I am trying to get 7 pace timesheet details along with Azure DevOps work details programmatically using PAT token. I want to use a service account instead of a user account.
Can you please guide me to create a service account?
This service account should have 7 pace applications along with
Azure DevOps access.
The service account MFA should be disabled.
So that it can be used in Azure Runbook.
You must choose a new account that is either a system account or a member of a workgroup or domain that is trusted by every computer in this deployment of Azure DevOps Server.
Then you can have a service account in the two ways :
Use the administration console to change the service account
Open the administration console for Azure DevOps on the server that hosts the application tier.
In the console, expand the server name and select Application Tier.
In the Application Tier pane, select Change Account.
The Update Service Account window opens.
Perform one of the following steps:
To use a system account, select Use a system account, and then select a system account from the drop-down list - If your server is a member of an Active Directory domain, the default choice for the system account to use is Network Service. If your server is a member of a workgroup, the default choice is Local Service. Depending on the details of your deployment, the default choice may be the only available choice.
To use a domain or workgroup account, select Use a user account, enter the name of the account in Account Name, and then enter the password for that account in Password.
Use the TFSConfig utility to change the service account
On the application-tier server, open a Command Prompt window and change directories to the directory that contains the TFSConfig utility. By default, this utility is located in Drive:\Program Files\TFS 12.0\Tools.
At the command line, enter TFSConfig Accounts /change /accountType:ApplicationTier /account:AccountName /password:NewPassword, and then press ENTER.
Related
Good afternoon, I am fairly new to Azure AD in general; I know my way around but I am stumped on something for a client of ours.
We have a client who has devices joined to Azure AD. They wish to create local administrator accounts on specific computers that only specific people can access and only that administrative account can be used on that workstation for administrative rights (just like a regular device local admin account)
For example:
CON-01 (PC name) should have a local admin account that's in Azure AD named JohnDoe_adm#contoso.com that can do elevated admin privileges' but this JohnDoe_adm#contoso.com account should not be allowed to have local administrative rights on CON-02. And vice versa. JaneDoe_adm#contoso.com should only have local administrative rights to CON-02 but her login can't be used on CON-01 for elevated permissions.
Devices will not be connected to the local AD frequently for policy updates (and we want to avoid VPN connection to the local AD DC). Client strictly wants these devices joined via Azure AD Joined but to have administrative accounts managed through Azure AD.
The clients accounts are synchronized in Azure with their local AD.
I saw that with a premium license for Azure you can add local administrators group on Azure AD joined devices but doing so will allow that user to have local administrative access on all devices that are joined and we are trying to prevent that.
Would it be possible to create a group called CONOTSO/CON-01 Local Administrators in Azure AD; and add JohnDoe_adm#contoso.com to this group and go onto CON-01 and manually apply CONOTSO/CON-01 Local Administrators group under Administrators in lusrmgr.msc on the workstation CON-01 ?
Or any suggestions to make this process easier to achieve what I am looking for?
Any advice is appreciated! Thanks!
You can do that, just not in the GUI. :-)
On an individual computer you can use "Net Group Administrators /Add AzureAD\JohnDoe_adm" to give that account admin rights to the machine.
You'll have to do that for each machine.
• Yes, you can create an Azure AD user, for example in this scenario, johndoe_adm#contoso.com as a member of the local administrators’ group on Azure AD joined devices. For that purpose, you will have to create a policy under ‘Endpoint Protection’ in Intune management portal for ‘local user/group membership’ for managing local admins of Windows 10/11 client devices. Please follow the below snapshots for more information: -
As shown in the above policy, you can create a policy for ‘local user group membership’. In it, you can create a profile for Windows 10/11 by selecting the appropriate option and selecting the correct local users’ group to be managed through it as shown below: -
Once the above options have been selected, then you can have the option of selecting Azure AD users or groups in the respective selected local administrators group so that the Azure AD users can be a member of local administrators’ group on client system as below: -
Thus, in this way, you can add an Azure AD user/group as a member of local administrators’ group on the Azure AD joined and Intune MDM managed and complaint system by assigning this policy on the said device groups.
