Why I don't have access to my AAD app registration in Azure Portal, but I can view it using Azure CLI? - azure

I can register my app using az ad app create or using old portal https://apps.dev.microsoft.com/#/appList in my company's AAD, and I can review it using az ad app view
Now in Azure portal I can't view it.
It's understandable, that I don't have access to the Azure Active Directory pane in Azure Portal, but even when I copy&paste azure portal link directly to my app registration, it still says I don't have access to view it.
Why? Is it a bug in Azure Portal? What permission do I need in order to use Azure Portal?

This is not a bug, I can reproduce your issue on my side. Your tenant may set the Restrict access to Azure AD administration portal to Yes in User settings.
With the setting to Yes, the non-admin user will not be able to access the Azure AD admin portal, but the other client like PowerShell, CLI will work.
To fix the issue, you have two options.
1. Ask the Global admin of your tenant to give you an Administrator role: navigate to Azure Active Directory in the portal -> Roles and administrators -> choose a role, click Add assignment -> add your account.
2. Ask the Global admin of your tenant to set the Restrict access to Azure AD administration portal setting to No.

Related

Connect App in Azure with Azure AD in a different tenant

We have a static website in Storage account with BE in Function App.
We would like to use Azure AD for authentication.
When I register app, I can see 2 options:
Who can use this application or access this API?
Accounts in this organizational directory only (Single tenant)
Accounts in any organizational directory (Any Azure AD directory - Multitenant)
Issue is that Azure AD we would like to authenticate against is in different tenant.
So we want something in between Any Azure AD and THIS Azure AD.
Is there a way to achieve that?
Register the app in the different tenant directly with the Single tenant option.
The fact that the app is hosted in a subscription linked to another tenant does not matter.
You'll need someone who has a user account in the other tenant to register the app in that tenant or they need to give your user access there.
You can switch the tenant that you are looking at in Azure portal from the top-right.
Click your username -> Switch directory -> Select the tenant from the list.

App Registration in AD doesn't show in Apps Portal

I created an Azure Active Directory via the Azure portal. Then, I registered an app in it. I can configure it, add permissions and the like via the Azure portal. But the same app I created, I don't see on https://apps.dev.microsoft.com/
Shouldn't I be able to see and configure the app I made in AD at that portal, too?
The apps that appear in the Application Registration Portal are the ones where you are explicitly marked as an owner of the application. This is in contrast to the apps that appear in the Azure Portal, which are all the applications registered in your tenant, independent of whether or not you are an owner.
If you are a normal user, and you create an application in the Azure Portal, you should see your application appear in a section called "Azure AD only applications"
Here is the owner information for "Email Scraper" from the Azure Portal.
However, if you are a Tenant Administrator and you create an application, you will not be marked as an owner of the application. Implicitly, Tenant Administrators are owners of all objects in the directory, and to reduce the object quota generated by admins, these explicit links are not created.
Here is an example of an app I created where I am the Tenant Administrator:
Therefore, you probably do not see your application in the App Registration Portal because you are not marked as an Owner of the application, probably because you are an Administrator who created the app, or you did not create the app to begin with. You can remedy this by simply adding yourself to the owner list in the Azure Portal.
Let me know if this helps!

Authorization of web app to Azure AD role or group

Do we need Azure Active Directory Premium to do role-based or group-based authorization?
I ask this question because my Azure portal is not giving me "Users" tab as mentioned in this link.
Group-based access is a Basic/Premium feature as defined here.
Using Azure Active Directory (Azure AD) with an Azure AD Premium or Azure AD Basic license, you can use groups to assign access to a SaaS application that's integrated with Azure AD.
You can only assign individual users to apps after you enable User assignment required to access app. But the Users tab should definitely be available though.

Cannot see Azure AD even having role as global admin and co-admin on its subscription

I don't really understand why in this case. My company has an Azure subscription for the development/testing environment.
At the beginning I am co-admin on this subscription with my Microsoft account. Now I need to manage applications under the Azure AD of that subscription. So my Microsoft Account is elevated to Global Admin of this Azure AD.
But even though my MS account is elevated to Global Admin, I cannot see or access Azure AD.
After searching around and based on this article:
https://blogs.msdn.microsoft.com/dstfs/2015/12/23/issues-with-azure-active-directory-guest-users-in-aad-backed-visual-studio-team-services-accounts/
I am GUEST (user type) on Azure AD, so even though I am global admin, I still cannot have access to this Azure AD.
From the link, this happens because:
One way you can become an AAD GUEST is when you are made a co-admin on an Azure subscription before being added to the AAD associated with it
It can be fixed by using PowerShell like #CtrlDo's answer. But you have to create a global admin with a work/school account, since this approach does not work with a Microsoft account:
PowerShell - Connecting to Azure Active Directory using Microsoft Account
We have another approach which can be done in the UI and which we think is simpler:
1. Remove my account from the co-admins of the subscription.
2. Remove my account from Azure AD.
3. Add my account back to Azure AD as Global Admin.
4. Add my account back as co-admin on the subscription.
That does work perfectly.
When you were added to the AAD, your user type might have been set to "guest"
See https://azure.microsoft.com/en-us/documentation/articles/active-directory-create-users/ for more information.
See https://blogs.msdn.microsoft.com/dstfs/2015/12/23/issues-with-azure-active-directory-guest-users-in-aad-backed-visual-studio-team-services-accounts/ for an older post on how to view the issue in PowerShell and fix it.
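The two causes above (an account that is not an explicit owner of the app registration, and an account whose user type is Guest) can be checked from the command line. This is an added example, not code from any of the answers: it drives the real Azure CLI commands `az rest`, `az ad app owner list` and `az ad app owner add`; the helper names (`run_az`, `diagnose`, `ensure_self_owner`) are ours, and the `run` parameter exists only so the logic can be exercised with canned JSON instead of a live tenant.

```python
import json
import subprocess
from typing import Callable, Sequence

# Hypothetical helper names; the `az` subcommands they run are real Azure CLI commands.
Runner = Callable[[Sequence[str]], str]
GRAPH_ME = "https://graph.microsoft.com/v1.0/me?$select=id,userPrincipalName,userType"

def run_az(args: Sequence[str]) -> str:
    """Run `az <args>` and return its stdout (JSON)."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True,
                          capture_output=True, text=True)
    return proc.stdout

def signed_in_user(run: Runner = run_az) -> dict:
    """Graph /me omits userType unless selected, so request it explicitly."""
    return json.loads(run(["rest", "--method", "get", "--url", GRAPH_ME]))

def explicit_owner_ids(app_id: str, run: Runner = run_az) -> set:
    """Object ids explicitly listed as owners of the app registration."""
    owners = json.loads(run(["ad", "app", "owner", "list", "--id", app_id]))
    return {o["id"] for o in owners}

def diagnose(app_id: str, run: Runner = run_az) -> dict:
    """Rank the likely causes of 'cannot see my app' for the signed-in account."""
    me = signed_in_user(run)
    is_guest = me.get("userType") == "Guest"        # Guests are blocked from the AAD blade
    is_owner = me["id"] in explicit_owner_ids(app_id, run)  # admins are implicit, not listed
    if is_guest:
        fix = "convert the account to Member type"
    elif not is_owner:
        fix = "add the account as an explicit owner"
    else:
        fix = "check 'Restrict access to Azure AD administration portal'"
    return {"user": me.get("userPrincipalName"), "is_guest": is_guest,
            "explicit_owner": is_owner, "fix": fix}

def ensure_self_owner(app_id: str, run: Runner = run_az) -> bool:
    """Add the signed-in user as an explicit owner; True if an add was issued."""
    me = signed_in_user(run)
    if me["id"] in explicit_owner_ids(app_id, run):
        return False  # already listed, nothing to do
    run(["ad", "app", "owner", "add", "--id", app_id, "--owner-object-id", me["id"]])
    return True
```

Run `diagnose("<app-id>")` first; `ensure_self_owner` only helps when the signed-in account has permission to edit the app registration.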

How to add Office365 custom domain to Windows Azure Active Directory?

I have a Windows Azure Subscription where the administrator has a Microsoft Account.
This account has a Default active directory and I need to configure my Office365 domain to authenticate my applications with corporate accounts.
I can't remove the default directory.
Thank you
The management portal will not let you do what you are asking. It will not let you associate your Azure account with an existing Windows Azure Active Directory (WAAD) instance and manage it through the Azure portal. You can, however, still use your Office365 instance of WAAD as an identity provider through Azure Access Control Service (ACS). For a good starting place on using ACS for adding claims-based authentication to your web application, look here. For instructions on how to provision a WAAD tenant as an IdP for ACS, look here.