error message
When trying to run a cron job, my developer keeps receiving the attached message. The only way I can avoid this is to grant 'owner' permission, which is not ideal.
Which specific permission is required?
Current permissions shown here
Afternoon all
Trying to get a logic app to run a query on a log analytics workspace and email the results on a weekly basis. Created a service principal, and have given it Reader access at Subscriptions level and I'm allowed to create the connection, but when I try to populate the drop down in Designer, it's throwing with an error:
Could not retrieve values. Error executing the api '/listSubscriptions'. Client request id: 'undefined'
As seen here: https://imgur.com/a/CDp1g6L
I was following this guide, and it's failing to populate those list boxes:
https://thomasthornton.cloud/2020/11/09/log-analytics-queries-to-csv-emailed-using-azure-logic-apps
Tried temporarily giving it permissions as subscription Owner, same deal. Also the same error with the logic app's own System Managed Identity. Got it to work in a different subscription by using my global admin ID, but I don't want to do that as it's of course dependent on that account and it's way too privileged.
I also tried editing in the correct values in code view, just in case it was only some enumeration error, but the test run fails with:
"Message": "Failed to get valid request parameters. Authorization Error
In my other subscription, I also tried giving the account permissions at the root Tenant level, in case it was purely unable to evaluate all subscriptions, but no joy, same error when using Managed Identities or Service Principals.
I'm at a loss. Any ideas?
I am trying to update an Azure Active Directory Application but I get the error message "Insufficient privileges to complete the operation" as shown below. I have full admin access and I have given the API both delegated and application permissions as shown below, and the user administrator role as well. I have done a search on permissions and roles but still can't get it working.
Here is a screenshot of my permissions configurations.
When you run the Microsoft Graph PowerShell Get-MgApplication, you need to log in with a command like the one below, including the Application.Read.All delegated permission.
Connect-Graph -Scopes "User.Read","Application.Read.All"
It will open a window; then you need to enter the code to authenticate, select the account which is the Global admin, select the Consent on behalf of your organization option, and click Accept like below.
After login, run Get-MgApplication; it will work fine.
In addition, the Microsoft Graph PowerShell commands actually call different Graph APIs; to run different commands, you need to Connect-Graph with different permissions, e.g. if you want to run Update-MgApplication, you need to add Application.ReadWrite.All; to run Get-MgGroup, you need to add Group.Read.All.
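An added example (not part of the answer above and not Microsoft's code) that checks, before a Graph PowerShell cmdlet is run, whether the signed-in session already holds one of the delegated scopes the SDK lists for it, so scopes can be requested per task rather than broadly. The function name Test-GraphScopeForCommand is hypothetical; the code assumes the Microsoft.Graph.Authentication module, uses Connect-MgGraph (the SDK's current name for the Connect-Graph shown above), and treats the permissions returned by Find-MgGraphCommand as alternatives, any one of which is enough.

```powershell
# Added example; Test-GraphScopeForCommand is a hypothetical helper name.
# Assumes the Microsoft.Graph.Authentication module is installed.
function Test-GraphScopeForCommand {
    param(
        [Parameter(Mandatory)] [string] $Command
    )

    $context = Get-MgContext
    if (-not $context) { throw 'Not connected. Run Connect-MgGraph first.' }

    # Permissions the SDK metadata lists for this cmdlet (all API versions
    # and variants), de-duplicated. Assumption: any one of them suffices.
    $accepted = @(Find-MgGraphCommand -Command $Command |
        ForEach-Object { $_.Permissions.Name } |
        Where-Object { $_ } |
        Sort-Object -Unique)

    # Scopes consented for the current session that match one of them.
    $held = @($accepted | Where-Object { $context.Scopes -contains $_ })

    [pscustomobject]@{
        Command        = $Command
        AcceptedScopes = $accepted
        HeldScopes     = $held
        ScopeHeld      = $held.Count -gt 0
    }
}

# Sign in with read-only scopes, then see which cmdlets that session covers.
Connect-MgGraph -Scopes 'User.Read', 'Application.Read.All'

'Get-MgApplication', 'Update-MgApplication', 'Get-MgGroup' |
    ForEach-Object { Test-GraphScopeForCommand -Command $_ } |
    Format-Table Command, ScopeHeld, HeldScopes -AutoSize
```

A true ScopeHeld only means the token carries a matching scope; the signed-in account's directory role must still allow the operation.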
I need to schedule two cloud functions to run at a predefined time using Cloud Scheduler. However, when I click on the Cloud Scheduler tab it shows the below error message.
You don't have permission to enable Cloud Scheduler (appengine.applications.create, serviceusage.services.enable)
So I asked the project owner to grant me access to the below roles:
Cloud Scheduler admin
AppEngine Admin
Service Usage Admin
However, even after this I'm still getting the same message as before.
Below are the current roles that I have access to:
App Engine Admin
BigQuery Data Viewer
BigQuery User
Cloud Scheduler Admin
Cloud SQL Admin
Editor
Service Usage Admin
Storage Admin
Kindly let me know if I'm missing something here.
You don't need to be the project Owner.
You need these permissions:
appengine.applications.create
serviceusage.services.enable
Predefined roles for first permission:
roles/owner
roles/appengine.appCreator
Predefined roles for second permission:
roles/owner
roles/editor
roles/serviceusage.serviceUsageAdmin
Since you already are an Editor, you only need to request App Engine Creator role for the first permission.
For you to be able to perform the configuration of Cloud Scheduler, you need to be the Project Owner.
Could you please give it a try asking your administrator to make you the Project Owner?
Understanding roles
This should fix your issue and solve your case. In case it doesn't, let me know if you are facing the same error.
Please, let me know if it worked!
If you are using a target HTTP Method in your Cloud Scheduler, you can add an Auth Header (Add OAuth token) with a particular or specific service account.
My program (C:\Program Files\MyApp\Myprog) starts with Windows startup; at device insertion Myprog.exe invokes another program (C:\Windows\comp.exe). This process works fine in the admin account in which I install the program, but Myprog.exe is unable to invoke comp.exe when the user's account is changed. I want (C:\Windows\comp.exe) to be invoked in each type of account, e.g. admin group accounts and non-admin accounts. Please help.
You have to add more information. Is it possible that the invoked program has to be run as administrator because what it has to accomplish needs elevated permissions?
My issue is two-fold:
1. Need a user account to write to inetpub/wwwroot that isn't in the IIS_WPG Group
2. Change the DefaultAppPool account to specified user account in #1
We cannot have anonymous HTTP writing to Server A from Server B from the default anon user account Windows reads from, hence for #2. And due to said server permissions, we cannot have Group IIS_WPG do any writing to inetpub/wwwroot either.
I created a new user account, but it isn't associated to any groups. Then, I added this user to the DefaultAppPool Identity instead of using Network Service. Then, under Inetpub/wwwroot I gave read/write permissions to this user account. Then I restart w3svc.
I am getting a Service Unavailable error now when I try to view any web page with this error in the logs: A failure was encountered while launching the process serving application pool 'DefaultAppPool'. The application pool has been disabled.
Note: I am not a Windows admin by any means, so what I'm doing is based off of any articles I can find and trusting their accuracy 100%.
The whole point of the IIS_WPG group is to have a pre-set grouping of the permissions required to run an application pool. So the best case is going to be creating your new user but then just adding that user to the IIS_WPG group.
If you can't do that, then I believe you have to explicitly give your new user the same permission set that IIS_WPG has already. Which can be found here: http://support.microsoft.com/kb/812614