or should I be able to expect this user to be able to access the right portal - and if so what do I need to do to get that to happen?
Having Global Admin role in Azure AD does not give you access to Azure resources, only to manage users etc. in Azure AD.
You need to add e.g. Owner/Contributor role on the subscription to the user through the Access Control (IAM) tab.

How to grant subscription access to an azure registered application?

I am trying to set up octopus to deploy resources to azure.
Under azure active directory I've added a new app registration, and have generated a key and hooked up octopus with the correct Application ID, Tenant ID and key
The organisation has multiple azure subscriptions corresponding to the environments, so I've noticed if I use the Subscription ID of my "Visual Studio Professional MSDN" subscription it works and creates the resources, however if I try to use any of the other organisation Subscription IDs I get the following error:
Login-AzureRmAccount : The provided account c0b2.......76a6 does not
have access to subscription ID "f06.......2aa3". Please try logging in
with different credentials or a different subscription ID.
I have looked through all the settings of the Application Registration and granted it every "Windows Azure Active Directory" permission available, but still no luck.
How do I go about granting permissions to this Application Registration so that it can access the relevant subscriptions?
You need to give the app a role on the subscription/resource group/resource you want it to be able to access.
So for example, you can go to the Access Control (IAM) tab of the subscription, and give the app the Contributor role, which allows the app to read and modify anything in the subscription.
You can also give a more limited role if desired.
Roles can also be applied at a lower scope, like a resource group.
More info in the docs: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
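
An added example, not part of the original answer: the same role assignment scripted with Az PowerShell, scoped to one resource group per environment instead of the whole subscription. The application ID, subscription IDs and resource group names are placeholders, and the signed-in account is assumed to be allowed to create role assignments at those scopes (for example as Owner).

```powershell
# Added example; requires Az.Accounts and Az.Resources and a Connect-AzAccount session.
# Placeholders below are not values from the page.
$appId    = '<application-id>'
$roleName = 'Contributor'
$targets  = @(
    @{ SubscriptionId = '<test-subscription-id>'; ResourceGroup = '<test-resource-group>' },
    @{ SubscriptionId = '<prod-subscription-id>'; ResourceGroup = '<prod-resource-group>' }
)

foreach ($t in $targets) {
    $null  = Set-AzContext -Subscription $t.SubscriptionId
    $scope = "/subscriptions/$($t.SubscriptionId)/resourceGroups/$($t.ResourceGroup)"

    # Get-AzRoleAssignment -Scope also returns assignments inherited from parent scopes,
    # so an existing subscription-level assignment is detected here as well.
    $existing = Get-AzRoleAssignment -ServicePrincipalName $appId -Scope $scope |
        Where-Object { $_.RoleDefinitionName -eq $roleName }

    if (-not $existing) {
        $null = New-AzRoleAssignment -ApplicationId $appId `
                                     -RoleDefinitionName $roleName `
                                     -Scope $scope
    }

    # Show what the service principal can now do at this scope and where it was granted.
    Get-AzRoleAssignment -ServicePrincipalName $appId -Scope $scope |
        Select-Object RoleDefinitionName, Scope
}
```

If the output shows a `Scope` of `/subscriptions/<id>` for a deployment identity that only needs one resource group, the broader assignment can be removed once the narrower one is in place.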

"No subscriptions found for Azure Account"

In Azure trial subscription my MSN email is associated with another account with owner rights. But when I try to access Azure publishSettings it generates an error: No Subscription found.
Please help me to resolve the issue. Do I need Co-administrator or Service Administrator rights along with owner rights ?
Service Administrator and Co-Administrator originated with the old portal at http://manage.windowsazure.com. The new portal, found at http://portal.azure.com, has introduced role based access control (RBAC), which provides the notion of Owner. You can find a lot of details about RBAC at https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/.
When RBAC was rolled out, Administrators were automatically added as Owners. It's possible to be an RBAC Owner in a subscription without being an Administrator, as Owner applies to ResourceGroups or Resources within a subscription.
The webpage you're trying to use has been available for a long time and from the looks of it has not been updated to support RBAC. The download of the publish profile from that webpage is based on selecting a subscription, which an Owner of a ResourceGroup or Resource would not necessarily have full access to everything in the subscription.
That means if you have your account added as a Co-Administrator or Service Administrator, that webpage should work.
It could be the difference between Microsoft Account and Azure Active Directory Account. Check which you are using.
I suggest you clear all cookies, cache and temporary internet files on the browser or use InPrivate/Incognito mode. Login again and it will work.
Click the "Sign Out" button and then login with the account that is associated with your trial. Owner rights should be sufficient.
You may have found an answer but in searching for an answer I found this link which says the owners you added through the Azure portal cannot manage services in the Azure classic portal.
So I MUST add a co-administrator IN the classic portal so they can administer the classic portal.
Worked immediately after I added my New Portal global admin as a co-administrator in the classic portal.
nigel.jones#kloud.com.au

Managing Default Azure Directory

I signed up for an Azure subscription and a default directory was provisioned for my subscription.
I cannot manage the default directory (e.g. create users or groups) via the Azure portal. The portal replies with: "You do not have permission to access these resources."
While I understand that an admin role for an Azure subscription is not the same as the admin role to manage an Azure Active Directory, I am unable to find any MS guidance on how to assign the AD global admin role to my Azure admin/subscription identity.
You have to be a Global Administrator in the directory to create users. Oddly though, you should already be one. When you sign-up for an Azure subscription you are automatically added to the default directory as a Global Administrator. At least that is how it used to work - perhaps it changed.
Anyway, this has the information you need and should get you going.

Resources