How to check user activity logs from Azure AD - azure

Is there any way to see the user logs? I know there are two options given, "Sign-in logs" and "Audit logs", under "Users". However, I think that is not sufficient.
For example, some of the users complain:
they had access to an Azure subscription and now it's removed.
they had access to an access package and now it's removed, etc.
However, when I try to find those in "Sign-in logs" or "Audit logs", I don't see any such details.
My question is: is there any way I can just give the user's email ID and get all the details (what subscription was assigned and when? what access package was assigned and when? when the user logged in and what activities were performed? etc.) about the user from the Azure portal? Or, let's say, when someone got access to certain resources and when the access was removed?

they had access to an Azure subscription and now it's removed.
This could mean that their role assignment was deleted, which will show up in the Activity Log of the subscription. Activity logs are only kept for a certain time, so if you want to keep them longer and have a better way to search through them, send them to permanent storage.
Or they were removed from an AAD group which has access to the subscription; this will show up in the Audit logs of AAD.
You can send those logs to the same Log Analytics workspace and query them. For example, to see the group membership changes for a user "user@test.com", who has a User Principal Name of "user_test.com" in the tenant, you could use
AuditLogs
| where Category == "GroupManagement"
| where TargetResources has "user_test.com"
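The answer above points at three separate sources (the AAD audit log for group changes, the subscription Activity Log for role assignments, and the sign-in log for logons). The following script, added here as an example and not part of the original post or answer, stitches exported records from those three sources into one per-user timeline. It assumes the records follow the public Microsoft Graph `directoryAudit` and `signIn` schemas and the Azure Monitor Activity Log event schema; the records, the tenant name, the subscription ID and the user's object ID are constructed for the demo. One practical caveat it shows: Activity Log role-assignment events identify the principal by object ID, not UPN, so the UPN has to be resolved to an object ID before matching, and guests appear in AAD logs with the mangled `#EXT#` UPN, which is why the query above matches on the `user_test.com` prefix.

```python
"""Per-user access timeline from exported Entra ID (Azure AD) and Azure logs.

Added example for the question above; not code from the original post. Assumes
JSON exports of Graph directoryAudit (GET /auditLogs/directoryAudits), Graph
signIn (GET /auditLogs/signIns) and Azure Activity Log events; field names follow
those public schemas, while the records, object ID and tenant name are constructed.
"""
import json
from datetime import datetime

TARGET_UPN = "user_test.com"                                 # UPN prefix as stored in the tenant
TARGET_OBJECT_ID = "3f2a1c44-0000-4000-8000-0000000000aa"    # assumed objectId of that user
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed subscription scope
GUEST_UPN = "user_test.com#EXT#@contoso.onmicrosoft.com"     # how a guest's UPN appears in logs


def _grp_event(ts, action, upn, group):  # constructed directoryAudit record
    return {"activityDateTime": ts, "category": "GroupManagement", "activityDisplayName": action,
            "result": "success", "initiatedBy": {"user": {"userPrincipalName": "admin@test.com"}},
            "targetResources": [{"type": "User", "userPrincipalName": upn},
                                {"type": "Group", "displayName": group}]}

def _ra_event(ts, verb, principal):  # constructed Activity Log event for a role assignment write/delete
    return {"eventTimestamp": ts, "caller": "admin@test.com", "status": {"value": "Succeeded"},
            "operationName": {"value": f"Microsoft.Authorization/roleAssignments/{verb}"},
            "properties": {"responseBody": json.dumps({"properties": {"principalId": principal, "scope": SUB}})}}

def _signin(ts, upn, ip, code):  # constructed signIn record; errorCode 0 means success
    return {"createdDateTime": ts, "userPrincipalName": upn, "appDisplayName": "Azure Portal",
            "ipAddress": ip, "status": {"errorCode": code}}

AUDIT_LOGS = [_grp_event("2024-03-01T09:12:00Z", "Add member to group", GUEST_UPN, "Sub-Contributors"),
              _grp_event("2024-03-20T17:40:00Z", "Remove member from group", GUEST_UPN, "Sub-Contributors"),
              _grp_event("2024-03-21T08:00:00Z", "Add member to group", "other@test.com", "Sub-Contributors")]
ACTIVITY_LOG = [_ra_event("2024-03-05T10:00:00Z", "write", TARGET_OBJECT_ID),
                _ra_event("2024-03-06T10:00:00Z", "write", "9d9d9d9d-0000-4000-8000-0000000000bb"),  # someone else
                _ra_event("2024-03-22T11:30:00Z", "delete", TARGET_OBJECT_ID)]
SIGNIN_LOGS = [_signin("2024-03-10T08:05:00Z", GUEST_UPN, "203.0.113.10", 0),
               _signin("2024-03-12T08:05:00Z", "other@test.com", "203.0.113.11", 0),
               _signin("2024-03-23T07:59:00Z", GUEST_UPN, "198.51.100.7", 50126)]


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def matches_user(upn, target=TARGET_UPN):
    """Accept the bare UPN and the guest form '<mangled>#EXT#@<tenant>'."""
    if not upn:
        return False
    u, t = upn.lower(), target.lower()
    return u == t or u.startswith(t + "#ext#")

def group_changes(audit, target=TARGET_UPN):
    """Successful GroupManagement events whose target user is `target`."""
    out = []
    for rec in audit:
        if rec.get("category") != "GroupManagement" or rec.get("result") != "success":
            continue
        targets = rec.get("targetResources", [])
        if not any(t.get("type") == "User" and matches_user(t.get("userPrincipalName"), target) for t in targets):
            continue
        group = next((t.get("displayName") for t in targets if t.get("type") == "Group"), "?")
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
        out.append((_ts(rec["activityDateTime"]), "AuditLogs", f"{rec['activityDisplayName']}: {group} (by {actor})"))
    return out

def role_assignment_changes(activity, object_id=TARGET_OBJECT_ID):
    """Role assignment writes/deletes for the principal. Activity Log events carry the
    principal's object ID rather than a UPN, so the UPN must be resolved to an ID first."""
    out = []
    for ev in activity:
        op = ev.get("operationName", {}).get("value", "")
        if not op.startswith("Microsoft.Authorization/roleAssignments/") or ev.get("status", {}).get("value") != "Succeeded":
            continue
        try:
            props = json.loads(ev.get("properties", {}).get("responseBody") or "{}").get("properties", {})
        except json.JSONDecodeError:
            props = {}
        if props.get("principalId", "").lower() != object_id.lower():
            continue
        out.append((_ts(ev["eventTimestamp"]), "AzureActivity",
                    f"roleAssignments/{op.rsplit('/', 1)[-1]} at {props.get('scope', '?')} (by {ev.get('caller', '?')})"))
    return out

def sign_ins(signins, target=TARGET_UPN):
    """Sign-ins for the user, flagged success/failure from status.errorCode."""
    out = []
    for s in signins:
        if matches_user(s.get("userPrincipalName"), target):
            ok = s.get("status", {}).get("errorCode", 0) == 0
            out.append((_ts(s["createdDateTime"]), "SigninLogs",
                        f"{'success' if ok else 'failure'} {s.get('appDisplayName', '?')} from {s.get('ipAddress', '?')}"))
    return out

def build_timeline(audit=AUDIT_LOGS, activity=ACTIVITY_LOG, signins=SIGNIN_LOGS):
    """One chronological list of (time, source, description) across the three sources."""
    return sorted(group_changes(audit) + role_assignment_changes(activity) + sign_ins(signins), key=lambda e: e[0])


if __name__ == "__main__":
    for when, source, what in build_timeline():
        print(when.isoformat(), source.ljust(13), what)
```

Run stand-alone it prints the six matching events in order: the group add, the role assignment write, a successful portal sign-in, the group removal, the role assignment delete, and a failed sign-in; the records for `other@test.com` and for the other principal's role assignment are filtered out. With real exports you would replace the three constructed lists with the parsed JSON and look up `TARGET_OBJECT_ID` from the user object.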

Related

Retrieve AzureAD Users sign-in logs Kusto Resource Graph Query

I am trying to get a list of users logged into Azure AD, which can be seen under Users | All Users in the Azure portal, using a Kusto Resource Graph query, but does anybody know how to call this? I understand I can list all sign-ins via an HTTP request
GET https://graph.microsoft.com/v1.0/auditLogs/signIns
but how do I call this in Resource Graph?
I know I can call resources to show a list of resources sorted by name,
e.g.
Resources
| project name, type, location
| order by name asc
and can call
resources
| where identity contains "userAssignedIdentities"
but all I'm returning is user-assigned identities, and not Users, i.e. User Type, User Principal Name, Name, Account Enabled, Company, etc.
that should be specific to All Users and Sign-in Logs.
Any help would be appreciated,
many thanks
You can pull the sign-in logs of users using a Kusto query; for that you need a few prerequisites:
You should have Security Administrator or Global Administrator permission.
Create a Log Analytics workspace.
Set up diagnostic settings.
You can follow this Microsoft document to create a Log Analytics workspace and add it in Azure Active Directory -> Diagnostic settings.
You can use the below Kusto query in Azure Active Directory -> Log Analytics:
SigninLogs
| project UserId,UserType,UserDisplayName
Note: there is no option to project AccountEnabled or Company.
Yep, this works, bud, also changing my permission to Security Admin. Many thanks.

Issue with root owner of Azure Account (somehow got modified and I don't have access). How can I clean-up?

I used a personal e-mail as "Microsoft Identity" to sign up for an Azure Free Trial. My expectation is that my e-mail ID is the root login for my account and the associated identity is the root owner, and I think that was the case initially. Later, I deployed an Azure AD tenant with a different name; it turns out a bizarre pseudo-e-mail ID (UPN) became root owner of my parent account, which I don't have access to. Now I can't delete subscriptions or the unwanted UPN. How can I reset my account to start from a clean slate? One way is to use a different e-mail ID and get started with a new account. I am wondering if someone can provide steps to perform clean-up and restart with the same old e-mail ID / identity as root owner. Azure support plans start @ $29.00/month and I am trying to avoid that.
Another symptom: I can't cancel the subscription. It asks me to contact the owner, and that happens to be that bizarre, very long, email-looking UPN which I can't use for login as those credentials aren't there.
You should contact the Azure Support Team and raise a subscription ticket, which is free, for further help.
They can help you manage your subscription owner and credit card / billing information from the backend.

Microsoft GraphAPI: How do I retrieve the assigned groups of an azure user?

As you can see from my question above, I was wondering whether it is possible to retrieve the assigned groups of an Azure Active Directory (AAD) user via the Microsoft Graph API.
My situation is that I have an ASP.NET MVC project with Microsoft Azure enabled. My goal is that an Azure user can log in on my website with their Azure account.
The idea is that an Azure user is an admin or a user (depending on the Azure groups), and depending on this role group, the user can see more or less of my webpage.
For example:
When Peter logs in with his azure account on my webpage, he should only be able to see:
Add new Document
Edit Document
Remove Document
because he is only assigned as "User" in Azure Active Directory.
But when Sabrina logs in with her Azure account on my webpage, she should be able to do the same as Peter, but she can also see:
Manage Products
Add new customer
etc.
because she has been assigned as an admin in Azure Active Directory.
My problem is that I did not find out how to retrieve the assigned groups of a user with the Microsoft Graph API. The part about what a user can see or not once I have the roles is not a big deal.
I already tried this API call:
https://graph.microsoft.com/v1.0/me/
But it seems that the response of this call does not include the actual assigned groups of that user.
Do you think it is possible to retrieve the assigned groups of an Azure user? Is this even possible? Or do I have to do something else to retrieve this information?
I hope you understand my point and I am looking forward to any response. Thanks in advance!
Add /memberOf to the URL to receive the groups the user is a member of.
https://graph.microsoft.com/v1.0/me/memberOf
Here's a link to the specific Graph API: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups
Take a look at this sample application on GitHub. It does something very similar with a task tracker application, where different users are able to perform different actions based on the group they belong to:
https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims/blob/master/README.md
Also, in cases where a user is a member of too many groups, you get back an overage indicator and have to make a separate call to get all groups. Read about the "hasgroups" and "groups:src1" claims here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-id-and-access-tokens
Depending on your system architecture, if a user has joined too many groups, the API https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups will return too many groups.
But if there are not too many groups with permissions in your system, you can use this API: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_checkmembergroups to check whether the current user is a member of the specified groups.
It is not a good idea to use this API: https://graph.microsoft.com/v1.0/me/memberOf, because it returns only the groups the user is a direct member of, but a security group can be a member of another security group.
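The two answers above make three points that are easy to get wrong in an authorization layer: the token's groups claim is transitive but may be replaced by an overage marker, `/me/memberOf` only lists direct memberships, and `checkMemberGroups` lets you ask about just the handful of groups the app cares about (it evaluates nested membership and accepts up to 20 IDs per call). The following is an added example, not code from the question, the answers or the linked sample; the role names, the group object IDs and the `FakeGraph` client are assumptions. `graph_post(path, body)` stands in for an authenticated POST to `https://graph.microsoft.com/v1.0` made with the user's access token.

```python
"""Map a signed-in Entra ID (Azure AD) user to an application role from group
membership, handling the group-overage case. Added example; role names, group
IDs and the FakeGraph client are assumed, and graph_post(path, body) stands for
an authenticated POST to https://graph.microsoft.com/v1.0.
"""

ROLE_GROUPS = {  # assumed object IDs of the security groups that grant each app role
    "admin": "11111111-1111-4111-8111-111111111111",
    "user": "22222222-2222-4222-8222-222222222222",
}
ROLE_ORDER = ("admin", "user")   # most privileged first
CHECK_MEMBER_GROUPS_MAX = 20     # /checkMemberGroups accepts at most 20 group IDs per call


def token_has_group_overage(claims):
    """True when the token could not carry the groups: v1 tokens set 'hasgroups',
    v2 tokens point at Graph via '_claim_names'/'_claim_sources'."""
    return claims.get("hasgroups") is True or "groups" in (claims.get("_claim_names") or {})


def groups_from_token(claims):
    """Transitive group IDs from the 'groups' claim, or None if it was omitted for overage."""
    if token_has_group_overage(claims):
        return None
    return set(claims.get("groups", []))


def check_member_groups(graph_post, group_ids):
    """POST /me/checkMemberGroups in batches of 20; returns the subset of group_ids
    the user belongs to, directly or through nested security groups."""
    ids = list(group_ids)
    member_of = set()
    for i in range(0, len(ids), CHECK_MEMBER_GROUPS_MAX):
        resp = graph_post("/me/checkMemberGroups", {"groupIds": ids[i:i + CHECK_MEMBER_GROUPS_MAX]})
        member_of.update(resp.get("value", []))
    return member_of


def resolve_role(claims, graph_post):
    """App role for the caller: use the token's groups claim when present; on
    overage ask Graph only about the groups the app uses instead of listing all."""
    groups = groups_from_token(claims)
    if groups is None:
        groups = check_member_groups(graph_post, ROLE_GROUPS.values())
    for role in ROLE_ORDER:
        if ROLE_GROUPS[role] in groups:
            return role
    return None


class FakeGraph:
    """Offline stand-in for Graph: answers checkMemberGroups from a fixed transitive membership."""

    def __init__(self, transitive_groups):
        self.transitive_groups = set(transitive_groups)
        self.calls = []

    def post(self, path, body):
        self.calls.append((path, body))
        if path != "/me/checkMemberGroups" or len(body["groupIds"]) > CHECK_MEMBER_GROUPS_MAX:
            raise ValueError("request Graph would reject")
        return {"value": [g for g in body["groupIds"] if g in self.transitive_groups]}


if __name__ == "__main__":
    # Sabrina: few groups, so the token carries the groups claim and no Graph call is needed
    print(resolve_role({"groups": [ROLE_GROUPS["admin"]]}, FakeGraph([]).post))   # admin
    # Peter: too many groups, the token only carries the overage marker, so ask Graph
    graph = FakeGraph([ROLE_GROUPS["user"], "33333333-3333-4333-8333-333333333333"])
    print(resolve_role({"_claim_names": {"groups": "src1"}}, graph.post))         # user
```

In a real ASP.NET or Python web app the `graph_post` argument would be a thin wrapper around your HTTP client that sends the user's bearer token; keeping it injectable is what makes the authorization decision testable without a tenant. Checking a fixed list of authorization groups is also cheaper and safer than paging through `getMemberGroups` for users who are in hundreds of groups.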

One login for multiple Azure subscriptions?

I have two Azure subscriptions, one personal, tied to my Microsoft ID, and another under a different Microsoft ID for a charitable organization where I am the one-man IT/web dev guy. I created the org's Azure account/subscription myself. I can't figure out how to create websites, etc. under my personal MS ID login without logging in and out of the separate Microsoft IDs to manage both sets of Azure resources.
Logged in with the org's MS ID, in the Azure portal I've made my personal ID a subscription admin (Subscriptions > Access Control > Add my personal MS ID, then right-clicked to make it co-administrator). This is confirmed since a right-click now shows "Remove co-admin", so that implies it's correctly set up as a subscription co-admin. That user is also in the Owner role.
Step 2, in the Active Directory for the org subscription, Users and Groups > All Users > New User, I added my personal MS ID. Then I select that user, click Directory Role in the left menu, select the Global Administrator radio button and save.
So now my personal MS ID user is a subscription co-admin and an AD Global Admin in the org's Azure portal.
To check, if I then go to any resource group or App Service and look at Access control, I see my personal MS ID user listed as an Owner for that resource and all other resources. So everything looks good.
So if I log out of the org ID and log in with my personal MS ID and go to the Azure portal, I see my usual personal Azure account resources. But I don't understand how to either see and manage the resources in the org's Azure subscription, or how to switch subscriptions or switch directories (it's not listed at the top right), and when creating a new resource I have no option to use the org's subscription. How do I see/manage those resources in the org's directory? Is this even possible? Or do I need to log out and log in with the org's MS ID, which is a major annoyance since it also logs me out of Outlook etc. when I switch IDs.
Azure subscriptions are "housed" within a specific Azure Active Directory tenant. You should treat an AAD tenant as the top-level object structure, in that each tenant is entirely separate from every other tenant.
If you had multiple subscriptions within a single tenant, you would be able to sign in once and gain access to all of those subscriptions.
However, since these subscriptions look like they are in different tenants, there is no way to avoid logging in twice to access the two subscriptions. To expand on this, there would be no way to avoid logging in twice to access any unique objects across these two tenants.
For me, the answer was:
Access the Azure portal login page
Click "Sign in as a different user"
Type the exact same email address
Select the "School or Work account" option.
This one was tied to the Azure AD and they reset my password through there. Not sure it really helps you because signing in and out all the time is still a thing, but it took me far too long to get this right so I thought I'd share.

How can I give another user access to my Azure portal resources?

I am trying to give other users access to my resources in the Azure portal. I am trying to add them as a Contributor, but it seems they are not able to see the resources when they log in to the Azure portal.
Here's the access control list for the VM:
Any ideas why they can't see the resource when they log in to the portal?
They are a Contributor.
When you add a user to an Azure subscription, s/he is also added to the directory if s/he isn't already there. This is considered an "invitation" that must be accepted before the user can get access. Tell the person to check their email, if this is the first time the email address has been added to a subscription in the directory. (Note that personal subscriptions are usually created along with a new directory whereas company subscriptions are usually in the company's directory.)
After accepting the invitation, s/he will need to switch to the directory before the subscription will be visible. You can do that in the top-right, like Juunas mentioned in the comment above. Here's a link to the directory switcher: https://portal.azure.com/#menu/account.
Steps to reproduce:
As owner:
Go to the Resource Group you want to give access to:
Go to IAM:
Go to 'Add role assignment'
Search for the name you want to give access to:
Select the role (Contributor in your case)
Click Add and they will receive an email.
