I want to set multiple email ids in "Email Azure Resource Manager Role" while setting Monitoring Alerts through Azure Portal. I am not sure how to configure multiple user using above action. Could you please help.
In the Email Azure Resource Manager Role, there are just three options: Owner, Contributor, Reader. I am not sure what you mean by setting multiple email ids in "Email Azure Resource Manager Role". If you select a role, e.g. Owner, it will email all the members with the Owner role of the specific resource. In this scenario, if you want to add multiple emails, you need to add them with an Owner role in the Access control (IAM) in the portal (they need to be in the same tenant as your subscription), see this link.
If you just want to send emails to some other people, you may need to create an email group and add the email addresses which you need to the group. Then use the email group address in the Email option, since it can accept only one address.
We have an Azure account where all users/developers access the Azure resources by the organization email id, for example emailid#abc.com.
As the organization has grown, it has split the business into 2 different organizations now, and all the users'/developers' email ids are changed to emailid#xyz.com.
What is the recommended solution to seamlessly replace emailid#abc.com with emailid#xyz.com so that users/developers can access Azure resources with no issues? The users/developers have also subscribed their email ids for job success and failure alerts.
#abc.com is the primary domain in your Azure tenant. You can add your new custom domain name (#xyz.com) using the Azure Active Directory portal or O365 admin center.
Then set #xyz.com as the primary domain for all users. In this way, users can directly use the account with the new domain name to access Azure resources.
We invite Azure B2B guest users to our AD in order for them to access a web application. Part of this process also adds them as members of a specific security group.
What I have noticed is that a B2B user can log in - (https://account.activedirectory.windowsazure.com) - and is able to see the other members of the group that they are members of.
Given that this information contains customer email addresses then it presents issues relating to GDPR.
The AD Administration Portal user settings are set to "restrict access to Azure AD admin portal".
Any ideas how we could restrict B2B users from being able to enumerate group membership in this manner?
Let me list some facts:
The below part is a manual step that is not related to adding B2B guest user
Part of this process also adds them as members of a specific security group.
When you create a security group, all members can see the list of available information of other members
As guest users on Azure are identified using their email, the email addresses of all members of a security group will be visible to other group members
The workaround for this is to create a separate security group for each domain (i.e. each company or each group of users who have the same #xxxx.com in their email). Then gather all those groups in a single parent security group and assign access to that parent group.
This way, all guest users will have the same resource access, but each group will be able to see only information about members of their own subgroup.
I am trying to create a new alert to send a notification when a new permission is created, but I didn't get what I want.
This is what I am talking about:
As I understand, I think you are asking for an alert to be generated when a role assignment is made in your subscription. If yes,
You may use Azure Monitor for your use case.
In Azure Monitor blade, you need to create an alert as follows
a. Specify the target resource (in your case, your subscription),
b. Define an alert criteria (when you configure signal, choose administrative activity log > create role assignments / delete role assignments)
c. Create an action group. You can specify an email address to which the alerts will be sent
Once set up, every time a new role is assigned, an email alert will be sent to the email id specified in the Action Group.
You may explore Event Grids also for your scenario
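The steps in this answer (target the subscription, signal on role-assignment create/delete in the Administrative activity log, route to an action group) and the "Email Azure Resource Manager Role" option from the first thread, written as an Azure CLI script. This is an added example, not code from any of the posts above; the subscription id, resource group, action group name and e-mail address are placeholders, and the script only prints the `az` commands unless `APPLY=1` is set.

```shell
#!/usr/bin/env sh
# Added example (not from the original answers): an Azure Monitor activity-log
# alert at subscription scope for role-assignment writes and deletes, sent to an
# action group that e-mails a fixed address and everyone holding the Owner ARM
# role on the resource. Dry-run by default; set APPLY=1 to execute.
: "${APPLY:=0}"
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-security-alerts}"                      # placeholder
ACTION_GROUP="${ACTION_GROUP:-ag-iam-changes}"                              # placeholder
ALERT_EMAIL="${ALERT_EMAIL:-secops@example.com}"                            # placeholder
OWNER_ROLE_ID="8e3af657-a8ff-443c-a75c-2fe8c4bcb635"  # built-in Owner role definition id

# Execute the command, or print it when not applying.
run() { if [ "$APPLY" = 1 ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*"; fi; }

# Target resource: the whole subscription, so assignments made on any child
# resource group or resource are also caught.
alert_scope() { printf '/subscriptions/%s' "$SUBSCRIPTION_ID"; }

# Operation name behind "create role assignments" / "delete role assignments".
role_assignment_operation() { printf 'Microsoft.Authorization/roleAssignments/%s' "$1"; }

# Alert criteria in the format az monitor activity-log alert expects.
role_assignment_condition() {
  printf 'category=Administrative and operationName=%s' "$(role_assignment_operation "$1")"
}

alert_name() { printf 'alert-roleassignment-%s' "$1"; }

action_group_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/microsoft.insights/actionGroups/%s' \
    "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$ACTION_GROUP"
}

# Action group with two receivers: a plain e-mail and the "Email Azure Resource
# Manager Role" receiver for Owner (one role id per armrole action).
create_action_group() {
  run az monitor action-group create \
    --name "$ACTION_GROUP" --resource-group "$RESOURCE_GROUP" --short-name iamchg \
    --action email secops "$ALERT_EMAIL" \
    --action armrole owners "$OWNER_ROLE_ID"
}

# One alert rule per operation, since each rule carries a single condition.
create_alerts() {
  for op in write delete; do
    run az monitor activity-log alert create \
      --name "$(alert_name "$op")" --resource-group "$RESOURCE_GROUP" \
      --scope "$(alert_scope)" \
      --condition "$(role_assignment_condition "$op")" \
      --action-group "$(action_group_id)"
  done
}

create_action_group
create_alerts
```

Run it once without `APPLY` to review the commands, then with `APPLY=1` after `az login` and `az account set --subscription <id>`. The `write` rule covers both new assignments and changes to existing ones, and the `delete` rule catches removals, which are usually worth the same attention.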
I have two azure subscriptions, one personal, tied to my Microsoft ID, and another under a different Microsoft ID for a charitable organization where I am the one-man IT/web dev guy. I created the org's azure account/subscription myself. I can't figure out how to create websites, etc. under my personal MS ID login without logging in and out of the separate microsoft IDs to manage both sets of Azure resources.
Logging in with the org's MS ID, in the Azure portal I've made my personal ID a subscription admin (Subscriptions > Access Control > Add my personal MS ID, then right-clicked to make co-administrator). This is confirmed since now a right-click shows "Remove co-admin", so that implies it's correctly set up as a subscription co-admin. That user is also in the Owner role.
Step 2, in the Active Directory for the org subscription, Users and Groups > All Users > New User, added my personal MS ID. Then I select that user, click Directory Role on the left menu, and selected the Global Administrator radio button and save.
So now my personal MS ID user is a subscription co-admin and an AD Global admin in the org's Azure portal.
To check, if I then go to any resource group or App Service and look at Access control I see my personal MS ID user listed as an Owner for that resource and all other resources. So everything looks good.
So if I log out of the org ID and log in with my personal MS ID and go to the Azure portal, I see my usual personal Azure account resources. But I don't understand how to either see and manage those resources in the org's Azure subscription or how to switch subscriptions, or switch directories (it's not listed on the top right), and when creating a new resource, I have no option for the org's subscription to use. How do I see/manage those resources in the org's directory? Is this even possible? Or do I need to log out and log in with the org's MS ID, which is a major annoyance since it also logs me out of outlook etc. when I switch IDs.
Azure Subscriptions are "housed" within a specific Azure Active Directory Tenant. You should treat an AAD Tenant as the top level object structure, in that each Tenant is entirely separated from each other Tenant.
If you had multiple subscriptions within a single tenant, you would be able to sign in one time, and gain access to all those subscriptions.
However, since these subscriptions look like they are in different Tenants, there is no way to avoid logging in two times to access the two subscriptions. To expand on this, there would be no way to avoid logging in two times to access any unique objects across these two Tenants.
For me, the answer was
Access Azure portal login page
Click "Sign in as a different user"
type the exact same email address
select "School or Work account" option.
This one was tied to the Azure AD and they reset my password through there. Not sure it really helps you because signing in and out all the time is still a thing, but it took me far too long to get this right so I thought I'd share.
I am trying to give other users access to my resources in the Azure portal. I am trying to add them as a Contributor, but it seems like they are not able to see the resources when they login to the Azure portal.
Here's the access control list for the VM:
Any ideas why they can't see the resource when they login to the portal?
They are a Contributor.
When you add a user to an Azure subscription, s/he is also added to the directory if s/he isn't already there. This is considered an "invitation" that must be accepted before the user can get access. Tell the person to check their email, if this is the first time the email address has been added to a subscription in the directory. (Note that personal subscriptions are usually created along with a new directory whereas company subscriptions are usually in the company's directory.)
After accepting the invitation, s/he will need to switch to the directory before the subscription will be visible. You can do that in the top-right, like Juunas mentioned in the comment above. Here's a link to the directory switcher: https://portal.azure.com/#menu/account.
Steps to reproduce:
As owner:
Go to Resource Group you want to give access to:
Go to IAM:
Go to 'Add ROLE ASSIGNMENTS'
Search the name you want to give access to:
Select the Role (Contributor in your case)
Click Add and they will receive an email.
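The role-assignment steps above, and the per-domain guest group layout from the GDPR answer earlier on this page (one security group per e-mail domain, nested under a single parent group that holds the access), as one Azure CLI script. This is an added example, not code from any of the posts; the subscription id, resource group, guest domains and user principal name are placeholders, the Reader role granted to the parent group is an assumption (the earlier answer only says "assign access to that parent group"), and the `az` commands are printed rather than executed unless `APPLY=1` is set.

```shell
#!/usr/bin/env sh
# Added example (not from the original posts): per-domain guest security groups
# nested under one parent group that receives the role assignment, plus the
# direct "Add role assignment > Contributor" step from the last answer.
# Dry-run by default; set APPLY=1 to execute after az login.
: "${APPLY:=0}"
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-webapp}"                               # placeholder
PARENT_GROUP="${PARENT_GROUP:-webapp-guests-all}"                           # placeholder
GUEST_DOMAINS="${GUEST_DOMAINS:-contoso.com fabrikam.com}"                  # placeholder domains
NEW_CONTRIBUTOR="${NEW_CONTRIBUTOR:-jane.doe@example.com}"                  # placeholder UPN
PARENT_ROLE="Reader"   # assumption: the earlier answer does not name the role

# Execute the command, or print it when not applying.
run() { if [ "$APPLY" = 1 ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*"; fi; }

# Group name derived from the guest's e-mail domain, so members of one domain
# never share a group with another company's guests.
domain_group_name() { printf 'webapp-guests-%s' "$(printf '%s' "$1" | tr '.' '-')"; }

# Scope for the role assignments: the resource group from the last answer.
rg_scope() { printf '/subscriptions/%s/resourceGroups/%s' "$SUBSCRIPTION_ID" "$RESOURCE_GROUP"; }

# Create a security group and print its object id. In dry-run mode a labelled
# placeholder id is printed instead so the rest of the flow can be reviewed.
ensure_group() {
  if [ "$APPLY" = 1 ]; then
    az ad group create --display-name "$1" --mail-nickname "$1" --query id -o tsv
  else
    printf 'DRY-RUN: az ad group create --display-name %s --mail-nickname %s\n' "$1" "$1" >&2
    printf 'placeholder-id-for-%s' "$1"
  fi
}

build_group_tree() {
  parent_id="$(ensure_group "$PARENT_GROUP")"
  for domain in $GUEST_DOMAINS; do
    child_id="$(ensure_group "$(domain_group_name "$domain")")"
    # Nest the per-domain group under the parent; guests are added to the child only.
    run az ad group member add --group "$parent_id" --member-id "$child_id"
  done
  # A single assignment on the parent; nested members inherit it.
  run az role assignment create --assignee-object-id "$parent_id" \
    --assignee-principal-type Group --role "$PARENT_ROLE" --scope "$(rg_scope)"
}

# The last answer's portal steps (IAM > Add role assignment > Contributor) as one command.
add_contributor() {
  run az role assignment create --assignee "$NEW_CONTRIBUTOR" \
    --role Contributor --scope "$(rg_scope)"
}

build_group_tree
add_contributor
```

Guests are then added to their own domain group (the child), never to the parent, which keeps the membership list each guest can see limited to their own organisation while the access itself is managed in one place. The direct Contributor assignment still triggers the invitation e-mail described above when the user is new to the directory.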