ADF Shared SHIR permissions - azure

I'm trying to configure an ADF self-hosted integration runtime to be shared with another ADF in the same RG. I'm getting the following error:
(I removed the id specifics)
Error occurred when grant permission to [Object-ID]. Error: {"error":{"code":"AuthorizationFailed","message":"The client [My-Username] with object id [object-id] does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/[object-id]/resourcegroups/DataEngineering-RG/providers/Microsoft.DataFactory/factories/[Data Factory Name]/integrationRuntimes/[IR-Name]/providers/Microsoft.Authorization/roleAssignments/[Role Object ID]' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
Question: what role is required for me to be able to perform this action, and at what level does that access need to be granted (e.g. Subscription level, RG level, ADF level)?
Note: I have Azure Data Factory Contributor level access currently.
Thanks in advance

what role is required for me to be able to perform this action
You need the Owner or User Access Administrator role (maybe other roles; just check this doc and see the JSON file of each role: if the actions include Microsoft.Authorization/roleAssignments/write, it will be able to do the operation.)
You can also create a custom role which has Microsoft.Authorization/roleAssignments/write in its actions; it depends on your requirements.
and at what level does that access need to be granted (e.g. Subscription level, RG level, ADF level)?
The three levels are all correct.
The RBAC role in Azure is inherited, e.g. if you assign the Owner role to your user account in the subscription, the account will also have the Owner role in all the resource groups/resources of the subscription. But if you just assign the user account at the ADF level, it will not be able to access other resources in the subscription.
So to fix the issue, just navigate to the ADF mentioned in the error message/RG/Subscription in the portal -> Access control (IAM) -> Add -> add your user account as e.g. the Owner role, then it will work fine.

Related

What is the role assigned to the creator of the resource in Azure

We have a tenant where all users are provided Contributor access. Now, if I create a resource, what is the role assigned to me?
I can see that whatever resource I create, I still inherit the Contributor role only. But ideally, I should get the Owner role for the resources I create!!
What am I missing here? Can you please route me to the relevant document, if any? I don't see clear information on this.
Let's say, by default all users are given a very restrictive role -> the 'Reader' role for all the resources.
Now, a user can have all sorts of roles on the resources created by him... so does this work in Azure?
We have a tenant where all users are provided Contributor access. Now, if I create a resource, what is the role assigned to me?
You will get the Contributor role. Because you did not explicitly assign any role on the resource you created, you will inherit the role from the parent.
But ideally, I should get the Owner role for the resources I create!! What am I missing here?
In order to get the Owner role for the resource you created, someone with the Owner or User Access Administrator role needs to grant you that role on the resource you created. You cannot grant yourself a higher role.
Let's say, by default all users are given a very restrictive role -> the 'Reader' role for all the resources. Now, a user can have all sorts of roles on the resources created by him... so does this work in Azure?
Explicit role assignment needs to be performed at the resource level.

How to block access to group of users with directory roles

In my tenant, I want to restrict access to my application for a few users even if they have directory admin roles.
I'm thinking of implementing a conditional access policy. I have a Premium P2 license; is this sufficient to work with conditional access?
How do I create a policy to restrict access for admins? Any help is appreciated.
I tried to reproduce the same in my environment and got the results below:
I have created one Azure AD group named AppAdminCA by adding the 'Application Admin' role to that group like below:
This means every user in that group has the 'Application Admin' role. Note that the Application Admin role doesn't have access to modify conditional access policies.
To restrict access for these users to a specific application, you can create a "Conditional access policy" like below:
Go to Azure Portal -> Azure Active Directory -> Security -> Conditional Access -> Policies -> New policy
In Users field, you can select either Users with Directory role or the above created group like below:
In Cloud apps field, select that particular application to which you want to block access as below:
In Access controls field, select Block access and click on Create by enabling the policy:
You can find the created conditional policy here:

Grant Read access to service principal to get ONLY subscription ids on Azure

I have over 50 Azure subscriptions under the same tenant. I have created a service principal under Azure Active Directory and given the service principal the 'Reader' role on each subscription. When I make an API call from Postman I get all subscription ids, but my concern is that I am giving 'READ' access to all my resources on different subscriptions. I want to limit this service principal so that it will ONLY be able to list the subscription ids and nothing else.
I want to limit this service principal so that it will ONLY be able to list the subscription ids and nothing else.
With the "Reader" role, a user would be able to read all resources inside a subscription and not just the subscription id.
I believe the solution to your problem is to create a custom role (let's call it SubscriptionPropertiesReader) and then give only the permission to perform the read operation at the subscription level. Based on the information provided here, I believe the permission you would want to include in this role is Microsoft.Resources/subscriptions/read.
The challenge, obviously, will be to create this custom role in each and every subscription and then assign this role to your service principal in each subscription.

Azure AD Custom Role for Application Admin Role Assignment

My requirement is that I need to add users/applications to the Application Administrator role.
As per the MS design, only a Global Admin has permission to add assignments to this role. But I don't want to give Global Admin to many members; rather, I'm trying to create a custom role that grants them the ability to add users/applications to the Application Admin role.
When I tried to research more on the exact permissions, I found the permission below in Global Admin, which I believe is needed for my requirement (custom role):
microsoft.directory/roleAssignments/allProperties/allTasks =>
Create and delete roleAssignments, and read and update all properties in Azure Active Directory.
However, the above permission cannot be used for any custom role.
Is there any way to add the above permission to my custom role?
So I reached out to Microsoft support and they confirm that right now custom roles are supported for the permissions including app registrations and enterprise applications. For role assignments, those permissions aren't supported by custom roles.
My Workaround:
I created a group (security group) that is role-assignable and added that group to the Application Administrator role. With this, I can now manage the members (add/remove) of the group, which inherits all the permissions from the Application Administrator role.

Azure Resource Group Access

How to restrict a user from accessing specific resource groups?
For example, I have 10 resource groups in a subscription, out of which the user should be able to access only 3 resource groups where the user can do their operations.
When you create a new user for Azure, they have no permissions at all against any subscriptions; logging into the portal will present an empty view with no resources.
If you give that user the Reader permission they will then be able to read any resource in the subscription, but not modify anything, as would be expected. With Reader permission on the subscription, they cannot create anything, resource groups or otherwise.
If that user is only given permissions on a resource group, with no permission on the subscription, then they will only see the resource group they have permissions in. They will then have whatever permissions they have been granted within that group.
Under the surface, every Contributor and Reader role has the "Microsoft.Resources/subscriptions/resourceGroups/read" action, meaning that anyone with any Contributor or Reader role can see all resource groups.
There is no built-in role that has an explicitly defined resourceGroups/write or resourceGroups/* permission.
The only roles with that permission implicitly applied are Contributor and Owner, which have "*" applied.
This means that only Contributors and Owners can create resource groups in a subscription.
It would be possible to create a custom role that denied resourceGroups/write.
So, to answer your question: to limit a user to only being able to see specific resource groups, ensure that they don't have any access at the subscription level (any access at all at this level will allow them to see resource groups), and only apply permissions on the resource groups you wish them to see.
For example, I have 10 resource groups in a subscription, out of which the user should be able to access only 3 resource groups where the user can do their operations.
The above is possible with the following steps:
Add the user to the subscription. Don't assign any role at the subscription level for this user.
Add the user as Contributor to the selected three resource groups (in the Access Control (IAM) property) through a role assignment.
The above two configurations will enable the user to only view and operate on the explicit three resource groups; other resource groups will not appear in the Azure portal.
Best practice would be to add the user to a security group and assign the security group to the roles.
Add the user to the Contributor role in those resource groups.
Go to the resource group, then open Access Control (IAM), and add the user to the Contributor role. Repeat for each resource group.
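The same scope-inheritance and action-matching rules underlie four of the answers on this page: the SHIR sharing error (roleAssignments/write on the integration runtime), the "which role does the creator inherit" answer, the SubscriptionPropertiesReader custom role, and the resource group visibility answer above. The following toy evaluator is an added example, not Azure's authorization engine or code from any of the posters: it models an assignment as applying to its scope and everything beneath it, matches Actions/NotActions with Azure-style `*` wildcards, and then replays each thread's scenario. The role definitions are abridged copies of the built-in roles named in the thread (assumed to be enough for these checks; the real roles list more actions), and the subscription id, principal names and resource names are constructed placeholders.

```python
"""Toy evaluator for Azure RBAC scope inheritance and action matching (added
example, not Azure's engine; role lists abridged, names and ids placeholders)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Role:
    actions: tuple           # Actions granted; '*' wildcards as in Azure
    not_actions: tuple = ()  # subtracted from this role's own Actions only

# Abridged built-in roles (assumption: only the entries this thread relies on).
ROLES = {
    "Owner": Role(("*",)),
    "Contributor": Role(("*",), not_actions=(
        "Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/elevateAccess/Action")),
    "Reader": Role(("*/read",)),
    "User Access Administrator": Role(
        ("*/read", "Microsoft.Authorization/*", "Microsoft.Support/*")),
    "Data Factory Contributor": Role((
        "Microsoft.Authorization/*/read", "Microsoft.DataFactory/factories/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read")),
    # Custom role proposed in the "list only subscription ids" answer.
    "SubscriptionPropertiesReader": Role(("Microsoft.Resources/subscriptions/read",)),
}

def _matches(pattern: str, action: str) -> bool:
    # Azure compares actions case-insensitively and '*' spans '/' segments.
    return fnmatchcase(action.lower(), pattern.lower())

def _covers(assigned_scope: str, target: str) -> bool:
    # An assignment applies at its own scope and at everything beneath it.
    a, t = assigned_scope.lower().rstrip("/"), target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def is_authorized(principal, action, scope, assignments, roles=ROLES) -> bool:
    """assignments: (principal, role name, scope) triples. Allow if one of them
    covers `scope` with a role whose Actions match and NotActions do not
    (deny assignments and ABAC conditions are ignored in this toy)."""
    for who, role_name, asg_scope in assignments:
        if who != principal or not _covers(asg_scope, scope):
            continue
        role = roles[role_name]
        if any(_matches(p, action) for p in role.actions) and not any(
                _matches(p, action) for p in role.not_actions):
            return True
    return False

def visible_resource_groups(principal, rg_scopes, assignments) -> list:
    # RG names the portal would list: those where resourceGroups/read is allowed.
    rg_read = "Microsoft.Resources/subscriptions/resourceGroups/read"
    return [rg.rsplit("/", 1)[1] for rg in rg_scopes
            if is_authorized(principal, rg_read, rg, assignments)]

# Constructed scopes (placeholder subscription id).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = f"{SUB}/resourceGroups/DataEngineering-RG"
ADF = f"{RG}/providers/Microsoft.DataFactory/factories/adf-source"
OTHER_ADF = f"{RG}/providers/Microsoft.DataFactory/factories/adf-other"
IR = f"{ADF}/integrationRuntimes/shir-01"
ROLE_WRITE = "Microsoft.Authorization/roleAssignments/write"

def shir_sharing_scenario() -> dict:
    """Sharing a SHIR writes a role assignment on the IR: who may do that?"""
    base = [("alice", "Data Factory Contributor", RG)]
    owner = base + [("alice", "Owner", ADF)]
    contrib = [("bob", "Contributor", SUB)]
    return {
        "adf_contributor_on_rg": is_authorized("alice", ROLE_WRITE, IR, base),
        "owner_on_adf": is_authorized("alice", ROLE_WRITE, IR, owner),
        "owner_on_adf_other_factory": is_authorized("alice", ROLE_WRITE, OTHER_ADF, owner),
        "contributor_on_sub": is_authorized("bob", ROLE_WRITE, IR, contrib),
    }

def resource_group_scenario() -> dict:
    """Reader at subscription sees every RG; Contributor on one RG sees one."""
    rgs = [f"{SUB}/resourceGroups/rg-{n}" for n in "abc"]
    rg_write = "Microsoft.Resources/subscriptions/resourceGroups/write"
    asg = [("reader", "Reader", SUB), ("dev", "Contributor", rgs[0])]
    return {
        "reader_sees": visible_resource_groups("reader", rgs, asg),
        "dev_sees": visible_resource_groups("dev", rgs, asg),
        "reader_creates_rg": is_authorized("reader", rg_write, SUB, asg),
        "dev_creates_rg": is_authorized("dev", rg_write, SUB, asg),
    }

def subscription_id_scenario() -> dict:
    """Custom role with only subscriptions/read versus the built-in Reader."""
    vm = f"{SUB}/resourceGroups/rg-a/providers/Microsoft.Compute/virtualMachines/vm1"
    vm_read = "Microsoft.Compute/virtualMachines/read"
    custom = [("spn", "SubscriptionPropertiesReader", SUB)]
    return {
        "custom_reads_sub": is_authorized("spn", "Microsoft.Resources/subscriptions/read", SUB, custom),
        "custom_reads_vm": is_authorized("spn", vm_read, vm, custom),
        "reader_reads_vm": is_authorized("spn", vm_read, vm, [("spn", "Reader", SUB)]),
    }

if __name__ == "__main__":
    for fn in (shir_sharing_scenario, resource_group_scenario, subscription_id_scenario):
        print(fn.__name__, fn())
```

Running it shows the thread's conclusions as booleans: Data Factory Contributor on the RG cannot write the role assignment on the IR, Owner on that one factory can (but not on a sibling factory), and Contributor at the subscription cannot either, because its NotActions subtract Microsoft.Authorization/*/Write from the "*" grant. Reader at the subscription lists every resource group but cannot create one, Contributor on a single RG sees only that RG, and the custom SubscriptionPropertiesReader role can read the subscription while the same principal with Reader could read a VM inside it. The scope check insists on a "/" boundary, so an assignment on one subscription id never leaks to another id that merely shares a prefix.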