I'm a dev. I have
WEBSITE CONTRIBUTOR
Role on my azure function that our infrastructure team created. I can't see any functions listed in my function app in the portal and this ajax request fails when I try to expand the functions list in the side nav in the azure portal:
Request URL:
https://management.azure.com/subscriptions/{{my-enterprise-subscription-id-here}}/resourceGroups/mclintdevnc-ase-rg/providers/Microsoft.Web/hostingEnvironments/mclintdevnc-aseweb?api-version=2016-09-01
Request Method:
GET
Status Code:
403
The response body on this request contains this:
{"error":{"code":"AuthorizationFailed","message":"The client '{{my-organizational-username-here}}' with object id '{{my-organizationao-user-id-here}}' does not have authorization to perform action 'Microsoft.Web/hostingEnvironments/read' over scope '/subscriptions/{{my-enterprise-subscription-id-here}}/resourceGroups/mclintdevnc-ase-rg/providers/Microsoft.Web/hostingEnvironments/mclintdevnc-aseweb'."}}
So what privledges do i need on my function app to be able to do things like see the functions, enable disable individual functions, and generate api keys for a function?
Here is the screen show of what I'm getting:
When I deploy the same code to an azure function on my personal account (which I'm an administrator for) I see this:
I'm sure I wont get administrator role in my organizations subscription, so what is the minimal set of privileges I can have so i can see my functions and perform basic configuration on them?
As a reader level permission, you are restricted to check inside a related function implementation in function app. However, you can go to Platform Features tab and navigate to All Settings to check out all setting related to Function App (similar to web app), though as expected reader permission limits you to modify any setting.
For example, if a user is assigned the Reader role, they will not be able to view the functions within a function app. The portal will display (No access).
You can make a custom role for your use case.
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles
Website Contributor means you can "manage websites(not web plans), but not access them". Reader role gives you the right to read everything, but you cannot contribute. These roles are Built-in roles for Azure resources. You can find all of the Azure built-in RBAC in Microsoft docs https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Your organization administrator can create a custom role for you if it's needed to be a Website Contributor and reader at the same time.
Related
I found sample code from Microsoft docs but it doesn't seem to work.
If anyone has any insight that would be helpful.
Also the broad question is if that is even possible.
As the NodeJS uses Tedious library, it's not clear if Tedious is able to support AAD connection.
Sample code was taken from: https://learn.microsoft.com/en-us/azure/azure-sql/database/connect-query-nodejs?tabs=windows
It has the code sample with type: azure-active-directory-msi-app-service which I think should work.
The error I am getting is 'Security token could not be authenticated or authorized.'
The managed-identity user is added to the resources, with permissions
The code was working after adding a 'reader' role for principle user in sql server.
The steps that are required to connect SQL Server through AAD - Managed identity for NodeJS project are as below:
Create sql-server with sql-server database in an azure resource.
Create an azure-web app within the same azure resource.
Create a principle user in the web app.
This can be done by going to the azure web app > Settings > Identity menu > System-assigned tab and turning on the toggle.
In the sql-db create the user with the same name as principle user that was created in step 3. The name is same as web-app.
Also assign db_reader, db_writer, and ddladmin roles to the user.
You may use the below script to create and assign role to the user. (One thing to consider if it fails to create the user, you might need to rename the app-service name as in my case it was not allowing me to create the User saying it already exists).
**CREATE USER [<identity-name>] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [<identity-name>];
ALTER ROLE db_datawriter ADD MEMBER [<identity-name>];
ALTER ROLE db_ddladmin ADD MEMBER [<identity-name>];**
Add the reader role to the principle user in the sql server. (The one that I was missing).
This can be done by going to the Sql server resource(in Azure)> Access control (IAM)
Select Reader and select member/user (principle user with the app name), and assign the role reader to that user/member.
After all these configuration part is done, use the code from microsoft docs. For me lower node version was not working so needed to upgrade the node version.(14 in my case).
https://learn.microsoft.com/en-us/azure/azure-sql/database/connect-query-nodejs?tabs=windows
Also the connection was successful only in the deployed version.
