I'm transferring a resource (storage account) from one subscription to another. During the transfer the RBAC permissions will be removed from my resource. I know you can download the RBAC permissions to have a copy, but what is the best way to add them back to my resource? Do I have to do it manually one by one? Felt like there was an easier way.
You could download the role assignments as a csv file(without Inherited), then use the azure powershell to assign the roles to your storage account after transferring below. Please make sure your subscriptions are in the same AAD tenant, otherwise it will not work.
$csv = Import-Csv -Path C:\Users\joyw\Desktop\role-assignments-2021-11-08.csv
$scope = "<storage account resource id after transferring>"
foreach($rs in $csv){
New-AzRoleAssignment -ObjectId $csv.ObjectId -Scope $scope -RoleDefinitionName $csv.RoleDefinitionName
}
Thanks Joy. I should mention these resources won't be in the same ADD tenant. I'm moving the resource from one tenant to another.
Related
When i'm trying to remove user on the storage account using below commands through automation account i'm getting error
object reference not set to instance of an object
Remove-AzRoleAssignment -SignInName $emailid -RoleDefinitionName
"Storage File Data SMB Share Contributor" -Scope "/subscriptions/00000-0000-00/resourceGroups/resourcegroupname/providers/Microsoft.Storage/storageAccounts/storageaccname"
Few of the workaround you can follow to achieve the above requirement;
Make sure that you have following permission to that subscription
Owner or, User Access Administrator( must have a role that includes Microsoft.Authorization/roleAssignments/write permissions) to assign or remove.
If you have above permission Check the role which have defined in storage account same as what you have mentioned want to remove. Or it exist or not.
And make sure that the role which you want to remove, that not showing as inherited If so you can not remove those assignments as you are trying to remove a role assignment at a child scope.
For more information please refer the below links:-
MICROSOFT DOCUMENT| Remove Azure role Assignments ,Manage role permissions and security in Automation & Remove-AzRoleAssignment
like to know all the sites in Azure that are currently associated to our Azure Tenant includes full URL,azure web apps,azure SQL,Storage accounts,Datalake,Cosmosdb,container registries
Tried Get-AzureADTenantDetail and also az resource list but not able find it
Any Powershell script will help
You can use
Azure CLI
az resource list
Powershell
Get-AzureRmResource
You can use Get-AzureRmResource to get the list of resources in an Azure Subscription. By default this Cmdlet will list all resources in an Azure Subscription. To get a list of certain resource types, you can specify an OData filter query.
For example, the Cmdlet below will list all storage accounts and webapps in an Azure Subscription:
Get-AzureRmResource -ODataQuery "ResourceType eq 'Microsoft.Storage/storageAccounts' or ResourceType eq 'Microsoft.Web/sites'" | ft
You will need to find the proper resource type values for each kind of resource that you want to find.
Another thing to notice is that this Cmdlet is scoped to a single Azure Subscription. If your Azure Tenant serves as authentication/authorization source for multiple subscriptions, you would need to run this Cmdlet for each subscription separately.
If you have multiple tenants, you can switch between tenants and get resources within them (subscription by subscription) via
connect-azaccount -Tenant [different tenant id]
$context = Get-AzSubscription [subscriptionid in different tenant id]
set-azcontext $context
get-azresource > resources.tenantname.subcription.txt
where tenantname and subscription are the names of the tenant and subscription in english form (instead of id's).
you should probably not use those azurerm commands anymore, they will stop working sometime in 2024. use the az equivalents (basically replace azurerm with az (yeah, i could delete urerm but that seems weirder!))
I'm trying to create an Azure Role Assignment which assigns the User Access Administrator role to a service principal but only for Azure Data Factory resources.
I see plenty of documentation on setting scopes by subscription, resource group, or even resource, but can't figure out how to set it for all resources of a certain type.
I've tried this PowerShell command which runs successfully but doesn't have the intended effect. The service principal still can't perform the actions of that role on ADF resources.
New-AzRoleAssignment -ObjectId ddddddd-dddd-dddd-dddd-dddddddddddd -RoleDefinitionId 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 -Scope "/providers/Microsoft.DataFactory"
I've also tried experimenting with wildcards in the scope, but this seems unsupported: /subscriptions/dddddddd-dddd-dddd-dddd-dddddddddddd/resourceGroups/*/providers/Microsoft.DataFactory/dataFactories/*
Here's the documentation I've already read:
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions#assignablescopes
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template
The Role Assignment is used to assign the user a predefined or custom role "role definition".
The role definition is the one that defines the scope of the role. The scope of the role needs to be subscription(s), resource group(s) and resource(s). You can't define a type of resource. Its more like one or multiple locations.
