I currently have a registered app in Azure. This app has app-defined roles. The first role I created shows in the pane but is disabled (grayed out), however, it will be assigned to a user/group upon assigning that role. I created another role today, but that role isn't showing in the pane. So the default behavior when assigning a user/group a role to the application will be to assign the first role. Does anyone know what could be limiting the roles I have defined for the application?
EDIT:
In App Role under Manage in the Application Registration. There are two roles: role.one and role.two both with user/group member access. enable app role is checked.
Enterprise Application > All Application > MyApp > Users and Groups > Add Assignment
On this screen Select a role list only role.one.
Iniitially as soon as i created new app role i waas not able to see the new app role to assign as it is not appeared, but once i refreshed the portal after saving roles , it got reflected and could add that role.
So please try refreshing the portal or try to check the same after few minutes of app role creation.
I tested, and it is working fine for me. AFAIK It maynot be issue from Microsoft end .
First added 3 roles and assigned.
Then after sometime created 4th role and was able to assign to user or group one or more than one role
Note : Sometimes the reason can be browser cache may . Try to clear the Browers cache and logout and login again in a portal or try in incognito mode and see . If it is still the same issue please reach out to support they can better help here.
The issue was my app role description name was Default Access, which may have conflicted with an azure pre-defined role or description. I am still not sure, but once I changed the description to "Default Role" it became available.
Related
I found sample code from Microsoft docs but it doesn't seem to work.
If anyone has any insight that would be helpful.
Also the broad question is if that is even possible.
As the NodeJS uses Tedious library, it's not clear if Tedious is able to support AAD connection.
Sample code was taken from: https://learn.microsoft.com/en-us/azure/azure-sql/database/connect-query-nodejs?tabs=windows
It has the code sample with type: azure-active-directory-msi-app-service which I think should work.
The error I am getting is 'Security token could not be authenticated or authorized.'
The managed-identity user is added to the resources, with permissions
The code was working after adding a 'reader' role for principle user in sql server.
The steps that are required to connect SQL Server through AAD - Managed identity for NodeJS project are as below:
Create sql-server with sql-server database in an azure resource.
Create an azure-web app within the same azure resource.
Create a principle user in the web app.
This can be done by going to the azure web app > Settings > Identity menu > System-assigned tab and turning on the toggle.
In the sql-db create the user with the same name as principle user that was created in step 3. The name is same as web-app.
Also assign db_reader, db_writer, and ddladmin roles to the user.
You may use the below script to create and assign role to the user. (One thing to consider if it fails to create the user, you might need to rename the app-service name as in my case it was not allowing me to create the User saying it already exists).
**CREATE USER [<identity-name>] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [<identity-name>];
ALTER ROLE db_datawriter ADD MEMBER [<identity-name>];
ALTER ROLE db_ddladmin ADD MEMBER [<identity-name>];**
Add the reader role to the principle user in the sql server. (The one that I was missing).
This can be done by going to the Sql server resource(in Azure)> Access control (IAM)
Select Reader and select member/user (principle user with the app name), and assign the role reader to that user/member.
After all these configuration part is done, use the code from microsoft docs. For me lower node version was not working so needed to upgrade the node version.(14 in my case).
https://learn.microsoft.com/en-us/azure/azure-sql/database/connect-query-nodejs?tabs=windows
Also the connection was successful only in the deployed version.
Hope this is helpful !! :)
I am trying to create a new Blazor server app and configure it to use a new Azure Active Directory that I recently created. I have found a couple tutorials online showing how to do this, including one from Microsoft, but I keep encountering an error that says "The user account doesn't have the required permissions to access the domain."
I read online that I needed to verify that my user account is assigned to the Global Administrator role, which I did and it is. I have tried to create 3 different active directories in Azure to see if it was a fluke, but I have received the same error message each time.
Any help that you are able to provide would be greatly appreciated.
Make sure that you have signed in to Visual Studio with an admin account of the domain (here it should be "thomasagarza#yahoo.com").
After adding the account, you can apply filter for it (select the domain it is an member in). Make sure you have added it as the guest of that domain and assign Global Admin role to it.
