Set Service Hooks in TFS and create Azure Storage
I can't finish after setting:
Access denied: [XXX]\Project Collection Service Accounts requires the following usage rights on the StrongBox to perform this action: Create StrongBox Drawer
Maybe I need to have permissions?
Any idea how to solve this?
You need Edit subscriptions and View subscriptions permissions to set up a subscription.
By default, only project administrators have these permissions. To grant them to other users directly, you could also use tfssecurity.exe from the command line. For example:
tfssecurity /a+ /collection:https://dev.azure.com/fabrikam/DefaultCollection ServiceHooks PublisherSecurity/abcdef00-abcd-0000-0000-abcdef000000 ViewSubscriptions n:fabrikamfiber4#hotmail.com ALLOW
and
Copy
tfssecurity /a+ /collection:https://dev.azure.com/fabrikam/DefaultCollection ServiceHooks PublisherSecurity/abcdef00-abcd-0000-0000-abcdef000000 EditSubscriptions n:fabrikamfiber4#hotmail.com ALLOW
The GUID is the ID of the project. You can get it using the Projects REST API.
After this you should be able to create the service hook and save it.
Related
I have developed a logic app, which receives a post request with JSON Object and I create external user in azure active directory. Till here everything is fine. Now I want to grant permission to newly created user to access our sharepoint site. There is a solution using Plumsail action connector but I do not want to use it. I want to achieve this using microsoft graph api.
Can you help me to achieve this?
Best way I think is adding the user to a group (with the AD connector) or using dynamic group to pick up the user. Then you can have sharepoint license connected to the group and have sharepoint access on the group.
I've created and registered a web application via Azure Active Directory -> App Registrations.
Within my application manifest I've created a role (why there's no UI to do this is beyond me), and for now am planning on adding quite a few more.
However, I'm unable to assign users to the role I created via Azure Active Directory -> Enterprise Applications, as the Add, Edit, and Remove options are greyed out.
According to these docs, I need to be Global Admin to be able to set these. The only way I can do so is to keep pestering my network admin every time I want to assign users/groups to roles. This is obviously not a suitable solution, and as the registered application owner, it should be trivial for me to control the authorization levels of my application.
How is it possible for me to assign users & groups to the roles I create? If it's simply not possible without having to raise the issue with my global admin, what are my options?
Unfortunatelly, as per docs, you already went through, today only administrator can assign roles to an application.
There is a feature request to simplify that and Microsoft is working on a solution. If you give your vote, it will certainly make the request more important.
For time being it is only the Global Admin who can grant permissions to an Application.
I'm just starting on this, been going through the Microsoft documentation and the lightbulb hasn't come on yet...
How do I add a user to my subscription so they can login? From there I just need to limit them to Azure Media Services.
I've seen instructions on web for clicking a "Users" button from subscription, but I do not see that. I've tried adding a user through the Azure Active Directory as well with no luck...
Any ideas would be helpful.
Thanks!
James
OK, so I figured this out:
1) Add your user to Active Directory (I added guest user)
2) Go to subscriptions and to your IAM panel
3) Ensure that your new user has access to at least Read the subscription.
(When I did this it allowed me to view my Azure resources as other user)
4) From there I created a role in a JSON file and used New-AzureRmRoleDefinition -InputFile to import it. IMPORTANT: Make sure for permissions you have Microsoft.Media/* and Microsoft.Media/mediaservices/*
5) Once I did this I went to my Media Services IAM panel and added the user to my new Azure Media Services role.
6) Presto! It started working.
Thanks to all who responded to this thread!!!
I've tried adding a user through the Azure Active Directory as well
with no luck...
This is exactly what you need. Create a user in Azure Active Directory (at portal.azure.com) and grant them access to your subscription with the custom role to allow only Azure Media Services (I don't think there's a built-in role for that). To do that, follow the links (to create custom role, to create user and to assign user that role). I don't think you can create custom role using portal, so you will need REST API or powershell\CLI\SDK
Links:
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-what-is
https://learn.microsoft.com/en-us/azure/active-directory/add-users-azure-active-directory
I am new to Azure. I am getting myself confused very fast. My company has a project on Azure. We are looking to grant access to our external developers so they can log into our account and build a product for us ( setup a VM with mysql dbs and build an application ).
The only options I see are to invite users from another Active Directory or users who are in my own Active Directory? Is there no option to simply create a sign in credential for a user with say " email at gmail dot com" ?
What am I missing? I have created a Resource group but still can't invite anyone of our external consultants in there.
You can invite any user to manage your resources or your subscription.
There are 3 conditions for it:
You have the right to add it to your Azure AD
you are the owner of the subscription
The 'Guest user' already has an Azure account or a Microsoft Account
Then you have to go to:
Resources/Subscriptions
Access Control
Select a role (i.e. Contributor)
Type in the Account/Email of your external team member
check the checkbox and send the invitation
If you want to create generic users you can go straight forward to your AD and create a user i.e. developer1#contoso.onmicrosoft.com and add this user to the resource/subscription. Don't forget to take note of the credentials you created
So you would use Azure RBAC for that. Just click on the Resource Group > Access Control > Add.
You could also consult this blogpost for best practises.
If you just need them to develop and access SQL or a web App, you can pass the publish profile and SQL connection string to them.
Also, you can setup continous integration for the web App or virtual machine and pass git or GitHub or whatever source control you are using and pass the URL for the project, then they will commit the source code and fire a new build
I have an Azure Active Directory Application (and associated Service Principal). That Service Principal needs to be able to add and remove members from an Azure Active Directory Group...so I have added Read and write directory data under Application Permissions:
And I have code that uses the Client ID and Client Secret to get an Authentication Token an perform these operations using the Azure Graph API.
However, this permission is far too broad. I need the Application/Service Principal to only have the ability to add and remove members from specific groups (not all)...and not the ability to perform other types of operations.
Is there a way to do this?
Thank you.
There is a preview feature that partly fits your requirement: "Group.ReadWrite.All". It lets your principal create and update groups and their navigation properties (incl. members). It does not however reduce the permissions to modify only certain groups.
AAD permission scopes are described here: https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes
Preview features may be subject to change and you'll have to agree to reduced service terms etc.: https://azure.microsoft.com/en-us/services/preview/