Why can't my User login to the azure portal? - azure

Background: I am trying to set up my Azure infrastructure to deploy my new web app. I am working with an external contractor cloud engineer and I only want her to be able to set up my cloud infrastructure.
Steps: I have 1 Subscription and 1 Resource Group. I have created a User in my organisation (so not a guest) in Azure AD - I will share these details with her.
I have put this new User inside a User Group and I have permissioned the User Group (as a Contributor) against my Resource Group. I have shared the username and password with her.
Problem: When she logs on to portal.azure.com she gets the message "Your sign-in was successful, but you don't have permission to access this resource."
Clearly I am missing something? I thought this was straightforward... alas
TIA.

Sometimes this may happen due to internal policies; make sure to recheck them once again.
After this, if you create a personal login detail separately, then it will work out.
Here is the reference for "Your sign-in was successful but you don't have permission to access this resource" for the same issue as above.
In case the user is a guest user, then the administrator of the guest tenant will delete your account from their tenant.
Here is the reference given by @Amanpreet Singh.
Common steps to be followed are as below:
After logging in to the Azure portal as an Admin,
go to Azure Active Directory,
select All services, then Azure AD Conditional Access.
Here you can select the restriction policy and/or make sure to recheck the Assignments from Users & Groups of the various permissions for your given user.

VPN....
I switched off my VPN and it then worked just fine. No idea why but it works and I can now log straight in to the portal
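An added example, not code from the question or from any answer above: a small model of how Azure RBAC resolves the setup the asker describes (user in a group, group assigned Contributor on one resource group), so the role-assignment side can be confirmed or ruled out when the portal shows "you don't have permission". Subscription and resource-group IDs, group and user names are all constructed.

```python
# Added example: models Azure RBAC scope inheritance for a group-based Contributor
# assignment. All IDs and names below are constructed placeholders, not real tenant data.
from dataclasses import dataclass

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"   # constructed subscription scope
RG = SUB + "/resourceGroups/webapp-rg"                        # constructed resource group scope

# Constructed group membership: group name -> set of member users (one level, as in the question).
GROUP_MEMBERS = {"cloud-engineers": {"contractor@example.com"}}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user or group the role is assigned to (display names, constructed)
    role: str       # built-in role name, e.g. "Contributor"
    scope: str      # ARM scope the assignment applies to


# Exactly what the asker configured: the group, not the user, holds Contributor on the RG.
ASSIGNMENTS = [RoleAssignment("cloud-engineers", "Contributor", RG)]


def principals_for(user: str) -> set[str]:
    """The user plus every group that lists the user as a member."""
    return {user} | {g for g, members in GROUP_MEMBERS.items() if user in members}


def scope_covers(assigned_scope: str, resource: str) -> bool:
    """Azure RBAC inherits downward: an assignment at an RG covers every resource under it,
    but never the subscription above it or a sibling resource group."""
    return resource == assigned_scope or resource.startswith(assigned_scope.rstrip("/") + "/")


def effective_roles(user: str, resource: str) -> set[str]:
    """Roles a user holds on a resource through direct or group assignments."""
    ps = principals_for(user)
    return {a.role for a in ASSIGNMENTS if a.principal in ps and scope_covers(a.scope, resource)}


def can_write(user: str, resource: str) -> bool:
    """Owner and Contributor are the built-in roles that permit write operations."""
    return bool(effective_roles(user, resource) & {"Owner", "Contributor"})


if __name__ == "__main__":
    site = RG + "/providers/Microsoft.Web/sites/myapp"          # constructed resource id
    print(can_write("contractor@example.com", site))            # True: inherited from the RG
    print(can_write("contractor@example.com", SUB))             # False: no role at subscription scope
```

If this check passes for the contractor but the portal still refuses access, the role assignment is not the cause; the answers above point at Conditional Access or network policy instead.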

Related

How to add users to Administrators group in new Azure API Management Developer Portal when only using Azure AD Identity?

I have an API Management instance running where users can log in using only Azure AD. There is a single Administrators account, but it is using the legacy User/Password Identity. I cannot remove the user. I want to assign a user from the Azure AD to the Administrators group, but I cannot figure out how.
I have followed these steps by Microsoft but they just seem to redirect me to the legacy portal (or the new Developer portal if I change the URL normally) with my default Administrators account logged in.
As far as I know, we can't add another user into the "Administrators" group.
The document you provided is used to log in another user (who is not an admin) as administrator. So the result page shows your default administrators account. The title "How do I add a user to the Administrators group?" of the document is not very accurate.

E-Mail requirement for connecting Azure DevOps to Azure AD

This link explains how to connect an Azure DevOps organization to Azure AD and indicates that, in order for users to keep their access, they should have the same e-mail in both the account from DevOps and the account from AD.
Now, I have this doubt:
If I have a user on DevOps with a MS Account (MSA) user@mydomain.com and a user on Azure AD user@mydomain.onmicrosoft.com (with NO custom domain set up, I have my custom domain running on GoDaddy for now), does this mean that all the work items created on DevOps with user@mydomain.com will be left "orphan"? What would be the outcome of doing this? And what would happen if I add my custom domain AFTER connecting DevOps to AAD?
If this user's MS Account is the same one that is added in AAD, you don't need to worry about the data.
Just connect the organization with this AAD, and log in with the previous MS Account (no need to change anything). The data can still be obtained.
"does this mean that all the work items created on DevOps with user@mydomain.com will be left "orphan"?"
This situation only occurs when the MS account is not the same as the account that is added in AAD. In that case, if the user wants to obtain and migrate the data from the previous account, they need to contact our engineer here, and we will help the user migrate the data from the backend.
Edit: This may have been caused by my unclear expression, which led to confusion.
In fact, adding an MSA into AAD is a normal operation for all user accounts. The only thing affected is the account that should be logged in to the Org after connecting AAD to the Org.
Here are two accounts: a@outlook.com (personal account), a@softcompany.com (work account).
Scenario: The account you usually use is a@outlook.com.
(1) If you add this account into AAD, you don't need to do anything like migrating data after connecting the org with AAD. Just keep logging in with this account and it is OK.
(2) If you add another account (a@softcompany.com) into AAD, you need to finish the data migration and identity transfer operation after connecting the org with AAD, if you want to retain the data history.
Note: these two accounts do not belong to any AAD before adding them into the new AAD; otherwise it will be a more complex operation. If you meet this, feel free to share it here, and I can share the detailed process with you about this complex situation.

Getting error AADSTS50020 when trying to run Azure Tailspin sample application

I am making my first steps with Azure, trying to figure out how difficult it would be to spin up a mISV business where I would sell subscriptions to my app running in Azure (SaaS model).
To that end, I am trying to run the Tailspin sample application following the instructions described here.
To run the application, at least two Azure Active Directories are needed. One AD belongs to the fictitious Tailspin software provider (in this case, me). The Tailspin Web application and the accompanying WebAPI are registered in this directory. The other AD belongs to a customer (in this case, again me). Customers sign up for the application.
I have a single Azure subscription, so I was forced to set things up like this:
I have registered the Tailspin Web application and WebAPI in my Default AD. (I guess I could have created a specific AD for this purpose, but it was not strictly necessary.) The app and the API had to be created in this AD because they consume resources, and resources require a subscription. Putting the app and the API in a separate AD would require a separate Azure subscription.
I have marked both the Web app and the API as Multi-tenant (so that they can appear in other ADs after customer sign-up).
I have created another AD called TailspinClient1 (the name is not important), with the idea to use it as a "customer" AD.
In TailspinClient1 AD I have created a guest user using one of my external email addresses. I could not create a regular AD user because creating regular users requires having a validated web domain and I did not want to go through validation at this point.
I have made sure that my guest user is every bit as much of an admin user as a regular one:
In User Settings for the TailspinClient1 AD, "Users can register applications" is set to Yes (default)
In "Manage external collaboration settings", "Guest users permissions are limited" is set to No
My guest user has administrative directory roles (specifically, "Global administrator" and "Application administrator")
To summarize, I ended up having two ADs in a single Azure subscription: the Default AD with the multi-tenant-enabled Tailspin app/API in it, and the TailspinClient1 AD with an admin user (albeit external).
I am running the Tailspin application locally.
When I try to sign up to the application as the admin user from the TailspinClient1 AD, I am getting the following error message after I (successfully) authenticate myself:
AADSTS50020: User account <my TailspinClient1 admin user> from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application <GUID of my Tailspin Web app> in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
That message would have made sense had I forgotten to mark my Tailspin app/API as Multi-tenant, which I did not.
What am I missing here? Is this particular setup supported at all? Do I need to establish trust between those two ADs somehow?
Any help is appreciated.

Azure AD Access

I just started working with Azure Active Directory and I have one simple query.
I have a customer who is the admin of an Azure subscription. Now, if he wants to give access to another user who will be tasked with creating and managing Azure Active Directory (like adding/deleting users, providing access to other applications), what level of role/permission needs to be assigned to this user?
Please let me know the steps for doing this from the portal, or please share any reference link.
For just user management, a "User Administrator" role would be sufficient. As far as the applications go, it may vary depending on the level of access required and so on.
Check out the Azure AD roles here.
But at the subscription level it is better that the user has an "owner" role which provides all the administrative privileges.

One click button access to azure resource manager for customers

Is it currently possible to make an application in my Azure AD tenant and allow customers to give it permission to alter their resource groups?
I basically want to create a web application that allows any Azure resource owner to allow my application to add something to a resource group of their choosing.
I can't figure out if it's required for the customer to have the Global Administrator role for this to work.
Is it possible to make a flow that lets the customer sign in to my web app and give permission for a resource group of his choosing, without him being the Global Administrator?
Is it possible for something in the Azure portal to select his resource group and allow my Azure AD application to get access to his resource group, or what is needed from the customer for this to be possible?
There are two ways by which a 3rd party application can access a user's subscription:
Delegated Permission (User Impersonation): Azure Portal is a good example of that. Basically in this scenario, a user logs in into your application by authenticating herself/himself against their Azure AD and then your application makes ARM API calls on behalf of the logged in user. If the user has permission to do something, your application will do that otherwise your user will get an error.
Application Permission: This is basically more for running things in the background when the user is not logged in. Essentially this is where the concept of Service Principal comes in. In this scenario, someone with administrative privileges grants certain permissions to your application, and then your application will be able to do the things it is permitted to do. The user need not be present in this scenario.
Now coming to your questions:
"I basically want to create a web application that allows any Azure resource owner to allow my application to add something to a resource group of their choosing. I can't figure out if it's required for the customer to have the Global Administrator role for this to work?"
Yes, it is possible for you to create such a web application, and the customer need not be a Global Administrator to use such an application. In fact, this is how we're providing Azure Subscription management in Cloud Portam. Azure Portal works the same way. When you log in to Azure Portal, you can only do things you have permissions to do. To see this in action, just log in to Azure Portal using a user who is in the Reader role and try to create some resources.
"Is it possible to make a flow that lets the customer sign in to my web app and give permission for a resource group of his choosing, without him being the Global Administrator?"
Yes, it is entirely possible however the permission from Azure's perspective will be at Subscription level and not at a resource group level. Again since you would be impersonating the user, the user need not give you explicit permission to access certain resources. Azure RBAC will take care of this for you.
"Is it possible for something in the Azure portal to select his resource group and allow my Azure AD application to get access to his resource group, or what is needed from the customer for this to be possible?"
Yes, it is possible to do so. However, in this case the user who is granting the permission to your application should be in a role that allows her/him to perform this operation: they should have write permission on the Microsoft.Authorization resource provider. Please do keep in mind that once your application (also known as a Service Principal) is granted access to a resource in your user's subscription, there's no need for a user to log in. You typically would want to use this approach for background-process kinds of applications.
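An added example, not code from the answer above or from Cloud Portam: the two access models the answer describes leave different fingerprints in the Azure AD access token sent to Azure Resource Manager, and a service (or an audit log reader) can tell them apart by claims. A delegated token carries a `scp` claim (for ARM, `user_impersonation`) and the signed-in user's identity; an app-only token carries no `scp` and, when the optional `idtyp` claim is requested, `idtyp: app`. The tokens below are constructed and unsigned, and the decoder deliberately skips signature verification, which a real resource server must do against the tenant's signing keys before trusting any claim.

```python
# Added example: classify a constructed Azure AD access token as delegated (user impersonation)
# or application (service principal) and confirm it targets Azure Resource Manager.
# Signature verification is intentionally omitted; never do this with real tokens.
import base64
import json

ARM_AUDIENCE = "https://management.azure.com/"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build header.payload.<empty signature> purely for demonstration."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature (demo only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify(token: str) -> str:
    """'delegated' when a signed-in user is behind the call, 'application' when only a
    service principal is, 'wrong-audience' when the token was not issued for ARM."""
    claims = decode_claims(token)
    if claims.get("aud") != ARM_AUDIENCE:
        return "wrong-audience"
    if "scp" in claims:                           # delegated: scopes granted on behalf of a user
        return "delegated"
    if claims.get("idtyp") == "app" or "roles" in claims:
        return "application"                      # app-only: no user, app roles instead
    return "unknown"


# Constructed sample tokens; every claim value is a placeholder, not real tenant data.
TENANT = "11111111-1111-1111-1111-111111111111"
DELEGATED = make_unsigned_jwt({"aud": ARM_AUDIENCE, "tid": TENANT, "oid": "user-object-id",
                               "upn": "owner@example.com", "scp": "user_impersonation"})
APP_ONLY = make_unsigned_jwt({"aud": ARM_AUDIENCE, "tid": TENANT,
                              "oid": "service-principal-object-id", "idtyp": "app", "roles": []})
GRAPH_TOKEN = make_unsigned_jwt({"aud": "https://graph.microsoft.com", "scp": "User.Read"})

if __name__ == "__main__":
    for name, tok in [("delegated", DELEGATED), ("app-only", APP_ONLY), ("graph", GRAPH_TOKEN)]:
        print(name, "->", classify(tok))
```

Distinguishing the two at the resource server matters because, as the answer says, a delegated call is bounded by the user's own RBAC while an app-only call stands on whatever role the Service Principal was granted and keeps working after the user logs out.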
