A few of us at my company would like to start using Azure, however.. we are not quite sure of how to set it up..
We would like to have one person administrating the subscription then share that subscription between three other azure accounts.
I read something regarding subscription administrators and co-administrators that sounds to fit my needs for this.
However..
One thing that I cant quite figure out.. is how do we "share"/grant access to multiple websites between our accounts?
Lets setup an scenario..
User 1 creates a website thats hosted in Azure, since User 1 will be on vacation for multiple months, and wont be able to access the azure portal User 2 needs access to this site for maintaining it.
Either User 1 could give User 2 all his credential info for logging into User 1 Azure account, or is there anyway to "share" the created website so two accounts can administrate and maintain the same website?
Any ideas?
Br,
Inx
You just need to give permission for other users to access your subscription and that's it. Once they log into Azure they will see their subscription (if any) and yours to select from (top bar).
Add a co-administrator to an Azure subscription
https://msdn.microsoft.com/en-us/library/azure/gg456328.aspx
Related
Days ago I onboarded a customer using Service Principal with an ARM template in our blob storage, then the client went to this URL:
https://portal.azure.com/#create/Microsoft.Template/uri/{Blob Url}, accepted us as their resource manager, and we could make connections and go-to resources but via PowerShell, why it doesn't show to us in our Azure Lighthouse Customers page?
I can work with the resources, make deployments, and such but doesn't show in the list, I want to know if it is because we need to be gold competency or an expert MSP because we don't want to make a public offer in the market, we just want to manage certain customers.
It should be displayed there. No special conditions are required such as the ones you've mentioned. Are you definitely signed in to your own partner/MSP tenant with an account that has delegated access to the customers? Does anything show up under delegations within the Azure Lighthouse section?
If you have access to the customer tenant, does your company show up under Service Providers within Azure Lighthouse on the Azure portal?
Case closed, the Service Principal itself doesn't have the privileges on the service provider's tenant to make your user a reader. So the solution for this was:
Remove the offer in the customer tenant.
Add new authorization in the ARM template for a user/group with "Reader" built-in role id. (In our case, we decided to use an AD group because people in the organization is temporary)
Upload the new ARM template and re-onboarded the client.
After a couple of hours, the client's subscription showed in the subscription list in the section: Directories + subscriptions, checked it, and saw all the resources from the service provider's tenant.
I found a solution for this issue.
The Azure Lighthouse->My customers list on the azure portal only shows subscriptions activated in the global directories and subscription filter.
Please go to the global directories and subscriptions filter (in the portal top navigation) and open the drop downs for directories and for subscriptions and check, if your customer subscription appears here.
If yes, select all entries in both drop downs.
After that go back to Azure Lighthouse->My customers
and check, if the customer subscription appears now.
I have an application in Azure that's listed under 'App registrations' -> 'Applications from personal account' that I would like to move to a directory so other users in the company can manage it.
There's an info message that has this to say about personal account applications:
These applications are associated with the account xxxxxxxxxxxxx but
are not contained within any directory. They are shown here so you
can manage them, but will not be available to other users or admins in
this directory.
Is there any way to move it? I haven't been able to find any info on this, and seeing as it's in use in the wild by thousands of users I would prefer not to create a new one and have them re-authorize.
I have confirmed this with Azure support engineer. The answer is no. Here is the reply. Hope it helps.
Your applications were created in converged app portal by your
Microsoft account. After lab tested, the Apps owner cannot be changed
to a work account because the MSA account is not contained within any
AAD. The workaround would be re-create it in the new tenant for your
application.
In my azure account I have 2 directories, lets call them directory A and B.
With some recent changes I need to switch a app service from a subscription in directory A to a subscription that is on directory B.
Is this possible to achieve, and if it is how?
EDIT 1
As directory I mean the directory that you can see in the image below:
EDIT 2
Since It seems that I have mislead people I will try to explain what i want to achieve with images.
I want to move the App Service from the App Service Plan in the directory A as you can see in here:
to the App Service Plan in the directory B that you can see in here:
It looks like you want to move resources between subscriptions. It is possible to do this but there are a few restictions and rules around what you can do.
You can definitely move an App Service between subscriptions. However, in your case, as the subscriptions in question exist in different AD tenants, you will need to change the tenant of one of the subscriptions. You can only do this if you are a Service Administrator and signed in using a Microsoft i.e non organizational account.
Check this reference document from Microsoft, it explains in detail how the transfer process works.
I think we might need some additional information, since it seems that the terms we're using are sometimes equivocal. Microsoft Azure subscriptions are not associated to Azure Active Directories, but to an Service Account. You can add how many Azure ADs you want to an Azure subscription, but the Azure subscription itself will be managed by the service account (which is not necessarily member of a certain Azure AD).
Further, only the service administrator can manage Azure resources, like VMs, App Services and so on. Azure AD admins can only manage identity aspects that define identity life cycles within that specific Azure AD. The service admin could add a co-admin a user from the default Azure AD and that user would then also be able to manage Azure resources, like App Services and so on.
So the Azure App Service is tied to a Azure subscription that is managed by a service account, not by the Azure AD. Please check the official documentation on this topic. Also please clarify exactly what you would like to do.
Ive created a website in Azure and I want to allow users to login and use the app, but im slightly confused by azure active directory access. I want users to only have acces to the web app, not to the portal. Users will be from within my organisation and from outside it so its vitally important that access is locked down, If a user somehow ends up at the azure portal they must not be able to access it. If I set users up in our active directory, wont they be able to login to the azure portal too ? I want to take advantage of authentication as a service and hand over authentication and multi factor authentication to azure but everytjhing Ive read so far seems to suggest If i use azure active directory, users will be able to acess the Azure portal too, is this correct or am i misinterpreting the information ? Are there any step by step guides available for these sorts of scenarios ?
If i use azure active directory, users will be able to acess the Azure
portal too, is this correct or am i misinterpreting the information ?
No, your users will not have access to Azure Portal (rather Azure Subscription as Azure Portal is an application using which a user manages one or more Azure Subscriptions) unless you grant them permission to access it. In order for your users to have access to Azure Portal, you would need to grant them permissions explicitly to do so. In the new portal, you do it by assigning roles (e.g. Owner, Contributor, Reader etc.) and in the old portal you do it by making them co-administrators.
Unless you do this, when they login into Azure Portal all they will see is a message stating no Azure Subscriptions were found.
I'm a developer that has an Azure account for my own dev stuff. I log into my dev account using me#hotmail.com.
Next, I set up a client with their own Azure account, then invited myself via me#hotmail.com and set myself as a co-administrator for the client's subscription. When I subsequently log into Azure using me#hotmail.com, I only see my own subscriptions/resources, etc.
Is there a way that I can log into Azure, using me#hotmail.com, and have access to both my dev stuff as well as my client's subscription from within the portal (specifically portal.azure.com).
Not sure if this is supported or if I'm doing something wrong. Thanks
You can only view subscriptions for a single directory at a time.
If you click your name in the top right corner of the portal you can select which directory you want to work from.
There is a suggestion on the Azure feedback site to add the ability to view subscriptions from all directories: http://feedback.azure.com/forums/223579-azure-preview-portal/suggestions/4761959-manage-subscriptions-across-all-available-director