I have added a new user to the Azure active directory which is associated with Azure subscription. The user is added with the Global Administrator role.
However, when the user tries to login to the portal, no subscription is showing up. Tried logging off and logging in multiple times, but the subscription is not showing up.
Having rights to Azure AD doesn't necessarily give you rights to an Azure Subscription; they are separate. You can either Elevate access for Global Admins to manage your Azure subscriptions, or you can go the the Azure Subscription IAM settings and add the new user to a role.
Related
I'm trying to register an application in Azure following these instructions in the link below.
I go to "App Registrations > New Registration" get the error "Access Denied You don’t have permission to register applications".
My user permission in the Azure Portal is Owner.
I can't find what permissions I need to set for my user so I can add a new app registration.
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
Owner role is an Azure RBAC role and is not the same as Azure AD directory roles which you need to register apps.
Azure RBAC roles apply to subscriptions and resources within them.
Azure AD tenants are above subscriptions.
Your Azure AD admin needs to give you at minimum Application Developer directory role.
Since I had access to more directory's I was just on the wrong one.
So in my case that was my problem and by switching directory to the correct one where I had access my problem was solved.
First I checked that I was given the access mentioned above.
I have an Azure Devops organization that is linked to an Azure Active Directory. This organization has projects and pipelines for deploying applications to App Services in the linked Azure AD.
Recently, one of my user account (the one with the Visual Studio Enterprise Subscription) was made the organization owner and all other project users were deleted. However, my account that is now the only user in the Azure DevOps organization is just a guest account type of the linked Azure Ad, and not an actual member of the Azure AD.
I need to add new users back to the organization but since my user account is just a guest of the linked Azure AD, when I try to add users, I get an info dialog that states that since I am only a Guest of the Azure AD domain, I can't see the domain members I want to add and so the add user process fails.
As I stated earlier, my account is the Organization Owner. I also assigned my guest user account to the Global Administrators role in the linked Azure AD, but I still cannot add domain users to the Azure DevOps organization.
This organization has production code in the repo as well as build and deployment pipelines that I do not want to lose access to or lose the ability to deploy to the App Services in the linked Azure AD, so I am concerned about taking any action until I know exactly what I need to do to be able to add users from the linked Azure AD into the organization.
Any advice as to how I can add users from the linked Azure AD back to this organization would be greatly appreciated.
This is just a guess, but DevOps could be looking at your userType and show the message based on that.
Global admin would definitely allow you to list the users.
You could try using PowerShell to change your userType from Guest to Member.
E.g. with AAD PowerShell v2:
Set-AzureADUser -ObjectId 'your-user-object-id-in-tenant' -UserType 'Member'
It's actually something that isn't super-well-known.
Guest/member and local/external user are two different things.
External users just become Guests by default, which restricts what they can do.
Add the guest users to Azure AD directly, before you try to give them access in DevOps. After adding a new guest user, that new guest can be given access to DevOps by your subscription admin.
Or create yourself a domain user in your Azure AD with the proper privileges too.
e.g. If your Azure AD domains is "MyMsdnAzureADDomain.onmicrosoft.com" (or a Custom Doamin like "mycompany.com" if you have such domain registered in Azure).
A) Create new domain user in MyMsdnAzureADDomain.onmicrosoft.com
The new user is would be MyNewUser#MyMsdnAzureADDomain.onmicrosoft.com
B) Give that new user full admin in Azure AD and your DevOps (or tailor your permissions to your needs).
C) Login into Azure using that new user to manage your DevOps.
I found out that you need to have owner rights of your subscription to add a Run as account in an Automation account. But as I search in my services I can see that my role inside the subscription is as an owner. Still i can't create a run as account because i don't have enough permissions ?
Is it enough to only have the owner rights of the subscriptions or do I need any more permissions ?
The issue was caused by you do not have the permission to create the AAD App.
If you want to configure Run As accounts, you also need to have the permission to create the AAD App.
For more details about the permissions, refer to this link.
Except for the permissions equivalent to the Owner role for Microsoft. Automation resources, you need to check these:
In the Azure portal, under Azure Active Directory > MANAGE > App registrations, if App registrations is set to Yes, non-admin users in your Azure AD tenant can register Active Directory applications. If App registrations is set to No, the user who performs this action must be a global administrator in Azure AD.
Ref: https://learn.microsoft.com/en-us/azure/automation/automation-create-standalone-account#permissions-required-to-create-an-automation-account
I am trying to set up octopus to deploy resources to azure.
Under azure active directory I've added a new app registration, and have generated a key and hooked up octopus with the correct Application ID, Tenant ID and key
The organisation has multiple azure subscriptions corresponding to the environments, so I've noticed if I use the Subscription ID of my "Visual Studio Professional MSDN" subscription it works and creates the resources, however if I try to use any of the other organisation Subscription IDs I get the following error:
Login-AzureRmAccount : The provided account c0b2.......76a6 does not
have access to subscription ID "f06.......2aa3". Please try logging in
with different credentials or a different subscription ID.
I have looked through all the settings of the Application Registration and granted it every "Windows Azure Active Directory" permission available, but still no luck.
How do I go about granting permissions to this Application Registration so that it can access the relevant subscriptions?
You need to give the app a role on the subscription/resource group/resource you want it to be able to access.
So for example, you can go to the Access Control (IAM) tab of the subscription, and give the app the Contributor role, which allows the app to read and modify anything in the subscription.
You can also give a more limited role if desired.
Roles can also be applied at a lower scope, like a resource group.
More info in the docs: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
I signed up for an azure subscription and a default directory was provisioned for my subscription.
i cannot manage the default directory (e.g. create user or groups) via the azure portal. the portal replies with: "You do not have permission to access these resources."
while i understand that a admin role for an azure subscription is not the same as the admin role to manage an azure active directory; i am unable to find any MS guidance on how to assign the AD global admin role to my azure admin/subscription identity.
You have to be a Global Administrator in the directory to create users. Oddly though, you should already be one. When you sign-up for an Azure subscription you are automatically added to the default directory as a Global Administrator. At least that is how it used to work - perhaps it changed.
Anyway, this has the information you need and should get you going.