I am unable to select "Yes" on the Restrict access to Azure AD administration portal option for my Azure AD, even though I have the Global Administrator role. Every time I select yes and hit save I get an "insufficient privileges" message.
Ended up creating a new user and assigning the Global Administrator role to that user. The new user was then able to change the setting.
Previously, I was able to reset a user's password by using the following steps:
Get an access token with an administrator's credentials, setting the scope to Directory.AccessAsUser.All, from https://login.microsoftonline.com/{{tenant_id}}/oauth2/v2.0/token
Pass the new password in a passwordProfile object and hit https://graph.microsoft.com/v1.0/users/{{oid}} using the access token retrieved from the first step.
But now, I cannot find Directory.AccessAsUser.All under Delegated API Permissions.
How can I change a user's password without it?
If your application or script needs to update users' passwords, you need to assign the User administrator role to your application. The User administrator role has a fixed set of permissions you grant to your application.
See Documentation
To add the User administrator role, follow these steps:
Sign in to the Azure portal and use the Directory + Subscription filter to switch to your Azure AD B2C tenant.
Search for and select Azure AD B2C.
Under Manage, select Roles and administrators.
Select the User administrator role.
Select Add assignments.
In the Select text box, enter the name or the ID of the application you registered earlier, for example, managementapp1. When it appears in the search results, select your application.
Select Add. It might take a few minutes for the permissions to fully propagate.
When you create the application registration, choose the first option - accounts in this organisational directory. You won’t use this app for B2C user flows, only for your admin AAD account, hence you choose the first option.
Just search "Directory.AccessAsUser.All" for it.
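A worked version of the app-only flow the answer above describes, added here as an example (it is not code from the original posts or from Microsoft): obtain a client-credentials token for the registered app and PATCH the user's passwordProfile, treating a 403 Authorization_RequestDenied from Graph as the signal that the app's service principal has not (yet) received the User Administrator role. Tenant, app and user identifiers are placeholders, FakeDirectory is a constructed offline stand-in for the token endpoint and Graph, and urllib_send is the transport to swap in against a real tenant. One caveat: User Administrator can reset passwords of ordinary users but not of users holding a higher-privileged directory role, so an app scoped this way cannot reset an admin's password.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple
from urllib.parse import parse_qs, urlencode

GRAPH = "https://graph.microsoft.com/v1.0"
# Hypothetical placeholders, not real identifiers.
TENANT_ID = "contoso.onmicrosoft.com"
APP_ID = "11111111-1111-1111-1111-111111111111"
USER_ID = "22222222-2222-2222-2222-222222222222"

# Transport: (method, url, headers, body) -> (http_status, response_text).
# Injected so the same flow runs offline against FakeDirectory below.
Sender = Callable[[str, str, dict, Optional[bytes]], Tuple[int, str]]


def urllib_send(method: str, url: str, headers: dict, body: Optional[bytes]) -> Tuple[int, str]:
    """Real transport for login.microsoftonline.com / graph.microsoft.com."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def token_request(tenant_id: str, client_id: str, client_secret: str):
    """Client-credentials request. The token carries the app's own identity, so the
    role assigned to the app's service principal (User Administrator) decides what it
    may do; no signed-in user and no Directory.AccessAsUser.All delegation is involved."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret,
            "scope": "https://graph.microsoft.com/.default"}  # .default: what the app already holds
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, urlencode(form).encode()


def get_token(send: Sender, tenant_id: str, client_id: str, client_secret: str) -> str:
    url, headers, body = token_request(tenant_id, client_id, client_secret)
    status, text = send("POST", url, headers, body)
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status} {text}")
    return json.loads(text)["access_token"]


def reset_password(send: Sender, token: str, user_id: str, new_password: str,
                   force_change: bool = True) -> str:
    """PATCH the user's passwordProfile. Returns "ok" on 204, or "needs-role" when Graph
    answers 403 Authorization_RequestDenied, i.e. the calling service principal holds no
    role allowed to reset this user's password. The password itself is never logged."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = json.dumps({"passwordProfile": {"forceChangePasswordNextSignIn": force_change,
                                           "password": new_password}}).encode()
    status, text = send("PATCH", f"{GRAPH}/users/{user_id}", headers, body)
    if status == 204:
        return "ok"
    if status == 403 and json.loads(text).get("error", {}).get("code") == "Authorization_RequestDenied":
        return "needs-role"
    raise RuntimeError(f"password reset failed: HTTP {status}")


class FakeDirectory:
    """Offline stand-in for the token endpoint and Graph (constructed, not a real tenant).
    Only apps whose client_id is in user_admin_apps are treated as User Administrators."""

    def __init__(self) -> None:
        self.user_admin_apps: set = set()
        self.passwords: dict = {}

    def send(self, method, url, headers, body):
        if method == "POST" and url.endswith("/oauth2/v2.0/token"):
            app = parse_qs(body.decode())["client_id"][0]
            return 200, json.dumps({"token_type": "Bearer", "access_token": f"app-token:{app}"})
        if method == "PATCH" and url.startswith(f"{GRAPH}/users/"):
            app = headers["Authorization"].split("app-token:", 1)[1]
            if app not in self.user_admin_apps:
                return 403, json.dumps({"error": {"code": "Authorization_RequestDenied",
                                                  "message": "Insufficient privileges to complete the operation."}})
            self.passwords[url.rsplit("/", 1)[1]] = json.loads(body)["passwordProfile"]["password"]
            return 204, ""
        return 404, json.dumps({"error": {"code": "Request_ResourceNotFound"}})


def demo() -> Tuple[str, str]:
    """Same call before and after the app is given the User Administrator role."""
    fake = FakeDirectory()
    token = get_token(fake.send, TENANT_ID, APP_ID, "client-secret-placeholder")
    before = reset_password(fake.send, token, USER_ID, "N3w-P@ssw0rd-placeholder")
    fake.user_admin_apps.add(APP_ID)  # the role assignment from the steps above
    after = reset_password(fake.send, token, USER_ID, "N3w-P@ssw0rd-placeholder")
    return before, after


if __name__ == "__main__":
    print(demo())  # ('needs-role', 'ok')
```

The app-only token replaces the delegated Directory.AccessAsUser.All scope entirely: the role on the service principal is the authorization, so the "insufficient privileges" answer from Graph is expected until that assignment has propagated.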
I have an API Management instance running where users can login using only Azure AD. There is a single Administrators account, but it is using the legacy User/Password Identity. I cannot remove the user. I want to assign a user from the Azure AD to the Administrators group, but I can not figure out how.
I have followed these steps by Microsoft but they just seem to redirect me to the legacy portal (or the new Developer portal if I change the URL normally) with my default Administrators account logged in.
As far as I know, we can't add another user into "Administrators" group.
The document you provided is used to log in another user (which is not admin) as administrator. So the result page shows your default administrators account. The title "How do I add a user to the Administrators group?" of the document is not very accurate.
After being invited to a client's Azure account and having the "Owner" role + access to "Azure AD user, group, service principal" granted, I am able to create App Services and import source from GitHub, but when I try to create a DevOps project to start actual work I get an error:
Following the link towards more details I can see that it's about a permission issue, but if I re-check my permissions:
It says "Owner" but the scope is "This resource" - note that this information is under the single Subscription that my client created; however, if I click my name for a detailed view of my identity I see "Guest":
What would be the proper way to grant me global permissions on my client's Azure account?
Thanks!
If you create a project, it will automatically create an AD App named like organizationname-projectname-513f22f1-befd-xxxxxxcfe90f1 in the App registrations in your tenant.
To fix the issue, ask the global admin of your tenant to modify the user settings. Navigate to Azure Active Directory in the portal -> User settings -> set Users can register applications to Yes.
Then in Manage external collaboration settings, set Guest users permissions are limited to No.
Besides, if you can get an administrator role, no matter what the settings are, you can create the app directly.
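The two portal toggles named in the answer above are properties of the Graph authorizationPolicy resource, so a tenant admin can inspect or change them from a script. Added example, not from the original answer or from Microsoft: graph_call, blockers_for_guest_app_registration and FakeTenant are written for this page, the guestUserRoleId GUIDs are the values documented for authorizationPolicy, and the caller is assumed to hold a token with Policy.ReadWrite.Authorization. Both settings are tenant-wide: they let every member (and, with the guest setting relaxed, every guest) register applications. If the goal is only to let one guest create a DevOps project, the answer's last line, giving that single user an administrative role, is the narrower fix; the Application Developer role is the least-privileged one that permits app registration while the tenant setting stays at No.

```python
import json
from typing import Callable, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
POLICY_URL = f"{GRAPH}/policies/authorizationPolicy"

# guestUserRoleId values documented for authorizationPolicy:
GUEST_SAME_AS_MEMBER = "a0b1b346-4d3e-4e8b-98f8-753987be4970"  # "Guest users permissions are limited" = No
GUEST_LIMITED = "10dae51f-b6af-4016-8d66-8c2a99b929b3"         # default; the "Yes" the question ran into
GUEST_RESTRICTED = "2af84b1e-32c8-42b7-82bc-daa82404023b"      # stricter than the default

# Transport: (method, url, headers, body) -> (http_status, response_text).
Sender = Callable[[str, str, dict, Optional[bytes]], Tuple[int, str]]


def graph_call(send: Sender, method: str, url: str, token: str, body: Optional[dict] = None):
    """Minimal Graph request wrapper; raises on 4xx/5xx, returns parsed JSON or None."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    data = json.dumps(body).encode() if body is not None else None
    status, text = send(method, url, headers, data)
    if status >= 400:
        raise RuntimeError(f"{method} {url} -> HTTP {status}: {text}")
    return json.loads(text) if text else None


def get_policy(send: Sender, token: str) -> dict:
    return graph_call(send, "GET", POLICY_URL, token)


def blockers_for_guest_app_registration(policy: dict) -> List[str]:
    """Which of the two settings would still stop a guest from registering the app
    that a new DevOps project creates. An empty list means neither blocks."""
    blockers = []
    if not policy.get("defaultUserRolePermissions", {}).get("allowedToCreateApps", False):
        blockers.append("Users can register applications = No")
    if policy.get("guestUserRoleId") != GUEST_SAME_AS_MEMBER:
        blockers.append("Guest users permissions are limited = Yes")
    return blockers


def allow_guest_app_registration(send: Sender, token: str) -> None:
    """Tenant-wide change: every member may register apps, guests get member-level access."""
    graph_call(send, "PATCH", POLICY_URL, token, {
        "defaultUserRolePermissions": {"allowedToCreateApps": True},
        "guestUserRoleId": GUEST_SAME_AS_MEMBER,
    })


class FakeTenant:
    """Offline stand-in holding one authorizationPolicy (constructed default values)."""

    def __init__(self) -> None:
        self.policy = {
            "id": "authorizationPolicy",
            "guestUserRoleId": GUEST_LIMITED,
            "defaultUserRolePermissions": {"allowedToCreateApps": False,
                                           "allowedToCreateSecurityGroups": True,
                                           "allowedToReadOtherUsers": True},
        }

    def send(self, method, url, headers, body):
        if url != POLICY_URL:
            return 404, json.dumps({"error": {"code": "Request_ResourceNotFound"}})
        if method == "GET":
            return 200, json.dumps(self.policy)
        if method == "PATCH":
            for key, value in json.loads(body).items():  # merge, as a Graph PATCH does
                if isinstance(value, dict):
                    self.policy.setdefault(key, {}).update(value)
                else:
                    self.policy[key] = value
            return 204, ""
        return 405, json.dumps({"error": {"code": "MethodNotAllowed"}})


def demo() -> Tuple[List[str], List[str]]:
    """Blockers before and after the two settings are relaxed."""
    fake, token = FakeTenant(), "token-placeholder"
    before = blockers_for_guest_app_registration(get_policy(fake.send, token))
    allow_guest_app_registration(fake.send, token)
    after = blockers_for_guest_app_registration(get_policy(fake.send, token))
    return before, after


if __name__ == "__main__":
    print(demo())
```

Run blockers_for_guest_app_registration against the real policy first; it tells you which of the two toggles is actually in the way before anything is changed, and it is often only one of them.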
My company is using Azure Active Directory. We are able to login into the Azure portal using AAD.
However, we only want a handful of employees to be able to login into the portal. All other employees should be kept out.
How do I accomplish this?
You can't do that if they are part of the AAD; you can, however, grant them no permissions, so they won't be able to see any resources or do anything on the portal.
And you really don't have to do anything to accomplish that. Those are the default permissions.
To check users permissions go to the portal and navigate to Azure AD blade.
Portal => AzureAd => Users => pick user => click Azure Resources on the left
Apply the Restrict access to Azure AD administration portal setting, which will block all access unless a user has Directory Reader or higher permissions in Azure AD
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
As a Global admin:
Azure Active Directory
User Settings
Restrict access to Azure AD administration portal -> yes
Or you can just block sign-in for the user in the user profile. By this, the blocked users will be denied login to the portal.
Note: This operation requires the global admin.
When an app is registered in Azure AD, to give permission to the app, we can grant consent to an application's delegated permissions on behalf of all the users in your tenant by clicking the "Grant Permissions" button. How do I undo this permission once it is given? Or can it not be undone from the Azure portal once it is clicked? I am confused as it is always the same color and always asks the "Do you want to grant...." dialog, and "No" doesn't undo the action.
Revoking Tenant Wide Consent can be done through the Azure Portal.
See here: Revoking Consent for Azure Active Directory Applications
Using the Azure Portal to Remove Tenant Wide Consent
If you are a tenant administrator, and you want to revoke consent for an application across your entire tenant, you can go to the Azure Portal. Whether it be for a bunch of users who individually consented or for an admin who consented on behalf of all the users, by simply deleting the application’s service principal, you will remove all delegation entries (the object used to store consent) for that application. Think about removing the service principal like uninstalling the application from your tenant.
You could delete the service principal a bunch of different ways like through Azure Active Directory PowerShell or through the Microsoft Graph API, but the easiest way for the average administrator is right through the Azure Portal.
Navigate to the Enterprise Applications blade in the Azure portal:
Then click “All Applications” and search for the application you want to revoke consent for:
When you click the application, you will be brought to an “Overview” section, where a tempting button called “Delete” will be at the top. Before you click this button, you might want to take a peek at the “Permissions” section to see the types of consent that was granted to this application:
Once you feel confident that you want to delete this application, go back to “Overview” and click “Delete”!
Voila! The app and all consent associated with that app is now gone.
There are some screenshots included in the actual blog post.
I hope this helps!
As #Shwan Tabrizi said, you can refer to the blog's way to remove the app from Enterprise Applications, because once you click the Grant Permissions button, the app will be automatically added into Enterprise applications and permissions assigned to users. You can also choose which user to remove permission from, as follows:
1. Sign in to the Azure portal with an account that's a global admin for the directory.
2. Select More services, enter Azure Active Directory in the text box, and then select Enter.
3. On the Azure Active Directory - directoryname blade (that is, the Azure AD blade for the directory you are managing), select Enterprise applications.
4. On the Enterprise applications blade, select All applications. You'll see a list of the apps you can manage.
5. On the Enterprise applications - All applications blade, select an app.
6. On the appname blade (that is, the blade with the name of the selected app in the title), select Users & Groups.
7. On the appname - User & Group Assignment blade, select one or more users or groups and then select the Remove command. Confirm your decision at the prompt.
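Deleting the service principal, as the blog quoted above recommends, is the blunt instrument. The consent itself is stored as oauth2PermissionGrant objects attached to the service principal, separate from the user assignments in Users & Groups, and those grants can be listed and deleted individually through Graph. Added example, written for this page and not from either answer: it lists the grants on one enterprise application, tells tenant-wide consent (consentType AllPrincipals, what the "Grant Permissions" button creates) from a single user's own consent (consentType Principal), and revokes either kind while leaving the application installed. Service principal and user IDs are placeholders, SAMPLE_GRANTS is constructed data served by FakeGraph, and the caller is assumed to hold a token with DelegatedPermissionGrant.ReadWrite.All. Application (app-only) permissions are appRoleAssignments on the service principal and are not touched here.

```python
import json
from typing import Callable, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"

# Transport: (method, url, headers, body) -> (http_status, response_text).
Sender = Callable[[str, str, dict, Optional[bytes]], Tuple[int, str]]


def graph_call(send: Sender, method: str, url: str, token: str, body: Optional[dict] = None):
    """Minimal Graph request wrapper; raises on 4xx/5xx, returns parsed JSON or None."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    data = json.dumps(body).encode() if body is not None else None
    status, text = send(method, url, headers, data)
    if status >= 400:
        raise RuntimeError(f"{method} {url} -> HTTP {status}: {text}")
    return json.loads(text) if text else None


def list_grants(send: Sender, token: str, sp_id: str) -> List[dict]:
    """All delegated consent records for one service principal, following paging."""
    url = f"{GRAPH}/servicePrincipals/{sp_id}/oauth2PermissionGrants"
    grants: List[dict] = []
    while url:
        page = graph_call(send, "GET", url, token)
        grants.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return grants


def describe(grant: dict) -> str:
    who = "all users" if grant["consentType"] == "AllPrincipals" else f"user {grant['principalId']}"
    return f"{who}: {grant['scope'].strip()}"


def revoke(send: Sender, token: str, grants: List[dict]) -> int:
    for grant in grants:
        graph_call(send, "DELETE", f"{GRAPH}/oauth2PermissionGrants/{grant['id']}", token)
    return len(grants)


def revoke_tenant_wide(send: Sender, token: str, sp_id: str) -> int:
    """Undo an admin's 'Grant Permissions' for everyone; individual user consents survive."""
    return revoke(send, token, [g for g in list_grants(send, token, sp_id)
                                if g["consentType"] == "AllPrincipals"])


def revoke_for_user(send: Sender, token: str, sp_id: str, user_id: str) -> int:
    """Remove one user's own consent; tenant-wide consent (if any) still covers them."""
    return revoke(send, token, [g for g in list_grants(send, token, sp_id)
                                if g["consentType"] == "Principal" and g["principalId"] == user_id])


SP_ID = "sp-00000000-placeholder"  # object id of the enterprise app's service principal (placeholder)
SAMPLE_GRANTS = [                  # constructed data in the shape Graph returns
    {"id": "grant-1", "clientId": SP_ID, "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph-sp-placeholder", "scope": "User.Read Directory.AccessAsUser.All"},
    {"id": "grant-2", "clientId": SP_ID, "consentType": "Principal", "principalId": "user-alice",
     "resourceId": "graph-sp-placeholder", "scope": "User.Read"},
    {"id": "grant-3", "clientId": SP_ID, "consentType": "Principal", "principalId": "user-bob",
     "resourceId": "graph-sp-placeholder", "scope": "User.Read Mail.Read"},
]


class FakeGraph:
    """Offline stand-in for the two Graph endpoints used above (constructed)."""

    def __init__(self, grants: List[dict]) -> None:
        self.grants = {g["id"]: dict(g) for g in grants}

    def send(self, method, url, headers, body):
        if method == "GET" and url.endswith("/oauth2PermissionGrants"):
            sp = url.split("/servicePrincipals/", 1)[1].split("/", 1)[0]
            return 200, json.dumps({"value": [g for g in self.grants.values() if g["clientId"] == sp]})
        if method == "DELETE" and "/oauth2PermissionGrants/" in url:
            grant_id = url.rsplit("/", 1)[1]
            if grant_id in self.grants:
                del self.grants[grant_id]
                return 204, ""
            return 404, json.dumps({"error": {"code": "Request_ResourceNotFound"}})
        return 400, json.dumps({"error": {"code": "BadRequest"}})


def demo():
    """Revoke one user's consent, then the tenant-wide grant; report what is left."""
    fake, token = FakeGraph(SAMPLE_GRANTS), "token-placeholder"
    before = [describe(g) for g in list_grants(fake.send, token, SP_ID)]
    removed_for_alice = revoke_for_user(fake.send, token, SP_ID, "user-alice")
    removed_tenant_wide = revoke_tenant_wide(fake.send, token, SP_ID)
    after = [describe(g) for g in list_grants(fake.send, token, SP_ID)]
    return before, removed_for_alice, removed_tenant_wide, after


if __name__ == "__main__":
    print(demo())
```

Listing first and revoking second is the point: the "Permissions" blade the blog mentions shows the same AllPrincipals versus Principal split, and revoking only the AllPrincipals grant answers the original question (undo the admin's "Grant Permissions" click) without uninstalling the app or disturbing users who consented for themselves.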