Then all the related domains will be listed when you create a new project with Work or School Accounts Authentication. Select the domain which "thomasagarza#yahoo.com" is the admin in and click on OK. Generally you won't be required to enter your credential again in this step.
Please note if you have a custom domain for your AAD tenant and have made it primary, the domain listed here will be the custom domain name. In this case, if you manually set the domain as the format "***.onmicrosoft.com", you will get the error you are facing.
I've created and registered a web application via Azure Active Directory -> App Registrations.
Within my application manifest I've created a role (why there's no UI to do this is beyond me), and for now am planning on adding quite a few more.
However, I'm unable to assign users to the role I created via Azure Active Directory -> Enterprise Applications, as the Add, Edit, and Remove options are greyed out.
According to these docs, I need to be Global Admin to be able to set these. The only way I can do so is to keep pestering my network admin every time I want to assign users/groups to roles. This is obviously not a suitable solution, and as the registered application owner, it should be trivial for me to control the authorization levels of my application.
How is it possible for me to assign users & groups to the roles I create? If it's simply not possible without having to raise the issue with my global admin, what are my options?
Unfortunatelly, as per docs, you already went through, today only administrator can assign roles to an application.
There is a feature request to simplify that and Microsoft is working on a solution. If you give your vote, it will certainly make the request more important.
For time being it is only the Global Admin who can grant permissions to an Application.
I'm just starting on this, been going through the Microsoft documentation and the lightbulb hasn't come on yet...
How do I add a user to my subscription so they can login? From there I just need to limit them to Azure Media Services.
I've seen instructions on web for clicking a "Users" button from subscription, but I do not see that. I've tried adding a user through the Azure Active Directory as well with no luck...
Any ideas would be helpful.
Thanks!
James
OK, so I figured this out:
1) Add your user to Active Directory (I added guest user)
2) Go to subscriptions and to your IAM panel
3) Ensure that your new user has access to at least Read the subscription.
(When I did this it allowed me to view my Azure resources as other user)
4) From there I created a role in a JSON file and used New-AzureRmRoleDefinition -InputFile to import it. IMPORTANT: Make sure for permissions you have Microsoft.Media/* and Microsoft.Media/mediaservices/*
5) Once I did this I went to my Media Services IAM panel and added the user to my new Azure Media Services role.
6) Presto! It started working.
Thanks to all who responded to this thread!!!
I've tried adding a user through the Azure Active Directory as well
with no luck...
This is exactly what you need. Create a user in Azure Active Directory (at portal.azure.com) and grant them access to your subscription with the custom role to allow only Azure Media Services (I don't think there's a built-in role for that). To do that, follow the links (to create custom role, to create user and to assign user that role). I don't think you can create custom role using portal, so you will need REST API or powershell\CLI\SDK
Links:
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-what-is
https://learn.microsoft.com/en-us/azure/active-directory/add-users-azure-active-directory
My issue is two-fold:
Need a user account to write to inetpub/wwwroot that isn't in the IIS_WPG Group
Change the DefaultAppPool account to specified user account in #1
We cannot have anonymous HTTP writing to Server A from Server B from the default anon user account Windows reads from, hence for #2. And due to said server permissions, we cannot have Group IIS_WPG do any writing to inetpub/wwwroot either.
I created a new user account, but it isn't associated to any groups. Then, I added this user to the DefaultAppPool Identity instead of using Network Service. Then, under Inetpub/wwwroot I gave read/write permissions to this user account. Then I restart w3svc.
I am getting a Service Unavailable error now when I try to view any web page with this error in the logs: A failure was encountered while launching the process serving application pool 'DefaultAppPool'. The application pool has been disabled.
Note: I am not a Windows admin by any means, so what I'm doing is based off of any articles I can find and trusting their accuracy 100%.
The whole point of the IIS_WPG group is to have a pre-set grouping of the permissions required to run an application pool. So the best case is going to be creating your new user but then just adding that user to the IIS_WPG group.
If you can't do that, then I believe you have to explicitly give your new user the same permission set that IIS_WPG has already. Which can be found here: http://support.microsoft.com/kb/812614