Hope this is helpful !! :)
I want to make the user login in my custom application and Get the list of Tenants and Once I Get i want to make other Graph API calls like getting list of Azure Resource Groups etc
I want to build a similar experience just like we see in Microsoft Documentation (Try It) section. So that to get details from Users Azure Account i wont have to create Azure AD application in their Subscription
For e.g.
I need to schedule two cloud functions to run at a predefined time using Cloud Scheduler. However, when I click on the Cloud Scheduler tab it shows the below error message.
You don't have permission to enable Cloud Scheduler (appengine.applications.create, serviceusage.services.enable)
So I asked the project owner to grant me access to the below roles:
Cloud Scheduler admin
AppEngine Admin
Service Usage Admin
However, even after this I'm still getting the same message as before.
Below are the current roles that I have access to:
App Engine Admin
BigQuery Data Viewer
BigQuery User
Cloud Scheduler Admin
Cloud SQL Admin
Editor
Service Usage Admin
Storage Admin
Kindly let me know if I'm missing something here.
You don't need to be the project Owner.
You need these permission:
appengine.applications.create
serviceusage.services.enable
Predefined roles for first permission:
roles/owner
roles/appengine.appCreator
Predefined roles for second permission:
roles/owner
roles/editor
roles/serviceusage.serviceUsageAdmin
Since you already are an Editor, you only need to request App Engine Creator role for the first permission.
For you to be able to perform the configuration of Cloud Scheduler, you need to be the Project Owner.
Could you please give it a try asking your administrator to make you the Project Owner?
Understanding roles
This should fix your issue and solve your case. In case it doesn't, let me know if you are facing the same error.
Please, let me know if it worked!
If you are using target HTTP Method in your Cloud Scheduler, you can add Auth Header (Add OAuth token) with a particular or spesific service account.
I have a working app using the Azure REST API, and would like to extend it to gather information on Azure RI's (Reserved Instances). Regardless of whether I use the "Try It" link on the doc page (https://learn.microsoft.com/en-us/rest/api/reserved-vm-instances/reservationorder/list), or via API call from my app, I get the same error. The user in question is the global admin for the account.
{
"error": {
"code": "AuthorizationFailed",
"message": "The client 'admin-user#domain.com' with object id 'e127xxxx-f0b7-4b52-802f-yyyyb171zzzz' does not have authorization to perform action 'Microsoft.Capacity/reservationOrders/read' over scope '/providers/Microsoft.Capacity'."
}
}
Ideas? If this is an RBAC issue, it seems kind of pointless to provide a "Try It" link with no information about pre-reqs for getting this to work.
Thanks.
Well, global admin role only works for Azure AD, you need owner\contributor role to perform that call (you specifically need Microsoft.Capacity/reservationOrders/read permission).
You can also create a custom role to apply least privilege principle
https://learn.microsoft.com/en-us/azure/role-based-access-control/overview
https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles
By default, the person that bought the reservation and the account administrator have the Owner role on the reservation. So person who bought reservation or administrator need to give you or your app access to reservations. You can do it Azure Portal. Go to reservations then chose reservation, go to reservation order and delegate access. You can chose any type of role which you want (reader for example). After that your user/app has access to all reservations under that reservation order. Unfortunately you need to perform that operation for all reservation orders.
I have an Azure Active Directory Application (and associated Service Principal). That Service Principal needs to be able to add and remove members from an Azure Active Directory Group...so I have added Read and write directory data under Application Permissions:
And I have code that uses the Client ID and Client Secret to get an Authentication Token an perform these operations using the Azure Graph API.
However, this permission is far too broad. I need the Application/Service Principal to only have the ability to add and remove members from specific groups (not all)...and not the ability to perform other types of operations.
Is there a way to do this?
Thank you.
There is a preview feature that partly fits your requirement: "Group.ReadWrite.All". It lets your principal create and update groups and their navigation properties (incl. members). It does not however reduce the permissions to modify only certain groups.
AAD permission scopes are described here: https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes
Preview features may be subject to change and you'll have to agree to reduced service terms etc.: https://azure.microsoft.com/en-us/services/preview/