GCP: Security command center Admin Viewer role is not working - security

I gave my security team group unit the role roles/securitycenter.adminViewer as described in gcp documentation found here
The objective is to let the security team view all the threats with SCC.
The problem is that even with this role they are getting missing-permission errors:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
I tried to add more rights with the role roles/browser, but more missing permissions keep popping up.
I think I'm missing something: why is the role roles/securitycenter.adminViewer not working? Normally it should be enough to be able to view the SCC?

In fact there is a bug with the SCC roles in GCP, found here in the issue tracker.
I created a custom role with the missing permissions and it worked.
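One way to script the custom-role workaround from the answer above with gcloud, as an added example that is not part of the original post; it also binds the role at the organization level and verifies the group's bindings, which the post does not spell out. ORG_ID, GROUP, ROLE_ID and the role title are placeholders; the five permissions are the ones listed in the question, and nothing is sent to GCP unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original post): create a supplemental custom role
# carrying the permissions the question reports as missing from
# roles/securitycenter.adminViewer, grant it to the security team group at
# organization level, and verify the bindings. Commands are only printed
# unless APPLY=1 is set.
set -eu

ORG_ID="${ORG_ID:-000000000000}"                     # placeholder organization id
GROUP="${GROUP:-group:security-team@example.com}"    # placeholder group principal
ROLE_ID="${ROLE_ID:-sccAdminViewerSupplement}"       # placeholder custom role id
ROLE_FILE="${ROLE_FILE:-scc-supplement-role.yaml}"

# Permissions the SCC Admin Viewer role was missing (taken from the question).
MISSING_PERMISSIONS="resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list"

# Emit the role definition in the YAML format accepted by `gcloud iam roles create --file`.
role_definition_yaml() {
  printf 'title: SCC Admin Viewer Supplement\n'
  printf 'description: Resource Manager read permissions missing from roles/securitycenter.adminViewer\n'
  printf 'stage: GA\n'
  printf 'includedPermissions:\n'
  printf '%s\n' "$MISSING_PERMISSIONS" | sed 's/^/- /'
}

# Number of permissions in the definition; a sanity check before applying.
permission_count() {
  role_definition_yaml | grep -c '^- '
}

# Print the command (APPLY unset) or execute it (APPLY=1).
run() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi; }

main() {
  role_definition_yaml > "$ROLE_FILE"
  # 1. Create the org-level custom role from the YAML file.
  run gcloud iam roles create "$ROLE_ID" --organization="$ORG_ID" --file="$ROLE_FILE"
  # 2. Bind the built-in viewer role and the supplement at the organization,
  #    so every folder and project inherits them.
  run gcloud organizations add-iam-policy-binding "$ORG_ID" --member="$GROUP" --role="roles/securitycenter.adminViewer"
  run gcloud organizations add-iam-policy-binding "$ORG_ID" --member="$GROUP" --role="organizations/$ORG_ID/roles/$ROLE_ID"
  # 3. Verify: list every role bound to the group at the organization level.
  run gcloud organizations get-iam-policy "$ORG_ID" --flatten="bindings[].members" --filter="bindings.members:$GROUP" --format="value(bindings.role)"
}
main "$@"
```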

Related

Error when entering ApplicationId and Application Key on dnn.azureadb2cprovider settings page

If I enter both an ApplicationID and key into the Advanced Settings of the dnn.azureadb2cprovider I get a generic error with no explanation. I've gone through the setup documentation (which seems to be outdated) numerous times. The error gives no clue as to what the issue is.
If I enter only the app id or only the key by itself, there is no error. Obviously this won't allow Graph to work, but I am noting it anyway.
Went through the setup process located at https://github.com/intelequia/dnn.azureadb2cprovider#requirements. I can get users to sign in successfully through B2C, so it's partially working. Just the advanced features are having trouble.
You can check the log4net log files under /Portals/_default/Logs folder for more details on the issue. This is probably caused by the permissions of the App registration on the Graph API. Ensure that you have set permissions on these Application scopes and have given consent to them (the documentation will be updated soon):
Application.Read.All
Group.Read.All
GroupMember.Read.All
User.Read.All
PS: in the future please create this type of issue on the GitHub repository to concentrate all the help and documentation in the same location.

Expose all app roles to user or groups in Azure AD

I currently have a registered app in Azure. This app has app-defined roles. The first role I created shows in the pane but is disabled (grayed out), however, it will be assigned to a user/group upon assigning that role. I created another role today, but that role isn't showing in the pane. So the default behavior when assigning a user/group a role to the application will be to assign the first role. Does anyone know what could be limiting the roles I have defined for the application?
EDIT:
In App Role under Manage in the Application Registration. There are two roles: role.one and role.two both with user/group member access. enable app role is checked.
Enterprise Application > All Application > MyApp > Users and Groups > Add Assignment
On this screen, the Select a role list shows only role.one.
Initially, as soon as I created the new app role I was not able to see it to assign, as it did not appear, but once I refreshed the portal after saving the roles it got reflected and I could add that role.
So please try refreshing the portal, or try to check the same a few minutes after app role creation.
I tested, and it is working fine for me. AFAIK it may not be an issue from Microsoft's end.
First added 3 roles and assigned them.
Then after some time created a 4th role and was able to assign one or more roles to a user or group.
Note: Sometimes the reason can be the browser cache. Try to clear the browser cache, log out and log in again to the portal, or try in incognito mode and see. If it is still the same issue please reach out to support; they can better help here.
The issue was my app role description name was Default Access, which may have conflicted with an azure pre-defined role or description. I am still not sure, but once I changed the description to "Default Role" it became available.

As a Global administrator, I cannot remove a self-assignment in the Azure Portal (button greyed out)

I am currently assigned the role of Global administrator in Azure. I assigned myself to the role Groups administrator. I would like to remove that role. However, that button is greyed out. I assume because I was able to assign the role to myself, I should be able to remove the role as well.
Currently there are no other Group administrators. However, it was like that before I assigned myself.
There is this question that asked about the same issue. However, there was no accepted answer.
Images showing the greyed out button:
My profile
Group administrator's page
Unfortunately, self-removal of Azure AD roles is currently not supported. If you have any suggestions on this issue, you can submit your ideas or vote in the community here.
There are similar problems here.

New-AzureADServiceAppRoleAssignment throws an error when used without a Global Admin account

I am using a .Net Core app hosted on the Azure Portal. At some point I need to get the details of the logged-in user (Active Directory user) in the application. For that I am using the Microsoft Graph API. To set up this permission I am using the Get-AzureADServiceAppRoleAssignment command. It works fine when I run this command with Global Administrator account access, but it throws an error when I use it without Global Administrator account access.
Error: Service_InternalServerError, as shown in the image below.
Does anyone have an idea or suggestions on how to get rid of this error, and is there any way to run this script without Global Admin access?
Any help or suggestions will be highly appreciated !
Thanks
Assign the Cloud Application Administrator directory role to the affected user and try again.
The problem here is you don't necessarily need global admin, but the application/user would need a role that has at least role assignment permissions. So you could create a custom role at the subscription level that has role assignment permissions.
You need
"Microsoft.Authorization/roleAssignments/"
and maybe
"Microsoft.Management/managementGroups/read"
"Microsoft.Authorization/roleDefinitions/"
However, I would like to point out that if an application has role assignment permissions, it can technically assign itself a global admin role, so it doesn't add any real extra security.

Graph API - Getting "Insufficient privileges" while updating using Profile

We have an application in a production environment. Today we found an issue: updating the "othermails" attribute of a user through the Graph API returns an insufficient privileges error. It was working a couple of days back. We are using the client credential flow to get an access token from Azure.
While troubleshooting I found out that if the directory role "Global administrator" is assigned to the application admin user, then the application admin user can update the othermails attribute. But a couple of days back it was working fine without the "Global administrator" role. We cannot give the "Global administrator" directory role to all application admins; it is a restriction imposed by our client.
Now, my question is: why was it working earlier and not now? Did Microsoft change the directory role definition or something?
It seems you have encountered insufficient privileges while updating the user profile.
Did Microsoft change the directory role definition or something?
No, Microsoft has not changed any previous role definition so far.
In your case, to update the user profile you need to have the following permission:
Note: Once you have the above permission you can update the user profile. You could also take a look here.