From the Azure portal, I'm trying to do "Assign the Service Desk Virtual Machine Contributor permissions".
I have created a user:
Created a VM:
Searching by Name:
However, the search says no user assignment exists.
What am I doing wrong/missing? Any suggestions, please? Thanks.
As @Rockstar mentioned in the comments section, if the user is part of the Service Desk group, the user won't be visible in the IAM blade, but if you check the user's Azure role assignments you will find that the role assigned to the group has been inherited by the user as well.
If the user is not part of the group, then you have to directly assign the role to the user itself in the IAM blade to make it visible in the portal IAM blade.
I tested in my environment like this:
1. Created a user and added him to the Service Desk group.
2. Assigned the Virtual Machine Contributor role to the group.
3. Then I went to User >> Azure role assignments and saw that the role is assigned to the user as well, since it is part of the group.
4. Assigned another user (not part of the Service Desk group) to the role directly, and I can see it in the portal.
I've been given access to a resource group in Azure, but I still get a 401 page when trying to access it or any resource in that resource group. I have a role assigned to me only on the resource group, not on the subscription (maybe this can be the reason?).
Type of my user: Guest
Role for a resource group: Contributor
Contributor role gives full access, except ability to assign roles to other users.
Also, according to the docs:
"Guests can be added to administrator roles, which grant them full read and write permissions."
What can be the problem?
This is the page I get when trying to access the resource group or any of its resources:
Azure Resource Manager sometimes caches configurations and data to improve performance. When you assign roles or remove role assignments, it can take up to 30 minutes for changes to take effect. If you are using the Azure portal, Azure PowerShell, or Azure CLI, you can force a refresh of your role assignment changes by signing out and signing in. If you are making role assignment changes with REST API calls, you can force a refresh by refreshing your access token.
Source: Troubleshoot Azure RBAC - Role assignment changes are not being detected
Another option would be to visit the preview portal. Since this is a different website, you will get a new token which reflects the latest state.
While creating an access package or group, how can I force users to get access (to any resources) via PIM in Azure?
While creating the group there is an option called "Azure AD roles can be assigned to the group". What is this all about? If I say "Yes", it shows the "Roles".
I'm a bit confused about the additional settings. Is this the setting to do this?
I don't know about access packages or access groups. But for my PIM setup I have Azure AD groups where users are added. And once they get access to the group they become eligible for requesting roles through PIM.
I have then a role in PIM, I make it eligible, and assign it to the group.
Users can open PIM, go to My Roles, and then activate the role.
Activating the role gives them permissions for one hour to access resources in a resource group. (This is all depending on what settings you put on the role in PIM). Outside of PIM they have no permissions whatsoever, so if they need access to resources they must request it via PIM.
PIM >> Azure Resource >> change the default filter on Resource Type from Subscription to Resource Group or Resource if you want to assign permissions at smaller scopes >> do the things.
According to this link, there should be 3 built-in roles for Azure Sentinel. However, a Global Admin account is unable to see any of them under Administrative Roles in Azure.
When I go to the underlying workspace, in the Access Control (IAM) blade, I can set the roles:
They do not appear in the Azure AD roles list indeed.
If you go to the resource group that your instance of Sentinel is in, it will have an 'Access Control' link.
From there you can click 'Add role assignment'.
Choose which role you wish to assign and press Next.
Then assign access to a user or group.
I accidentally deleted the only Azure Owner role assignment on my subscription. Any idea how I can get that restored? I can only log in to the Azure portal now, and when I click on Subscriptions it keeps loading; nothing comes up.
I have resolved this myself. As I am also a Global Administrator, I created an Azure AD user and assigned the Global Admin role to it. I logged in to the Azure portal with that new account and re-assigned the Owner role to my original account, which I had accidentally deleted. Now it's working fine :)
The same thing happened to me today, and even though I was "Global Admin" in Azure AD, I was unable to modify the permissions, as the "Role Assignment" options appeared disabled.
These are the steps that I followed:
I logged in to the Azure portal with the MS Live ID (@outlook.com) with which we had registered the MS Azure subscription (Root ID or Account Owner ID).
Then I went to the Azure subscription --> IAM --> Add Role Assignment. This option was enabled this time!
To be on the safer side, I then created a Security Group in Azure AD with 3 Azure administrators and made this group "Owner" of the Azure subscription.
A user should be able to read a resource group, but not be allowed to create/delete a resource group.
i. I have created a custom role using a JSON script with the following permissions:
Actions: Microsoft.Resources/subscriptions/resourceGroups/read
NotActions: Microsoft.Resources/subscriptions/resourceGroups/write,
Microsoft.Resources/subscriptions/resourceGroups/delete
ii. Added it using the PowerShell cmdlet New-AzureRMRoleDefinition.
But when I assigned this custom role to a user in IAM, the user is still able to create/delete a resource group.
Note: I have used the RBAC and IAM services of Azure.
Go to the resource group blade >> IAM >> Add (at the top of the blade).
Select Contributor. Select the user. You are done.
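Two questions in this thread come down to how Azure RBAC evaluates access: the first (a group-assigned Virtual Machine Contributor role that does not show up against the user in the IAM blade) and the last (a custom role whose NotActions did not stop the user from creating or deleting resource groups). The following is an added example, not Azure's code or anything posted by the thread participants. It models the two documented rules with constructed sample data (the user names, GUID-style subscription id, group name, scopes and the abridged role definitions are all made up; the custom role is copied from the question above): a role assigned to a group applies to every member, and NotActions only subtracts from the Actions of the same role definition, so any other assignment the user holds (here, Contributor at subscription scope, as an illustration) still grants the write and delete operations.

```python
"""Added example: a small model of how Azure RBAC evaluates access.

Not Azure's own code. It reproduces two documented rules discussed in this
thread, using constructed sample data (names, ids, scopes and abridged roles):
  * a role assigned to a group applies to every (transitive) member, so it
    appears under the user's "Azure role assignments" view but not as a row
    for the user in a resource's IAM blade;
  * NotActions only subtracts from the Actions of the same role definition;
    it never denies an operation granted by a different assignment.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple
    not_actions: tuple = ()

    def permits(self, operation: str) -> bool:
        """Granted when the operation matches an Action and no NotAction.
        Matching is case-insensitive and '*' spans '/' segments, which is
        exactly what fnmatchcase does."""
        op = operation.lower()
        allowed = any(fnmatchcase(op, a.lower()) for a in self.actions)
        excluded = any(fnmatchcase(op, n.lower()) for n in self.not_actions)
        return allowed and not excluded


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str  # user or group object id
    role_name: str
    scope: str         # subscription, resource group or resource id


def scope_covers(assignment_scope: str, target: str) -> bool:
    """Assignments inherit downward: a subscription-scope assignment applies
    to every resource group and resource beneath it."""
    a, t = assignment_scope.lower().rstrip("/"), target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def principals_for(user_id: str, group_members: dict) -> set:
    """The user plus every group containing the user, transitively."""
    result = {user_id}
    changed = True
    while changed:
        changed = False
        for group, members in group_members.items():
            if group not in result and result & set(members):
                result.add(group)
                changed = True
    return result


def effective_assignments(user_id, target_scope, assignments, group_members):
    """Every assignment that applies to the user at target_scope: direct,
    via group membership, or inherited from a parent scope. This is what the
    portal shows under User >> Azure role assignments; the IAM blade of the
    resource only lists rows whose principal is the user itself."""
    principals = principals_for(user_id, group_members)
    return [a for a in assignments
            if a.principal_id in principals and scope_covers(a.scope, target_scope)]


def is_authorized(user_id, operation, target_scope, assignments, roles, group_members):
    """Allowed if ANY effective assignment's role permits the operation.
    (Azure evaluates deny assignments first; none are modelled here.)"""
    return any(roles[a.role_name].permits(operation)
               for a in effective_assignments(user_id, target_scope,
                                              assignments, group_members))


# --- constructed sample data (not a real tenant) -----------------------------
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-servicedesk"

ROLES = {
    # Abridged from the built-in definitions; not the complete action lists.
    "Virtual Machine Contributor": RoleDefinition(
        "Virtual Machine Contributor",
        ("Microsoft.Compute/virtualMachines/*",
         "Microsoft.Resources/subscriptions/resourceGroups/read")),
    "Contributor": RoleDefinition(
        "Contributor", ("*",),
        ("Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write")),
    # The custom role from the last question, as posted.
    "RG Reader (custom)": RoleDefinition(
        "RG Reader (custom)",
        ("Microsoft.Resources/subscriptions/resourceGroups/read",),
        ("Microsoft.Resources/subscriptions/resourceGroups/write",
         "Microsoft.Resources/subscriptions/resourceGroups/delete")),
}
GROUP_MEMBERS = {"grp-servicedesk": {"alice"}}
ASSIGNMENTS = [
    RoleAssignment("grp-servicedesk", "Virtual Machine Contributor", SUB),
    RoleAssignment("bob", "RG Reader (custom)", RG),
    RoleAssignment("carol", "RG Reader (custom)", RG),
    RoleAssignment("carol", "Contributor", SUB),  # the extra grant that wins
]


def check(user, operation, scope=RG):
    return is_authorized(user, operation, scope, ASSIGNMENTS, ROLES, GROUP_MEMBERS)


if __name__ == "__main__":
    # alice has no direct row, yet inherits VM Contributor through the group
    print([a.principal_id for a in effective_assignments("alice", RG, ASSIGNMENTS, GROUP_MEMBERS)])
    print(check("alice", "Microsoft.Compute/virtualMachines/start/action"))
    # bob: the read-only custom role works on its own
    print(check("bob", "Microsoft.Resources/subscriptions/resourceGroups/read"),
          check("bob", "Microsoft.Resources/subscriptions/resourceGroups/write"))
    # carol: NotActions in the custom role do not remove what Contributor grants
    print(check("carol", "Microsoft.Resources/subscriptions/resourceGroups/delete"))
    # ...while Contributor's own NotActions do block role-assignment writes
    print(check("carol", "Microsoft.Authorization/roleAssignments/write"))
```

The practical check this suggests: when a user can do more than a custom role should allow, list every assignment that reaches the user (direct, group-inherited and from parent scopes) rather than the single role you just created, and remember that NotActions is a carve-out from that one role, not a deny.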