• Also, please note that as you are saying that a particular Azure AD user, i.e., ABC should be a member of a local administrators’ group on an Azure AD joined device, viz., XYZ which is readily possible as per stated above but you also want that this user ABC should not be a member of another Azure AD joined device’s local administrators’ group, then for this purpose, you will have to create a separate Azure AD user for every Azure AD joined device and create one profile likewise for every Azure AD user/group as well as for every device that is going to be a part of the local administrators’ group on the client system which can be very hectic and time consuming given the options available in Intune MDM.
Thus, I would suggest you create a single Azure AD user for the purpose of adding it in the local administrators’ group on every Azure AD joined and Intune MDM managed Windows 10/11 device and further create a profile as shown above and deploy it on all the Windows 10/11 devices to be managed through Intune and required accordingly. Also, do keep the credentials of that Azure AD user with yourself only to maintain a level of confidentiality.
For more detailed information on the above, kindly refer the below link: -
https://www.anoopcnair.com/manage-local-admins-using-intune-group-mgmt/#:~:text=The%20local%20user%20group%20management,or%20Windows%2011%20local%20group.
My team already has a working Azure DevOps account. I would like to start an Azure subscription / Active Directory to begin linking our DevOps to App Services and other Azure products.
However, any time I click on a link to get started with Azure, I am met with a perplexing paradox trying to log in.
First I'm told that I can't log in because my MS account isn't found:
But if I try to "Create one!" or "get a new Microsoft account", I'm told it already exists:
I've taken out the email address being used, but I've confirmed they are the same between the two screens (I'm not even typing anything; all I'm doing is clicking "Next" on each screen).
I know that this MS account is valid. It's the same one I use to sign in with Azure DevOps and many other MS services. I'm not sure why I can't log in to the Azure set up platform. And there doesn't seem to be any kind of support options with Azure before you become a subscriber, so I thought I'd try my luck posting the issue here.
Thanks for any help!
You can connect your Azure DevOps organization to Azure Active Directory (Azure AD). Kindly checkout this document - About accessing your organization via Azure AD
Just to clarify, I hope you are an administrator on the subscription.
https://learn.microsoft.com/azure/devops/organizations/accounts/faq-azure-access?view=azure-devops
When your sign-in address is shared by your personal Microsoft account and by your work account or school account, but your selected identity doesn't have access, you can't sign in. Although both identities use the same sign-in address, they're separate: they have different profiles, security settings, and permissions.
Sign out completely from Azure DevOps by completing the following steps.
Closing your browser might not sign you out completely.
Sign in again and select your other identity.
https://learn.microsoft.com/azure/devops/organizations/accounts/faq-azure-access?view=azure-devops
To connect your organization to Azure AD.
Sign in to your organization, https://dev.azure.com/{yourorganization}).
Select gear icon > Organization settings.
Select Azure Active Directory, and then select Connect directory.
We're a very small company, for unknown reasons our internal app infrastructure (based on PaaS VMs) was set up on the Azure subscription for a "personal" Windows Live account of an internal email address, with only that one user in the AD. (We also use the "correct" Azure instance, the AD is synced from the remnant of our old on-prem infrastructure and our Office 365 is based on it.)
We're about to recruit a second developer, I want to give him some level of access to our app infrastructure but not the global admin that sharing the existing single account would provide. I've experimentally added another user to the Azure AD as a global admin (so it should have access to everything) but when I log in with that user it takes me to the portal for the default free personal Azure instance you get if there's nothing set up. If I paste in a URL for a resource in the account it's global admin for I get "You do not have access" (403). (Audit trail of the user in Azure AD shows it logged in.)
Is there an inherent restriction on this type of account (in which case I'll have to bite the bullet and migrate the infrastructure where it belongs) or should I be able to expect this user to be able to access the right portal - and if so what do I need to do to get that to happen?
Having Global Admin role in Azure AD does not give you access to Azure resources, only to manage users etc. in Azure AD.
