Azure Sentinel RBAC permissions - azure

This is a question regarding the setup we have with our Azure Sentinel instance: it is only visible to the global admin that set it up and not to other global admins. So how do I, as the second global administrator, get to see the Azure Sentinel instance, Log Analytics workspace and resource group? At the moment I can only see the subscription.

A global admin does not necessarily have access to all Azure Subscriptions.
I guess Sentinel was created in a subscription your account does not have access to.
Ask your other global admin to add you to the subscription/resource group, or you can gain access this way:
https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin
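The procedure the linked page describes, written out in Azure PowerShell as an added example (this is not code from the original answer). It assumes the second global administrator is signed in, and the tenant ID, subscription ID and resource group name are placeholders to replace. The elevation gives the account User Access Administrator at the root scope "/", which is only the right to manage access; the Sentinel roles themselves are then assigned at the subscription and resource group, and the root-scope assignment is removed again so it does not linger on a Global Administrator account.

```powershell
# Added example, not part of the original answer. Run as the *second* Global Administrator.
# Tenant, subscription and resource group values are assumed placeholders.
$TenantId       = '00000000-0000-0000-0000-000000000000'   # assumed tenant
$SubscriptionId = '11111111-1111-1111-1111-111111111111'   # assumed subscription holding Sentinel
$ResourceGroup  = 'rg-sentinel'                            # assumed resource group of the workspace

Connect-AzAccount -TenantId $TenantId | Out-Null
$Me = (Get-AzContext).Account.Id                           # UPN of the signed-in admin

# 1. Elevate: the same REST call the linked docs describe. It grants the signed-in
#    Global Administrator 'User Access Administrator' at root scope "/" and nothing else.
Invoke-AzRestMethod -Method POST `
    -Path '/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01'

# 2. Confirm the root-scope assignment exists before relying on it.
Get-AzRoleAssignment -SignInName $Me -Scope '/' |
    Where-Object RoleDefinitionName -eq 'User Access Administrator'

# 3. Grant yourself roles at the narrowest useful scope: Reader on the subscription makes its
#    resources visible in the portal; Microsoft Sentinel Contributor on the resource group lets
#    you work in Sentinel without Owner or Contributor across the whole subscription.
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
New-AzRoleAssignment -SignInName $Me -RoleDefinitionName 'Reader' `
    -Scope "/subscriptions/$SubscriptionId"
New-AzRoleAssignment -SignInName $Me -RoleDefinitionName 'Microsoft Sentinel Contributor' `
    -ResourceGroupName $ResourceGroup

# 4. Remove the elevated root assignment again. User Access Administrator at "/" on a
#    Global Administrator account is a standing privilege that should not persist.
Remove-AzRoleAssignment -SignInName $Me -RoleDefinitionName 'User Access Administrator' -Scope '/'

# 5. Verify what you now hold. New assignments can take up to 30 minutes to be honoured,
#    and signing out and back in refreshes the token the portal uses.
Get-AzRoleAssignment -SignInName $Me -Scope "/subscriptions/$SubscriptionId" |
    Select-Object RoleDefinitionName, Scope
```

If the portal still shows only the subscription after this, the role-assignment cache is the usual reason; the next thread on this page covers that.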

Related

Can't access resource group in Azure, while having Contributor role for it

I've been given access to a resource group in Azure, but still get a 401 page when trying to access it or any resource in that resource group. I have the role assigned to me only on a resource group, not the subscription (maybe this can be the reason?)
Type of my user: Guest
Role for a resource group: Contributor
The Contributor role gives full access, except the ability to assign roles to other users.
Also, according to the docs:
Guests can be added to administrator roles, which grant them full read and write permissions
What can be the problem?
This is the page I get when trying to access the resource group or any of its resources:
Azure Resource Manager sometimes caches configurations and data to improve performance. When you assign roles or remove role assignments, it can take up to 30 minutes for changes to take effect. If you are using the Azure portal, Azure PowerShell, or Azure CLI, you can force a refresh of your role assignment changes by signing out and signing in. If you are making role assignment changes with REST API calls, you can force a refresh by refreshing your access token.
Source: Troubleshoot Azure RBAC - Role assignment changes are not being detected
Another option would be to visit the preview portal. Since this is a different website, you will get a new token which reflects the latest state.

Insufficient privileges executing Azure function cmdlet Get-AzADAppCredential

I'm working on an Azure function that tries to get and update a client secret for an Azure app registration. The function runs as a managed identity and tries to execute the Azure PowerShell cmdlets New-AzADAppCredential, Remove-AzADAppCredential and Get-AzADAppCredential.
But upon execution I'm getting the error "Insufficient privileges to complete the operation".
I tried assigning my function the Contributor role under Azure role assignments, and I also tried giving the delegated permission Directory.ReadWrite.All for the app registration that the function is trying to access. However, I'm still seeing the same error.
I would like to know what permissions are necessary for a managed identity Azure function to be able to manage an app registration's client secrets.
Thanks!
The RBAC roles are used to manage resources in Azure subscriptions; in this case, what you need is a permission in Azure AD, not in the subscription.
To fix the issue, the easiest way is to give the Application Administrator role to your managed identity.
Navigate to the Azure portal -> Azure Active Directory -> Roles and administrators -> Application Administrator -> add the managed identity to the role like below.
The Contributor role allows the assignee to manage and access the resource, but as you have discovered that does not include managing access. Similarly, Directory.ReadWrite.All is for user data, not RBAC. There are two roles for RBAC: Owner and User Access Administrator. Owner is Contributor and UA Admin combined, while UA Admin alone only allows access control.
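The directory-role assignment the first answer describes through the portal, as an added example in Microsoft Graph PowerShell (not code from the original answers). The function app name is an assumed placeholder; the role definition ID is the well-known template ID of the built-in Application Administrator role. A system-assigned managed identity is a service principal whose display name equals the resource name, which is how the script finds it.

```powershell
# Added example, not from the original answers. Assigns the Azure AD 'Application Administrator'
# directory role to a Function App's system-assigned managed identity.
# $FunctionAppName is an assumed placeholder for this illustration.
$FunctionAppName    = 'func-secret-rotator'                       # assumed
$AppAdminTemplateId = '9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3'      # built-in Application Administrator

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory','Application.Read.All' | Out-Null

# The managed identity's service principal carries the resource's name.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$FunctionAppName'"
if (-not $sp) { throw "No service principal named $FunctionAppName; is the managed identity enabled?" }

# Directory roles are separate from Azure RBAC: Contributor on the subscription says nothing
# about what the identity may do in Azure AD, and a *delegated* Graph scope such as
# Directory.ReadWrite.All only applies when a signed-in user is present, never to an
# unattended managed identity.
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $sp.Id `
    -RoleDefinitionId $AppAdminTemplateId -DirectoryScopeId '/'

# Verify the assignment landed on the service principal.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

One caveat a practitioner will want: Application Administrator lets the identity manage credentials on every application in the tenant, not only the one the function rotates. If the function only ever touches one app registration, a narrower alternative (not part of the original answers) is to make the managed identity an owner of that app and grant it the Application.ReadWrite.OwnedBy Graph application permission instead of a tenant-wide directory role.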

Not able to create AKS with role assignment write for subnet and ACR registry in Azure Cloud

I am trying to create an Azure Kubernetes Service (AKS) cluster with a previously created virtual network (VNet) and container registry (ACR).
I am getting the errors below.
My user ID does not have sufficient permissions to perform this action. Only with basic network settings and no ACR binding can I create the AKS cluster.
Which role, at the Active Directory (AD) level and at the subscription level, should my user ID have to create this AKS service?
You don't need any permissions at the Azure AD level for this to work, but you need the Microsoft.Authorization/roleAssignments/write permission on the adequate scopes to be able to assign permissions. The built-in Owner role grants that. Otherwise, create a custom role and assign that to your user.
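The custom-role route the answer mentions, as an added Azure PowerShell example (not code from the original answer). It defines a role that holds only the role-assignment read and write actions, makes it assignable within the resource groups holding the VNet and the registry, and assigns it to the user at the subnet and ACR scopes, which are the two places the AKS cluster identity needs Network Contributor and AcrPull granted. All IDs and names are assumed placeholders.

```powershell
# Added example, not from the original answer. Placeholders below are assumed values.
$SubscriptionId = '11111111-1111-1111-1111-111111111111'
$VnetRg     = 'rg-network'
$VnetName   = 'vnet-aks'
$SubnetName = 'snet-aks'
$AcrRg      = 'rg-registry'
$AcrName    = 'acraks'
$UserUpn    = 'dev@contoso.example'

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
$subnetId = "/subscriptions/$SubscriptionId/resourceGroups/$VnetRg/providers/Microsoft.Network/virtualNetworks/$VnetName/subnets/$SubnetName"
$acrId    = "/subscriptions/$SubscriptionId/resourceGroups/$AcrRg/providers/Microsoft.ContainerRegistry/registries/$AcrName"

# Clone a built-in role to get an object of the right shape, then replace its contents.
$role = Get-AzRoleDefinition -Name 'Reader'
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = 'AKS Access Grantor'
$role.Description = 'Can read and create role assignments; nothing else.'
$role.Actions.Clear()
$role.Actions.Add('Microsoft.Authorization/roleAssignments/read')   # read added so the user can verify
$role.Actions.Add('Microsoft.Authorization/roleAssignments/write')  # the action the answer names
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$SubscriptionId/resourceGroups/$VnetRg")
$role.AssignableScopes.Add("/subscriptions/$SubscriptionId/resourceGroups/$AcrRg")
New-AzRoleDefinition -Role $role

# Assign at the two resource scopes only, not the subscription.
New-AzRoleAssignment -SignInName $UserUpn -RoleDefinitionName 'AKS Access Grantor' -Scope $subnetId
New-AzRoleAssignment -SignInName $UserUpn -RoleDefinitionName 'AKS Access Grantor' -Scope $acrId

# Check what the user now holds at those scopes.
Get-AzRoleAssignment -SignInName $UserUpn |
    Where-Object RoleDefinitionName -eq 'AKS Access Grantor' |
    Select-Object RoleDefinitionName, Scope
```

Treat roleAssignments/write as Owner-equivalent wherever it is held: with it the user can assign any role, including Owner, at that scope. Keeping the assignable scopes to the two resource groups and the assignments to the two resources limits that, and the assignment can be removed once the cluster is created and its identity has been granted its roles.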

How to move azure linked VSTS/DevOps to another account/azure subscription

I'm trying to move a VSTS/DevOps instance from one Azure environment to another. Is this possible, and if it is, how do I do this?
So for example Azure environment "A" owned by me has resource group "mydevops" with "devops" instance.
I want to move this to Azure environment "B" which is owned by a different person/account perhaps if needed including resource group.
You need the following permissions to link and unlink an Azure subscription:
Project Collection Administrator or organization owner permissions
The Owner or Contributor role on your Azure subscription
So you need to have the Owner or Contributor role on both Azure A and Azure B to do this. Otherwise, you need to add Azure B's owner to your Azure DevOps account, give him PCA permission and ask him to link the subscription.

User with global admin, cannot view Application or Resource grp in Azure

I'm a global administrator of my Azure tenant and gave Global Admin rights to others so they can manage the Azure tenant.
However, they can't view any of the services already provisioned in Azure.
For Example, cannot view:
a) Resource group
b) Enterprise Applications
Please suggest what more shall I do to resolve the issue?
This issue may be caused by the fact that you haven't been assigned a subscription.
Try to find whether there are subscriptions in your Azure account (type "subscription" in the search box in the Azure portal).
If you don't have any subscription, try to contact the owner and have them add your account as Owner or another role (go to Subscriptions > choose a subscription > Access control > Add). The steps look like this:
