How to force users to access via PIM in Azure

While creating an access package or group, how can I force users to get access (for any resources) via PIM in Azure?
While creating the group there is an option called "Azure AD roles can be assigned to the group". What is this all about? If I say "Yes", it shows the "Roles".
I'm a bit confused about the additional settings. Is this the setting to do this?

I don't know about access packages or access groups. But for my PIM setup I have Azure AD groups where users are added. And once they get access to the group they become eligible for requesting roles through PIM.
I then have a role in PIM, make it eligible, and assign it to the group.
Users can open PIM, go to My Roles, and then activate the role.
Activating the role gives them permissions for one hour to access resources in a resource group. (This is all depending on what settings you put on the role in PIM). Outside of PIM they have no permissions whatsoever, so if they need access to resources they must request it via PIM.
PIM > Azure Resource > Change the default filter on Resource Type from Subscription to Resource Group or Resource if you want to assign permissions on smaller scopes > Do the things.

Related

Can't access resource group in Azure, while having Contributor role for it

I've been given access to a resource group in Azure, but still get a 401 page while trying to access it or any resource in that resource group. I have a role assigned to me only in a resource group, not the subscription (maybe this can be the reason?)
Type of my user: Guest
Role for a resource group: Contributor
Contributor role gives full access, except ability to assign roles to other users.
Also, according to the docs:
Guests can be added to administrator roles, which grant them full read and write permissions
What can be the problem?
This is the page I get when trying to access the resource group or any of its resources:
Azure Resource Manager sometimes caches configurations and data to improve performance. When you assign roles or remove role assignments, it can take up to 30 minutes for changes to take effect. If you are using the Azure portal, Azure PowerShell, or Azure CLI, you can force a refresh of your role assignment changes by signing out and signing in. If you are making role assignment changes with REST API calls, you can force a refresh by refreshing your access token.
Source: Troubleshoot Azure RBAC - Role assignment changes are not being detected
Another option would be to visit the preview portal. Since this is a different website, you will get a new token which reflects the latest state.

Users unable to see resource group in Azure

I'm new to Azure AD. I've got a few issues that say users are unable to see resource groups. (When they click on a particular subscription -> resource group.) Is there any way to check? How can I check which users can access or view the resource group and which can't?
The easiest way to check the access for a user is to use the Check access feature on the Access control (IAM) page. See
Quickstart: Check access for a user to Azure resources

Service principal or Managed Identity

I have a client that can only give me full access to one or two resource groups.
I need to deliver some pre-scripted Terraform resources that require a service principal.
Can you lock an SP to a resource group? The subscription itself is a production subscription, so they want to know if you can tie it down using role-based access to just that group.
Or should I create an MI account instead?
Can you lock an SP to a resource group?
You most certainly can. Azure Role-based access control is very granular and you can apply access control at any level (management group, subscription, resource group or even at individual resource).
Please see this for more details: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps.

Enable the ability to create resource groups

I would like to give members of a specific role the ability to create resource groups. Can this be achieved without giving users the co-owner role at the subscription level?
You can grant them contributor rights on the specific Azure subscription, they don't have to be co-owner. This is the least-privilege built-in role available that allows you to create resource groups.
However, you could also create a custom role with only one action:
Microsoft.Resources/subscriptions/resourceGroups/write
Read more here: Custom roles for Azure resources
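To make the access-control answers in this thread concrete (the single-action custom role above, Contributor's inability to assign roles, and locking a principal to one resource group), here is an added example, not code from any poster or from Microsoft: a toy evaluator of Azure RBAC's Actions/NotActions wildcard matching and scope inheritance. The role definitions, subscription id and group names are constructed; Contributor's NotActions list is abbreviated, and deny assignments and DataActions are ignored.

```python
"""Toy Azure RBAC evaluator (illustration only; simplified model)."""
import re

# Constructed role definitions modelled on the shapes discussed in the thread.
# The real Contributor NotActions list is longer; only the Authorization entries are kept.
ROLES = {
    "Contributor": {
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/elevateAccess/Action"],
    },
    # Custom role with the single action from the answer above.
    "Resource Group Creator": {
        "Actions": ["Microsoft.Resources/subscriptions/resourceGroups/write"],
        "NotActions": [],
    },
}

def action_matches(pattern: str, action: str) -> bool:
    # Azure action strings compare case-insensitively; '*' is the only wildcard
    # and may span '/' segments (so "*" alone matches every action).
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    # An assignment applies to its own scope and everything beneath it, never above it.
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def is_allowed(assignments, action: str, target_scope: str) -> bool:
    """assignments: list of (role_name, scope). True if any assignment grants the action."""
    for role_name, scope in assignments:
        if not scope_covers(scope, target_scope):
            continue
        role = ROLES[role_name]
        granted = any(action_matches(p, action) for p in role["Actions"])
        excluded = any(action_matches(p, action) for p in role["NotActions"])
        if granted and not excluded:
            return True
    return False

# Constructed placeholder identifiers.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_A, RG_B = SUB + "/resourceGroups/rg-a", SUB + "/resourceGroups/rg-b"

if __name__ == "__main__":
    sp = [("Contributor", RG_A)]  # service principal locked to one resource group
    print(is_allowed(sp, "Microsoft.Compute/virtualMachines/write", RG_A + "/providers/Microsoft.Compute/virtualMachines/vm1"))  # True
    print(is_allowed(sp, "Microsoft.Compute/virtualMachines/write", RG_B))  # False: other group
    print(is_allowed(sp, "Microsoft.Authorization/roleAssignments/write", RG_A))  # False: NotActions
    print(is_allowed([("Resource Group Creator", SUB)], "Microsoft.Resources/subscriptions/resourceGroups/write", RG_A))  # True
```

Assigning Contributor at the subscription instead of at RG_A makes the second check return True for every resource group, which is the inheritance behaviour the last thread below runs into.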

Microsoft Azure: How to set up Contributor-role user groups for separate Resource Groups?

I am trying to set up 2 separate Contributor-role user groups for 2 separate Resource Groups in Microsoft Azure. In the new portal, I added 2 groups in the Contributor role. So after I created a new Azure website and its resource group, the 2 contributor user groups automatically have access to the new resource group; however, I want to allow only one group to access that resource. I went into the Resource Group blade and selected the user group I don't want to have access, but the 'Remove' button is disabled. So how can I remove the user group?
I also realized that a member of the user group is not able to see the assigned resource, but if that member is added explicitly as a user (without a group), the user is then able to access the resource group. So my question is, is the Resource Group not supported for user groups (yet)? In my case, should I create 2 separate Active Directories for the 2 different user groups?
It sounds like you've assigned your 2 groups to the Contributor role at the subscription level. If you want to remove access for one of those groups (or otherwise manage access at a more granular level than the subscription) you should go to your subscription, remove the group there (where it was assigned), and then individually add that same group to the Resource Groups that you want it to have access to. Make sense?
Role assignments are supported for user groups.
My hypothesis for the user/group issue is that you may have recently added the user to the group. If you sign the user out and in again they might be able to get access.
Feel free to email me specifically on this issue as well.