You need to add e.g. Owner/Contributor role on the subscription to the user through the Access Control (IAM) tab.
I have used the free month trial offered by Azure with a personal Microsoft account in parallel with a professional account from my company. In this professional account I have limited access to certain resources (mostly VMs, storage and that), so I don't manage neither subscriptions nor Azure AD.
After several unsuccessfull login attemps in which I was asked to provided a 6 digit code when the Microsoft Authenticator gave me an 8 digit code, I've discovered that if I do the following:
Try to sign in in azure.portal.com with my personal account (fails)
Sign in with my company account.
Then, in the upper right I see my personal account as a directory, like usenamehotmail.onmicrosoft.com. However, when trying to access Azure AD to manage that directory I am shown a message that says I have no access.
My question is, why does this happen? Can I use the same credit card and create a pay as you go subscription with another personal Microsoft account?
If you using the external account to access Azure AD like outlook.com, hotmail.com and the account from other Azure AD tenant. it will cause the Access Denied(you don't have access).
There are two ways to resolve this issue
1. Log in to Azure Portal by using the account with Global Administrator Role for Azure AD. Navigate to the User settings tab, toggle the setting Guest users permissions are limited to No.
2. Log in to Azure Portal by using the account with Global Administrator Role and navigate to the Users and Groups tab, search for the external account, and change the Directory Role to Global Administrator.
I joined to Windows Azure Active Directory beta trial when http://activedirectory.windowsazure.com was initially launched.
At initial process, site forced me to use a new LIVE account instead of the one I already have which is myname#live.com and also controls all my Azure services. Anyway, I did create a new one as myname#mycompany.com
Next, I did be able to create the active directory domain as mycompany#onmicrosoft.com and added my mycompany.com domain as secondary domain.
While ago, Active Directory tab appeared in Azure control panel and it came empty. So I assumed it needs to be link somehow but couldn't find anything about it.
After that, I tried to create a new domain but when I type mycompany into the name field of the create a directory page, it says "This domain is not unique" which is predictable since other live account holds the name.
Tried to delete entire account but didn't work. Also in here says :
"The original contoso.onmicrosoft.com domain name that was provided for your tenant when you signed up cannot be removed from your tenant."
Since I'm the owner of the both account, I would like to move (or re-create etc.) mycompany#onmicrosoft.com under my actual Azure account which is myname#live.com.
Please advise. Thank you!
I didn't realize you had an existing subscription you were looking to work wit. So what you are seeing is expected behavior as there is no subscription associated with your Azure AD account.
We are propping an update this weekend and Monday that will help you here. On Tuesday morning, do the following:
Log into Azure using your Azure AD account.
It will tell you that you have no subscription - set up a 90 day trial subscription - you will not be charged anything for this.
Click onto Active Directory tab in the Azure Portal.
Add a new user - and select to add a user with a Microsoft Account - specify the account that is the administrator of your Windows Azure subscription and make them a "global administrator".
Log off
Log in to Azure portal using the same Microsoft Account that you just added.
Go into Settings.
Click on administrators tab
Select your Azure Subscription
Click "add" in the tray at the bottom
Now add the Azure AD user account you would like to have be a co-admin on your Azure subscription.
That should do it. Now when you log in using your Windows Azure Account you'll be able to administer your Azure subscription.
Just a reminder - try this on Tuesday morning! We will have the update propped by then.
You can make this work though by creating a new 90 trial subscription - you do this on the page where you are being told there are no subscriptions associated with your account.
You need to log into Azure using your myname#mycompany.com account (the Windows Azure Active directory account you created).
To do that, go to the Azure Management portal - if you are already logged in using a Microsoft Account (formerly LiveID) you will need to log-out first - Then the left hand side of the login page you should see a link that says "Office 365 users: Sign in using your organizational account".
Click on that link, and now log into the Azure portal using your Azure AD Account (myname#mycompany.com). Once you do that, you should see your Windows Azure AD tenant in the Active Directory tab in the portal.