Cannot Add Account Owner to Azure EA Enrollment - azure

I need some help with this and I couldn't find any solution on the internet.
I need to change the ownership for an Azure Gov Subscription under an Enterprise Agreement Enrollment so first I need to create the new Account following the related Microsoft Documentation
The current "Account Owner" is the Initial Account gov.admin#govtenant.onmicrosoft.com
It's a work account in our "Azure AD Free" tenant and I have full control over it
It's also a Global Administrator in that tenant
The new account to add (gov.user#govtenant.onmicrosoft.com) is also a "Global Administrator" and exists in the same tenant
When I try to add it, the portal returns this error:
The login information provided is not a valid user.
If you believe you have received this message in error, please contact customer support.
But when I try to add an account from the tenant that we have in Azure Commercial (with "Azure AD for Office 365") ...
... the error seems to be correct.
The enrollment is in a cloud that is different from that of the user.
So far, I know that the "gov.admin#govtenant.onmicrosoft.com" account was signed up to the EA portal using an email from the Commercial Tenant (comtenant)
Also "govtenant" is a custom domain for the Commercial Tenant
So, what am I doing wrong?
Any help will be appreciated!

Related

I'm closed out of my Azure DevOps organization

I created an Azure Devops organization using my hotmail account.
For this reason, I am the owner of this organization.
Then I wanted to bind this organization to an Azure Active Directory, so I went here and I attached my Azure AD
Then by mistake I added a new user to my Organization, however I chose a user belonging to another Azure AD so he is seen as an external user here.
Finally, I removed the hotmail user from the users page. As a result, the hotmail user is still the owner, however he is not a member of the organization any more, so I can't enter any more:
Of course I may click "Request Access", however this request will be sent to the same hotmail account who is owner but is NOT a user... deadlock!
Can you help me please with a hint, I need to access my repos and Azure devops pipelines.
Thank you very much
I found it. This is the article which solved this problem.
Briefly, for organizations connected to Azure AD if the Owner and all other Project Collection Administrators are inactive in Azure AD, you can transfer ownership to another user.

How do you migrate trial content from Video Indexer to a Paid account?

I have a number of videos in my Video Indexer Trial account that I would like to move over to a Paid account. I tried following the instructions in https://learn.microsoft.com/en-us/azure/media-services/video-indexer/connect-to-azure#import-your-content-from-the-trial-account but this appears to only work if you setup your trial account with Azure AD.
Since I setup the Trial account with a Personal Microsoft Account, I don't see an option to import my existing content into a new account. I've setup everything manually in Azure for a new account (including Azure AD), but I don't want to lose the content from my Trial account.
Is there a way to import the Trial account content from Video Indexer into a paid account when your trial account was setup with a Personal Account? Thanks.
There is a way to import your media between different accounts, even if you are using two different authentication methods (Personal Microsoft Account/Gmail and Azure AD).
Use this link to learn how to invite your Azure AD user into your Personal Microsoft Account as a contributor and appoint yourself to be an owner in the account.
Then access your AAD account, choose the trial account you wish to move to be a paid account, click the 'create unlimited account' this time you should have the option to check the 'import my media' checkbox.
Our recommendation is to follow the Prerequisites list section as described here in order to make sure the user has all the correct permissions on the account.
Connecting to Azure can also be done with a manual Flow. This will require the user to be with either an Owner role, or both Contributor and User Access Administrator roles as described in this link

Don't have access in Azure Portal to create new items

I was added as a global administrator to a company's Azure AD directory. When I try to create a new web app I get the following message:
You are currently signed into the '-company- (Default Directory)' directory which does not have any subscriptions. You have other directories you can switch to or you can sign up for a new subscription.
When I try to sign up for a new subscription it wants me to enter my payment information, which I do not want to do. I want to use the company's existing subscription.
I also cannot see the App Service that the admin of the account just created in the portal.
It seems like I'm not fully configured, but we thought adding me as Global Administrator should give me exactly what he has, which is what we want. What else do we need to do so we have the same access, and can see each other's items?
In new Azure Portal, you should be added as a Co-Owner through the RBAC system. You should contact your Account Administrator(AA) who could grant the permission to your subscription. More information about how to add an admin for a subscription please refer to this article.
More information about RBAC please refer to this article.
You are the admin of the Azure AD directory, but not any subscriptions in that directory (assuming there are subscriptions). Directory admins don't have access to subscriptions by default. A subscription admin will need to grant you access to a subscription.
Note that directories can be created without subscriptions, so not every directory has an Azure subscription.
Also, a credit card is required to create a new subscription and you can't reference an existing company account without the company's Azure account admin doing that for you. Unfortunately, only one account can have access to do that today.

Why as a co-administrator of a subscription am I unable to edit the Active Directory?

A customer made me a co-administrator of his Azure subscription. However, I am unable to edit his Active Directory, ie add/edit users, create applications, etc.
Why can't I access that? I'm thinking perhaps the Subscription is owned by the AD and not the other way around.
What do each of the role levels in AD allow? There's
Global Admin
Billing Admin
Service Admin
User Admin
Password Admin
I believe the primary reason for this error is because when a co-admin with Microsoft account is added to a subscription, it gets added into the subscription AD as Guest user type. In order for you to get access to that AD so that you can perform the operations on the AD, your user type needs to be changed to Member from Guest. I had exact same issue with one of the users of our product and the steps described below solved the problem.
To change the user type, one would need to use AD PowerShell Cmdlets. The process is rather convoluted and needs to be done by your customer.
First, check with your customer if they themselves are using Microsoft Account for signing in into the portal. If they are, then they would need to create a user in their Azure AD. Please see this thread for why this is needed: PowerShell - Connecting to Azure Active Directory using Microsoft Account.
Next, they would need to sign in using this user account because one would need to change user password on the 1st login.
Install AD Modules. You may find these links useful for that purpose: https://msdn.microsoft.com/en-us/library/azure/jj151815.aspx#bkmk_installmodule, http://www.microsoft.com/en-us/download/details.aspx?id=41950 (Please choose 64 bit version) and http://go.microsoft.com/fwlink/p/?linkid=236297.
Launch PowerShell and execute the following commands:
$cred = Get-Credential #In the window that shows up, please specify the local AD user credentials.
connect-msolservice -Credential $cred
(Get-MsolUser -SearchString "your microsoft account email address").UserType #This should output "Guest". If it doesn’t, please stop and do not proceed further as there might be some other issue.
(Get-MsolUser -SearchString "your microsoft account email address") | Set-MsolUser -UserType Member
(Get-MsolUser -SearchString "your microsoft account email address").UserType #This should now output "Member"
If somehow the problem still persists, ask your customer to login into the portal, delete your user record from AD users list and add it again. That should also take care of this problem.
The answer was that I needed to be set up as a Global Administrator in the Azure AD domain.
Both answers above seem to be correct in their own way.
As a starter, subscription administrator does not automatically make you an Azure AD administrator. You'd need explicit role grant on the target Azure AD.
Second aspect is the type of the account used. If it's in current Azure AD or Microsoft Live account all is well.
In case that account is part of an external Azure AD, by default user type is "Guest" (can login, but cannot control even if assigned "Global admin"). Therefore PowerShell commands highlighted above should be executed to change user type to "Member".
Some more helpful info can be found here (it is mentioned as a Visual Studio Team Services issue, but actually applies to most Azure related services).
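The answers above turn on two separate facts about an account: whether it holds the Global Administrator role and whether its user type is Guest or Member. The following is an added example, not code from any of the answers, that reports both for every Global Administrator so Guest admins can be reviewed before anyone is converted to Member. It assumes the same MSOnline module the answer uses and an account allowed to read directory roles; the `$report` and `$guestAdmins` variable names are illustrative.

```powershell
# Added example: list Global Administrators together with their UserType.
# Assumes the MSOnline module (as used in the answer above) is installed.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)

# MSOnline exposes Global Administrator under the name "Company Administrator".
$role = Get-MsolRole -RoleName "Company Administrator"

# Resolve each user member of the role and record its UserType.
$report = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq "User" } |
    ForEach-Object {
        $user = Get-MsolUser -ObjectId $_.ObjectId
        [pscustomobject]@{
            DisplayName       = $user.DisplayName
            UserPrincipalName = $user.UserPrincipalName
            # UserType can be empty on some accounts; show that explicitly.
            UserType          = if ($user.UserType) { "$($user.UserType)" } else { "(not set)" }
        }
    }

$report | Sort-Object UserType, UserPrincipalName | Format-Table -AutoSize

# Guests that hold the role: confirm each one is expected before running
# Set-MsolUser -UserType Member against it.
$guestAdmins = @($report | Where-Object { $_.UserType -eq "Guest" })
if ($guestAdmins.Count -gt 0) {
    Write-Warning ("{0} Guest account(s) hold Global Administrator:" -f $guestAdmins.Count)
    $guestAdmins | ForEach-Object { Write-Warning ("  " + $_.UserPrincipalName) }
} else {
    Write-Output "No Guest accounts hold Global Administrator."
}
```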

Azure Subscription URL Contains Other Admin's Email Address?

I have two businesses and each has an Azure subscription. I'm an admin for each using my same MS email account.
Bill is only involved in one of the subscriptions, but when I log into my subscription "Local Happenings" (to which Bill should have no access) I still see his email address in the URL.
This picture shows it better:
https://db.tt/kvuccFOO
I'm wondering why this is, and if it could potentially be a problem.
My fear is that if he decides to cancel his business's account, then he will cancel mine or something.
I tried again to create a new subscription to verify I wasn't already logged into his subscription (I used a different browser), but it still shows his email address in the URL.
Anyone have any ideas?
UPDATE 1:
https://db.tt/QHJrfIno
I see that my subscription is under his "default directory". I never selected this when creating my subscription. How do I change this, and is it the culprit?
What shows under the "Active Directory" tab in the management portal for each Subscription? When you say "MS email account" is that an old hotmail-type account or one registered via Office 365 or Azure?
The fact that the account showing in the URL has #XXX.onmicrosoft.com address suggests there is a link back to an Azure Active Directory (AAD) instance. If this is shared between the subscriptions (potentially as a login from it was used to create one of the subscriptions) then this would be the cause.
You need to make sure a non-AAD account is an admin on the subscription so that removal of an associated Azure AD instance will not orphan the subscription.
Have a read of the AAD documentation here for more information: http://msdn.microsoft.com/library/azure/dn629581.aspx
