I am trying to create a new Blazor server app and configure it to use a new Azure Active Directory that I recently created. I have found a couple tutorials online showing how to do this, including one from Microsoft, but I keep encountering an error that says "The user account doesn't have the required permissions to access the domain."
I read online that I needed to verify that my user account is assigned to the Global Administrator role, which I did and it is. I have tried to create 3 different active directories in Azure to see if it was a fluke, but I have received the same error message each time.
Any help that you are able to provide would be greatly appreciated.
Make sure that you have signed in to Visual Studio with an admin account of the domain (here it should be "thomasagarza#yahoo.com").
After adding the account, you can apply filter for it (select the domain it is an member in). Make sure you have added it as the guest of that domain and assign Global Admin role to it.
Then all the related domains will be listed when you create a new project with Work or School Accounts Authentication. Select the domain which "thomasagarza#yahoo.com" is the admin in and click on OK. Generally you won't be required to enter your credential again in this step.
Please note if you have a custom domain for your AAD tenant and have made it primary, the domain listed here will be the custom domain name. In this case, if you manually set the domain as the format "***.onmicrosoft.com", you will get the error you are facing.
Related
We have Azure DevOps portal for our organization and our Active Directory is connected to it. I have enough privileges to add new users to the DevOps portal.
Recently I have seen that whenever I am trying to add new users I am getting the below error:
The user is added to the AAD. He is an active user and belongs to the same organization. I have cleared the cache and tested it.
Still, I am unable to add the user because of the issue.
Is there anything that I can do to rectify this, before approaching the support?
You are trying to invite a use from outside your directory. ...
To solve this issue, you need to grant the Guest Inviter role to your account in Azure AD(Active Directory).
You could navigate to Azure Portal -> Azure Active Directory -> Roles and administrators -> Search Guest Inviter.
Then you could assign the Guest Inviter role to your account.
In this case, you could invite the user successfully.
For more detailed info , you could refer to this doc about Add external users to your organization.
It's been a couple of hours since your question posted. Does it work now? Your statement that the user is in your AAD, plus the error message that the user is outside your directory, suggests the possibility that maybe waiting might fix it.
Do you know if there is a way to disable the only verified custom domains usage when new create a new Azure Active Directory user.For example i want to create a user that is using gmail. I have tried to add gmail as custom domain and verify it, but noticed that the steps are related to the dns records of the domain so i cannot do this. I know i can use the invitation service, but i want to directly to create the user without invitation. So did someone experienced this, and if soo i am open for advices.
Have a nice day and stay safe.
It is not possible to create a user in Azure Active Directory that is using Gmail. In order to create a user in Azure Active Directory you need to add your domain and verify in Azure Portal.
You need to get your domain name by Go daddy etc... then you need to add in Azure Active directory and verify it. After that you can create a user name under that domain.
I recommend you to go through this two documents to get more detailed information.
I am almost new to Azure. My client had created an Azure account and sent invitation to me. I had accepted her invitation to join her Azure portal. However when I log in with my username, it shows me "No subscription". My client is saying she has given me every access rights, but I am not able to do anything there. Even I am not sure if I have really joined her Azure portal.
Here is the image if when I tried to access Free Services.
For what i understand is that the current directory you are working in doesn't have the rights that you are expecting. And your client has added you to another subscription with all the required rights. All you need to do is switch your directory to the one which has the subscription provided by your client.
Just Click on your profile avatar(or name) on the top right of the portal.
Select the option Switch Directory form the pop-up.
And choose your concerned directory + Subscription.
I have purchased an SSL cert for my site and the cert has three steps you need to do in order to have it fully configured. The first step is "Key Vault Status" which I then click on and it shows the following error:
You do not have permission to get the service prinicipal information needed to assign a Key Vault to your certificate. Please login with an account which is either the owner of the subscription or an admin of the Active Directory to configure Key Vault settings.
This is very confusing because I am the owner of this subscription and I also went and created a new Key Vault just in case it was due to not having one created in the first place. In addition I checked the Access Control for this cert and I am also listed as Owner.
Any help is appreciated.
Ok, so I finally got to the bottom of it - I'll outline the story here as this was the solution but may not work for everyone.
When I first created my Azure account I did so under email address 1
A few years later I had migrated most of my email to email address 2. To get status updates and other things I transferred the subscription to email address 2.
Every other service has worked fine accept for this SSL issue as well as not being able to buy a support plan (it popped open an email app to send to email address 1)
In speaking with the AzureSupport twitter account they agreed that it was strange and arranged for a one time ticket for support.
The support agent asked me to check my Access Policies for the Key Vault I had created. This showed that email 1 is indeed a user in the Azure Active Direction and they mentioned that I'd need to have the admin add it. Since I had noticed the irregularities with email address 1 showing up in the URL and in the email for adding support I logged into Azure using email address 1 and went to Azure Active Directory->Users under that account.
I then selected the guest account, selected Directory Role, and added a new role of Application Administrator. Now all of it is working as expected!
My subscription was attached to employer Active Directory and I can't change my role in it.
I solve this problem by creating my own Active Directory and by moving subscription to this AD.
I am new to Azure. I am getting myself confused very fast. My company has a project on Azure. We are looking to grant access to our external developers so they can log into our account and build a product for us ( setup a VM with mysql dbs and build an application ).
The only options I see are to invite users from another Active Directory or users who are in my own Active Directory? Is there no option to simply create a sign in credential for a user with say " email at gmail dot com" ?
What am I missing? I have created a Resource group but still can't invite anyone of our external consultants in there.
You can invite any user to manage your resources or your subscription.
There are 3 conditions for it:
You have the right to add it to your Azure AD
you are the owner of the subscription
The 'Guest user' already has an Azure account or a Microsoft Account
Then you have to go to:
Resources/Subscriptions
Access Control
Select a role (i.e. Contributor)
Type in the Account/Email of your external team member
check the checkbox and send the invitation
If you want to create generic users you can go straight forward to your AD and create a user i.e. developer1#contoso.onmicrosoft.com and add this user to the resource/subscription. Don't forget to take note of the credentials you created
So you would use Azure RBAC for that. Just click on the Resource Group > Access Control > Add.
You could also consult this blogpost for best practises.
If you just need them to develop and access SQL or a web App, you can pass the publish profile and SQL connection string to them.
Also, you can setup continous integration for the web App or virtual machine and pass git or GitHub or whatever source control you are using and pass the URL for the project, then they will commit the source code and fire a new build