I have delegated access to Azure resources in a third-party tenant using Lighthouse, and this works fine via the portal; users receive the roles expected (typically Contributor).
However, they are unable to access Kudu (at webappname.scm.azurewebsites.net), receiving an error;
Selected user account does not exist in tenant 'Tenant Name' and
cannot access the application 'abfa0a7c-a6b6-4736-8310-5855508787cd'
in that tenant. The account needs to be added as an external user in
the tenant first. Please use a different account.
If the same user account is added as a guest to the third-party tenant and given the same role, they can access Kudu as expected.
It's clear that Kudu is expecting/demanding an account in the same tenant as the application, but Azure Lighthouse delegated permissions is all about not having to do that.
Is there something I'm missing, or another role that needs granting?
#PhilD, Thanks for the detailed description of the scenario. I have also posted this on your Q&A thread.
Currently, Kudu is not compatible with Lighthouse-delegated permissions.
Our product engineering team is working on it; however, we do not have an exact ETA to share.
We’re expecting it to be available in a few months. Please note that this timeline is just an estimate and is subject to change, depending on a myriad of factors.
I have relayed the feedback internally to our product engineering team and it’s being tracked.
-On a side note, as mentioned in this Kudu wiki :
“Only those with Contributor / Owner access (to be exact, with microsoft.web/sites/publish/action or, for slot, microsoft.web/sites/slots/publish/action) can access to Kudu (SCM).”
Much appreciate your valuable feedback on this. Thanks for your patience!
Related
I used personal e-mail as “Microsoft Identity” to sign-up for Azure Free Trial. My expectation is my e-mail ID is the root login for my account and associated identity is the root owner, and I think that was the case initially. Later, I deployed an Azure AD Tenant with a different name, turns out a bizarre pseudo-e-mail ID (UPN) became root owner of my parent account which I don’t have access for. Now I can’t delete subscriptions or the unwanted UPN. How can I reset my account to start from clean slate? One way is to use a different e-mail ID and get started with new account. I am wondering if some one can provide steps to perform clean-up and restart with same old e-mail ID / identity as root owner. Azure support plans start # $29.00/month and I am trying to avoid that.
Another symptom, I can't cancel supscription. It asks me to use contact owner, and that happens to be that bizarre very long email looking UPN which I can't use for login as those credentials aren't there.
You should contact Azure Support Team and raise a subscription ticket which is free for further help.
They can help you to manage your subscription owner and credit card / billing information from the backend.
Our company has a Microsoft Azure account (Pay-As-You-Go).
We had a programmer that developed our web app. We gave him full access to our Azure account. So, he had access to everything.
We intend to hire another developer to make modifications to the web app, so he'll need access to the App Services and SQL Databases. Our intention is to just allow him access to those features.
We did our research and came across the documentation, Resources, roles, and access control in Application Insights. We followed it step by step, but there's an issue. Doc LINK
We tested the procedure by adding one of our IT staff's Microsoft account (personal Outlook.com account) and assigning him the Contributor role, and sent him an invite. He's not seeing the invite. We did the same for another staff, but it's the same problem.
Can we get some assistance please?
It was not working earlier .I tried with one gmail id. Now it is working perfectly fine and I am able to receive the invitation email.
To send invitation, you need to go to active directory. Add user's email as a guest under add user option (Add guest user).
I am using my work email address to set up multiple Azure IaaS environments. When I log into Azure, I get asked if I want to use the "Work or School Account" or "Personal Account" - both referring to the same email address.
I don't recall setting up anything in terms of personal accounts, or linking my work email as a Microsoft Outlook.com/Hotmail/etc account.
Access to the subscription has been applied to my Personal account, not the work one.
When granting access, there's no way to pick which one you're giving access to.
Couple of questions
I've created some VMs but want them to be linked to my work account. Can I change this?
How do I unlink my work email from Personal. I want to use work just for work, and not have any confusion between the two.
See this screengrab for more information:
There are few problem with your account so lets go over them one by one.
First means that now you have 2 different accounts one it is your work account another one it is your microsoft account. You can create both of them with the same email since they are from 2 different tenants.
