I have an Azure SQL Server residing in tenant A and I need to add a Virtual network rule for a subnet residing in tenant B.
For this, I have created a service principal and given it multi-tenant access. I am also able to see the SP in both tenants. The SP is given access to both the subscriptions and resources (SQL Server and VNet) in both the tenants.
When I try to add the VNet rule using the SP credentials/login, I encounter the following error:
New-AzSqlServerVirtualNetworkRule:
The client has permission to perform action 'Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/Action'
on scope '/subscriptions/{subscription ID}/resourceGroups/{resource group name}/providers/Microsoft.Sql/servers/
{SQL Server name}/virtualNetworkRules/{rule name}',
however the current tenant 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is not authorized to access linked subscription 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.
The service connection in your Azure SQL Server across Azure tenants only has access to the virtual network in one tenant. It does not have access to the virtual network in the other tenant.
You can assign the Network Contributor role on that virtual network with the steps below:
Go to Azure Portal -> Resource group -> Access Control (IAM) -> Add role assignment -> Select Network Contributor -> Add
If I understand you correctly you want to connect resources that reside in two separate VNETs.
Have you set up any VNET peering between the two networks (tutorial)?
I'd like to assign a user-assigned managed identity a role at resource group scope for Azure Container Instances related operations, such as listing containers in a RG or starting or stopping a container group. Is there any built-in role available for this purpose? I searched the role list but did not find any:
Usually, to use a managed identity, that particular identity should be granted access to one or more of the following Azure service resources, such as an Azure web app, Azure Key Vault (with access policies or roles), or an Azure storage account in the subscription.
Select Access control (IAM) and Add role assignment.
Select Roles, then select the appropriate role that you want the user identity to have.
Here I am giving storage access. To give storage access, select the Storage Blob Data Reader or Contributor role.
Then select Managed identity and select the required user-managed identity.
But please note the following from Limitations: Enable managed identity in container group - Azure Container Instances | Microsoft Docs:
Currently you can't use a managed identity in a container group deployed to a virtual network.
Container groups which are running in Azure Virtual Networks do not support managed identity authentication image pulls with ACR.
If system assigned identity is enabled, then the group must have 'Contributor' role in order to have access to a storage account.
Reference:
use-a-managed-identity | Microsoft Docs
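The answer above grants a built-in role. Since the question asks only for list, start and stop of container groups, the least-privilege alternative is a custom role that carries just those operations. The following Azure PowerShell block is an added example, not code from the answer or from Microsoft Docs; the subscription, resource group, identity and role names are placeholders or constructed, and the candidate operation names are checked against the provider's published operations before the role is created, so a wrong name fails loudly rather than silently granting nothing.

```powershell
# Added example (not from the answer). Placeholders in <...>; the role name is constructed.
# Goal: a custom role with only read/start/stop/restart on container groups, assigned to a
# user-assigned managed identity at resource-group scope, instead of Contributor.
$Sub      = '<subscription id>'
$Rg       = '<resource group>'
$UamiName = '<user-assigned managed identity name>'
$rgScope  = "/subscriptions/$Sub/resourceGroups/$Rg"

# Candidate data-plane/control-plane operations for ACI. Verified below against what the
# resource provider actually publishes, so a typo cannot produce a hollow role.
$wanted = @(
    'Microsoft.ContainerInstance/containerGroups/read',
    'Microsoft.ContainerInstance/containerGroups/start/action',
    'Microsoft.ContainerInstance/containerGroups/stop/action',
    'Microsoft.ContainerInstance/containerGroups/restart/action'
)
$published = (Get-AzProviderOperation 'Microsoft.ContainerInstance/*').Operation
$missing   = $wanted | Where-Object { $_ -notin $published }
if ($missing) { throw "Not published by the provider: $($missing -join ', ')" }

$roleName = 'ACI Operator (Project)'   # constructed name
if (-not (Get-AzRoleDefinition -Name $roleName)) {
    # Clone a built-in definition as a template, then replace every field.
    $role = Get-AzRoleDefinition -Name 'Reader'
    $role.Id          = $null
    $role.Name        = $roleName
    $role.Description = 'Read, start, stop and restart container groups; no create or delete.'
    $role.IsCustom    = $true
    $role.Actions.Clear()
    foreach ($a in $wanted) { $role.Actions.Add($a) }
    $role.NotActions.Clear()
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add($rgScope)   # role can only ever be assigned inside this RG
    New-AzRoleDefinition -Role $role | Out-Null
}

# Assign to the user-assigned identity at resource-group scope only.
$uami = Get-AzUserAssignedIdentity -ResourceGroupName $Rg -Name $UamiName
New-AzRoleAssignment -ObjectId $uami.PrincipalId -RoleDefinitionName $roleName -Scope $rgScope | Out-Null

# Audit: the identity should hold exactly this one role in the RG and nothing broader.
Get-AzRoleAssignment -ObjectId $uami.PrincipalId | Select-Object RoleDefinitionName, Scope
```

The limitation quoted in the answer still applies on the consuming side: a container group deployed into a virtual network cannot use this identity, so the role assignment only helps callers running outside a VNet (or a pipeline agent acting on the groups).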
I have a storage account with firewall settings enabled (restricted access from only certain IPs and VNets). I need to access this storage account from Az Dedicated SQL Pool residing inside a SQL server. For this, I am using the external table concept. All works well when the storage account firewall is disabled. However, when I enable the firewall, I am not able to access data as the SQL Server does not belong to any VNet that can be whitelisted at the storage account. I do not want to remove the firewall of the storage account for security reasons. How can data access be ensured in this case?
PS: I also tried with the resource instance rules at the SA. This will not work in my case, as the SQL Server and Storage Account reside in different tenants.
Msg 105019, Level 16, State 1, Line 1
External file access failed due to internal error: 'Error occurred while accessing HDFS: Java exception raised on call to HdfsBridge_IsDirExist. Java exception message:
HdfsBridge::isDirExist - Unexpected error encountered checking whether directory exists or not: AbfsRestOperationException: Operation failed: "This request is not authorized to perform this operation.", 403, HEAD, https://xxx.dfs.core.windows.net/xxx/xxx.csv?upn=false&action=getStatus&timeout=90'
This is the error when the firewall is enabled. Without the firewall, I am able to see the data.
• I would suggest you ensure that you check/enable the option below (shown in the snapshot) while configuring specific resource instances to have access to the storage account:
Allow Azure services on the trusted services list to access this storage account.
Also, select the specific resource instance that will have access to your storage account, i.e., the configured 'Azure SQL Server' on which your database is hosted and from which you want to connect. Since communication between an Azure SQL Server and a storage account traverses the Azure backbone network, which is secure, encrypted on both sides and isolated from the rest of the public internet, it is included in the list of trusted sources for connectivity purposes.
• Thus, I would suggest you configure the same, but also configure access to this storage account through a system-assigned managed identity for the Azure SQL Database server, as only then will access based on it be granted; Azure considers it safe and, by design, it is necessary.
Kindly refer to the link below for more detailed clarification on this:
https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#trusted-access-based-on-a-managed-identity
To configure a system-assigned managed identity for an Azure SQL DB server, kindly follow the link below:
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity?view=azuresql#set-managed-identities-in-the-azure-portal
To connect to a storage account with firewalls enabled from SQL Server in Azure, we must use the ABFSS driver and a Managed Service Identity credential that connects to the secured storage account with PolyBase.
As you have a standalone dedicated SQL pool (formerly SQL DW), create the Managed Service Identity for it:
Connect-AzAccount
Select-AzSubscription -SubscriptionId your-subscriptionId
Set-AzSqlServer -ResourceGroupName your-server-resourceGroup -ServerName your-servername -AssignIdentity
You must first upgrade to general-purpose v2 if you currently have a general-purpose v1 or Azure Blob Storage account.
Under Access Control (IAM) on your storage account, give your SQL Database server the RBAC role of Storage Blob Data Contributor.
To connect to the secured Azure Storage account:
-- create master key (the original had syntax-diagram brackets around the clause; they are not valid T-SQL)
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'somepassword';
-- create scoped credential using the managed identity created in the first step
CREATE DATABASE SCOPED CREDENTIAL msi_cred WITH IDENTITY = 'Managed Service Identity';
-- create external data source for the connection
-- LOCATION is abfss://<filesystem>@<account>.dfs.core.windows.net (the original used '#' in place of '@')
CREATE EXTERNAL DATA SOURCE ext_datasource_with_abfss WITH (TYPE = HADOOP,
LOCATION = 'abfss://myfile@mystorageaccount.dfs.core.windows.net',
CREDENTIAL = msi_cred);
Reference: Use virtual network service endpoints and rules for servers in Azure
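The two answers above describe the storage-side configuration as portal clicks and separate commands. Here is the same procedure (identity, storage kind check, trusted-services bypass, scoped data-plane role, verification) as one Azure PowerShell block, added as an example and not taken from either answer. It assumes the SQL logical server and the storage account live in the same tenant and subscription, because a role assignment on the storage account can only name an identity from the tenant that owns it; the resource group, server and account names are placeholders.

```powershell
# Added example (not from the answers). Placeholders in <...>.
# Assumes the logical server and the storage account are in the same tenant/subscription.
$Rg        = '<resource group>'
$SqlServer = '<sql logical server name>'
$Storage   = '<storage account name>'

# 1. System-assigned managed identity on the logical server that hosts the dedicated SQL pool.
Set-AzSqlServer -ResourceGroupName $Rg -ServerName $SqlServer -AssignIdentity | Out-Null
$principalId = (Get-AzSqlServer -ResourceGroupName $Rg -ServerName $SqlServer).Identity.PrincipalId
if (-not $principalId) { throw 'Managed identity not yet available on the server; retry shortly.' }

# 2. Azure AD data-plane roles on blob/ADLS Gen2 require a general-purpose v2 account.
$sa = Get-AzStorageAccount -ResourceGroupName $Rg -Name $Storage
if ($sa.Kind -ne 'StorageV2') { throw "Account kind is $($sa.Kind); upgrade to StorageV2 first." }

# 3. Keep the firewall closed by default and let only trusted Microsoft services bypass it.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $Rg -Name $Storage `
    -DefaultAction Deny -Bypass AzureServices | Out-Null

# 4. Data-plane role scoped to this one account, not the RG or subscription.
#    Storage Blob Data Reader is enough if the pool only reads external tables.
$roleName = 'Storage Blob Data Contributor'
if (-not (Get-AzRoleAssignment -ObjectId $principalId -Scope $sa.Id -RoleDefinitionName $roleName)) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName -Scope $sa.Id | Out-Null
}

# 5. Verify the end state: Deny by default, AzureServices bypass, one assignment at account scope.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $Rg -Name $Storage
[pscustomobject]@{
    DefaultAction = $rules.DefaultAction
    Bypass        = $rules.Bypass
    Assignments   = @(Get-AzRoleAssignment -ObjectId $principalId -Scope $sa.Id).Count
}
```

After this, the T-SQL in the answer (master key, `msi_cred`, external data source over `abfss://`) is what binds the pool to that identity; the storage firewall never needs a public IP or VNet rule for the SQL server.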
I'm trying to create a peering between two virtual networks that reside in two different tenants using Azure DevOps release pipelines.
Here's the error I get from the failed deployment:
LinkedAuthorizationFailed: The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope '/subscriptions//resourcegroups/RG-VNet-A/providers/Microsoft.Network/virtualNetworks/vNet01/virtualNetworkPeerings/Tenant-A-to-Tenant-B', however the current tenant '***' is not authorized to access linked subscription 'tenant A subcription ID'.
The service connection in your DevOps project only has access to the virtual network in one tenant. It does not have access to the virtual network in the other tenant.
You can assign the Network Contributor role on that virtual network, and you would then be able to peer the two virtual networks using Azure DevOps pipelines.
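Both `LinkedAuthorizationFailed` answers on this page (the SQL VNet rule one and this peering one) come down to the same fix: the service principal signed in to tenant A holds no role on the VNet in tenant B. The block below is an added Azure PowerShell example, not the answerer's code, showing how to grant that role at VNet scope rather than subscription scope and then create the peering from tenant A. All tenant, subscription, application and network names are placeholders or constructed; the client secret is read from an environment variable that you are assumed to have set.

```powershell
# Added example (not from the answers). Placeholders in <...>; VNet/RG names are constructed.
# A multi-tenant SP (app registered in tenant A, consented in tenant B) is granted
# 'Network Contributor' on the remote VNet only, then the peering is created from tenant A.
$AppId          = '<application (client) id of the multi-tenant SP>'
$TenantA        = '<tenant A id>'
$TenantB        = '<tenant B id>'
$SubscriptionB  = '<tenant B subscription id>'
$LocalVnetName  = 'vNet01';  $LocalVnetRg  = 'RG-VNet-A'   # names from the question
$RemoteVnetName = 'vNet02';  $RemoteVnetRg = 'RG-VNet-B'   # constructed

$cred = [pscredential]::new($AppId, (ConvertTo-SecureString $env:SP_CLIENT_SECRET -AsPlainText -Force))

# --- Tenant B: grant the minimum role on the one VNet that will be peered -----------------
Connect-AzAccount -ServicePrincipal -Tenant $TenantB -Credential $cred -Subscription $SubscriptionB | Out-Null

# The SP has a *different* object id in each tenant; always resolve it in the tenant you grant in.
$spB  = Get-AzADServicePrincipal -ApplicationId $AppId
$vnetB = Get-AzVirtualNetwork -Name $RemoteVnetName -ResourceGroupName $RemoteVnetRg
if (-not (Get-AzRoleAssignment -ObjectId $spB.Id -Scope $vnetB.Id -RoleDefinitionName 'Network Contributor')) {
    New-AzRoleAssignment -ObjectId $spB.Id -RoleDefinitionName 'Network Contributor' -Scope $vnetB.Id | Out-Null
}
# Audit: expect one VNet-scoped assignment and nothing at subscription scope.
Get-AzRoleAssignment -ObjectId $spB.Id | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
$remoteVnetId = $vnetB.Id   # capture before switching tenants

# --- Tenant A: create the A -> B half of the peering (B -> A is done the same way from B) --
Connect-AzAccount -ServicePrincipal -Tenant $TenantA -Credential $cred | Out-Null
$vnetA = Get-AzVirtualNetwork -Name $LocalVnetName -ResourceGroupName $LocalVnetRg
Add-AzVirtualNetworkPeering -Name 'Tenant-A-to-Tenant-B' -VirtualNetwork $vnetA -RemoteVirtualNetworkId $remoteVnetId
```

For the SQL question higher up, the tenant B part is identical (Network Contributor on the VNet that owns the subnet); the tenant A follow-up is `New-AzSqlServerVirtualNetworkRule` with `-VirtualNetworkSubnetId` set to the tenant B subnet's resource id instead of the peering call.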
In this scenario I'm hosting several resources for several projects in one Azure tenant.
Additionally I have multiple azure subscriptions with corresponding resource groups per project:
Azure Subscription A -> Resource Group A -> VMs, DNS, Bastion Host... for project A
Azure Subscription B -> Resource Group B -> VMs, DNS, Bastion Host... for project B
Azure Subscription C -> Resource Group C -> VMs, DNS, Bastion Host... for project C
In the Azure AD I would like to create groups like Project A, Project B, Project C and grant them role permissions to the dedicated resource groups.
But unfortunately, if I grant the role Contributor, this also includes the permission on the subscription to add new services. I just want to enable them to manage their resources (access the VM through the bastion host) without giving them permission to add new services.
We can restrict the user from creating resources in the resource group in two ways:
You can grant Contributor permissions on each individual resource; that way the user won't be able to create new resources, only modify existing ones (they would still be able to delete a resource).
A combination of RBAC and Azure Policy. Users with Contributor access have access to all resources in their resource groups. In Azure Policy you can use a policy like Allowed resource types, Not allowed resource types or Allowed locations, which lets you specify the resource types that your organization can deploy.
There is a similar scenario that you can find here.
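The second option in the answer, RBAC plus Azure Policy, as a worked Azure PowerShell example (added here, not the answerer's code): Contributor is granted to the project group at resource-group scope only, and the built-in "Allowed resource types" policy is assigned to the same resource group with the list of types that are already deployed there. The subscription id, group object id and resource-group name are placeholders or constructed; the policy definition is located by display name so no definition GUID is hard-coded, and the filter accepts both the older (`.Properties.DisplayName`) and newer (`.DisplayName`) Az.Resources output shapes.

```powershell
# Added example (not from the answer). Placeholders in <...>; RG name constructed.
$Sub           = '<subscription A id>'
$Rg            = 'Resource-Group-A'
$GroupObjectId = '<object id of the Azure AD group "Project A">'
$rgScope       = "/subscriptions/$Sub/resourceGroups/$Rg"

# RBAC: Contributor on the resource group, never on the subscription.
if (-not (Get-AzRoleAssignment -ObjectId $GroupObjectId -Scope $rgScope -RoleDefinitionName 'Contributor')) {
    New-AzRoleAssignment -ObjectId $GroupObjectId -RoleDefinitionName 'Contributor' -Scope $rgScope | Out-Null
}

# Policy: allow only the resource types that already exist in the RG. Contributors can then
# manage (start/stop/reconfigure) what is there but cannot deploy a new *kind* of service.
$allowed = @(Get-AzResource -ResourceGroupName $Rg | Select-Object -ExpandProperty ResourceType | Sort-Object -Unique)
if ($allowed.Count -eq 0) { throw "No resources in $Rg; an empty allow-list would block everything." }

$def = Get-AzPolicyDefinition -Builtin | Where-Object {
    $_.Properties.DisplayName -eq 'Allowed resource types' -or $_.DisplayName -eq 'Allowed resource types'
} | Select-Object -First 1
if (-not $def) { throw 'Built-in policy "Allowed resource types" not found.' }

New-AzPolicyAssignment -Name 'allowed-types-project-a' `
    -DisplayName 'Project A: only existing resource types' `
    -Scope $rgScope `
    -PolicyDefinition $def `
    -PolicyParameterObject @{ listOfResourceTypesAllowed = $allowed } | Out-Null

# Report what was locked in, so the allow-list can be reviewed before users are told.
$allowed
```

Note the caveat a reviewer would raise: the policy restricts resource *types*, not counts, so a Contributor could still create a second VM if `Microsoft.Compute/virtualMachines` is on the list; if that matters, the per-resource Contributor approach in the first option (or a custom role without `*/write`) is the tighter control.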
In my Azure DevOps release pipeline, I would like to start a VM. So I have an "Azure resource group deployment" task with the action "Start virtual machines". However, when I run this task, I get the error:
"Failed to fetch the list of virtual machines from resource group: ...
Error: "Could not fetch access token for Managed Service Principal.
Please configure Managed Service Identity (MSI) for virtual machine
'https://aka.ms/azure-msi-docs'. Status code: 400, status message: Bad
Request"
In my VM I already enabled system-assigned managed identity, so I don't know why this error is appearing. Any thoughts?
You will also need a service connection in Azure DevOps to connect to your Azure subscription using the MSI.
You can configure Azure Virtual Machines (VM)-based agents with an Azure Managed Service Identity in Azure Active Directory (Azure AD). This lets you use the system assigned identity (Service Principal) to grant the Azure VM-based agents access to any Azure resource that supports Azure AD, such as Key Vault, instead of persisting credentials in Azure DevOps for the connection.
In Azure DevOps, open the Service connections page from the project settings page. In TFS, open the Services page from the "settings" icon in the top menu bar.
Choose + New service connection and select Azure Resource Manager.
Choosing a service connection type
Select the Managed Identity Authentication option.
Opening the managed service identity settings
Enter a user-friendly Connection name to use when referring to this service connection.
Select the Environment name (such as Azure Cloud, Azure Stack, or an Azure Government Cloud).
Enter the values for your subscription into these fields of the connection dialog:
Subscription ID
Subscription name
Tenant ID
After the new service connection is created:
If you are using it in the UI, select the connection name you assigned in the Azure subscription setting of your pipeline.
If you are using it in YAML, copy the connection name into your code as the azureSubscription value.
Ensure that the VM (agent) has the appropriate permissions. For example, if your code needs to call Azure Resource Manager, assign the VM the appropriate role using Role-Based Access Control (RBAC) in Azure AD. For more details, see How can I use managed identities for Azure resources? and Use Role-Based Access Control to manage access to your Azure subscription resources.
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#create-an-azure-resource-manager-service-connection-to-a-vm-with-a-managed-service-identity
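The error in the question ("Could not fetch access token for Managed Service Principal ... Status code: 400") is what the agent sees when its request to the VM's instance metadata service (IMDS) for a token fails. The following PowerShell diagnostic, added here and not part of the answer or of Microsoft's docs, is meant to be run on the agent VM itself: it asks IMDS for an ARM token, decodes the token's claims (without printing the token) to show which tenant and identity the VM actually has, and then lists that identity's role assignments, which covers the last step of the answer. The IMDS endpoint and query are the documented ones; the `Get-AzRoleAssignment` call assumes an existing `Connect-AzAccount` session with read access to the subscription.

```powershell
# Added diagnostic (not from the answer). Run on the agent VM whose system-assigned identity
# the Azure DevOps service connection uses.
function Test-ImdsToken {
    param([string]$Resource = 'https://management.azure.com/')

    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01' +
           '&resource=' + [uri]::EscapeDataString($Resource)
    try {
        # IMDS only answers requests that carry the Metadata header and come from inside the VM.
        $resp = Invoke-RestMethod -Uri $uri -Method Get -Headers @{ Metadata = 'true' } -TimeoutSec 5
    } catch {
        # A 400 here reproduces the pipeline's symptom: no identity assigned, or the assignment
        # has not propagated to this VM yet. Nothing else (RBAC, service connection) is reached.
        return [pscustomobject]@{ Ok = $false; Error = $_.Exception.Message }
    }

    # Decode the JWT payload (base64url) to identify the principal. Never log the token itself.
    $payload = $resp.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $claims  = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json

    [pscustomobject]@{
        Ok        = $true
        TenantId  = $claims.tid     # must equal the Tenant ID entered in the service connection
        AppId     = $claims.appid   # the managed identity's client id
        ObjectId  = $claims.oid     # the principal to grant RBAC roles to
        ExpiresAt = [DateTimeOffset]::FromUnixTimeSeconds([long]$resp.expires_on).UtcDateTime
    }
}

$result = Test-ImdsToken
$result

if ($result.Ok) {
    # The "Start virtual machines" task needs a role containing
    # Microsoft.Compute/virtualMachines/start/action on the target VMs' scope
    # (e.g. Virtual Machine Contributor on that resource group). Requires Connect-AzAccount.
    Get-AzRoleAssignment -ObjectId $result.ObjectId | Select-Object RoleDefinitionName, Scope
}
```

If `Ok` is `$false`, fix the identity on the VM before touching Azure DevOps; if it is `$true` but `TenantId` differs from the service connection's Tenant ID, or no role covers the VMs to be started, the failure is in the service connection or RBAC rather than in the VM.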