I have a scenario where a partner has deployed a Bot in their test subscription and now they need to deploy the entire architecture
Q and A
LUIS
Cosmos DB for State Bot Service etc
to the client's own subscription.
What's the best way to do this?
Thanks
For your questions,
You should have access to the client's Azure subscription,
so that you can migrate the resources to the client's Azure subscription.
Thank you.
Eng Soon Cheah is correct, you would actually need to be able to have access to the client's Azure subscription.
You can take a look at the official docs on how to move a resource group here.
And here's a succinct blog that shows how to move a resource to a subscription that you have access to.
Double check the official docs' checklist of things to move a resource, as you might be in the situation where you'd need to contact Support instead of self-service.
Related
We just started recently using App Configuration Service in Azure for some of our applications.
As part of the setup, we removed Access Keys as a possible authentication method. This works pretty well, we have assigned dataowner rights to our team so that they can manage the service and everyone is happy.
We came up with the brilliant idea of using the app config service in our build and release yaml pipelines. We found a suitable task, but the user that is attached to the service connection that we use in Azure DevOps to deploy to Azure does not have the rights to access the configuration store.
We want to be able to assign this right in the arm template we created for the app config service. The issue though is that we cannot find the principal id assigned to that user.
Honestly, I am not that experienced with AAD, so I am probably missing something here. The ServicePrincipleId does not work, whenever I try to use it, Azure tells me that that user does not exist. I get redirected to an app-registration page whenever I try to manage the service connection, which I don't understand either.
Next steps for me will be to get our admin to manually assign this right to the Service Connection User and see if I can extract the principal Id from that role assignment.
My question(s) would be, why doesn't the service principal work? How do I extract the principal id from the service connection?
Could you please try the steps below?
In Azure DevOps, go to the project that contains your target pipeline. In the lower-left corner, select Project settings.
Select Service connections.
Select Manage Service Principal.
From there, you should be able to find the objectId of your Service Principal, which uniquely identifies your SP.
Also these posts are great resources to learn about AAD Apps and Service Principals:
https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals
https://stackoverflow.com/questions/54066287/azure-service-principal-id-vs-application-id#:~:text=objectId%20will%20be%20a%20unique,will%20be%20same%20as%20appId%20.
So I'm wanting to send emails from a Microsoft account using OAuth2 and everything I am reading says I need to set up some things in Azure Active Directory (for app registration to get a client secret and all this stuff) which I can do when I follow their instructions but everything seems to be contingent on an active Azure subscription which seems to cost a heck of a lot of dollars and cents.
I can create an account for free but that's only for up to a year. So am I wrong in thinking I won't be able to do this unless I pay heaven-knows-what for an Azure subscription?
I'm going by these instructions:
https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
If you only want to register the application in Azure AD to obtain the client secret and other basic settings about the application, you do not need to subscribe.
I want to create a user in the Azure portal with read-only access to all resources in all of my subscriptions.
This user should not be able to modify anything in any of my available subscriptions.
It seems you are trying to add a user who should have read-only access to all resources in all of your subscriptions, and this user should not be able to modify anything on the tenant.
So the best way is to add that user to the Global Reader role (can read everything that a global administrator can, but not update anything), which provides authority to access all resources in all of your subscriptions but cannot modify anything among the available subscriptions.
Hope this would help you.
This only covers Azure Active Directory resources. If you are trying to give read-only to Azure SUBSCRIPTION Resources, add the users to the Azure Role: "Readers".
The best recommendation here will be to add users with the reader permission to each subscription.
You would need to set your RBAC assignments per subscription. In case you have many subscriptions, you can automate this with a Logic App making requests to the Management API. Reference here. So in your Logic App, you basically get a list of subscriptions, and then iterate over them, and make the RBAC add assignment request for each of the subscriptions and for your given user(s).
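The per-subscription loop described in the answer above, sketched as an added example (not code from the thread): it builds the Management API role-assignment requests for the built-in Reader role without sending them. The function names, the sample subscription list and the sample object ID are constructed for illustration; skipping non-enabled subscriptions is an assumption about what the job should do.

```python
import uuid

# Built-in "Reader" role definition GUID, identical in every tenant.
READER_ROLE_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
API_VERSION = "2022-04-01"  # Microsoft.Authorization/roleAssignments
ARM = "https://management.azure.com"
AUTHZ = "providers/Microsoft.Authorization"

# Constructed sample, shaped like the "value" array of GET /subscriptions.
SAMPLE_SUBSCRIPTIONS = [
    {"subscriptionId": "11111111-1111-1111-1111-111111111111", "state": "Enabled"},
    {"subscriptionId": "22222222-2222-2222-2222-222222222222", "state": "Enabled"},
    {"subscriptionId": "33333333-3333-3333-3333-333333333333", "state": "Disabled"},
]
SAMPLE_PRINCIPAL = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"  # constructed object ID


def reader_assignment_request(subscription_id, principal_object_id):
    """Build the PUT request that grants Reader on one whole subscription."""
    scope = f"/subscriptions/{subscription_id}"
    # The assignment name is a caller-chosen GUID. Deriving it from scope,
    # role and principal means a re-run addresses the same assignment.
    name = uuid.uuid5(uuid.NAMESPACE_URL,
                      f"{scope}|{READER_ROLE_ID}|{principal_object_id}")
    return {
        "method": "PUT",
        "url": f"{ARM}{scope}/{AUTHZ}/roleAssignments/{name}"
               f"?api-version={API_VERSION}",
        "body": {"properties": {
            "roleDefinitionId": f"{scope}/{AUTHZ}/roleDefinitions/{READER_ROLE_ID}",
            "principalId": principal_object_id}},
    }


def plan_reader_assignments(subscriptions, principal_object_ids):
    """Return (requests, skipped): one request per enabled subscription and principal."""
    requests, skipped = [], []
    for sub in subscriptions:
        if sub.get("state") != "Enabled":
            skipped.append(sub["subscriptionId"])
            continue
        for pid in principal_object_ids:
            uuid.UUID(pid)  # principalId is an object ID (GUID), not an e-mail/UPN
            requests.append(reader_assignment_request(sub["subscriptionId"], pid))
    return requests, skipped


if __name__ == "__main__":
    planned, skipped = plan_reader_assignments(SAMPLE_SUBSCRIPTIONS, [SAMPLE_PRINCIPAL])
    for req in planned:
        print(req["method"], req["url"], req["body"])
    print("skipped:", skipped)
```

Sending the planned requests needs a bearer token for a caller that is allowed to write role assignments on each subscription (for example Owner or User Access Administrator).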
How do I change the Owner? I want to be able to change the owner of the app because the other person is too busy. Please help. Thanks!
Any LUIS app is defined by its Azure resources, which is determined by the owner's subscription. You have to keep in mind that LUIS allows the transfer of ownership of your subscription but not transferring ownership of a resource.
If you want to transfer ownership of your subscription, then you need to follow the steps below:
For users who have migrated - authoring resource migrated apps: As the owner of the resource, you can add a contributor.
For users who have not migrated yet: Export your app as a JSON file. Another LUIS user can import the app, thereby becoming the app owner. The new app will have a different app ID.
Also, you can move your LUIS app under these scenarios:
Move apps between LUIS authoring resources.
Move resource to a new resource group or subscription.
Move resource within same subscription or across subscriptions.
Hope this helps.
After thinking twice, I think a LUIS App Collaborator can perhaps help with your problem.
Ask the owner to log in to the app, go to MANAGE > Application Settings > Collaborators, and just add the other people as collaborators. Then the other people can log in to the LUIS app on their own to work together.
A company that we hired to develop our software created an Azure account where they have our database, API, etc. Recently we decided to have our own Azure account and our plan is to move all the resources that are on the vendor's Azure account to our own.
Is it possible to move all the services from the vendor account to ours? If so, can you guys point me in the right direction?
The boundary for resources in Azure is the "Subscription". All you need to do is change the subscription for the resources.
In the Azure Portal, select the Resource Group with the resources that you want to move to your control. Then change the Subscription ID to yours.
You cannot move all types of resources. Some you will need to recreate. This link provides more details:
https://learn.microsoft.com/en-gb/azure/azure-resource-manager/resource-group-move-resources#services-that-enable-move