Conditional access policy for accessing vm in Azure portal - azure

Scenario
An invited guest user should be able to connect to a vm via Bastion, but only, if the user resides in a certain country/location.
What did we do so far
We've created a named location for a specific country
That has been added as a condition to a conditional access policy
We've included a user group in which the guest user has been assigned to
For "Cloud apps or actions" we really don't know what to set there for our problem. Any constellation didn't help
The policy didn't work so far. We were able to connect from several countries which weren't specified.
Any advice? Thanks in advance.

There is an app called 'Microsoft Azure Management' that you can select here but note this will block the user from the Azure portal entirely and not just to Azure Bastion. There is no way to limit conditional access to just the Azure Bastion service at this time.
https://learn.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-management

Related

Azure Active Directory + Active Directory

can you guys help me with a question?
I have an ADDS created on Azure and a Windows Server 2019 (Active Directory) virtual machine hosted at Azure either.
I'm having problems to change the attributes and using the logon hours options trought the user's account... "You do not have permission to change the logon hours attribute, your changes won't be saved".
At Windows Server 2019, i have the enterprise admin permission.
At Azure, i have the administrator permition and still having theses issues.
Can someone give me a clue to solve this?
Thanks.
• In Azure ADDS, you will have to add your signing in ID to the Windows Server VM, i.e., the Azure ADDS DC to the Azure AD DC Administrators group in your Azure AD tenant. Once, you have added your user ID in this group, you will be able to configure the ‘logon hours’ attribute in the managed domain joined Windows Server VM.
• Also, though you are the administrator, but it is not clear what permissions you are assigned. As a result, you need to be assigned the ‘Domain Services Contributor’ Azure role for creating the required Azure ADDS resources along with ‘Application Administrator’ and ‘Groups Administrator’ Azure AD roles in your tenant.
Thus, if you ensure that the above changes are done, you will surely be able to change the ‘logon hours’ attribute. Please find the below snapshot for your reference: -
To know more about this, kindly follow the below links: -
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-management-vm#administrative-tasks-you-can-perform-on-a-managed-domain
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance-advanced#prerequisites

User can't access correct Azure portal

We're a very small company, for unknown reasons our internal app infrastructure (based on PaaS VMs) was set up on the Azure subscription for a "personal" Windows Live account of an internal email address, with only that one user in the AD. (We also use the "correct" Azure instance, the AD is synced from the remnant of our old on-prem infrastructure and our Office 365 is based on it.)
We're about to recruit a second developer, I want to give him some level of access to our app infrastructure but not the global admin that sharing the existing single account would provide. I've experimentally added another user to the Azure AD as a global admin (so it should have access to everything) but when I log in with that user it takes me to the portal for the default free personal Azure instance you get if there's nothing set up. If I paste in a URL for a resource in the account it's global admin for I get "You do not have access" (403). (Audit trail of the user in Azure AD shows it logged in.)
Is there an inherent restriction on this type of account (in which case I'll have to bite the bullet and migrate the infrastructure where it belongs) or should I be able to expect this user to be able to access the right portal - and if so what do I need to do to get that to happen?
Having Global Admin role in Azure AD does not give you access to Azure resources, only to manage users etc. in Azure AD.
You need to add e.g. Owner/Contributor role on the subscription to the user through the Access Control (IAM) tab.

Manage / debug virtual machines on someone elses azure subscription

I have two users, A and B. Both users have azure subscriptions. User A creates a VM, running some software, but wants to grant User B access to administer / debug this virtual machine.
Weve added User B as an owner of the virtual machine on User A's subcription, but they are not able to see the virtual machine.
Is there a way of doing this?
If there is, are we going about
it the right way?
Is there a way of doing this?
Yes, we can do this, we can invite user B to manager user A resource group.
are we going about it the right way?
We can do it via Azure portal.
1.Invite a guest via Azure portal, like this:
After that completed, Azure will send a email to that email address, user B should accept it, then we can find user B add to your Azure AD users list.
2.Grant resource group permission to this account,like this:
After that, user B reload Azure portal, then will find another directory in his portal, we can change it via portal. change to that directory, user B will find the resource group.
We can change another directory via Azure portal like this:
In this way, we can share an Azure resource group to another user out of your Azure AD.
About Azure built-in roles, please refer to this article.
By the way, as Peter said, we can't use user B account to login your Azure VM.
Don't try and administer the virtual machine using the web console. Get User A to provide the IP address they're using to log onto the machine to user B. Make sure that user B has an account on the virtual machine, and connect to that machine via RDP (username/password) or ssh (certificate/key) depending on your flavour.
RBAC manages authorization for Azure only, not the machines created within Azure.

Sharing resource groups on Microsoft Azure

I am trying to share a resource group in Microsoft Azure, but the users I give ownership/admin privileges can't see the resources or resource group within their Azure portal (I grant permissions on the resource group). Am I missing something in granting permissions? I checked that both users are admins in the active directory too, but I'm not entirely sure if that matters.
The resource group only contains a simple WebApp, Gateway and associated SQL server/database. The main Azure account and the other azure account are both under the same Azure subscription (BizSpark).
I am new to Azure, so thanks for any help!
Turns out I was being silly and didn't change directories. Thanks BenV!
Make sure the other users have selected your directory from the drop-down in the top-right corner of the portal. – BenV

Only give PS access to a specific VM?

I have an VM running in Azure which I would like the client to be able to turn on/off easily. I tought this would be simple; just a PS-script that performs an startup/shutdown/dealloc. But it seems I can't generate a "Azure Publish Settings"-file that only gives access to that VM? At the moment it seems I can only control this at the subscription level?
The Azure Publish Settings file basically contains the access information for an entire Azure subscription. It does not specify access to a specific resource (e.g. VM) but to all resources inside of a subscription.
To limit access to a subset of resources in Azure, you should be looking at the new role-based access (RBAC) functionality, which is available in the Azure preview portal and the latest Azure PowerShell cmdlets.
How it works is that you create an Azure resource group, to which you can assign roles with specific rights, and to this role you can then assign individual users.
Check the following Azure documentation link for details on how to do this.

Resources