User can't access correct Azure portal - azure

We're a very small company, for unknown reasons our internal app infrastructure (based on PaaS VMs) was set up on the Azure subscription for a "personal" Windows Live account of an internal email address, with only that one user in the AD. (We also use the "correct" Azure instance, the AD is synced from the remnant of our old on-prem infrastructure and our Office 365 is based on it.)
We're about to recruit a second developer, I want to give him some level of access to our app infrastructure but not the global admin that sharing the existing single account would provide. I've experimentally added another user to the Azure AD as a global admin (so it should have access to everything) but when I log in with that user it takes me to the portal for the default free personal Azure instance you get if there's nothing set up. If I paste in a URL for a resource in the account it's global admin for I get "You do not have access" (403). (Audit trail of the user in Azure AD shows it logged in.)
Is there an inherent restriction on this type of account (in which case I'll have to bite the bullet and migrate the infrastructure where it belongs) or should I be able to expect this user to be able to access the right portal - and if so what do I need to do to get that to happen?

Having Global Admin role in Azure AD does not give you access to Azure resources, only to manage users etc. in Azure AD.
You need to add e.g. Owner/Contributor role on the subscription to the user through the Access Control (IAM) tab.
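As an added illustration of the answer above (this is not code from the answer or from Microsoft's documentation), the same fix done from PowerShell with the Az module: check that the new user has no Azure RBAC assignment, grant Contributor at subscription scope, and verify. The UPN and subscription name are placeholders. Run it as the account that already owns the subscription, since only an Owner or User Access Administrator can grant roles.

```powershell
# Added example, not from the original answer. Requires the Az PowerShell module.
# Placeholders: the new developer's UPN and the subscription name.
$upn     = 'newdev@contoso.onmicrosoft.com'
$subName = 'My App Subscription'

Connect-AzAccount | Out-Null
$sub = Get-AzSubscription -SubscriptionName $subName
Set-AzContext -SubscriptionId $sub.Id | Out-Null
$scope = "/subscriptions/$($sub.Id)"

# Before: a freshly created Global Administrator has no Azure RBAC assignment,
# which is why the portal shows only the empty default directory and deep links
# to resources return 403.
$before = @(Get-AzRoleAssignment -SignInName $upn -Scope $scope)
"RBAC assignments for $upn before: $($before.Count)"

# Grant the least role that does the job. Contributor can manage resources but
# cannot change access; Owner can also grant roles, which re-creates the
# shared-admin problem. Use -ResourceGroupName instead of -Scope if the developer
# only needs one resource group.
New-AzRoleAssignment -SignInName $upn -RoleDefinitionName 'Contributor' -Scope $scope | Out-Null

# Verify. After signing out and back in, the user sees the subscription and its
# resources in the portal.
Get-AzRoleAssignment -SignInName $upn -Scope $scope |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

Role assignments take a few minutes to propagate, and the user must sign out and in (or switch directory in the portal) before the subscription appears. The Global Administrator role the question already granted is independent of this: it governs the directory, not the subscription.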

DevOps: Azure Enterprise Application - login via Secret vs. interactive -> Security Issue?

I have a rather (hopefully) theoretical question regarding the secure usage of Service Principals in Azure (Enterprise Applications).
Introduction
we currently deploy our DevOps Code via Azure Service Principals.
AppRegistration/Enterprise App is created
Secret is generated
Permission (e.g. Contributor) to the Resource Group is granted in Azure
Service Connection is made in Devops
everything works fine.
Assumption
By default the Service Principal (Enterprise Application) is not restricted to a specific user/group (Assignment Required => "no").
My assumption is now, that every user in the AAD-Tenant is able to login to the Enterprise Application as well.
I do this, for example, by using the "Graph PowerShell API" Enterprise App.
I can either use a Secret or use my User Credentials to access the Service Principal and its permissions
Security issue?
Coming back to our DevOps configuration:
The Service Principal has Contributor Permission on the dedicated Resource Group
Assignment Required is set to no (default configuration)
If I (as a malicious user) have the Application ID, I could simply log on to the Service Principal and receive the token.
Question:
With this token and my login to the App, do I also have the Contributor permissions of the App and could I now manipulate the whole Resource Group?
Since I'm not an Azure Developer, but only an Azure AD Admin, my knowledge regarding this is limited, so I'm not able to test it.
Can someone maybe either provide code or prove that my assumptions are wrong or correct?
Thanks
Yes, the SPN can manage the resources within the resource group if it has Contributor - it is no different than a normal (human) identity.
Consider if the SPN actually needs Contributor or if you can limit it with another role or even make a custom role.
Furthermore, monitor the sign-ins using the Azure AD sign-in logs:
https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins
You can also use a CanNotDelete resource lock, which means that the service principal cannot delete resources as it is only Contributor:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
You might want to look into the Conditional Access to strengthen your environment:
https://learn.microsoft.com/en-us/azure/active-directory/develop/workload-identities-overview
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/workload-identity
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review
Take a look here:
https://infosecwriteups.com/a-lab-for-practicing-azure-service-principal-abuse-bd000e6c48eb
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/disable-user-sign-in-portal
https://learn.microsoft.com/en-us/powershell/module/az.accounts/connect-azaccount?view=azps-9.3.0#example-3-connect-to-azure-using-a-service-principal-account
My assumption is now, that every user in the AAD-Tenant is able to login to the Enterprise Application as well.
No. They would need the client secret or the rights to generate a new one, which requires that they are owners of the App Registration. In the App Registration, on the Owners tab, it says:
The users listed here can view and edit this application registration. Additionally, any user (may not be listed here) with administrative privileges to manage any application (e.g., Global Administrator, Cloud App Administrator etc.) can view and edit the application registrations.
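The question asked for code, so here is an added example (not from either answer above, and not from any project) that demonstrates both points: acting as the service principal requires its secret regardless of the "Assignment required" setting, and once signed in the principal is subject to RBAC and locks like any other identity. It uses the Az PowerShell module; every ID, name and the secret are placeholders. Part 1 runs as the service principal, Part 2 as a subscription Owner.

```powershell
# Added example, not code from the original answers. Requires the Az PowerShell module.
# All IDs, names and the secret are placeholders for your own values.
$tenantId = '00000000-0000-0000-0000-000000000000'
$subId    = '22222222-2222-2222-2222-222222222222'
$appId    = '11111111-1111-1111-1111-111111111111'   # application (client) ID
$rgName   = 'rg-devops-target'

# --- Part 1: act as the service principal -------------------------------------
# "Assignment required = No" only controls who may sign in *to* the app with
# their own user identity. Acting *as* the app needs its secret or certificate;
# without it the Connect-AzAccount call below fails. The application ID alone
# is public information and grants nothing.
$secret = Read-Host -Prompt 'Client secret' -AsSecureString
$cred   = New-Object System.Management.Automation.PSCredential ($appId, $secret)
Connect-AzAccount -ServicePrincipal -Tenant $tenantId -Credential $cred -Subscription $subId | Out-Null
$ctx = Get-AzContext
"Signed in as $($ctx.Account.Id) (account type: $($ctx.Account.Type))"

# What this identity may do. Contributor on the resource group means it can
# create, modify and delete every resource in it, exactly like a human Contributor.
Get-AzRoleAssignment -ServicePrincipalName $appId |
    Select-Object RoleDefinitionName, Scope

# Demonstrate the write permission with a harmless change: add, then remove, a tag.
$rgId = (Get-AzResourceGroup -Name $rgName).ResourceId
$tag  = @{ 'spn-write-test' = 'ok' }
Update-AzTag -ResourceId $rgId -Tag $tag -Operation Merge  | Out-Null
Update-AzTag -ResourceId $rgId -Tag $tag -Operation Delete | Out-Null
Disconnect-AzAccount | Out-Null

# --- Part 2: reduce the blast radius (run as an Owner, not as the SPN) --------
Connect-AzAccount -Tenant $tenantId -Subscription $subId | Out-Null

# A CanNotDelete lock blocks deletion even for Contributor. Removing the lock
# needs Microsoft.Authorization/locks/*, which Contributor does not hold.
New-AzResourceLock -LockName 'no-delete' -LockLevel CanNotDelete `
    -ResourceGroupName $rgName -LockNotes 'Pipeline SPN must not delete' -Force | Out-Null

# A custom role cloned from Contributor that additionally denies all delete
# actions, for pipelines that only ever create or update resources.
$role = Get-AzRoleDefinition -Name 'Contributor'
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = 'Pipeline Deployer (no delete)'
$role.Description = 'Contributor without delete actions'
$role.NotActions.Add('*/delete')
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subId")
New-AzRoleDefinition -Role $role | Out-Null

# Swap the broad assignment for the narrower one.
$spObjectId = (Get-AzADServicePrincipal -ApplicationId $appId).Id
New-AzRoleAssignment -ObjectId $spObjectId -RoleDefinitionName $role.Name `
    -ResourceGroupName $rgName | Out-Null
Remove-AzRoleAssignment -ObjectId $spObjectId -RoleDefinitionName 'Contributor' `
    -ResourceGroupName $rgName
```

Two caveats when reading the output. The "no delete" role still permits updates that destroy data (for example overwriting a storage account's configuration), so a lock and the role complement rather than replace each other. And the real access control for the pipeline identity is whoever can read or rotate the secret: App Registration owners, the directory-level application administrators quoted above, and anyone who can edit the DevOps service connection all effectively hold the Contributor role, which is why the sign-in logs linked in the first answer are worth watching.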

No longer able to see existing projects in Azure Devops after connecting AAD

I was logged in to my Azure DevOps account using my hotmail account. I then went to Organization Settings and connected my Org to Azure AD.
After I logged out and logged in back again with the same account, I don't see my projects anymore which I was working on. I have disconnected my Azure AD and also tried switching directories but I am no longer able to see that particular organization anymore.
Any idea how to fix this or why this happened?
Please check the points below:
Try logging on to https://.visualstudio.com to see whether you can see the organization and projects, as stated in this.
Check Troubleshoot connecting to a project
You may not be able to sign in or access your organization unless your work or school account has the same email address as your Microsoft account. Although you can add new work accounts to your organization, they're treated as new users. If you want to access all your work, including its history, you must use the same sign-in addresses that you used before your organization was connected to your Azure AD.
For that, add your Microsoft account as a member to your Azure AD, or ask the owner of the organization who has proper permissions to map any disconnected members to their Azure AD identities, or invite them as guests into the Azure AD. The invited user should use the corresponding account: a work/school account for the AAD-based one, a personal account for the other.
So basically the user who makes the connection must confirm the following statements are true.
User exists in Azure AD as a member. If the user is an Azure AD guest, rather than member
User must have project collection administrator or owner of the organization
User must also have Azure Service Administrator or Coadministrator permissions for the Azure subscription that's linked to your organization in Azure DevOps.
User isn't using the Microsoft account identity that matches the Azure AD identity. For example, if the Microsoft account that users are currently using is jamalhartnett@fabrikam.com, the Azure AD identity they'll use after connecting is also jamalhartnett@fabrikam.com. Use a single identity that spans both applications, rather than two separate identities using the same email.
Add your work account as an administrator in your Azure DevOps organization
The AAD tenant should be same as the DevOps tenant to connect & Transfer the ownership of the organization to your work account.
Please see if you have followed the Prerequisites to Connect organization to Azure Active Directory
FAQ to be referred to:
why dont i see my organization in the azure portal
why do i have to choose between a work or school account and my personal account
what if we cant use the same sign in addresses
Note: No other user than the owner of the organization will be able to see the organization under the "Azure DevOps organizations" service in the Azure portal. Also, Azure DevOps does not support multiple owners, like Azure services that support Role Based Access Control (RBAC) do. An Azure DevOps organization will only have a single owner at a time (reference).
Please try to access https://aex.dev.azure.com/ and change domain to see if your organization is present in the list.
Or
You may need to open a support case on the Developer Community to help you out or raise a support request through azure portal.
References:
Lost organization after disconnecting it from Azure Active Directory - Stack Overflow
What not to do when Connecting Azure DevOps to AzureAD | Josh Corrick
Restore project - Azure DevOps Services | Microsoft Docs

Personal account appears in Azure AD

I have used the free month trial offered by Azure with a personal Microsoft account in parallel with a professional account from my company. In this professional account I have limited access to certain resources (mostly VMs, storage and the like), so I manage neither subscriptions nor Azure AD.
After several unsuccessful login attempts in which I was asked to provide a 6 digit code when the Microsoft Authenticator gave me an 8 digit code, I've discovered that if I do the following:
Try to sign in in azure.portal.com with my personal account (fails)
Sign in with my company account.
Then, in the upper right I see my personal account as a directory, like usenamehotmail.onmicrosoft.com. However, when trying to access Azure AD to manage that directory I am shown a message that says I have no access.
My question is, why does this happen? Can I use the same credit card and create a pay as you go subscription with another personal Microsoft account?
If you are using an external account to access Azure AD, like outlook.com, hotmail.com or an account from another Azure AD tenant, it will cause the Access Denied ("you don't have access") message.
There are two ways to resolve this issue
1. Log in to Azure Portal by using the account with Global Administrator Role for Azure AD. Navigate to the User settings tab, toggle the setting Guest users permissions are limited to No.
2. Log in to Azure Portal by using the account with Global Administrator Role and navigate to the Users and Groups tab, search for the external account, and change the Directory Role to Global Administrator.

How can I add an Azure DevOps Organization user if the organization owner is just a guest of the linked Azure AD and not a domain member?

I have an Azure Devops organization that is linked to an Azure Active Directory. This organization has projects and pipelines for deploying applications to App Services in the linked Azure AD.
Recently, one of my user accounts (the one with the Visual Studio Enterprise Subscription) was made the organization owner and all other project users were deleted. However, my account, which is now the only user in the Azure DevOps organization, is just a guest account type of the linked Azure AD, and not an actual member of the Azure AD.
I need to add new users back to the organization but since my user account is just a guest of the linked Azure AD, when I try to add users, I get an info dialog that states that since I am only a Guest of the Azure AD domain, I can't see the domain members I want to add and so the add user process fails.
As I stated earlier, my account is the Organization Owner. I also assigned my guest user account to the Global Administrators role in the linked Azure AD, but I still cannot add domain users to the Azure DevOps organization.
This organization has production code in the repo as well as build and deployment pipelines that I do not want to lose access to or lose the ability to deploy to the App Services in the linked Azure AD, so I am concerned about taking any action until I know exactly what I need to do to be able to add users from the linked Azure AD into the organization.
Any advice as to how I can add users from the linked Azure AD back to this organization would be greatly appreciated.
This is just a guess, but DevOps could be looking at your userType and show the message based on that.
Global admin would definitely allow you to list the users.
You could try using PowerShell to change your userType from Guest to Member.
E.g. with AAD PowerShell v2:
Set-AzureADUser -ObjectId 'your-user-object-id-in-tenant' -UserType 'Member'
It's actually something that isn't super-well-known.
Guest/member and local/external user are two different things.
External users just become Guests by default, which restricts what they can do.
Add the guest users to Azure AD directly, before you try to give them access in DevOps. After adding a new guest user, that new guest can be given access to DevOps by your subscription admin.
Or create yourself a domain user in your Azure AD with the proper privileges too.
e.g. if your Azure AD domain is "MyMsdnAzureADDomain.onmicrosoft.com" (or a custom domain like "mycompany.com" if you have such a domain registered in Azure):
A) Create a new domain user in MyMsdnAzureADDomain.onmicrosoft.com.
The new user would be MyNewUser@MyMsdnAzureADDomain.onmicrosoft.com
B) Give that new user full admin in Azure AD and your DevOps (or tailor your permissions to your needs).
C) Login into Azure using that new user to manage your DevOps.
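As an added example for the guest-versus-member point made in the answers above (not code from the answers, which used the older AzureAD module), this uses the Microsoft Graph PowerShell module to first find every Guest that holds an activated directory role, since the question's account is exactly that combination, and then convert one account's userType to Member. The object ID is a placeholder.

```powershell
# Added example, not from the original answers. Requires the Microsoft.Graph
# PowerShell module. The object ID below is a placeholder for the guest account.
$targetUserId = '33333333-3333-3333-3333-333333333333'

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'RoleManagement.Read.Directory' | Out-Null

# 1. userType and directory roles are independent properties. A Guest can be
#    Global Administrator and still be treated as an external user by
#    Azure DevOps. List every Guest that holds an activated directory role.
foreach ($role in Get-MgDirectoryRole) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        # The member listing does not return userType, so fetch it explicitly.
        $u = Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName, UserType
        if ($u.UserType -eq 'Guest') {
            '{0,-32} {1}' -f $role.DisplayName, $u.UserPrincipalName
        }
    }
}

# 2. Convert the specific account from Guest to Member and confirm the change.
$user = Get-MgUser -UserId $targetUserId -Property Id, UserPrincipalName, UserType
"Before: $($user.UserPrincipalName) is $($user.UserType)"
Update-MgUser -UserId $user.Id -UserType 'Member'
$user = Get-MgUser -UserId $user.Id -Property Id, UserPrincipalName, UserType
"After:  $($user.UserPrincipalName) is $($user.UserType)"
```

Changing userType does not change the account's "#EXT#" user principal name or where it authenticates; it only changes how the tenant treats it, which is what the guest-restricted directory reads in Azure DevOps key off. Keep the first loop's output: a Guest with Global Administrator is the same exposure as a member with that role, held by an identity the tenant does not manage.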

Azure - restrict access to app service only

I've created a website in Azure and I want to allow users to log in and use the app, but I'm slightly confused by Azure Active Directory access. I want users to only have access to the web app, not to the portal. Users will be from within my organisation and from outside it, so it's vitally important that access is locked down. If a user somehow ends up at the Azure portal they must not be able to access it. If I set users up in our Active Directory, won't they be able to log in to the Azure portal too? I want to take advantage of authentication as a service and hand over authentication and multi-factor authentication to Azure, but everything I've read so far seems to suggest that if I use Azure Active Directory, users will be able to access the Azure portal too. Is this correct or am I misinterpreting the information? Are there any step-by-step guides available for these sorts of scenarios?
If I use Azure Active Directory, users will be able to access the Azure portal too, is this correct or am I misinterpreting the information?
No, your users will not have access to Azure Portal (rather Azure Subscription as Azure Portal is an application using which a user manages one or more Azure Subscriptions) unless you grant them permission to access it. In order for your users to have access to Azure Portal, you would need to grant them permissions explicitly to do so. In the new portal, you do it by assigning roles (e.g. Owner, Contributor, Reader etc.) and in the old portal you do it by making them co-administrators.
Unless you do this, when they login into Azure Portal all they will see is a message stating no Azure Subscriptions were found.