I am trying to build a machine learning model on Azure for my company. The IT team at the company I work at has given me maximum permissions for our Azure Machine Learning account since I am doing all the setup part (we started using it only last month). However, I checked the portal and realized that I am not authorized to access any of the modules within Azure ML, namely Experiment, Models, Endpoints, Datasets, etc. Is there something I am missing that is giving me this error? The error message has this link but I am not sure it serves the purpose.
Note: I am new to Azure so please forgive me if this is a very basic doubt.
any chance you could ask your IT team, exactly what permissions you have? can you also confirm that you have permissions on the all the resources (not just the workspace)? There are three associated resources you need access to besides the ML workspace: the storage account, the key vault, and the container registry.
try going to portal.azure.com to see if you can find those resources
Related
I am a Solution Architect responsible for setting up a project's infrastructure on Azure. The project should be running in multiple environments (dev, staging, prod). As far as I learned the best practice regarding environment separation in Azure is to use Resource Groups. That's what I did.
However, this is where things start getting tricky. Our application will use Azure AD as OAuth Authorization Server. I want to have my AD isolated, like everything else in my infrastructure. I don't want to accidentally modify a production user from the dev environment and for the dev environment, I want to be able to create a ton of test users which I don't want to see in production. So, isolation.
The problem is I don't see any option on how to do this. My first instinct was to create multiple ADs. But when I do that, they actually need to create a completely new tenant for each of these environments. This seems really messy to me. Have to support as many (almost empty) tenants as I want to have environments.
Please, what is the right way how to do this?
Does Azure AD have some kind of support for isolation I require?
Am I missing something?
Note: this question was also asked in MS Q&A.
You're correct that a tenant is equivalent to a directory and a user is either in the directory or it's not. However, using RBAC, you can restrict the permissions on users so that they can't access particular services. It would be good if you separated permissions by subscription which is what a lot of major companies do and that's how they know which workload a subscription handles.
I am trying to deploy an on-prem instance of Azure DevOps Server to a VM in an Azure Government subscription (which by nature, seems it does not support standard DevOps).
This template is referenced within support material directly from Microsoft:
https://github.com/usri/deploy_DevOps_Server_AzureSQL
All the referenced resources were created from scratch for the purpose of getting this server running.
This requires an AAD account with the associated password stored in a Key Vault. However, every attempt I make to run the template returns the following error on the 'Write VirtualMachines' step (when all other components pass):
The client has permission to perform action 'Microsoft.Compute/images/read' on scope '(MY_SUBSCRIPTION)\(MY_RESOURCEGROUP)\(VM)', however the current tenant '(MY_KEYVAULT)' is not authorized to access linked subscription '(ID in the template with the deployment files)'
This seems to me like the password cannot be retrieved from Key Vault- is it a formatting issue with the Secret? An access control issue somewhere? I've tried many various combinations of both. Hopefully this is just a trivial issue..
I am the original author of the code in that repo. I went ahead and merged a pull request into that repo which should address your issue. I did the following:
Updated the ReadMe file to include information on creating the image
Updated the azuredeploy.json with parameters for Key Vault & image references
Updated the ps1 file to eliminate hard links for KV (a particularly bad oversight on my part, my apologies).
Updated and tested everything for the latest version of Azure DevOps Server 2020
This should fix your issue and several other related ones. I retested the entire deployment from scratch and it worked as designed. A couple of other quick notes:
The USRI and all of it's repositories including the one being utilized here are not Microsoft official repositories. They represent an open-source Azure community dedicated to regulated entity customers. The members which contribute there are mostly Microsoft employees and the repos themselves just represent interesting and sometime niche templates that might be of interest.
This particular repo shows a manner in which Azure templates could be used to deploy services when no internet connection is available or permitted. I just used Azure DevOps Server because it was interesting and regulated industry customers use it.
All the best
I maintain a family web site on Azure on my spare time. For a small fee, we have purchased a custom domain name to make it more "professional".
Unfortunately, the credit card associated with the susbscription has expired and since I was not actively monitoring the dedicated mail account I had created for this purpose, the susbscription has now been deleted (the susbscription is actually disabled in the portal, but the mail from Azure says that I need to create a new subscription if I want to change my mind).
In a matter of minutes, I registered a new subscription and thanks to continuous deployment, I could deploy the Web App from sources that I had kept on a GitHub account. However, an attempt to bring an external domain to the Web App fails with the reason being that the said domain is already in use by another Azure web site (presumably, the old Web App from the, now deleted, subscription)
A quick chat with the #AzureSupport team on Twitter, they suggested I file a support request from the Azure portal. However, since this is not a professionnal susbscription, I do not have a support plan. I see that support costs 25 $/month for at least 6 months in my situation.
This seems a bit too costly, like an order of magnitude higher than buying a new domain name for several years. At the same time, I don't understand why the deleted account is still locking the custom domain name. And it seems unfair that I need to pay to recover a domain name that I own but am unable to benefit from because it is associated with a Web App in a disabled Azure subscription!
Please, what are my options?
PS: Even though this is not a programmatic question, I post here because that's where Microsoft recommends to obtain community support. I have also posted a similar question on an appropriate MSDN Forum but the answers there are not satisfying.
Unfortunately on a technical level this will be something that can only be rectified by Azure support. Since you no longer have access to the account they will need to delete that domain association.
It is excessive that you are required to pay for a six month support contract to resolve an issue that is clearly an issue with the way Azure decommissions subscriptions.
The problem you now have is that you can't use Azure to host this domain until that association is removed. Your only options are to either have the complexity of using a VM or to move your site to AWS etc.
If you make those points to #AzureSupport team, maybe they will process it for you. Point them to this question and ask them to help you to keep using Azure.
Scenario:
One team had built one application, and application is running on azure.
maintenance is taken care by same team, we don't want to give full access of production instance to developer team, but want to give read permission, like - monitoring of logs, cpu usages etc.
Solution according to me is build an application which will get dashboard data and log data from azure via api and that data will be displayed to development team.
I am referring these 2 links
https://msdn.microsoft.com/en-us/library/azure/dn722415.aspx
https://azure.microsoft.com/en-in/documentation/articles/api-management-get-started/
Question:
Still I am not able to find api which will give the dashboard data. if anyone know api for the same, please help.
Is there any alternative solution for this scenario.
If you deploy your app using the new Azure Resource Manager mode, it provides a Role Based Access Control to your resources. You can deploy your app inside a Resource Group and provide read access to your developers. They will be able to view the information about the services that your app are made of but without the option to change anything.
This session from Build 2015 can help you to understand what ARM is and what you can do with it: https://channel9.msdn.com/Events/Build/2015/2-659
Every guide, blog and the health analyser keeps saying that you need to set up different accounts for different services, farm account and application pool accounts.
But no-one want to explain me why! I have tried to search for an answer, and while I am pretty sure it has a good reason I just cannot seem to find one. I really would like to know why. I want to learn! Try to be concrete!
To narrow down the question a bit. What are the reason for these two security issues reported by the health analyser:
The server farm account should not be used for other services.
Accounts used by application pools or service identities are in the local machine Administrators group.