I am new to Azure and want to understand, who define and setup developer roles.
Ideally what roles developer teams should have to start ?
Who defines and assign these roles to developer ?
Is it something similar like we define NetOps, Secops, AppDevOps,PlatformOps team ?
Any help is appreciated.
Related
can anyone tell what "Roles and administrators" under App Registration (as well as Enterprise Application) is there for?
Seems that it always has "Cloud Application Administrator", but this role is NOT assigned to the service principal. I didn't find any documentation about it, maybe I'm missing something here.
Thank you!
Well, after searching/debugging for hours it seems that I just solved it a few minutes later when searching for a slightly different thing:
Role assignments at the organization-wide scope are added to and can
be seen in the list of single application role assignments.
Role assignments at the single application scope aren't added to and
can't be seen in the list of organization-wide scoped assignments.
So the Cloud Application Administrator is scoped to this app registration only. This also explains why I wasn't able to create SP's with this service principal (since it would need the organisation-wide assignment)
https://learn.microsoft.com/en-us/azure/active-directory/roles/view-assignments
User needs to have read only access to two subscriptions, so added user to the Access
Control for both subscriptions and gave them the built in role [Readers]. Basically I want the user to be able to view Application Insights but not to create, delete, update anything else.
The user reported that they could not AI and instead saw this.
Digging into this error I got this documentation from MS.
The pertinent information is:
These items require write access to the whole Resource group that contains your website:
TLS/SSL Certificates and bindings (TLS/SSL certificates can be shared between sites in the same resource group and geo-location)
Alert rules
Autoscale settings
Application insights components
Web tests
I think the best way to proceed is to create a role that is the same as the built in Reader, and then assign write rights to Application Insights, add this role to the user, and remove the built-in reader. I am knew to Azure and would appreciate any advice or recommendation.
Try to grant the user with both Reader and Application Insights Component Contributor roles. For full list of built-in roles, see Azure built-in roles.
How about this role https://learn.microsoft.com/en-us/azure/azure-monitor/roles-permissions-security#monitoring-reader
It allows for:
- Access Application Insights data and view data in Application Insights Analytics.
Let me know if you've found some other solution.
I have somewhat similar task: provide user with readonly access to Application Insights, but without using Contributor role or custom roles.
Is any way I can create a dynamic Azure AD group with service principals as dynamic members? I can only select users which is quite frustrating.
Currently, it is impossible.
Please refer to this feedback. If you really need this, you could vote up this feedback.
I need to assign publish permission to one of my developers so that he should be able to publish to only one cloud service & do not affect others.
Azure websites have these concepts called download publishing profile.
I could not find anything similar for cloud service. Can it be
achieved?
As you know Azure Management Portal does not have any role defined where we could map a user account login to manage a set of resources (say cloud service 1 & 2)
It is not possible as of today. It seems that it should be possible with Resource Groups and Role Based Access Control (RBAC) however currently cloud services can't be added in resource groups and assigned RBAC.
One way you could achieve this is have a custom application consuming Service Management API and implement your own RBAC in that application. However it is still a "hack" and not proper solution.
Why don't you try using "publish from source control"? When the developer checks in it will auto publish the code.
I believe the new portal will allow the creation of roles for publishing profiles; it already allows adding additional users to your organization; but to get what you want for now; publishing from source code should do the trick.
I am trying to figure out how to create a windows azure active directory group and/or role from the web portal. Am I missing something obvious here or? I can create users, and assign them to the 2 built in roles, but how do I create a new role? or group?
Admittedly I haven't tried this yet, but the PowerShell extensions should be able to do this:
http://technet.microsoft.com/en-us/library/jj151815.aspx
Look under "Manage group and role membership" for details on the relevant commands.
I would also assume that the Graph API could handle it. I too was hoping that the Azure Management Portal would let us do it in their GUI.
Seems the way to add groups, etc is via the graph api or as suggested above by PS scripts. The graph api is amazingly powerful, albeit not as convenient as if this funcitonality lived within the Azure portal.
Basically you have 2 options:
create app roles and assign security groups to them (AAD Premium is
required)
enable security groups as claims (AAD Free is enough)
Follow this official manual: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps