I'm trying to set up data in space for mobile.
In my Azure Portal, I have created a Spatial Anchors resource group.
I have given myself Owner role permissions for the resource group:
In the Power BI tenant, I'm the administrator and I log in with the same account.
But, I can't connect to Azure from Power BI Service:
Can anyone help?
The solution I found was to create a Management Group in Azure and delete it again.
I wasted an awful amount of time to fix this, and have no idea why it now works, but wasn't working before...
Just in case anyone bumps into this.
Related
I have two app registrations for two different projects in Azure Active Directory. I also created two Power BI Embedded instances. I only have access to a single subscription in this account. Is there a way to assign a single instance for each app?
In the PBI Embedded capacity resources in Azure, you can add/remove users/SPNs (apps) as PBI capacity Administrator.
PBI capacity Admin gives you the ability to assign that PBI capacity to a workspace.
E.g., if you are given the capacity admin, then you can assign that capacity to any workspace in which you are part of the admin. You can achieve the same thing for SPNs using REST APIs.
For more details on how to use the Capacity you can refer here
I have started using my free Azure account and I found out that I cannot create SQL Managed Instance. I get a cryptic error message telling me to change subscription or region, no clear information. The list of free services does not include SQL MI but it does not mean much. SQL Dedicated Pool or Synapse are also not listed but I tried to create them and the Portal does not complain yet even though I did not click the final Create button yet.
So SQL Managed Instances are only available on certain subscription types. See:
You probably have an Azure Trial subscription. If not, you might also want to check your region as there are region limitations as mentioned in the article above.
I would like to give our team members the necessary permissions to use the Query Performance Insight feature for an Azure SQL database, including the possibility to see the query text of long-running queries.
They already have "Reader" and "Monitoring Contributor" roles, so they can access the Query Performance Insight feature in the Azure Portal and see the IDs of long-running queries. However, when they click on a long-running query, they cannot see the query text. An error is shown indicating that "The connection timed out while running the query".
If I assigned them the "SQL DB Contributor" role, they would be able to use that feature, but they could then also change database settings such as the pricing tier, which I do not want.
Is there a role assignment that does what I need?
I think you will need to create an Azure Custom Role, as described in https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles .
You can start with Reader, and then include permissions you want, or start with SQL DB Contributor, and remove permissions you don't want. This will require experimentation.
From your subscription, create a new Custom Role:
Then from that role, you will add or exclude permissions:
Permissions that would be interesting to me would be:
List Query Store texts - for adding to a Reader
and Update Database - for excluding from a DB Contributor
Once that's done, you would go to the Access Control blade for the server that contains your database, and then add your users with that new custom role. Test, tweak, repeat until you have the security profile you want. Which role you use as your basis depends upon how close to a least-privilege security model you wish to adopt.
Edit: One possible way to figure out the permission to assign would be:
Scale the database up
Scale it back down
Go to the resource group, select your database, and Export Template
Inspect the JSON, which will be the ARM that was applied during the operation (you might need to look at multiple deployments to figure this out)
Once you find the operation, the provider in the JSON should give you a clue as to what to exclude from any roles you create.
Adding to #WaitingForGuacamole's answer: We ended up creating a custom role definition containing Microsoft.Sql/servers/databases/queryStore/write and Microsoft.Sql/servers/databases/topQueries/queryText/action. Assigning this custom role definition to team members who already had the Reader role on the Azure SQL Server then allowed them to view the query texts in Query Performance Insight.
The actual two permissions were provided to us by a very helpful Azure support engineer. YMMV, it might also work with just Microsoft.Sql/servers/databases/topQueries/queryText/action (in addition to the read permissions), as indicated by an Azure Docs GitHub issue. However, the support engineer was positive we'd also need the Microsoft.Sql/servers/databases/queryStore/write one and we didn't follow up by researching why.
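An added example, not part of the original answers: the custom role built from the two actions named above, together with a small evaluator showing that role assignments are additive, so a NotActions entry on one role does not block an operation that another assigned role grants. The role name, the placeholder subscription ID, the abbreviated contributor-style role and the use of Microsoft.Sql/servers/databases/write as the "Update Database" operation are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# Placeholder scope: substitute your own subscription ID.
SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Custom role carrying the two actions named in the answer above.
QUERY_TEXT_ROLE = {
    "Name": "Query Performance Insight Text Reader",  # hypothetical name
    "IsCustom": True,
    "Description": "View query text in Query Performance Insight.",
    "Actions": [
        "Microsoft.Sql/servers/databases/queryStore/write",
        "Microsoft.Sql/servers/databases/topQueries/queryText/action",
    ],
    "NotActions": [],
    "AssignableScopes": [SCOPE],
}

# Built-in Reader, and an abbreviated stand-in for a contributor-style role
# trimmed with NotActions (constructed for illustration).
READER = {"Actions": ["*/read"], "NotActions": []}
TRIMMED_CONTRIBUTOR = {
    "Actions": ["Microsoft.Sql/servers/databases/*"],
    "NotActions": ["Microsoft.Sql/servers/databases/write"],
}

# Assumption: this is the "Update Database" operation behind a tier change.
UPDATE_DB = "Microsoft.Sql/servers/databases/write"
QUERY_TEXT = "Microsoft.Sql/servers/databases/topQueries/queryText/action"


def role_allows(role, operation):
    """One role grants an operation if Actions match and NotActions do not."""
    op = operation.lower()
    hit = lambda patterns: any(fnmatchcase(op, p.lower()) for p in patterns)
    return hit(role["Actions"]) and not hit(role.get("NotActions", []))


def allowed(roles, operation):
    """Assignments are additive: any one role granting it is enough."""
    return any(role_allows(r, operation) for r in roles)


def role_json(role=QUERY_TEXT_ROLE):
    """JSON body in the shape `az role definition create` accepts."""
    return json.dumps(role, indent=2)
```

Save the output of role_json() to a file and pass it to `az role definition create --role-definition @<file>`; run allowed() over every role a user holds before assigning, since one broad assignment elsewhere overrides the trimming.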
We are in the process of implementing Sentinel with several data sources, what is the best way to do the RBAC?
You would just create the dashboard from Azure Sentinel and assign RBAC roles to it the same way you would with any other Resource in Azure.
The quickstart guide covers it:
To create a new dashboard from scratch, select Dashboards and then +New dashboard.
Select the subscription the dashboard is created in and give it a descriptive name. Each dashboard is an Azure resource like any other, and you can assign it roles (RBAC) to define and limit who can access.
To enable it to show up in your dashboards to pin visualizations to, you have to share it. Click Share and then Manage users.
Use the Check access and Role assignments as you would for any other Azure resource. For more information, see Share Azure dashboards by using RBAC.
Let me know if this helps.
There are two parts to this. The first is using RBAC to secure your Azure Sentinel. This document has more information on that:
https://learn.microsoft.com/en-us/azure/sentinel/roles
The second part is to secure the logs within your Log Analytics workspace. This will control what information those users that have access to your Azure Sentinel can see. So if you want only certain Security Analysts to see your O365 logs you can control it through table level RBAC in the logs.
https://techcommunity.microsoft.com/t5/Azure-Sentinel/Table-Level-RBAC-In-Azure-Sentinel/ba-p/965043
In my Azure environment I am often tinkering around, adding new services, scaling roles up and down, etc. The problem is that I am always unsure as to how I may have affected my monthly bill. I'm also scared of forgetting to kill services after I don't need them (for example, I mistakenly had a Reporting Service running for a few weeks - very expensive!).
I'm looking for an add-on or service which can give me a basic idea of how much money I am consuming in Azure. I don't need something complicated. A graph or two could be great (perhaps a burn down).
I found these but without luck:
Foglight for Azure: This didn't work for me. All my figures showed up as 0.
Active Cloud Monitoring: This has been removed from the Azure add-ons.
Does anyone know of such a solution?
Thank you for the question and the feedback. The new Azure portal, which is currently in public preview, does have this feature. You can try out the new portal at https://portal.azure.com/ . Once there, click on the Billing tab on the left of the screen, which should bring up a billing summary for all your subscriptions. Click on the subscription that you need to check, and that will show you the billing details for that subscription. Details include subscription status, days left, current charges, burn down, and a breakdown of current charges by resource.
Please try this out and send your feedback using the "Give feedback" link at the top of the new portal page. You will have to click on your account name to see the "Give feedback" option in the drop down.
If you are using "Enterprise Agreement" as a billing option, the Azure portal does not provide sufficient billing information.
You could use Microsoft Power BI to import the data from Azure and use it for reporting. In Power BI you can use the Content pack "Microsoft Azure Enterprise" and connect it to your subscription. You will need the Enrollment number for your Enterprise Agreement and an API key to access the data.
A detailed explanation can be found in this blog entry.