This is a concept important or you to understand there is something on Azure that it is over the subscription that is the tenant
Tenant
|- Subscription
|- Resource Group
|- Resource
All subscription under the same tenant have the same Authentication method, this Authentication method can be linked to an Azure Active Directory ( Office 365 subscriptions are Azure Active Directory ) So you can open a request to microsoft to transfer your subscription to your company tenant. if you do this all the resources under it will be transferred to your other authentication. You can open this ticket on the portal.
If you don't want your personal account anymore you can close it on https://account.live.com/closeaccount.aspx
Thanks to those who edited the question for me, my line-breaks didn't work by default, I'll ensure that I get it write next time. I was only allowed to post the image as an attachment being first-time poster, someone fixed that for me.
The answer from Gabriel Monteiro Nepomuceno was correct and touched on the root cause, but there's one element I didn't include in my question.
Regarding the tenant: the tenant is created under the company account of "company.com". I am a sub-contractor and was granted access to my own account at "benscompany.com". Azure support have advised that its only possible to grant access to different account via the personal account.
I'm getting the following error when non-global admin users are trying to access graph explorer 2 within our tenant:
Additional technical information:
Correlation ID: 2346b0f5-bb5f-4138-8f9d-07fa96dcf02f
Timestamp: 2015-05-29 17:18:48Z
AADSTS90093: Calling principal cannot consent due to lack of permissions.
From within Azure we have "users may give applications permission to access their data" set to use. We also have "users may add integrated applications" to yes.
Just wanted to check which URL you are going to. We have 2 "graph explorers" - one is for exploring Azure AD Graph API, while the other (called API explorer) is for exploring the Office 365 unified API.
If you are going to https://graphexplorer2.cloudapp.net - this is (AAD) graph explorer, and should not require admin permissions. Please let us know if this is what you are using and if this is causing issues.
If on the other hand you are going to https://graphexplorer2.azurewebsites.net - this is the API explorer, and due to the number of APIs it requires access to, it currently requires admin consent. We'll look into a way to reduce the number of scopes that this requires access to, to get to a place where users can consent (but that's not the case currently).
Hope this helps,
I ran into this issue today and here what I did:
Login to your AD application in classic portal
(https://manage.windowsazure.com/)
Under "Configure" section, there
is "permissions to other applications", look at the "delegated
permissions" for "Window Azure Active Directory".
Make sure you pick
the correct permissions for your app. Normally, "Sign in and read
user profile" is enough for user to login.
For more information you
can take a look at this link
https://graph.microsoft.io/en-us/docs/authorization/permission_scopes
I worked for Skype for business online use case (WEB API). I faced this issue for users not global admins. The users who added by global admin.
I managed to resolve the issue by passing extra parameter prompt=admin_consent.
var href = 'https://login.microsoftonline.com/common/oauth2/authorize?response_type=token&client_id=';
href += client_id + '&resource=https://webdir.online.lync.com&redirect_uri=' + window.location.href+'&prompt=admin_consent';
For more details visit link https://blogs.msdn.microsoft.com/exchangedev/2014/03/25/using-oauth2-to-access-calendar-contact-and-mail-api-in-office-365-exchange-online/
We have a number of Azure subscriptions with various co-administrators in our environment. To date, we have used people's Microsoft accounts to grant co-administrator rights, and of course many use their corporate [username]#[company domain] email address for these.
Some time ago, we enabled Azure directory, synchronized to our on-premise AD, where accounts have also been # - and all was good. When adding new co-admins, we simply had to choose if we wanted to use their MS account or their organizational account.
However, we're now seeing the following error when adding some users' Microsoft accounts to some subscriptions:
The Microsoft Account '[username]#[company domain]' cannot be made a co-administrator as its domain is the same as one of the Verified Domains of the target subscription's directory.
Has anyone else seen this - is it an intentional change in behaviour? It seems somewhat inconsistent...
i had the same issue, then I used the new preview portal and it worked.
try it out
According to Microsoft support, this change in behavior is intentional.
(Since posting the question, they have also sent email notifications that any co-admins with Microsoft accounts outside of the Azure Directory will be added as guest accounts in the subscription's directory.)