I have created an SPN for an Azure DevOps pipeline and I need to access resources in multiple subscriptions from a PowerShell task/deploymentScript ARM. I am using the command below to switch between subscriptions:
#Linking appinsight with storage account in Secondary Region
Get-AzSubscription -SubscriptionId $secSubscriptionId | Set-AzContext
This command works from my local PowerShell (as I have access to both subscriptions). But with CI/CD the other subscription is not visible. I get the error below even though both subscriptions are under the same tenant.
2020-05-12T17:17:14.9377680Z ##[error]Subscription XXXXXXX was not found in tenant ***. Please verify that the subscription exists in this tenant.
When you created the service principal, did you give it access to resources in both subscriptions?
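As an added example (not code from the question or the comment above), the following Azure PowerShell snippet makes the comment's point checkable inside the pipeline: before piping into Set-AzContext it lists the subscriptions the signed-in service principal can actually see and fails with a clear message when the secondary subscription is absent, which is exactly the case in which the "was not found in tenant" error appears. It assumes the Az module, that the Azure PowerShell task has already signed in with the service connection, and that $secSubscriptionId and $tenantId are supplied as pipeline variables (the parameter names are assumptions, not from the page).

```powershell
# Added example: verify the pipeline's service principal can see the secondary
# subscription before switching to it. Assumes the Az module and an existing
# Connect-AzAccount session established by the Azure PowerShell task.
param(
    [Parameter(Mandatory)] [string] $secSubscriptionId,   # assumed pipeline variable
    [Parameter(Mandatory)] [string] $tenantId             # assumed pipeline variable
)

# Every subscription the signed-in identity can see in this tenant. A subscription
# only shows up here if the identity holds a role assignment in it, so an empty match
# below means the SPN was never granted access, not that the subscription is missing.
$visible = Get-AzSubscription -TenantId $tenantId -ErrorAction Stop
$visible | Select-Object Name, Id, State | Format-Table -AutoSize

$target = $visible | Where-Object { $_.Id -eq $secSubscriptionId }
if (-not $target) {
    $spn = (Get-AzContext).Account.Id   # application (client) id of the SPN
    throw ("Service principal '$spn' has no role assignment in subscription " +
           "'$secSubscriptionId' in tenant '$tenantId'. Grant it a role scoped to " +
           "that subscription (e.g. Contributor) and re-run.")
}

# Pin both tenant and subscription explicitly instead of relying on the pipe.
Set-AzContext -Tenant $tenantId -Subscription $secSubscriptionId -ErrorAction Stop | Out-Null

# Confirm where subsequent cmdlets will act before touching any resources.
$ctx = Get-AzContext
Write-Host "Now operating in subscription $($ctx.Subscription.Id) (tenant $($ctx.Tenant.Id))"
```

Run this as the first step of the PowerShell task; the printed subscription table doubles as an audit line in the pipeline log showing which subscriptions the service connection was able to reach.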
I have an Azure subscription with ACR and App Configuration services.
I am implementing a pipeline that accesses Azure through a DevOps Service Connection that has the Contributor role for both resources. However, using the Az Client task, the pipeline cannot see or access those resources.
If I execute "az resource list" I don't see those resources even though the Service Connection has access to them.
I have the same setup working on my personal subscription. What am I missing?
I tried to reproduce the same scenario in my personal subscription and it worked with the same level of access for the Service Connection.
Also it works in PowerShell console with a user account with the same permissions.
I have an Azure AD tenant which is not associated to a subscription. When I login from the Azure portal I am able see and get to it using "switch directories".
When I log in from PowerShell, I do not see it; it only shows my subscription, not my Azure AD tenant.
How do I connect to the Azure AD tenant which has no subscription?
Neither the Azure AD PowerShell nor the Azure PowerShell modules require that the tenant have an Azure subscription in order to connect.
If you are using the Azure AD PowerShell module, you simply connect:
Connect-AzureAD
If you are using a user account which is a member of multiple tenants, it's best to be explicit about which tenant you'd like to connect to:
Connect-AzureAD -TenantId "{other-tenant-id}"
For registering and managing apps in Azure AD I recommend using the Azure AD PowerShell module. However, if you need/want to use the Azure PowerShell module instead, the process is very similar:
Connect-AzAccount
And, if you need to be explicit:
Connect-AzAccount -TenantId "{other-tenant-id}"
I am trying to create a nested ARM-template to deploy resources to subscriptions in different Azure AD tenants.
For guidance I used this site: Deploy Azure resources to more than one subscription or resource group
There it says "If the specified subscription exists in a different Azure Active Directory tenant, you must add guest users from another directory." which leads me to believe that this should be possible.
I have an account in Tenant A (6f16...) which is Azure AD Global Administrator and Contributor to the CSP Subscription (04c5...) which is assigned to Tenant A.
I have added this account in Tenant B (1ffc...) as "New guest user" and assigned him as Contributor to the Pay-As-You-Go Subscription (ebda...) and also made him Global Administrator in the Azure AD from Tenant B.
To keep it simple I used the first example template on the site which should deploy two storage accounts in two different resource groups and two different subscriptions.
In the parameters file I indicated for 'secondSubscriptionID' the subscription ID (ebda...) assigned to Tenant B (1ffc...) and an existing resource group in that subscription for 'secondResourceGroup':
...
"secondResourceGroup": {
    "value": "existing-resource-group-in-Ten-B"
},
"secondSubscriptionID": {
    "value": "ebda..."
},
...
I am trying to deploy it through Azure CLI:
az login -u <emailaddress> -p <pw>
az account set --subscription 04c5...
az group deployment create --resource-group "existing-resource-group-in-Ten-A" `
--template-file stor.temp.json --parameters @stor.para.json
I receive this error message:
Azure Error: CrossTenantDeploymentNotPermitted
Message: The template deployment tries to deploy resources to subscription 'ebda...'.
However, the current tenant '6f16...' is not authorized to
deploy resources to that subscription.
Please see https://aka.ms/arm-template/#resources for usage details.
I received the same error message in the Azure Portal and with PowerShell. I also tried it with other tenants/subscriptions.
Am I missing some permissions? Is this even supported?
Is there a better way to deploy resources to multiple tenants than this one?
You log in to tenant A and set the subscription to 04c5... in tenant A, but you reference subscription ebda... in tenant B in your ARM template.
You have to log in to tenant B and set subscription ebda...
https://github.com/MicrosoftDocs/azure-docs-cli/issues/667
az login --username <myEmailAddress> -t <tenantIDofTenantB>
az account set --subscription <TenantBSubscriptionId>
az group deployment create ......
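The answer's point is that one deployment cannot cross a tenant boundary, so the template has to be deployed once per tenant from a session signed in to that tenant. As an added example (not the answerer's code, and using Azure PowerShell rather than the CLI shown above), the following loop does that and refuses to deploy if the active context is not the tenant/subscription it expects. The tenant and subscription IDs and the template path are placeholders; it also assumes the template has been reduced to a single-subscription version, since the nested cross-subscription deployment from the question is what triggers CrossTenantDeploymentNotPermitted.

```powershell
# Added example: deploy the same ARM template once per tenant/subscription pair.
# Assumes the Az module; IDs below are placeholders, not values from the page.
$targets = @(
    @{ Tenant = '<tenant-A-id>'; Subscription = '<subscription-in-tenant-A>'; ResourceGroup = 'existing-resource-group-in-Ten-A' },
    @{ Tenant = '<tenant-B-id>'; Subscription = '<subscription-in-tenant-B>'; ResourceGroup = 'existing-resource-group-in-Ten-B' }
)
$templateFile = '.\stor.temp.json'   # assumed: single-subscription version of the template

foreach ($t in $targets) {
    # Sign in to the target tenant itself. A guest account reaches tenant B's
    # subscription only from a tenant B session, never from a tenant A session.
    Connect-AzAccount -Tenant $t.Tenant -Subscription $t.Subscription -ErrorAction Stop | Out-Null

    # Guard against silently deploying into the wrong tenant or subscription.
    $ctx = Get-AzContext
    if ($ctx.Tenant.Id -ne $t.Tenant -or $ctx.Subscription.Id -ne $t.Subscription) {
        throw "Context mismatch: expected $($t.Tenant)/$($t.Subscription), got $($ctx.Tenant.Id)/$($ctx.Subscription.Id)"
    }

    # Validate before deploying; an empty result means the template passed.
    $problems = Test-AzResourceGroupDeployment -ResourceGroupName $t.ResourceGroup -TemplateFile $templateFile
    if ($problems) {
        throw "Template validation failed in $($t.Subscription): $($problems | ForEach-Object { $_.Message })"
    }

    New-AzResourceGroupDeployment -ResourceGroupName $t.ResourceGroup `
        -TemplateFile $templateFile -Mode Incremental -ErrorAction Stop |
        Select-Object DeploymentName, ProvisioningState, Timestamp
}
```

Interactive sign-in is used here because the question logs in with a user account; in automation each tenant would instead get its own service principal (or a multi-tenant app registration consented in each tenant) with a role assignment scoped to the target subscription.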
When using Azure Key Vault management REST API or cmdlet Add-AzureRmKeyVaultNetworkRule to allow a virtual network to access a key vault, I get the following error:
The client '{guid}' with object id '{guid}' does not have authorization to perform
action 'microsoft.network/virtualnetworks/taggedTrafficConsumers/validate/action'
over scope '/subscriptions/{guid}/resourcegroups/{resource-group}/providers/microsoft.network/virtualnetworks/{vnet-name}/taggedTrafficConsumers/Microsoft.KeyVault'
What is wrong?
Your subscription is not giving Microsoft.KeyVault resource provider permission to access Microsoft.Network resources. The fix is to register your subscription to Microsoft.KeyVault again:
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.KeyVault
This will add required permissions for Microsoft.KeyVault and Microsoft.Network integrations, including the ability to limit access to a given Virtual Network.
For more information: https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-supported-services
These are the steps required to solve it:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#azure-portal
You just need to register the resource provider in the subscription; this doesn't only happen with Key Vault, my issue was with SQL Server as well :)
So I leave this answer here in case someone else needs it
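Both answers above come down to registering the resource provider in the subscription. Register-AzureRmResourceProvider (and its Az successor) returns while the provider is still in the "Registering" state, so a script that immediately retries the network rule can fail again for an unrelated reason. The following is an added example, not code from either answer; it uses the newer Az cmdlet names (Get-AzResourceProvider, Register-AzResourceProvider) rather than the AzureRm ones on the page, and the function name is an assumption. It works for any namespace, so the same call covers the SQL Server case the second answer mentions.

```powershell
# Added example: register a resource provider and wait until the registration
# actually reaches "Registered". Assumes the Az module and an existing session
# whose context is set to the subscription that produced the authorization error.
function Register-ProviderAndWait {
    param(
        [Parameter(Mandatory)] [string] $ProviderNamespace,
        [int] $TimeoutSeconds = 300
    )

    # Get-AzResourceProvider returns one entry per resource type; they share a state.
    $state = (Get-AzResourceProvider -ProviderNamespace $ProviderNamespace |
              Select-Object -First 1).RegistrationState
    Write-Host "$ProviderNamespace current state: $state"

    if ($state -ne 'Registered') {
        Register-AzResourceProvider -ProviderNamespace $ProviderNamespace | Out-Null
    }

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $state = (Get-AzResourceProvider -ProviderNamespace $ProviderNamespace |
                  Select-Object -First 1).RegistrationState
        if ($state -eq 'Registered') {
            Write-Host "$ProviderNamespace is registered in subscription $((Get-AzContext).Subscription.Id)"
            return $true
        }
        Start-Sleep -Seconds 10
    }
    Write-Warning "$ProviderNamespace still in state '$state' after $TimeoutSeconds seconds"
    return $false
}

# Register the provider named in the error, then retry the Key Vault network rule.
if (-not (Register-ProviderAndWait -ProviderNamespace 'Microsoft.KeyVault')) {
    throw 'Microsoft.KeyVault did not finish registering; retry before adding the network rule'
}
```

Registering a provider needs the Microsoft.*/register/action permission at subscription scope (Contributor or Owner carries it); a reader-only identity will see the current state printed but will fail at the Register call, which is the right place to fail rather than at the network rule.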
This feels like a bug/limitation in both the Azure Portal and Azure CLI. We ran into this when trying to allow a subnet of a VNET in subscription X to access a storage account in subscription Y.
For us, the workaround was to look up the name of the service principal that was mentioned in the error in our Azure AD directory using the "Search your tenant" box on the "Overview" tab of the directory (NOT the subscription but the Azure AD directory for the tenant). The name of the SP turned out to be "Storage Resource Provider" (yours may be different, so that's why you need to look it up in Azure AD), so we granted that SP the "Owner" role (temporarily) in the other subscription. Then provisioning worked!
There should be a finer-grained set of permissions you need to grant than just "Owner" but when we granted just the "validate" permission, we got a new error:
Failed to save firewall and virtual network settings for storage account 'XXX'. Error: An operation is currently performing on this storage account that requires exclusive access.
Also experienced this error when adding a vnet to a storage-account in another subscription.
Fixed by adding a storage-account to the subscription using the portal. Then the vnet could be added to the storage-account.
Note: the result is the same as #fernacolo does with a powershell command.
I am able to execute Runbooks within my Azure tenant/subscription, but would like to use a single Azure Automation Account in my tenant to execute Runbooks against other tenants and their subscriptions.
I have found this article for running against multiple subscriptions, but is it possible to have a centralized Azure Automation Account in one tenant that can connect and execute against other tenants and their subscriptions?
https://blogs.technet.microsoft.com/knightly/2017/05/26/using-azure-automation-with-multiple-subscriptions/
Based on my knowledge, if your account is an Azure AD account, it is possible. Also, if your account is a Microsoft account, you could create an Azure AD account. For more information about how to create a new Azure AD user, please refer to this link.
You could create a credential and store your account and password in it.
You can retrieve the credential in a runbook using the Get-AutomationPSCredential activity and then use it with Add-AzureRmAccount to connect to your Azure subscription. The following commands work for me.
$cred = Get-AutomationPSCredential -Name "shuitest"
Add-AzureRmAccount -Credential $cred
Select-AzureRmSubscription -SubscriptionName "Your Subscription Name"
For more information about this, you could refer to this link.
If you want to login multiple tenants in one runbook, you need to sign in separately and execute your PowerShell cmdlets.
So I stumbled upon this article, which offers guidance on how to do what you want:
https://blogs.technet.microsoft.com/knightly/2017/05/26/using-azure-automation-with-multiple-subscriptions/
Basically what I said: get the appId and grant it permissions to perform actions on the other subscriptions.
I was struggling with the same issue today, specifically how to authenticate cross-tenant. I solved the authentication part of it by having an Azure Automation Account in both of my tenants, both with a RunAs Account.
By default these will be called AzureRunAsConnection
Tenant01 is my main Tenant that holds the Automation Account that does all the work.
Tenant02 is "passive".
Use this script to export the certificate of Tenant02.
Import the certificate into Tenant01.
In Tenant01, add an additional RunAs connection (e.g. "AzureRunAsConnection02") and enter the ApplicationId, TenantId, CertificateThumbprint and SubscriptionId of the RunAs account from Tenant02.
With identical RunAs accounts and certificates in both tenants you should now be able to switch between your tenants in your runbook with:
Get-AutomationConnection -Name AzureRunAsConnection
Get-AutomationConnection -Name AzureRunAsConnection02
etc...
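Get-AutomationConnection only returns the connection asset; the runbook still has to sign in with it. As an added example (not the answerer's code), the following runbook fragment signs in with each RunAs connection in turn using the certificate already stored in the Automation Account, pins the context to the subscription recorded in the asset, and signs out before switching to the next tenant. It assumes the Az module is imported into the Automation Account, the second connection asset was created as described above (the name "AzureRunAsConnection02" is the one the answer uses), and the helper function name is an assumption.

```powershell
# Added example: runbook fragment that switches between two tenants using the
# RunAs connection assets described above. Assumes the Az module in the Automation
# Account; the connection names match the answer, the function name is assumed.
function Connect-WithAutomationConnection {
    param([Parameter(Mandatory)] [string] $ConnectionName)

    # The asset is a hashtable with ApplicationId, TenantId, CertificateThumbprint, SubscriptionId.
    $conn = Get-AutomationConnection -Name $ConnectionName
    if (-not $conn) { throw "Connection asset '$ConnectionName' not found" }

    # Certificate-based service principal sign-in into the connection's own tenant.
    Connect-AzAccount -ServicePrincipal `
        -Tenant $conn.TenantId `
        -ApplicationId $conn.ApplicationId `
        -CertificateThumbprint $conn.CertificateThumbprint `
        -ErrorAction Stop | Out-Null

    # Pin the context to the subscription stored in the asset so later cmdlets cannot
    # drift into whichever subscription the SPN happens to see first.
    Set-AzContext -Tenant $conn.TenantId -Subscription $conn.SubscriptionId -ErrorAction Stop | Out-Null
    Write-Output "Signed in to tenant $($conn.TenantId), subscription $($conn.SubscriptionId)"
}

foreach ($name in 'AzureRunAsConnection', 'AzureRunAsConnection02') {
    Connect-WithAutomationConnection -ConnectionName $name

    # Work for this tenant goes here; listing resource groups is a harmless probe
    # that confirms the SPN's role assignment in the target subscription.
    Get-AzResourceGroup | Select-Object ResourceGroupName, Location | Format-Table -AutoSize

    # Drop the cached context before switching so the next tenant starts clean.
    Disconnect-AzAccount -ErrorAction SilentlyContinue | Out-Null
}
```

Because the same certificate is imported into both tenants, protecting the Automation Account's certificate asset (and rotating it in both tenants together) is what keeps this arrangement safe: whoever can read that asset can sign in to every tenant it has been registered in.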