Using Azure SQL Migration extension on Azure Data Studio - azure

I have connected my Azure account in Data Studio and I am using the Azure SQL migration extension (v0.1.12) to migrate on-prem SQL to Azure Managed Instance.
However my subscription details are not getting fetched.
When I manually add the Azure subscription details, I get the following error.

The issue seems to be more of an access-level issue.
Below are the access levels that you need in order to create an Azure Migrate appliance project:
Contributor or Owner permissions in the Azure subscription.
Permissions to register Azure Active Directory (Azure AD) apps.
Owner or Contributor and User Access Administrator permissions in the Azure subscription to create an instance of Azure Key Vault, which is used during agentless server migration.
Below are the steps to set Contributor or Owner permissions:
From the Azure Subscriptions panel, select the subscription.
Go to Access control (IAM) and select Add role assignment.
Assign the following roles.
For complete information, check the Microsoft documentation on providing access.
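A scripted version of the access check above, as an added example that is not part of the original answer: it takes role assignments in the JSON shape printed by `az role assignment list --all --assignee <principal> -o json` and reports whether the required roles are effective on the whole subscription. The subscription ID, principal, management group name and sample assignments are constructed, and the Key Vault rule is read as "Owner, or Contributor together with User Access Administrator"; the Azure AD app-registration permission is a directory setting and is not covered here.

```python
import json

# Constructed sample in the shape printed by:
#   az role assignment list --all --assignee <principal> -o json
SAMPLE = json.loads("""
[
  {"principalName": "dba@example.com", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-sql"},
  {"principalName": "dba@example.com", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "dba@example.com", "roleDefinitionName": "User Access Administrator",
   "scope": "/providers/Microsoft.Management/managementGroups/mg-corp"}
]
""")

SUB = "00000000-0000-0000-0000-000000000001"  # constructed subscription ID


def effective_roles(assignments, subscription_id, parent_mgmt_groups=()):
    """Roles that apply to the whole subscription: assigned on the
    subscription itself or inherited from a parent scope. Assignments on a
    resource group or resource inside it are deliberately excluded."""
    covering = {"/", f"/subscriptions/{subscription_id}".lower()}
    covering |= {
        f"/providers/Microsoft.Management/managementGroups/{mg}".lower()
        for mg in parent_mgmt_groups  # assumption: caller knows the hierarchy
    }
    return {
        a["roleDefinitionName"]
        for a in assignments
        if (a["scope"].rstrip("/").lower() or "/") in covering
    }


def check_migration_access(assignments, subscription_id, parent_mgmt_groups=()):
    roles = effective_roles(assignments, subscription_id, parent_mgmt_groups)
    # Requirement 1 in the list above: Contributor or Owner on the subscription.
    subscription_access = bool(roles & {"Owner", "Contributor"})
    # Requirement 3, read as: Owner, or Contributor plus User Access Administrator.
    key_vault_access = "Owner" in roles or (
        "Contributor" in roles and "User Access Administrator" in roles
    )
    return {"roles": sorted(roles),
            "subscription_access": subscription_access,
            "key_vault_access": key_vault_access}
```

With the sample data the check fails even though the principal is a Contributor, because that assignment is scoped to a single resource group rather than the subscription.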


How to create a new metastore?

I want to configure Unity Catalog and one step is creating a metastore in the region where I create the Databricks workspace (I am on Azure).
I created a workspace with a premium pricing tier and I am the admin.
Following the documentation, I should go to the Data tab to create metastore.
However, when I open the Data tab, I don't see "Create Metastore" button.
The same in SQL persona:
Could you guide me how to make a new metastore?
If a metastore is already created in the region, how can I find it?
In order to do this sort of management, you should access the Databricks account portal at the tenant level:
Databricks Account
From there, you can create and manage the metastores, as well as assign a metastore with a Databricks Workspace, which is what you have created.
Take into account that for most of what you have described, you must be an account admin for the Databricks Account.
As per the official docs (source):
The first Azure Databricks account admin must be an Azure Active Directory Global Administrator at the time that they first log in to the Azure Databricks account console. Upon first login, that user becomes an Azure Databricks account admin and no longer needs the Azure Active Directory Global Administrator role to access the Azure Databricks account. The first account admin can assign users in the Azure Active Directory tenant as additional account admins (who can themselves assign more account admins). Additional account admins do not require specific roles in Azure Active Directory.
Configure your Unity Catalog Metastore
Go to + New, click on New notebook, and open it.
If you already have catalogs with data, use the command below to check:
# Show all catalogs in the metastore.
display(spark.sql("SHOW CATALOGS"))
If you don't have a catalog, create a utility catalog:
# Create a catalog.
spark.sql("CREATE CATALOG IF NOT EXISTS catalog_name")
# Set the current catalog.
spark.sql("USE CATALOG catalog_name")
For more information, refer to this official document and notebook.
You must be an Azure Databricks account admin to get started using Unity Catalog. This can be done the first time using the Azure Active Directory Global Administrator of your subscription.
As per official documentation:
The first Azure Databricks account admin must be an Azure Active
Directory Global Administrator at the time that they first log in to
the Azure Databricks account console. Upon first login, that user
becomes an Azure Databricks account admin and no longer needs the
Azure Active Directory Global Administrator role to access the Azure
Databricks account. The first account admin can assign users in the
Azure Active Directory tenant as additional account admins (who can
themselves assign more account admins). Additional account admins do
not require specific roles in Azure Active Directory.
How to identify your Microsoft Azure global administrators for your subscriptions?
The global administrator has access to all administrative features. By default, the person who signs up for an Azure subscription is assigned the global administrator role for the directory. Only global administrators can assign other administrator roles.
Log in to the Azure Databricks account console as the Global admin, and then the account admin can assign users in the Azure Active Directory tenant.
For more details, refer to "Azure Databricks - Get started using Unity Catalog" and also refer to the MS Q&A thread "How to access Azure Databricks account admin?", which addresses a similar issue.

Azure Databricks Unity Catalogue Create metastore button unavailable

I am trying to create a metastore to incorporate managed identity in Azure Databricks, but the Data tab only shows Create Table.
Per the documentation, it should be there. Also, I have created the Databricks service and have the Azure Contributor role.
I am an admin to the Databricks workspace. Is it unavailable on Azure?
Well, you don't give details about your environment, so I can only give some ideas about what is missing.
First, change the environment to "SQL" (click on "Data Science & Engineering" menu at the top left)
Second, do you have all the requirements? The requirements are here: https://learn.microsoft.com/en-us/azure/databricks/data-governance/unity-catalog/get-started#requirements
I think you are missing this permission:
You must be an Azure Databricks account admin.
The first Azure Databricks account admin must be an Azure Active Directory Global Administrator at the time that they first log in to the Azure Databricks account console. Upon first login, that user becomes an Azure Databricks account admin and no longer needs the Azure Active Directory Global Administrator role to access the Azure Databricks account. The first account admin can assign users in the Azure Active Directory tenant as additional account admins (who can themselves assign more account admins). Additional account admins do not require specific roles in Azure Active Directory.
To check if you are an Azure Databricks account admin you can access:
https://accounts.azuredatabricks.net/login?next_url=%2Flogin%2F
and verify whether you have access to the Databricks administration screen.

Unable to connect Azure DevOps and Azure ML

I have created an automated Service Principal from the service requests on Azure DevOps with sufficient permissions. Now, when I am trying to create an artifact which is an ML model (registered), it is not auto-populating the registered models and results in an error.
I am using a free trial Azure account and attempting to implement CI/CD for ML. I turned my firewall off and tried again, but the issue still persists.
It appears that the Service Principal is not assigned the role in the appropriate subscription.
You need to grant the service principal Azure subscription access permission:
Log in to the Azure portal -> All services -> Subscriptions -> click your subscription -> Access control (IAM) -> Add role assignment -> assign the correct role to your service principal.
Refer to "Use the portal to create an Azure AD application and service principal that can access resources" and "Assign Azure roles using the Azure portal" for details.

Azure unable to create a run as account

Azure Run As account creation error
An error occurred while creating the Azure Run As account for account 'xxxxxxxxxx'.
Error details:
You don't have enough permissions to access service principal needed for the Run as account in the AAD tenant. See https://aka.ms/AARunAsPermissions for more details.
I think your error message has clearly stated your problem, and you need to grant the account the subscription RBAC owner role.
Use the subscription administrator account to log in to the Azure portal>Subscriptions>your Subscriptions
In addition, you also need to ensure that you have the permission to create AAD applications. Use the tenant administrator to log in to Azure portal > Azure AD > User settings and set "Users can register applications" to Yes.

Using Managed Identity in Azure Pipelines: GetUserAccessToken: Failed to obtain an access token of identity. AAD returned silent failure

I am trying to run an Azure Resource Group Deployment task in Azure Pipelines. I have deployed an Azure Pipelines self-hosted agent on an Azure VM running Windows, and in my Azure DevOps organization I have set up an Azure Resource Manager service connection to a VM with a managed service identity.
However, I get the following error when trying to configure my Azure Resource Group Deployment task with my service connection with managed identity:
GetUserAccessToken: Failed to obtain an access token of identity . AAD returned silent failure.
I have already verified that I granted access (Contributor) to the VM's managed identity to the target resource group:
The service connection is also scoped to the Azure subscription:
Any help on diagnosing this issue is appreciated. Thanks!
"Failed to obtain an access token" errors typically occur when your session has expired.
To resolve these issues:
Sign out of Azure Pipelines or TFS.
Open an InPrivate or incognito browser window and navigate to https://visualstudio.microsoft.com/team-services/.
If you are prompted to sign out, do so.
Sign in using the appropriate credentials.
Choose the organization you want to use from the list.
Select the project you want to add the service connection to.
Create the service connection you need by opening the Settings page. Then, select Services > New service connection > Azure Resource Manager.
Refer to:
https://learn.microsoft.com/en-us/azure/devops/pipelines/release/azure-rm-endpoint?view=azure-devops#sessionexpired
In case this is useful to anyone else, I had a similar issue when modifying service connections through Azure DevOps. The solution provided by Charlie Brown pointed me in the right direction: The user in AAD isn't automatically added to the Azure DevOps Enterprise Application, so if you run into this it may mean that you need to add the user or group that's trying to access it through DevOps.
In my case I just added myself as an owner and user through the Azure Portal -> Azure Active Directory -> Enterprise Applications -> Azure DevOps.
I didn't have to create another user, nor modify anything with MFA.
It appears that the issue comes about because it is the user account authenticated to Azure DevOps that is retrieving subscription information. Azure DevOps is not using the managed identity to retrieve the subscription information.
In particular, my original Azure DevOps user account had MFA turned on to authenticate to an Azure subscription (e.g. portal.azure.com), but did not have MFA turned on to authenticate to Azure DevOps (e.g. dev.azure.com/). I think that this was causing the issue when failing to get an access token:
I created a different user account in my Azure AD, gave it access to my Azure DevOps organization, and made sure that this new user account had Reader permissions over the target subscription and did not have MFA turned on. This resolved the issue of getting subscription info when using managed identity:
My scenario getting this error was adding a Service Connection to a Management Group in Azure DevOps
GetUserAccessToken: Failed to obtain an access token of identity
{{GUID}}. AAD returned silent failure.
Fix for me was adding my account as a Project Collection Admin in DevOps... details below:
Tried every permission possible ... GA, ROOT Mgmt Group Owner (via AAD setting), target Mgmt Group Owner, Subscription Owner, App Administrator... In DevOps I am a project admin and I have the Admin security role in service connections.
An interesting difference I have here: my Azure AD home tenant is different from my Azure Subscription AD tenant (I am a B2B Guest).
I actually tried to use a different DevOps tenant that has an AAD tied to the Azure Subscription tenant and it WORKED :( This led me to dive further into what is different. Aside from the DevOps->AAD link, I am also COLLECTION admin on the working one, and only a project admin on the failing one. I made sure I had Management Group Owner rights and then added my account as a Project Collection Admin - WORKED!
Ref: https://developercommunity.visualstudio.com/solutions/1246044/view.html
