Closed. This question is not about programming or software development. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 3 months ago.
Improve this question
I am in an organization on azure with the following roles:
Another member with the same roles created an azure VM that I can not see in my virtual machine interface. It always takes me to this window whenever I search Virtual Machine.
When I access the link shared by the other person to access the page, it will lead me to this error page:
Having the role of Global admin, should not I be able to access everything in the organization setup?
This is the current license of the organization
Note that, Azure AD roles are different from Azure RBAC roles.
You have Azure AD roles that will only help you to manage Azure AD resources like users, groups, applications etc., and won't give access for Azure resources.
To manage Azure resources like virtual machines, storage accounts etc., you need Azure RBAC roles that links with subscription.
I tried to reproduce the same in my environment and got below results:
I created one Azure AD user named Test user and assigned same roles as you like below:
When I signed in with above Test user account, I got the same screen as you like below:
I got the same error as you when I tried to access virtual machine like below:
You can check with other members what Azure RBAC role they have under virtual machine as below:
To resolve the error, get yourself assigned with the same RBAC role the other member has, under your subscription like below:
After getting that role, you can access the virtual machine successfully like below:
Related
Closed. This question is not about programming or software development. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 5 months ago.
Improve this question
AD integration can do with Linux VM for different directories VM?, I have tried AD integration with Windows VM for different directories VM but it not worked and Is there any way to do AD integration for Windows VM with different directories VM. as per Microsoft documentation it will work for Azure AD joined to the same directory as the VM.
Any suggestions or advises for AD integrations for Windows VM (or) Linux VM for different directories.
https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows
I created Windows VM in Azure by using Azure AD, windows-11 (win11-21h2-pro) operating system with size of (Standard B1ls (1 vcpu, 0.5 GiB memory).
To log in to the VM by using your Azure AD credentials, you first need to configure role assignments for the VM, I did role assignments as per my requirement.
Remote connection to VMs that are joined to Azure AD is allowed only from Windows 10 or later PCs that are either Azure AD registered (minimum required build is 20H1) or Azure AD joined or hybrid Azure AD joined to the same directory as the VM. Additionally, to RDP by using Azure AD credentials, users must belong to one of the two Azure roles, Virtual Machine Administrator Login or Virtual Machine User Login.
If you're using an Azure AD-registered Windows 10 or later PC, you must enter credentials in the AzureAD\UPN format (for example, AzureAD\john#contoso.com).
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 1 year ago.
Improve this question
Net core application and my application communicates to various azure resources such as Storage Account V2. My app is deployed into azure app service. I have various ways for my web app to connect to storage account. Out of them first way is using connection string like below
CloudStorageAccount storageAccount = CloudStorageAccount.Parse(_azureStorageClient.AzureStorageAccount03ConnectionString);
In the above code I am passing connection string. I can get connection string from azure key vault and I can avoid hard coding of connection string in appsettings.json. This is secured I can understand but If someone changes or regenerates access key in storage account accidentally then my app will not work.
I found one more way using app registred in azure portal and give RBAC in storage account.
TokenCredential credential = new ClientSecretCredential(
_authenticationConfig.TenantId, clientId, _authenticationConfig.ClientSecret, new TokenCredentialOptions());
In this way also I can avoid using connection strings and based on roles I can access storage account. But in this case also I will end up with managing client secrete and client id in code/key vault.
I found last option which is using managed identities. I feel this is more reliable way so far.No secretes in code nor in keyvault. This is all my understanding and I am in conclusion that third way is more reliable and I am trying to implement through out the application. So I want to know all my understanding is correct and I can get rid of first two ways and go with third approach and it does not have any problems? Can someone help me weather I am in correct understanding or If I have understood the things in wrong way then someone can help me to design best practices? Any help would be appreciated greatly. Thanks a lot
Where possible do use managed identities as they allow you to access azure resource withouth having to expose secrets. An early blog post by microsoft states:
Your code needs credentials to authenticate to cloud services, but you want to limit the visibility of those credentials as much as possible. Ideally, they never appear on a developer’s workstation or get checked-in to source control. Azure Key Vault can store credentials securely so they aren’t in your code, but to retrieve them you need to authenticate to Azure Key Vault. To authenticate to Key Vault, you need a credential! A classic bootstrap problem. Through the magic of Azure and Azure AD, MSI provides a “bootstrap identity” that makes it much simpler to get things started.
Here is an overview of the supported services. As you can see most services do support managed identities.
Here is a step-by-step tutorial that shows you how to connect to azure storage using managed identities.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 1 year ago.
Improve this question
I am trying to connect Azure DevOps with Azure KeyVault by whitelisting the IP addresses of Azure DevOps into the key vault. Now I need to add the service tag of Azure DevOps into KeyVault. I am following the below process to do it. Please correct me if I am wrong?
Create a Network Security Group
Click on Inbound security rules
Click on Add button to add a rule
Select Source as “Service Tag”
Select the Souce service tag as “AzureDevOps” (unfortunately this tag is not available).
Please let me know how can I add the Service Tag of Azure DevOps in the Network security group and map the Network Security Group with Azure Key Vault?
As of today they are available on the Portal (18-11-2021)
Original reply
You can't. Azure Devops Service Tag is not available from the Portal
Info taken from documentation.
Now that a service tag has been set up for Azure DevOps Services, customers can easily allow access by adding the tag name AzureDevOps to their NSGs or firewalls programmatically using Powershell and CLI.
Here os the info on the blog.
And what is important here is:
The Service Tag does not apply to Microsoft Hosted Agents. Customers are still required to allow the entire geography for the Microsoft Hosted Agents. If allowing the entire geography is a concern, we recommend using the Azure Virtual Machine Scale Set Agents. The Scale Set Agents are a form of self-hosted agents that can be autoscaled to meet your demands.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 4 years ago.
Improve this question
Daniel explains it here how to start and stop a VM located on Azure.
I cannot do this as I cannot find Create Azure Run As Account
I believe my account is limited by the account owner.
What do I Need to ask to get this permission?
I have a Contributor role with Access to one particular subscription.
I am in a middle Company owned by a bigger Company.
I would like to give a developer the ability to start and stop a VM he is using.
As you said this is because you don't have enough privileges(roles) to Create Azure run as Account.You need to get Owner/Co-Administator role of that particular subscription to enable this.
Difference between owner role and contributor role
You need to request your company higher official who has owner roles for your Azure subscription to add your account as Owner/Co-Administator role for that particular subscription
Like it explained here
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 4 years ago.
Improve this question
I have found service bus explorer a windows application which will allow me to connect to the Azure Service Bus and look at my topics and subscription and the messages on the subscriptions. I need to be able to do this from my mac as I am developing connectivity to the service bus and need to be able to look at the messages on the subscription to see why they are not being processed etc.
I would have thought that the az cli would be useful to do this but I cannot see any az service bus options as of yet. If anyone knows of a service bus explorer equivalent for the mac that would be greatly appreciative otherwise if anyone has any other ways of me be able to look at the actual message on the subscription that would be great.
You can use Cerulean, which is a cross-platform product from Cerebrata.
Today, Cerulean enables you to manage your Azure Subscriptions, Azure Storage accounts, Azure Cosmos DB accounts, Azure Redis Cache accounts, Azure Service Bus accounts, and Azure Search accounts. Support for more Azure services will be added soon. It is highly customizable.
Unfortunately it's not free though. Costs roughly 10$ per month at the time of this writing.