Structure of RBAC Scope:
https://learn.microsoft.com/en-us/azure/role-based-access-control/overview#scope
How to create a Custom Role:
https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles
In your case, if you want to grant a user to be able to handle IAM on all DataFactory you will need to manually define each datafactory scope. Then use the actions in the Microsoft.Authorization provider: https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
When defining the Scope for the assignment you can either define it with the -Scope <String> parameter or a combination of the following parameters.
-ResourceGroupName <String>
-ResourceName <String>
-ResourceType <String>
The resource type "-ResourceType ". For e.g. Microsoft.Network/virtualNetworks. Should only be used in conjunction with ResourceGroupName, ResourceName and (optionally)ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.
For more details see: https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azroleassignment?view=azps-3.3.0
the existing answer is pretty much on point, however there are a few things you can do to make it work:
the most obvious limit all data factories to a single resource group (or a couple of them) and grant SP owner permissions to those resource groups (or create a custom RBAC role).
use a simple script to assign those permissions dynamically
If you cant put all of the data factories in the same resource group\set of resource groups. Script would look like this ("pseudo" code, not tested, but will give you the idea):
Get-AzSbuscription | Foreach-Object {
$_ | Select-AzSubscription
Get-AzDataFactory | Foreach-Object {
New-AzRoleAssignment -Scope $_.ResourceId`
-ObjectId ddddddd-dddd-dddd-dddd-dddddddddddd `
-RoleDefinitionId 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9
}
}
and run it on a schedule
I can't find any documentation on how to choose which AAD to create the service principal in. Basically, I can't find out if there is even a way to add the SP to the local AAD.
So we have a default Global AD which covers all of our enrollment and below that all subscriptions. I'm using Powershell derived from the many many examples on the net to create a SP in the default AD. Then I permission that SP against the subscription it is going to be working in.
At this point I've run into the following problem.
I'm rolling out a Key Vault, this works.
New-AzureRmKeyVault -VaultName $VaultName -EnabledForDeployment -EnabledForTemplateDeployment -ResourceGroupName $ResourceGroupName -Location $Location -Verbose
I need to add the first secret into it as part of the deployment. This bit fails because the SP doesn't have access to the KV.
# Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroupName -PermissionsToSecrets get,set -ServicePrincipalName $ServicePrincipalName
This is the result of that command.
Set-AzureRmKeyVaultAccessPolicy : Cannot find the Active Directory object
'Service-Principal-Name' in tenant '6166a717-xxxx-xxxxx-b0e8-6b7288c1f7ec'.
Please make sure that the user or application service principal you are
authorizing is registered in the current subscription's Azure Active
directory.
Reading into this, its not possible to set the Global AD Service Principal to have get/set on the local Keyvault. it would have to be a local Service Principal. However, we dont have one of them and nowhere can I work out how to create one of them.
Anyone else feeling this pain and know how to resolve it?
In the settings section of the old portal (manage.windowsazure.com), you will find a list of all subscriptions. The fourth column (Directory) shows the default directory that is associated with each subscription. No matter what, you will have to create the Service Principal in the Directory that is associated with that particular subscription. Please check this link to understand the relationship between Subscriptions and AAD.
I am trying to move some Azure resources from one subscription to another one. I have one Microsoft Account which is co-administrator in both source and target subscriptions.
I run Powershell and log in using the following commandlet:
Add-AzureRmAccount -TenantId "source tenant GUID"
Then I use
Move-AzureRmResource -ResourceId "id of the resource" -DestinationResourceGroupName "xxx" -SubscriptionId "target subscription GUID"
I am getting this error:
Move-AzureRmResource : LinkedAuthorizationFailed : The client has permission to perform
action 'Microsoft.Resources/subscriptions/resourceGroups/write' on scope '/subscriptions/
xxx/resourceGroups/dotnetportal', however the linked subscription 'target subscription GUID' is not in
current tenant 'source tenant GUID'.
Can't reproduce your question and no official material found, but according to the error message however the linked subscription 'target subscription GUID' is not in
current tenant 'source tenant GUID', I think resources moving between subscriptions belong to different tenant is not allowed. Microsoft Azure should have limited the function within identical tenant.
The Azure PowerShell module Move-AzureRmResource cmdlet allows you to move a resource to a different resource group or subscription, but it requires the subscriptions to be in the same tenant.
The best way to check if you have linked subscription is using UI, first.
Login to your source azure subscription.
Browse > Resource groups and select the resource group that contains the VM.
In the Resource group blade, select Move from the menu.
Check if you can see the linked subscription.
A good workaround to copy or move a resource group from one subscription to another see: https://blogs.msdn.microsoft.com/azuregov/2016/12/09/copying-azure-resource-groups-between-different-azure-subscriptions-or-environments/
Share you some code as referenceļ¼
Get-AzureRMResource -ResourceName **** -ResourceGroupName **** |
Move-AzureRMResource -DestinationResourceGroupName *** -DestinationSubscriptionId **** -Force