I am almost new to Azure. My client had created an Azure account and sent invitation to me. I had accepted her invitation to join her Azure portal. However when I log in with my username, it shows me "No subscription". My client is saying she has given me every access rights, but I am not able to do anything there. Even I am not sure if I have really joined her Azure portal.
Here is the image if when I tried to access Free Services.
For what i understand is that the current directory you are working in doesn't have the rights that you are expecting. And your client has added you to another subscription with all the required rights. All you need to do is switch your directory to the one which has the subscription provided by your client.
Just Click on your profile avatar(or name) on the top right of the portal.
Select the option Switch Directory form the pop-up.
And choose your concerned directory + Subscription.
Related
We have Azure DevOps portal for our organization and our Active Directory is connected to it. I have enough privileges to add new users to the DevOps portal.
Recently I have seen that whenever I am trying to add new users I am getting the below error:
The user is added to the AAD. He is an active user and belongs to the same organization. I have cleared the cache and tested it.
Still, I am unable to add the user because of the issue.
Is there anything that I can do to rectify this, before approaching the support?
You are trying to invite a use from outside your directory. ...
To solve this issue, you need to grant the Guest Inviter role to your account in Azure AD(Active Directory).
You could navigate to Azure Portal -> Azure Active Directory -> Roles and administrators -> Search Guest Inviter.
Then you could assign the Guest Inviter role to your account.
In this case, you could invite the user successfully.
For more detailed info , you could refer to this doc about Add external users to your organization.
It's been a couple of hours since your question posted. Does it work now? Your statement that the user is in your AAD, plus the error message that the user is outside your directory, suggests the possibility that maybe waiting might fix it.
I have two azure subscriptions, one personal, tied to my Microsoft ID, and another under a different Microsoft ID for a charitable organization where I am the one-man IT/web dev guy. I created the org's azure account/subscription myself. I can't figure out how to create websites, etc. under my personal MS ID login without logging in and out of the separate microsoft IDs to manage both sets of Azure resources.
Logging in with the org's MS ID, in the azure portal I've made my personal ID a subscription admin (Subscriptions>Access Control>Add my personal MS ID, then right clicked to make co-administrator. This is confirmed since now a right click shows "Remove co-admin" so that implies it's correctly set up as a subscription co-admin. That user is also in the Owner Role.
Step 2, in the Active Directory for the org subscription, Users and Groups>All Users>New User, added my personal MS ID. Then I select that user, click Directory Role on the left menu, and selected Global Administrator radio button and save.
So now my personal MS ID user is a subscription co-admin and a AD Global admin in the org's azure portal.
To check, if I then go to any resource group or App Service and look at Access control I see my personal MS ID user listed as an Owner for that resource and all other resources. So everything looks good.
So if I log out of the org ID and log in with my personal MS ID and go to the Azure portal, I see my usual personal Azure account resources. But I don't understand how to either see and manage those resources in the org's Azure subscription or how to switch subscriptions, or switch directories (it's not listed on the top right), and when creating a new resource, I have no option for the org's subscription to use. How do I see/manage those resources in the org's directory? Is this even possible? Or do I need to log out and log in with the org's MS ID, which is a major annoyance since it also logs me out of outlook etc. when I switch IDs.
Azure Subscriptions are "housed" within a specific Azure Active Directory Tenant. You should treat an AAD Tenant as the top level object structure, in that each Tenant is entirely separated from each other Tenant.
If you had multiple subscriptions within a single tenant, you would be able to sign in one time, and gain access to all those subscriptions.
However, since these subscriptions look like they are in different Tenants, there is no way to avoid logging in two times to access the two subscriptions. To expand on this, there would be no way to avoid logging in two times to access any unique objects across these two Tenants.
For me, the answer was
Access Azure portal login page
Click "Sign in as a different user"
type the exact same email address
select "School or Work account" option.
