Microsoft.Synapse/workspaces/sqlPools/read Error - azure

I am following this document https://learn.microsoft.com/en-us/azure/synapse-analytics/sql/how-to-pause-resume-pipelines to get the list of SQL pools,
but facing the error: "The client 'XXXXX' with object id 'XXXXXX' does not have authorization to perform action 'Microsoft.Synapse/workspaces/sqlPools/read' over scope '/subscriptions/XXXXX/resourceGroups/XXXXXX/providers/Microsoft.Synapse/workspaces/workSpaceName' or the scope is invalid. If access was recently granted, please refresh your credentials."
Could you please advise what permission to grant, and where, to solve this issue?

You will have to grant permissions to that specific user on the Azure Synapse Workspace data plane using the following steps:
1. Go to your Azure Synapse Workspace resource.
2. Under Getting started, open Synapse Studio.
3. Go to Manage and, under the Security label, select Access control.
4. Click + Add.
5. Add a role assignment for the user with:
   - Workspace scope.
   - Azure Apache Spark Administrator role.

Related

Azure SQL database with MFA login to connect from Azure ADF

I have an Azure SQL server and database which have MFA login and I am the admin. But when I try to establish a connection via a new linked service from ADF to this database using System Managed Identity option, it throws error -
"Cannot connect to SQL Database. Please contact SQL server team for further support. Server: 'Server details', Database: 'database name', User: ''. Check the linked service configuration is correct, and make sure the SQL Database firewall allows the integration runtime to access."
I have already given contributor role access to ADF in SQL database using system managed Identity. Also, I have tried to access this database using Autoresolve runtime and azure runtime. But still the error is coming.
It sounds like you are missing the user creation and role assignment within the SQL database:
Connect to the database with your account and create an account for the data factory:
CREATE USER [<datafactory-name>] FROM EXTERNAL PROVIDER;
Then grant it the required role for your task:
ALTER ROLE [<roleName>] ADD MEMBER [<datafactory-name>];
Some available role names are:
db_accessadmin
db_backupoperator
db_datareader
db_datawriter
db_ddladmin
db_denydatareader
db_denydatawriter
db_owner
db_securityadmin
public
I created an Azure SQL database in the portal and created a linked service in Azure Data Factory with managed identity authentication. I got the below error:
I followed the below procedure to resolve this:
I turned on the managed identity of the data factory.
I set an admin for the Azure SQL database.
I logged in to the SQL database as admin and created a user with the data factory name as the username using the below code:
CREATE USER [DATA FACTORY NAME] FROM EXTERNAL PROVIDER;
I added roles to the user using the below code:
ALTER ROLE db_datareader ADD MEMBER [DATA FACTORY NAME];
I tested the linked service again, and it tested successfully.
It worked for me; please check from your end.

Cannot add Azure Synapse Administrator despite being RBAC Owner on workspace

Inside the Synapse Studio Access Control page, the screen shows:
Failed to load
Failed to load role assignments due to server error, error code 500. Refresh or troubleshoot the issue.
As far as I can tell, no one set up the Synapse Administrator or any other roles within the studio itself.
I cannot add the Synapse Administrator. When I attempt to, I get another 500 error:
"body": "{"error":{"code":"HttpWrapOperationAsyncFailed","message":"System.Exception : No RoleAssignment for workspace :
I've also tried it through the CLI and got a similar error there as well.
I'm afraid that something went wrong with the deployment of the resources related to this Synapse workspace, but I don't see anything wrong within the portal. Help?

Unable to connect to Azure DevOps from Azure Logic Apps

I’m trying to queue Azure DevOps pipeline from Azure Logic App. When I create workflow, the connection is configured correctly without any issue. However, the project dropdown list is unable to populate team project and same as build definition id dropdown list. The organization dropdown list is populated correctly. I do have team project administrator to the team project, and do have logic app contributor. I'm also able to get list of team project from this organization using REST-API. Here is an error I got:
Could not retrieve values. Error code: ‘Unauthorized’, Message: ‘TF400813: The user ‘573f1013-71ca-6a2f-ac35-ba1bef678b59’ is not authorized to access this resource.
Azure DevOps ActivityId: 0ba5ef8c-4ac4-4810-bf92-7835ca5bf444
Details: TF400813: The user ‘573f1013-71ca-6a2f-ac35-ba1bef678b59’ is not authorized to access this resource.
clientRequestId: eae306a3-f638-424b-96e5-579a70c9dcf7’. More diagnostic information: x-ms-client-request-id is ‘F6A975D5-74AA-41E3-9DCA-70A508139387’.
Error code: ‘Unauthorized’, Message: ‘TF400813: The user ‘573f1013-71ca-6a2f-ac35-ba1bef678b59’ is not authorized to access this resource. Azure DevOps ActivityId: 0ba5ef8c-4ac4-4810-bf92-7835ca5bf444
According to the error message, it may be that the account you signed in with in the Queue a build action has the wrong domain (AAD directory) selected.
You can try the following steps to sign in to the account again in the Queue a build action.
Here are the steps:
Step 1: Navigate to this user profile URL: https://aex.dev.azure.com/me?mkt=zh-CN&campaign=o~msft~old~vsts~profile
Then you can select the correct AAD directory.
Step 2: Sign in to Azure DevOps with your account in Azure Logic App again.
You need to check if the domain is correct.

Azure RBAC application-insights-component-contributor vs monitoring-contributor

I am trying to understand the overlap between two of those roles in Azure RBAC. It looks like monitor-contributor completely covers application-insights-component-contributor besides "Microsoft.Resources/deployments/*". Consider the following situation, where I am deploying web availability tests into an AppInsights resource and the deployment identity is a service principal which was already granted monitor-contributor permissions. Should I also grant this identity 'application-insights-component-contributor' to be able to create those resources, or is 'monitor contributor' good enough?
1 Edit
I am also deploying alert rules along with the tests, and those rules are implemented as an RM template. If the SP was granted monitoring-contributor only, it fails with
Error: requesting Validation for Template Deployment "app508-dfpg-dev3-diag-eastus2-backoffice-ai-test-dep" (Resource Group "app508-dfpg-ne-diag-eastus2"): resources.DeploymentsClient#Validate: Failure sending request: StatusCode=403 -- Original Error: Code="AuthorizationFailed" Message="The client '2c20abbf-e825-495c-9d06-90c5f04f9c60' with object id '2c20abbf-0000-0000-0000-90c5f04f9c60' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/subscriptions/s/resourcegroups/app508-dfpg-ne-diag-eastus2/providers/Microsoft.Resources/deployments/app508-dfpg-dev3-diag-eastus2-backoffice-ai-test-dep' or the scope is invalid. If access was recently granted, please refresh your credentials."
No need to give the Application Insights Component Contributor role; the Monitoring Contributor role is enough. When you are deploying the web availability tests, you just need the Microsoft.Insights/webtests/* action permission, which is already included in Monitoring Contributor.
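An added example, not part of the original question or answer: it parses an AuthorizationFailed message like the ones quoted on this page and checks the denied action against role Actions/NotActions wildcard patterns, which is how Azure RBAC decides coverage. The ROLES table is a constructed subset holding only the actions named in this thread (an assumption, not the full built-in definitions), and the function names are hypothetical.

```python
import re

# Constructed subset: only the actions this thread names, NOT full role definitions.
ROLES = {
    "Monitoring Contributor": {
        "actions": ["Microsoft.Insights/webtests/*"], "not_actions": []},
    "Application Insights Component Contributor": {
        "actions": ["Microsoft.Insights/webtests/*",
                    "Microsoft.Resources/deployments/*"], "not_actions": []},
}

DENIED_RE = re.compile(
    r"The client '(?P<client>[^']*)' with object id '(?P<object_id>[^']*)' "
    r"does not have authorization to perform action '(?P<action>[^']*)' "
    r"over scope '(?P<scope>[^']*)'")

def parse_denial(message):
    """Return client, object_id, action and scope, or None if not a denial."""
    m = DENIED_RE.search(message)
    return m.groupdict() if m else None

def _matches(pattern, action):
    # RBAC patterns: '*' matches any run of characters; comparison ignores case.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None

def role_allows(role, action):
    """Allowed when some Actions pattern matches and no NotActions pattern does."""
    granted = any(_matches(p, action) for p in role["actions"])
    excluded = any(_matches(p, action) for p in role["not_actions"])
    return granted and not excluded

def roles_covering(message, roles=ROLES):
    """Parse a denial and list the roles (by name) that would allow its action."""
    denial = parse_denial(message)
    if denial is None:
        raise ValueError("not an AuthorizationFailed message")
    names = sorted(n for n, r in roles.items() if role_allows(r, denial["action"]))
    return denial, names

# Constructed sample with placeholder ids; the action is the one quoted above.
SAMPLE = ("The client '<client-id>' with object id '<object-id>' does not have "
          "authorization to perform action "
          "'Microsoft.Resources/deployments/validate/action' over scope "
          "'/subscriptions/<sub>/resourcegroups/<rg>/providers/"
          "Microsoft.Resources/deployments/<deployment>' or the scope is invalid.")

if __name__ == "__main__":
    denial, names = roles_covering(SAMPLE)
    print(denial["action"], "->", names or "no listed role covers this action")
```

To check real assignments, replace the ROLES entries with the Actions and NotActions arrays from the role definitions in your own tenant.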

#Azure tenant problem in local jupyter notebook server

I have upgraded my subscription from "Azure for Students" to "Pay as you go", but when I try to create a workspace using a local Jupyter notebook server I am getting a user error which says "You are currently logged-in to ... tenant you don't have access to .... subscription, please check if it is in this tenant." I was able to create my workspace using the Azure portal, but I want to create my workspace using the local Jupyter notebook server. How do I fix that error?
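I had the same issue and found out that Azure ML was using my default tenant. I had to specify the tenant ID I want to use.
from azureml.core import Workspace
from azureml.core.authentication import InteractiveLoginAuthentication

# Authenticate against the intended tenant instead of the account's default one
interactive_auth = InteractiveLoginAuthentication(tenant_id="my-tenant-id")
ws = Workspace(subscription_id="my-subscription-id",
               resource_group="my-resource-group",
               workspace_name="my-workspace",
               auth=interactive_auth)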
This issue usually occurs if you selected the wrong directory, or your account doesn't have sufficient permissions. To fix this issue, first ensure that you have selected the correct directory and have your resources in that directory by clicking your account at the top right.
If you still see that message, make sure that you have the Owner role assigned to your account by going to All Services > Subscriptions > your subscription that you want access to > Access control (IAM) > Role assignments > Add > Add role assignment.
Refer to the guide for reference.
