All Users Visible to External Users in myapps.microsoft.com Azure AD - azure

We have an Azure Active Directory Enterprise Application which we have invited users to use. We can invite any email address and they can sign up, then they can go to myapps.microsoft.com and see the app, this is all working great.
However, one problem: on the right-hand side of myapps.microsoft.com (aka https://account.activedirectory.windowsazure.com/r#/applications) there's a group icon:
When I click on this groups icon and then All Users, I can see every single user inside our instance of Azure AD. How can I prevent this?

You can enable "Guest user permissions are limited" from portal.azure.com -> Azure Active Directory -> User settings -> External collaboration settings. This should prevent guests from seeing other users. If this is not enabled, guests can see a full user list at e.g. portal.azure.com.

Related

Azure Boards unable to add users

We have Azure DevOps portal for our organization and our Active Directory is connected to it. I have enough privileges to add new users to the DevOps portal.
Recently I have seen that whenever I am trying to add new users I am getting the below error:
The user is added to the AAD. He is an active user and belongs to the same organization. I have cleared the cache and tested it.
Still, I am unable to add the user because of the issue.
Is there anything that I can do to rectify this, before approaching the support?
You are trying to invite a user from outside your directory. ...
To solve this issue, you need to grant the Guest Inviter role to your account in Azure AD (Active Directory).
You could navigate to Azure Portal -> Azure Active Directory -> Roles and administrators -> Search Guest Inviter.
Then you could assign the Guest Inviter role to your account.
In this case, you could invite the user successfully.
For more detailed info, you could refer to this doc about Add external users to your organization.
It's been a couple of hours since your question posted. Does it work now? Your statement that the user is in your AAD, plus the error message that the user is outside your directory, suggests the possibility that maybe waiting might fix it.

How to add another Classic Administrator?

I need to let someone access a SQL Database and have no time to study and catch up with all the constantly morphing AD stuff, so I want to make her one of the existing subscription Co-Administrators added 9 years ago. I just want to add her (i.e. her Microsoft account) as a Classic Administrator.
Under IAM, Classic Administrators, I clicked Add, Co-Administrator, and a list of five email-like strings showed up. (I don't know whether these represent e-mail addresses or Microsoft accounts.)
How do I add another Microsoft account to this list so that I can make her a Co-Administrator?
If the Microsoft account (i.e. the email address you see in the list in your question) does not exist in the same Azure AD tenant as the subscription, you need to invite her (i.e. the Microsoft account) to the tenant first: navigate to Azure Active Directory in the portal -> Users -> New Guest User. Note: don't forget to accept the invitation email.
Then the Microsoft account will be a guest user in your tenant; just navigate to your subscription and add a co-administrator, where you can search for the Microsoft account (i.e. the email address).
I need to let someone access a SQL Database
I am not sure whether you mean to let her access the SQL database at the management tier or the data tier. If you want her to access the data tier, e.g. do operations on the data in the tables, you will also need to configure the Active Directory admin on the SQL Server: navigate to the SQL Server in the portal -> Active Directory admin -> Set admin -> invite the user you want -> Save. More details: https://learn.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure

Adding members to a Group as a Group Owner in Azure Portal for an Azure AD tenant

As a POC, I created a guest user, e.g. 'OwnerABC#website.com', and made the user a Group Owner. According to the documentation and my group settings, I should be able to add members to/modify the group as the Group Owner, but I'm unable to do so. When I log in as 'OwnerABC#website.com' in the Azure Portal UI, I change to the correct tenant and I do not see any groups or users.
I also tried going to myapps.microsoft.com and I try adding a user. The search returns empty for any user I want to add to the group that I'm the owner of. It then gives me an unexpected error page.
What other privileges does the Group Owner need, or is there somewhere else that a Group Owner who is not a global administrator needs to go to make changes to the group?
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-manage-groups
Most probably the "User Settings" for "External Users" in your Azure Active Directory is set to "Yes" for the "Guest users permissions are limited" setting. When this setting is set to "Yes" (the default), guest users aren't able to do certain tasks like enumerating users, groups and other directory resources.
See screenshots below for checking this setting and description.
Go to Azure Portal > Azure Active Directory > User Settings > Manage External Collaboration Settings (under External Users)
On clicking "Manage external collaboration settings" you should see
So now you have 2 possible ways to achieve what you're looking to do:
Change this setting to "No". Once you've changed the setting, try to log in to the Azure Portal as the external user OwnerABC#website.com again and you should be able to see other users. (Just give it a couple of minutes after changing the setting for this to reflect. It took a little time in my case at least.)
As you can understand, the setting above is generic and applies to all guest users in your directory. If you want to do something special only for this guest user, then don't change the setting and let it stay at "Yes", but assign an appropriate "Directory role" to user OwnerABC#website.com. This way only this guest user gets to see other users and not all other users.
Assigning a "Directory role" can be done by navigating to Azure AD > Users > Specific User (OwnerABC#website.com) > Directory role > Add role
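A way to check this setting outside the portal, as an added example that is not from any of the answers on this page: it evaluates a tenant's Microsoft Graph authorizationPolicy, whose guestUserRoleId backs the "Guest user permissions are limited" switch discussed in this answer and in the first answer at the top of the page, and whose allowInvitesFrom relates to the Guest Inviter role mentioned in the Azure Boards answer. It runs over constructed sample responses (not real tenant data); the role GUIDs are the documented well-known values, and Python 3 is assumed.

```python
import json

# Well-known guestUserRoleId values of the Microsoft Graph authorizationPolicy
# (portal label: "Guest user permissions are limited" / "Guest user access restrictions").
GUEST_ROLE_LEVELS = {
    "a0b1b346-4d3e-4e8b-98f8-753987be4970": "member",      # guests see everything members see
    "10dae51f-b6af-4016-8d66-8c2a99b929b3": "limited",     # "permissions are limited" = Yes (default)
    "2af84b1e-32c8-42b7-82bc-daa82404023b": "restricted",  # guests see only their own objects
}

# Constructed samples of GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy
# (fetch the real one with: az rest --method get --url <that URL>). Not real tenant data.
WEAK_POLICY = json.dumps({
    "id": "authorizationPolicy",
    "allowInvitesFrom": "everyone",
    "guestUserRoleId": "a0b1b346-4d3e-4e8b-98f8-753987be4970",
})
HARDENED_POLICY = json.dumps({
    "id": "authorizationPolicy",
    "allowInvitesFrom": "adminsAndGuestInviters",
    "guestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3",
})


def assess_guest_access(policy_json: str) -> dict:
    """Return the guest permission level and a list of findings for one tenant policy."""
    policy = json.loads(policy_json)
    level = GUEST_ROLE_LEVELS.get(policy.get("guestUserRoleId", ""), "unknown")
    findings = []
    if level == "member":
        # This is the state behind the question: guests can enumerate every user and group.
        # Fix: PATCH the same URL with {"guestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3"}.
        findings.append("guests have member-level directory read: they can list all users/groups")
    elif level == "unknown":
        findings.append("unrecognised guestUserRoleId; inspect the policy manually")
    if policy.get("allowInvitesFrom") == "everyone":
        findings.append("any user, guests included, can invite further guests")
    return {"guest_level": level, "findings": findings}


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, assess_guest_access(pol))
```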

One login for multiple Azure subscriptions?

I have two Azure subscriptions, one personal, tied to my Microsoft ID, and another under a different Microsoft ID for a charitable organization where I am the one-man IT/web dev guy. I created the org's Azure account/subscription myself. I can't figure out how to create websites, etc. under my personal MS ID login without logging in and out of the separate Microsoft IDs to manage both sets of Azure resources.
Logging in with the org's MS ID, in the Azure portal I've made my personal ID a subscription admin (Subscriptions > Access Control > Add my personal MS ID, then right-clicked to make co-administrator). This is confirmed since now a right-click shows "Remove co-admin", so that implies it's correctly set up as a subscription co-admin. That user is also in the Owner role.
Step 2: in the Active Directory for the org subscription, Users and Groups > All Users > New User, I added my personal MS ID. Then I selected that user, clicked Directory Role in the left menu, selected the Global Administrator radio button and saved.
So now my personal MS ID user is a subscription co-admin and an AD Global admin in the org's Azure portal.
To check, if I then go to any resource group or App Service and look at Access control, I see my personal MS ID user listed as an Owner for that resource and all other resources. So everything looks good.
So if I log out of the org ID and log in with my personal MS ID and go to the Azure portal, I see my usual personal Azure account resources. But I don't understand how to either see and manage those resources in the org's Azure subscription or how to switch subscriptions, or switch directories (it's not listed on the top right), and when creating a new resource, I have no option for the org's subscription to use. How do I see/manage those resources in the org's directory? Is this even possible? Or do I need to log out and log in with the org's MS ID, which is a major annoyance since it also logs me out of Outlook etc. when I switch IDs?
Azure Subscriptions are "housed" within a specific Azure Active Directory Tenant. You should treat an AAD Tenant as the top level object structure, in that each Tenant is entirely separated from each other Tenant.
If you had multiple subscriptions within a single tenant, you would be able to sign in one time, and gain access to all those subscriptions.
However, since these subscriptions look like they are in different Tenants, there is no way to avoid logging in two times to access the two subscriptions. To expand on this, there would be no way to avoid logging in two times to access any unique objects across these two Tenants.
For me, the answer was:
Access the Azure portal login page.
Click "Sign in as a different user".
Type the exact same email address.
Select the "School or Work account" option.
This one was tied to the Azure AD and they reset my password through there. Not sure it really helps you, 'cos signing in and out all the time is still a thing, but it took me far too long to get this right so I thought I'd share.

How to access active directory by multiple user in MS Azure

I have an Active Directory in MS Azure. I want my colleagues to use the same directory so that we can do some R&D on it. I have already created users for them using their Hotmail IDs. I have also changed their user role to "Global Admin". They can't see any option to access the same Active Directory after logging in. Is there any way they can use a URL like
https://manage.windowsazure.com/#IamNewInAzurehotmail.onmicrosoft.com#Workspaces/All/dashboard
and log in with their Hotmail account?
You need to add him to the Administrators list in the Settings section of the Azure portal.
Steps:
Log in to the Azure Portal as the root administrator.
Go to the left panel and select Settings.
Go to the Administrators tab in the right-hand pane.
Click the Add button in the task pane and add his Hotmail or organisation ID as a Co-Administrator. Select the subscription in which you want to allow him.
Click the tick mark to apply these settings.
