How can I be global administrator of my Azure portal? - azure

I signed up for a trial Azure portal account.
Many times however, I see in the portal "admin consent required" and it seems I'm not an admin...
How can I be admin of my own portal I created?
In Enterprise applications | User settings I see the "Admin consent request grayed out" and set to "no"...

It’s possible to get this if you sign up with an email account that’s already associated with an Enterprise Agreement. It’s best to sign up for a trial account with a Live ID or similar and use private browsing for the initial setup so the portal doesn’t pick up any saved credentials.

How to add users to Administrators group in new Azure API Management Developer Portal when only using Azure AD Identity?

I have an API Management instance running where users can log in using only Azure AD. There is a single Administrators account, but it is using the legacy User/Password identity. I cannot remove the user. I want to assign a user from Azure AD to the Administrators group, but I cannot figure out how.
I have followed these steps by Microsoft, but they just seem to redirect me to the legacy portal (or the new Developer portal if I change the URL) with my default Administrators account logged in.
As far as I know, we can't add another user into the "Administrators" group.
The document you provided is used to log in another user (which is not an admin) as administrator. So the result page shows your default administrators account. The title "How do I add a user to the Administrators group?" of the document is not very accurate.

Lost access to application when user was deleted

We deleted an "unused" user in our Azure AD, deleting both the MS account as well as removing him from the AD. Now, a few days into the 60-day deletion process (of the MS account), we realize he might have been the creator of an AD application that we can now no longer find anywhere. My guess is it was a "private" application? But somehow still in AD? Not sure exactly.
We reopened the MS account and created the user again in the AD (as a global admin), but the application is nowhere to be found. If we try to access the application via a direct link we have lying around, we see a 403 No Access page, and an error notification in the notification center that suggests there's a permission issue, but the user is a global admin again:
Additional information from the call to get a token: Extension: Microsoft_AAD_IAM Resource: identity.diagnostics Details: AADSTS50020: User account '{EmailHidden}' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'xxxxxxxxxxxxx'(ADIbizaUX) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account. Trace ID: xxxxxxxx Correlation xxxxxxx Timestamp: 2020-06-25 14:44:18Z
We've also tried logging in with multiple other global admins, but no one can access that page or find the application using the ID it has. Is there something to be done, maybe using PowerShell?
Actually, as I recall, it might have been an application listed for this user under 'App registrations' -> 'Applications from personal account'. But that tab is no longer available after deleting and reopening the user :)
As per the new changes made in the Azure portal app registration:
In the new experience, if your personal Microsoft account is also in an Azure AD tenant, you will see three tabs: all applications in the tenant, owned applications in the tenant, as well as applications from your personal account. So, if you believe that apps registered with your personal Microsoft account are missing, check the Applications from your personal account tab.
When you sign in using personal Microsoft accounts (e.g. Outlook, Live, Xbox, etc.) with an Azure AD email address, we found out that when you go to the Azure portal from the old experience, it signs you into a different account with the same email in your Azure AD tenant. If you still believe your applications are missing, sign out and sign in with the right account.
The new app list shows applications that were registered through the legacy app registrations experience in the Azure portal (apps that sign in Azure AD accounts only) as well as apps registered through the Application registration portal (apps that sign in both Azure AD and personal Microsoft accounts).
If you know the application ID, you can restore it using PowerShell.
The error is due to using the v1 endpoint URL. You need to use v2 endpoints in order to allow access from personal Microsoft accounts.
Use this endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Please go through the document.
I didn't realize it was possible to restore a deleted Azure AD user (for 30 days). Once I restored the deleted AD user instead of creating the user again, the app appeared again in the user's 'Applications from personal account' under 'App registrations'.
I'd still love to move the app to the Azure AD proper, but from an earlier SO question I was told that's not possible. I guess we'll either keep this old account or create the app again (and have all our users reauthorize).
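The thread above mentions restoring by ID with PowerShell without showing the commands. As an added example (not part of the thread, and not the poster's own script), the following uses the Microsoft Graph PowerShell SDK to list the soft-deleted users and app registrations still inside the 30-day restore window and to restore one by its directory object ID. The cmdlet names are the Graph SDK cmdlets for the directory deleted-items endpoint as I know them; the object ID is a placeholder.

```powershell
# Added example: inspect and restore soft-deleted directory objects with the
# Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module is installed
# and the signed-in account holds a role permitted to restore objects.
Connect-MgGraph -Scopes "Directory.ReadWrite.All"

# Users deleted within the last 30 days are still restorable. Restoring keeps the
# original object ID, which is why ownership (such as the app registration in the
# thread) comes back; recreating a user with the same UPN gives a new object ID.
$deletedUsers = Get-MgDirectoryDeletedItemAsUser -All
$deletedUsers | Select-Object Id, UserPrincipalName, DeletedDateTime | Format-Table

# App registrations deleted from the tenant within the last 30 days. If you only
# know the application (client) ID, match it against AppId rather than Id.
$deletedApps = Get-MgDirectoryDeletedItemAsApplication -All
$deletedApps | Select-Object Id, DisplayName, AppId, DeletedDateTime | Format-Table

# Restore one object by its directory object ID (the Id column above, not the AppId).
# "<object-id>" is a placeholder for the value taken from the listing.
$objectId = "<object-id>"
Restore-MgDirectoryDeletedItem -DirectoryObjectId $objectId
```

Objects older than 30 days are purged and no longer appear in the listing, so the first check is whether the object is still there at all.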

Can't see my Azure DevOps Organization after disconnecting it from AAD

I am not able to see my DevOps organization in the left-hand side panel after logging in, after detaching it from the AAD, though I can access it with a URL dev.azure.com/ and change the settings etc.
I only see those organizations which are attached to the AAD. I also tried to switch my account type to Microsoft Account, but the option is not there in the dropdown in the profile section.
I only see those organizations which are attached to the AAD.
According to your description, this should be expected behavior. Since your organization is detached from the AAD, it will definitely not be shown in the same list as those organizations still in AAD.
In other words, you are using the account which is backed by AAD to log in to Azure DevOps.
To see this organization, you need to use a personal account (even if it has totally the same name as the work account) to log in to that Azure DevOps Organization.
but the option is not there in the dropdown in the profile section. Yes, there is no such option setting. You could take a look at our official doc here:
Why can't I sign in after I select "personal Microsoft account" or "work or school account"?
Although both identities use the same sign-in address, they're separate: they have different profiles, security settings, and permissions. Sign out completely from Azure DevOps by completing the following steps. Closing your browser might not sign you out completely. Sign in again and select your other identity:
Close all browsers, including browsers that aren't running Azure DevOps.
Open a private or incognito browsing session.
Go to this URL: https://aka.ms/vssignout.
You see a message that says, "Sign out in progress." After you sign out, you're redirected to the Azure DevOps #dev.azure.microsoft.com webpage.
If the sign-out page takes more than a minute to sign you out, close the browser and continue.
Sign in to Azure DevOps again. Select your other identity.
I suggest using an InPrivate browser session to log in, then use your Microsoft Account to authenticate, and select "personal account" if you need to choose between a "work or school account" and a "personal account".

Is Self-Service password change allowed for Azure AD free accounts synced using AD Connect?

I am using free Azure AD, and when a user tries to "Change password" in the Azure portal, it says:
"You can’t change your password here. Your organization doesn’t allow you to change your password on this site. Please change your password according to the method recommended by your organization, or ask your admin if you need help."
All I can find online is that a change was made and now this feature requires Password Writeback (a premium feature) to work; however, it is advertised as being available with free Azure AD https://azure.microsoft.com/en-ca/pricing/details/active-directory/ (Self-Service Password Change for cloud users).
Am I missing something here? Is there a possible workaround, or is this feature really not available to Azure AD/AD Connect environments without premium? Again, I am only looking to have users change passwords, not reset them.
Password change (not reset) is available in the Free edition of Azure AD.
These links list a few of the scenarios:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-licensing
https://learn.microsoft.com/en-us/azure/active-directory/user-help/active-directory-passwords-update-your-own-password#change-my-password

"User already registered" when signing in to Azure API Management Developer Portal with Azure Subscription Administrator

I have Azure AD and Microsoft identity configured successfully in my APIM instance.
When I try to directly sign in with either identity provider to the Developer Portal (https://myapim.portal.azure-api.net/) of my APIM with the administrator account (which owns the Azure Subscription where APIM resides), the sign-up screen is displayed, and when I hit "sign up" I get:
User already registered
It seems a user with this email is already registered in the system. If you forgot your password, please try to restore it or contact our support team.
I currently have not found a way to get around the sign-up step; even when I hit sign in again, I get re-routed to sign up.
Signing in to the Azure Portal first and then navigating across to the Developer Portal just works fine; no sign-up flow is invoked.
One remark: my MSA owning the Subscription is also linked into my AAD, therefore I could sign in either way.
In the end I used a functional/group account as APIM administrator (one we would never use to actually log on); then I was able to log in normally with my own account again.
