I'm trying to use az against my Azure account. My account has two directories: one for personal (default) and one for business. I need to "switch to" the business directory so that az has access to the correct resources. However, I cannot find any way to achieve this via the command line, so when I do az group list I see the resource groups from my personal directory, not the business one.
How can I switch Azure directory from the CLI?
Subscription and directory are not the same thing. You can have access to several subscriptions in your work directory, for example.
To log in to a different (non-default) directory, use the --tenant option with the az login command, passing the FQDN of the directory, e.g.
az login --tenant yourdir.onmicrosoft.com
You can find the FQDN in Azure Portal when listing the directories.
When logged into a directory, you can see a list of all your available subscriptions.
# List of the tenants:
az account tenant list
[
{
"id": "/tenants/91358f27-xxxx-xxxxxxxxxxx",
"tenantId": "91358f27-xxxx-xxxxxxxxxxx"
},
{
"id": "/tenants/cf39b7bf-xxxx-xxxxxxxxxxx",
"tenantId": "cf39b7bf-xxxx-xxxxxxxxxxx"
}
]
# Select the tenant ID:
az login --tenant cf39b7bf-xxxx-xxxxxxxxxxx --allow-no-subscriptions
# Set a validated subscription:
az account set --subscription "Pago por uso"
# Verify
az account list -o table
Ugh, never mind. For some reason the CLI calls them subscriptions when the portal calls them directories. So I needed az account set --subscription $SUBSCRIPTION_ID
I want to log in to Azure to run these commands on a web app:
az login
az account set --subscription "Pay-As-You-Go"
az webapp identity assign --name "****" --resource-group "****"
az keyvault set-policy --name "****" --object-id "***" --secret-permissions get list
where we are managing our customers' Azure through the Microsoft Partner Center, as follows:
When I click on a customer, then click on "view all resources on Azure portal":
then when I click on "View My Access" I get this:
But when I try to log in to Azure using PowerShell (C:\Program Files\Microsoft SDKs\Azure\.NET SDK\v2.9> az login) with the same username I log in to the UI with, I get this error:
You have logged in. Now let us find all the subscriptions to which you
have access... No subscriptions were found for 'None'. If this is
expected, use '--allow-no-subscriptions' to have tenant level access
So I am confused, because using the UI I can access the customer and create web apps for the customer. So why, when I log in to Azure using PowerShell, do I get the above error saying that I do not have a subscription?
It seems like the customer does not have licensed subscriptions, as mentioned in the snippets you shared:
Try using the command below instead:
az login --allow-no-subscriptions
Alternatively, if you have the tenant ID handy, you can use the command below:
az login --tenant TENANT_ID
I'm trying to switch tenants from the command line interface on my Windows 10 computer.
The answers provided here don't seem to work at all.
I've also tried the following:
az logout
az login --use-device-code (because of 2FA)
az login --username [my user name] -t [tenant id]
az login --tenant [tenant id]
az login --tenant [tenant name]
az account set --subscription [subscription id]
All these commands complete successfully; however, when I run the Get-AzSubscription command, I still see the tenant ID of a different tenant that I use, not the one I want to log into.
How can one successfully switch tenants from the command line interface using Microsoft Azure with 2FA while developing cloud native apps on a Windows 10 PC?
You should not use Get-AzSubscription to get the subscription information.
Get-AzSubscription is in the Az.Accounts PowerShell module.
But az login is in the Azure CLI. Switching tenants using az login doesn't affect the results of Get-AzSubscription.
You can see the tenant information immediately after logging in using az login --allow-no-subscriptions --tenant xxxx.onmicrosoft.com.
You can also use az account show to get the details of a subscription and the tenant information.
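The two answers above both turn on the distinction between a tenant (directory) and a subscription. As an added example, not code from this thread, the helper below parses `az account list -o json` output (a constructed sample is embedded so it runs offline; the IDs are placeholders), groups subscriptions by tenant, and works out which az commands are needed to make a named subscription the active context, including a tenant-scoped login when the target lives in a different directory than the current default:

```python
import json
from typing import Dict, List, Optional

# Constructed sample of `az account list -o json` output; the IDs are
# placeholders, not real tenants or subscriptions.
SAMPLE_ACCOUNT_LIST = json.dumps([
    {"id": "11111111-0000-0000-0000-000000000001", "name": "Personal",
     "tenantId": "aaaaaaaa-0000-0000-0000-000000000001",
     "isDefault": True, "state": "Enabled"},
    {"id": "22222222-0000-0000-0000-000000000002", "name": "Pay-As-You-Go",
     "tenantId": "bbbbbbbb-0000-0000-0000-000000000002",
     "isDefault": False, "state": "Enabled"},
    {"id": "33333333-0000-0000-0000-000000000003", "name": "Old Dev",
     "tenantId": "bbbbbbbb-0000-0000-0000-000000000002",
     "isDefault": False, "state": "Disabled"},
])


def subscriptions_by_tenant(account_list_json: str) -> Dict[str, List[dict]]:
    """Group subscriptions by the tenant (directory) each one belongs to."""
    grouped: Dict[str, List[dict]] = {}
    for sub in json.loads(account_list_json):
        grouped.setdefault(sub["tenantId"], []).append(sub)
    return grouped


def current_tenant(account_list_json: str) -> Optional[str]:
    """Tenant of the isDefault subscription, i.e. what az acts against now."""
    for sub in json.loads(account_list_json):
        if sub.get("isDefault"):
            return sub["tenantId"]
    return None


def switch_commands(account_list_json: str, subscription_name: str) -> List[str]:
    """az commands that make `subscription_name` the active context.
    Only an Enabled subscription qualifies; if it lives in another tenant than
    the current default, a tenant-scoped login comes first so the token is
    issued by that directory. The final `az account show` is the check."""
    matches = [s for s in json.loads(account_list_json)
               if s["name"] == subscription_name and s.get("state") == "Enabled"]
    if not matches:
        raise LookupError(f"no enabled subscription named {subscription_name!r}")
    target = matches[0]
    cmds: List[str] = []
    if target["tenantId"] != current_tenant(account_list_json):
        cmds.append(f"az login --tenant {target['tenantId']}")
    cmds.append(f"az account set --subscription {target['id']}")
    cmds.append("az account show --query '{sub:id, tenant:tenantId}' -o tsv")
    return cmds
```

Verifying `tenantId` from `az account show` after the switch, rather than from a PowerShell cmdlet, is what tells you the CLI context actually changed.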
I created a key vault and secrets from the MS docs and confirmed that I can list the key vault and secrets from an Azure CLI session. When somebody else granted me access to another key vault in our Azure tenant, I was not able to list that vault from the Azure CLI.
The CLI command I am using is: az keyvault list
I have compared the individual policies applied to the two vaults, and have 'owner' role access to both. I can see the vaults and secrets when I use a browser to navigate to the Azure portal.
Thanks in advance for any suggestions on what I should check.
I suppose the key vault is in another subscription in your Azure AD tenant. In Azure CLI, az keyvault list only lists the key vaults in the default subscription; if you want to do operations in another subscription, you need to set that subscription first.
Navigate to the key vault which you want to list in the portal and copy the Subscription ID, like below.
Then run the command below before you list the key vaults.
az account set --subscription <Subscription ID>
az keyvault list
In my case, my login had expired, but unlike with other commands, I did not get a warning to that effect. It simply returned the [] empty list.
Renewing my login with az login allowed az keyvault list to work.
In my case I had to go to the subscription / resource group where the key vault was and give the user / service principal the Reader role. You can do that by clicking on the subscription/RG, then selecting "Access Control (IAM)" on the left side, and then adding the role assignment. Instructions: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current
I am following the instructions in the Azure CLI "quickstart" on creating a blob.
It looks like something in the default storage account is blocking the ability to create new containers; yet the "defaultAction" is Allow:
The following Azure CLI command:
az storage container create --account-name meaningfulname --name nancy --auth-mode login
... results in an error explaining that the network rules of the storage account might be the cause:
The request may be blocked by network rules of storage account. Please check network rule set using 'az storage account show -n accountname --query networkRuleSet'.
If you want to change the default action to apply when no rule matches, please use 'az storage account update'.
Using the suggestion from the above message, the "show" command on the account name gives:
> az storage account show -n meaningfulname --query networkRuleSet
{
"bypass": "AzureServices",
"defaultAction": "Allow",
"ipRules": [],
"virtualNetworkRules": []
}
I would think that the Azure CLI would be among the "services" that could bypass and do operations. And, the default action would seem to me to be quite permissive.
I've done some searching around by the error messages and commands (and variations). There does not appear to be much on this, and I don't know the quirks of the Azure CLI, so maybe this is so obvious that people haven't written anything up. I don't think I'm duplicating
Although the selected answer is different.
There can be another reason, as in my case. You need to be in the role before you can create a container, as stated by the Microsoft documentation here:
Before you create the container, assign the Storage Blob Data
Contributor role to yourself. Even though you are the account owner,
you need explicit permissions to perform data operations against the
storage account.
Also note that:
Azure role assignments may take a few minutes to propagate.
Not sure if this would be helpful ...
If you update the "Firewalls and virtual networks" section of the storage account and make it accessible from all networks using the CLI, it takes some time to take effect. I have observed that it takes around 10-30 seconds.
Try waiting for 30 seconds and then try the az container create statement again. It should work.
Remove --auth-mode login from your command. Use it like this:
az storage container create \
--account-name helloworld12345 \
--name images \
--public-access container
If we don't set --auth-mode, it uses the default auth mode, key, which will query for the account key inside your storage account:
https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-data-operations-cli
Use --auth-mode login in your command if you have the required RBAC roles. For more information about RBAC roles in storage, visit https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad-rbac-cli.
The current networkRuleSet configuration is enough. I cannot reproduce this issue with the same networkRuleSet configuration as yours, so you may double-check whether there is a typo in the storage account name when creating a container or querying the networkRuleSet.
By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action.
If you need to allow access to your storage account only from some specific IP addresses or specific subnets, and also allow Azure services, you can add them like this:
{
"bypass": "AzureServices",
"defaultAction": "Deny",
"ipRules": [
{
"action": "Allow",
"ipAddressOrRange": "100.100.100.100"
}
],
"virtualNetworkRules": [
{
"action": "Allow",
"virtualNetworkResourceId": "subnetID"
}
]
}
With Azure CLI, set the default rule to allow network access by default.
az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --default-action Deny
az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --default-action Allow
See Change the default network access rule for more details.
Edit
In this case, you set the --auth-mode parameter to login to authorize with Azure AD credentials. You need to ensure that the Azure AD security principal with which you sign in to Azure CLI has permission to do data operations against Blob or Queue storage. For more information about RBAC roles in Azure Storage, see Manage access rights to Azure Storage data with RBAC.
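The answers in this thread point at two separate gates: the account's networkRuleSet, and (with --auth-mode login) the data-plane RBAC role. As an added example, not code from the thread or from Microsoft, the functions below evaluate a rule set of the shape shown above for one request and then map a failed container create to whichever gate it hits. The rule sets and the subnet id are constructed placeholders; the "trusted service" bypass is modelled as applying only to Azure service callers, since az run on a workstation is an ordinary client.

```python
import ipaddress
from typing import Optional

# Constructed rule sets shaped like `az storage account show --query networkRuleSet`;
# the subnet resource id is a placeholder.
OPEN_RULES = {"bypass": "AzureServices", "defaultAction": "Allow",
              "ipRules": [], "virtualNetworkRules": []}
LOCKED_RULES = {"bypass": "AzureServices", "defaultAction": "Deny",
                "ipRules": [{"action": "Allow", "ipAddressOrRange": "100.100.100.0/24"}],
                "virtualNetworkRules": [{"action": "Allow",
                                         "virtualNetworkResourceId": "<subnet-id-placeholder>"}]}


def network_allows(rule_set: dict, client_ip: Optional[str] = None,
                   subnet_id: Optional[str] = None,
                   trusted_service: bool = False) -> bool:
    """Network-layer decision for one request against a storage account.
    Evaluation order: the `bypass` list (trusted Azure services only; az run
    on a workstation is an ordinary client), then explicit Allow rules for
    the caller's public IP or VNet subnet, then defaultAction."""
    if trusted_service and "AzureServices" in rule_set.get("bypass", ""):
        return True
    if client_ip is not None:
        addr = ipaddress.ip_address(client_ip)
        for rule in rule_set.get("ipRules", []):
            net = ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
            if rule.get("action") == "Allow" and addr in net:
                return True
    if subnet_id is not None:
        for rule in rule_set.get("virtualNetworkRules", []):
            if rule.get("action") == "Allow" and rule["virtualNetworkResourceId"] == subnet_id:
                return True
    return rule_set.get("defaultAction") == "Allow"


def diagnose_container_create(rule_set: dict, client_ip: str,
                              has_data_role: bool, auth_mode: str = "login") -> str:
    """Separate the two causes discussed for a failed `az storage container
    create`: the network rule set, and (with --auth-mode login) a missing
    data-plane role such as Storage Blob Data Contributor. With --auth-mode
    key the account key authorizes the request, so that role is not consulted."""
    if not network_allows(rule_set, client_ip=client_ip):
        return "blocked by network rules"
    if auth_mode == "login" and not has_data_role:
        return "missing data-plane RBAC role"
    return "ok"
```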
I am trying to create a nested ARM-template to deploy resources to subscriptions in different Azure AD tenants.
For guidance I used this site: Deploy Azure resources to more than one subscription or resource group
There it says "If the specified subscription exists in a different Azure Active Directory tenant, you must add guest users from another directory." which leads me to believe that this should be possible.
I have an account in Tenant A (6f16...) which is Azure AD Global Administrator and Contributor to the CSP Subscription (04c5...) which is assigned to Tenant A.
I have added this account in Tenant B (1ffc...) as "New guest user" and assigned him as Contributor to the Pay-As-You-Go Subscription (ebda...) and also made him Global Administrator in the Azure AD from Tenant B.
To keep it simple I used the first example template on the site which should deploy two storage accounts in two different resource groups and two different subscriptions.
In the parameters file I indicated for 'secondSubscriptionID' the subscription ID (ebda...) assigned to Tenant B (1ffc...) and an existing resource group in that subscription for 'secondResourceGroup':
...
"secondResourceGroup": {
"value": "existing-resource-group-in-Ten-B" },
"secondSubscriptionID": {
"value": "ebda..." },
...
I am trying to deploy it through Azure CLI:
az login -u <emailaddress> -p <pw>
az account set --subscription 04c5...
az group deployment create --resource-group "existing-resource-group-in-Ten-A" `
--template-file stor.temp.json --parameters @stor.para.json
I receive this error message:
Azure Error: CrossTenantDeploymentNotPermitted
Message: The template deployment tries to deploy resources to subscription 'ebda...'.
However, the current tenant '6f16...' is not authorized to
deploy resources to that subscription.
Please see https://aka.ms/arm-template/#resources for usage details.
I received the same error message in the Azure portal and with PowerShell. I also tried it with other tenants/subscriptions.
Am I missing some permissions? Is this even supported?
Is there a better way to deploy resources to multiple tenants than this one?
You log in to tenant A and set the subscription to 0c45 in tenant A, but
you reference subscription ebda in tenant B in your ARM templates.
You have to log in to and set tenant B / subscription ebda.
https://github.com/MicrosoftDocs/azure-docs-cli/issues/667
az login --username <myEmailAddress> -t <tenantIDofTenantB>
az account set --subscription <TenantBSubscriptionId>
az group deployment create ......