The Google Cloud Error Reporting documentation states that the service account permission should be 'project > owner'. This does work; however, it seems to be a possible security issue and bad practice. However, I could not find any other permission level that allows reporting errors with the Error Reporting library. If somebody has a more secure solution, I would love to hear it.
You are right, it is a bad practice to use the project owner role on a service account. If you want to use your service account to report errors with the Error Reporting library, you can update your service account in the console by going to "IAM & admin" -> "ROLES" -> click to edit your service account and add the "Error Reporting Admin" role; this should work for you.
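An added example (not from the answer above) of auditing for the over-privileged pattern the question describes: given a project IAM policy as returned by `gcloud projects get-iam-policy PROJECT --format=json`, find service accounts bound to roles/owner and move them to the narrower Error Reporting role the answer names. The policy, project and account names below are constructed.

```javascript
// Constructed IAM policy in the shape gcloud prints: one over-privileged service account.
const policy = {
  bindings: [
    { role: "roles/owner", members: ["user:alice@example.com", "serviceAccount:error-reporter@my-project.iam.gserviceaccount.com"] },
    { role: "roles/viewer", members: ["serviceAccount:ci@my-project.iam.gserviceaccount.com"] },
  ],
};

// Role id of "Error Reporting Admin" as named in the answer. roles/errorreporting.writer
// is narrower still if the account only ever submits error events.
const ERROR_REPORTING_ROLE = "roles/errorreporting.admin";

// Service accounts that hold roles/owner: each one is a finding.
function findOwnerServiceAccounts(p) {
  const owner = p.bindings.find((b) => b.role === "roles/owner");
  return owner ? owner.members.filter((m) => m.startsWith("serviceAccount:")) : [];
}

// Return a new policy (input is not mutated) with those accounts removed from
// roles/owner and added to replacementRole, dropping any binding left empty.
function narrowOwnerServiceAccounts(p, replacementRole) {
  const toMove = new Set(findOwnerServiceAccounts(p));
  const bindings = p.bindings
    .map((b) => ({
      role: b.role,
      members: b.role === "roles/owner" ? b.members.filter((m) => !toMove.has(m)) : [...b.members],
    }))
    .filter((b) => b.members.length > 0);
  let target = bindings.find((b) => b.role === replacementRole);
  if (!target) {
    target = { role: replacementRole, members: [] };
    bindings.push(target);
  }
  for (const m of toMove) if (!target.members.includes(m)) target.members.push(m);
  return { ...p, bindings };
}

// All roles a given member holds in a policy (handy for before/after comparison).
function rolesOf(p, member) {
  return p.bindings.filter((b) => b.members.includes(member)).map((b) => b.role);
}

for (const sa of findOwnerServiceAccounts(policy)) console.log(`FINDING: ${sa} holds roles/owner`);
const narrowed = narrowOwnerServiceAccounts(policy, ERROR_REPORTING_ROLE);
console.log(JSON.stringify(narrowed.bindings, null, 2));
```

The narrowed policy can be applied with `gcloud projects set-iam-policy PROJECT policy.json`; review the whole file first, since set-iam-policy replaces all bindings.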
I have delegated access to Azure resources in a third-party tenant using Lighthouse, and this works fine via the portal; users receive the roles expected (typically Contributor).
However, they are unable to access Kudu (at webappname.scm.azurewebsites.net), receiving an error:
Selected user account does not exist in tenant 'Tenant Name' and
cannot access the application 'abfa0a7c-a6b6-4736-8310-5855508787cd'
in that tenant. The account needs to be added as an external user in
the tenant first. Please use a different account.
If the same user account is added as a guest to the third-party tenant and given the same role, they can access Kudu as expected.
It's clear that Kudu is expecting/demanding an account in the same tenant as the application, but Azure Lighthouse delegated permissions are all about not having to do that.
Is there something I'm missing, or another role that needs granting?
@PhilD, thanks for the detailed description of the scenario. I have also posted this on your Q&A thread.
Currently, Kudu is not compatible with Lighthouse-delegated permissions.
Our product engineering team is working on it; however, we do not have an exact ETA to share.
We’re expecting it to be available in a few months. Please note that this timeline is just an estimate and is subject to change, depending on a myriad of factors.
I have relayed the feedback internally to our product engineering team and it’s being tracked.
On a side note, as mentioned in this Kudu wiki:
“Only those with Contributor / Owner access (to be exact, with microsoft.web/sites/publish/action or, for slot, microsoft.web/sites/slots/publish/action) can access to Kudu (SCM).”
I much appreciate your valuable feedback on this. Thanks for your patience!
I am trying to access Azure Active Directory group information but got the error below.
I tried many ways but cannot find out the exact reason.
Config Information:
I provided my Azure AD group ID and connected with my email myemail@outlook.com.
It seems you have configured your Azure Active Directory Logic App connector with your personal Microsoft account. As per my understanding, you can't achieve it with myemail@outlook.com; you have to log in with a YourOrgEmail@YourTenant.onmicrosoft.com email. See the screenshot below:
Your Case:
I have successfully reproduced your problem and configured it with my organizational email, and it succeeded. See the screenshot below:
Permission:
I have also noticed that permission could also be the issue. In that case you might encounter an insufficient privilege (401) error. So you need at least the following permission:
Permission Type: Application
Permission Name: Group.Read.All
See the screenshot below:
For more details you could take a look at this official doc.
I am trying to do some experimentation with MSAL JS and ADAL JS libraries. I was able to get MSAL JS working fine by doing configuration at Azure Active Directory => "App Registrations (preview)". However when I switched to ADAL JS I get an error about needing version 2.0, so I think I need to use the regular "App Registrations" screen.
However, when I click on the regular "App Registrations" button I get:
Access Denied
You do not have access
Looks like you don't have access
to this content. To get access, please contact the owner.
I think it's odd that I can access the "preview" app registrations screen but not the regular one.
I saw somewhere online somebody suggested making changes at "User Settings", but that screen gives me the same error message. Going to "Users" I see 0 users, and it won't let me add any (the plus is greyed out).
The account I am using is just a personal account, it is not tied to any organization so there is no admin. I assume I should have full permission or be able to give it to myself, but can't figure out how.
Getting a Trial Azure account fixed this problem, so it appears one is needed to use the "App Registrations" section.
It is still a little unclear why an account is not needed for the preview mode, however.
Also, it would be nice if Azure would show a proper message saying an account is needed instead of an error message, but that is a minor point.
I'm having a problem that I cannot find any information on anywhere on the Internet. I'm sharing an Azure directory with a number of my cohorts, and as such, any number of us might be working on a Resource in the Portal. However, when anyone creates a Bot Service, nobody else can access that Resource. Mind you, whoever creates the Bot Service can do whatever they want with it, but anyone else will see the error "Unable to find the bot with the specified id." (Written as is.)
We know that there's no problem with permissions, as everyone has full access to everything, and the problem only seems to be present for the Bot Service Resource.
UPDATE
All righty; so the problem's been solved. In order to avoid this error, I had to go to the dev.botframework.com website (where MSDN Bot Framework bots are hosted). Then, I went to the "Edit" section in the details panel on the bot's info page:
Next, I added the email addresses (corresponding to the appropriate Azure accounts) of the users who I wanted to have access to the bot to the Admin section's list of Owners:
And that's all there was to it. Would have been a lot simpler to figure out if there was a better error message! Jeeeeeeez.
I'm getting the following error when non-global admin users are trying to access graph explorer 2 within our tenant:
Additional technical information:
Correlation ID: 2346b0f5-bb5f-4138-8f9d-07fa96dcf02f
Timestamp: 2015-05-29 17:18:48Z
AADSTS90093: Calling principal cannot consent due to lack of permissions.
From within Azure we have "users may give applications permission to access their data" set to use. We also have "users may add integrated applications" to yes.
Just wanted to check which URL you are going to. We have 2 "graph explorers" - one is for exploring Azure AD Graph API, while the other (called API explorer) is for exploring the Office 365 unified API.
If you are going to https://graphexplorer2.cloudapp.net - this is (AAD) graph explorer, and should not require admin permissions. Please let us know if this is what you are using and if this is causing issues.
If on the other hand you are going to https://graphexplorer2.azurewebsites.net - this is the API explorer, and due to the number of APIs it requires access to, it currently requires admin consent. We'll look into a way to reduce the number of scopes that this requires access to, to get to a place where users can consent (but that's not the case currently).
Hope this helps,
I ran into this issue today and here is what I did:
Log in to your AD application in the classic portal (https://manage.windowsazure.com/).
Under the "Configure" section, there is "permissions to other applications"; look at the "delegated permissions" for "Windows Azure Active Directory".
Make sure you pick the correct permissions for your app. Normally, "Sign in and read user profile" is enough for a user to log in.
For more information you can take a look at this link: https://graph.microsoft.io/en-us/docs/authorization/permission_scopes
I worked on a Skype for Business Online use case (Web API). I faced this issue for users who are not global admins, the users who were added by the global admin.
I managed to resolve the issue by passing the extra parameter prompt=admin_consent.
// Implicit-flow authorize URL; prompt=admin_consent asks a tenant admin to consent once on behalf of all users
var href = 'https://login.microsoftonline.com/common/oauth2/authorize?response_type=token&client_id=';
href += encodeURIComponent(client_id) + '&resource=' + encodeURIComponent('https://webdir.online.lync.com') + '&redirect_uri=' + encodeURIComponent(window.location.href) + '&prompt=admin_consent';
For more details visit the link https://blogs.msdn.microsoft.com/exchangedev/2014/03/25/using-oauth2-to-access-calendar-contact-and-mail-api-in-office-365-exchange-online/
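An added example (not the answer's own code) of the same v1 authorize request built safely: every parameter goes through URLSearchParams, a state value is sent and checked when Azure AD redirects back, and an error response such as AADSTS90093 is surfaced instead of silently yielding no token. The client_id, redirect_uri and token values are constructed placeholders.

```javascript
// Build the v1 endpoint implicit-flow URL the answer describes (response_type=token).
function buildAuthorizeUrl({ tenant = "common", clientId, resource, redirectUri, state, prompt }) {
  const url = new URL(`https://login.microsoftonline.com/${tenant}/oauth2/authorize`);
  url.searchParams.set("response_type", "token");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("resource", resource);
  url.searchParams.set("redirect_uri", redirectUri); // URLSearchParams percent-encodes it
  url.searchParams.set("state", state);              // echoed back unchanged; verified below
  if (prompt) url.searchParams.set("prompt", prompt); // "admin_consent": one-time tenant-wide consent
  return url.toString();
}

// Parse the fragment Azure AD appends to redirect_uri:
// "#access_token=...&token_type=Bearer&expires_in=...&state=..." on success,
// "#error=...&error_description=...&state=..." on failure (e.g. AADSTS90093 when a
// non-admin user cannot consent). Rejects responses whose state does not match.
function parseImplicitResponse(fragment, expectedState) {
  const params = new URLSearchParams(fragment.replace(/^#/, ""));
  if (params.get("state") !== expectedState) throw new Error("state mismatch: response is not for this request");
  if (params.has("error")) throw new Error(`${params.get("error")}: ${params.get("error_description") || ""}`);
  const token = params.get("access_token");
  if (!token || params.get("token_type") !== "Bearer") throw new Error("no bearer token in response");
  return {
    accessToken: token,
    expiresIn: Number(params.get("expires_in")),
    resource: params.get("resource"), // v1 echoes the resource the token is scoped to
  };
}

// Demo with a constructed state; in a browser generate it with crypto.getRandomValues and
// keep it in sessionStorage until the redirect returns.
const demoState = "c0nstructed-state";
console.log(buildAuthorizeUrl({
  clientId: "00000000-0000-0000-0000-000000000000",
  resource: "https://webdir.online.lync.com",
  redirectUri: "https://app.example.com/callback",
  state: demoState,
  prompt: "admin_consent",
}));
```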