This one was tied to the Azure AD and they reset my password through there. Not sure it really helps you cos signing in and out all the time still a thing, but it took me far too long to get this right so thought i'd share.
I am new to Azure. I am getting myself confused very fast. My company has a project on Azure. We are looking to grant access to our external developers so they can log into our account and build a product for us ( setup a VM with mysql dbs and build an application ).
The only options I see are to invite users from another Active Directory or users who are in my own Active Directory? Is there no option to simply create a sign in credential for a user with say " email at gmail dot com" ?
What am I missing? I have created a Resource group but still can't invite anyone of our external consultants in there.
You can invite any user to manage your resources or your subscription.
There are 3 conditions for it:
You have the right to add it to your Azure AD
you are the owner of the subscription
The 'Guest user' already has an Azure account or a Microsoft Account
Then you have to go to:
Resources/Subscriptions
Access Control
Select a role (i.e. Contributor)
Type in the Account/Email of your external team member
check the checkbox and send the invitation
If you want to create generic users you can go straight forward to your AD and create a user i.e. developer1#contoso.onmicrosoft.com and add this user to the resource/subscription. Don't forget to take note of the credentials you created
So you would use Azure RBAC for that. Just click on the Resource Group > Access Control > Add.
You could also consult this blogpost for best practises.
If you just need them to develop and access SQL or a web App, you can pass the publish profile and SQL connection string to them.
Also, you can setup continous integration for the web App or virtual machine and pass git or GitHub or whatever source control you are using and pass the URL for the project, then they will commit the source code and fire a new build
I am trying to give other users access to my resources in the Azure portal. I am trying to add them as a Contributor, but it seems like they are not able to see the resources when they login to the Azure portal.
Here's the access control list for the VM:
Any ideas why they can't see the resource when they login to the portal?
They are a Contributor.
When you add a user to an Azure subscription, s/he is also added to the directory if s/he isn't already there. This is considered an "invitation" that must be accepted before the user can get access. Tell the person to check their email, if this is the first time the email address has been added to a subscription in the directory. (Note that personal subscriptions are usually created along with a new directory whereas company subscriptions are usually in the company's directory.)
After accepting the invitation, s/he will need to switch to the directory before the subscription will be visible. You can do that in the top-right, like Juunas mentioned in the comment above. Here's a link to the directory switcher: https://portal.azure.com/#menu/account.
Steps to reproduce-
As owner:
Go to Resource Group you want to give access to:
Go to IAM:
Go to 'Add ROLE ASSIGNMENTS'
Search the name you want to give access to:
Select the Role (Contributor in your case)
Click Add and they will recieve an email.
I have two businesses and each has an Azure subscription. I'm an admin for each using my same MS email account.
Bill is only involved in one of the subscriptions, but when I log into my subscription "Local Happenings" (to which Bill should have no access) I still see his email address in the URL.
This picture shows it better:
https://db.tt/kvuccFOO
I'm wondering why this is, and if it could potentially be a problem.
My fear is that if he decides to cancel his business's account, then he will cancel mine or something.
I tried again to create a new subscription to verify I wasn't already logged into his subscription (I used a different browser), but it still shows his email address in the URL.
Anyone have any ideas?
UPDATE 1:
https://db.tt/QHJrfIno
I see that my subscription is under his "default directory". I never selected this when creating my subscription. How do I change this, and is it the culprit?
What shows under the "Active Directory" tab in the management portal for each Subscription? When you say "MS email account" is that an old hotmail-type account or one registered via Office 365 or Azure?
The fact that the account showing in the URL has #XXX.onmicrosoft.com address suggests there is a link back to an Azure Active Directory (AAD) instance. If this is shared between the subscriptions (potentially as a login from it was used to create on of the subscriptions) then this would be the cause.
You need to make sure a non-AAD account is an admin on the subscription so that removal of an associated Azure AD instance will not orphan the subscription.
Have a read of the AAD documentation here for more information: http://msdn.microsoft.com/library/azure/dn629581.aspx