Azure VM - Start / Power-On with RDP or PowerShell - azure

Kid went off to college - wants to use his Surface RT to access a VM I created for him on Azure.
Anyone have a way to power the VM on & off without giving him the keys to my Azure account?
If there isn't a way to do it in PS or RDP, is there a script I could put on a .NET site that he could http to, to start and stop the VM?

Create or add a user account for him, then give the user the VM Contributor role. When he logs in to the portal with his credentials he should only have access to stop and start the VM.
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-what-is
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles#virtual-machine-contributor

Agree with Hannel: you can create an Azure AD user for your kid, then grant him the resource permission, and he can log in to the Azure portal to start or stop that VM.
You can create an Azure AD account by following this article.
Then you can grant permission to that account, like this:
You can give him the Owner role, or you can select Virtual Machine Contributor (can manage virtual machines, but not the virtual network or storage account to which they are connected) for him. For more information about Azure built-in roles, please refer to this article.
You can also define a new role for him; for custom roles, please refer to this article.
Hope this helps.

Related

Can I log into Azure Portal using Service Account Certificate?

Stuff in Azure are secured with Service Accounts. In order for me to see stuff I need to download the Service Account certificate and then log in via the Azure CLI using the extracted certificate and the Service Account Application Id. So now I can see everything the Service Account can see, great. But it is a pain in the neck and slow. So my question: Can I use the same certificate and credentials to log into the Azure Portal website so I can browse around using the web browser instead?
Using a Service Principal for interactive logins to the Azure Portal is not possible - which is by design. In order to be able to see the same resources as the Service Principal through the Azure Portal, you would require a user account that holds the Azure RBAC Reader role against those resources that are in scope of the Service Principal role assignments.
As you mentioned performance being an issue with using the Service Principal login, you could try Azure Resource Graph queries. These are supported by Azure CLI, Azure PowerShell as well as all the major Azure SDKs. Obviously, this won't bring you the visual experience like the Azure Portal but might resolve the performance piece maybe.
However, requesting/creating a user account that has the corresponding RBAC roles assigned would be the only way to allow you to see the resources through the Azure Portal.

Azure Active Directory + Active Directory

Can you guys help me with a question?
I have an ADDS created on Azure and a Windows Server 2019 (Active Directory) virtual machine hosted on Azure as well.
I'm having problems changing the attributes and using the logon hours options through the user's account... "You do not have permission to change the logon hours attribute, your changes won't be saved".
On Windows Server 2019, I have the enterprise admin permission.
On Azure, I have the administrator permission and am still having these issues.
Can someone give me a clue to solve this?
Thanks.
• In Azure ADDS, you will have to add the ID you sign in with on the Windows Server VM, i.e., the Azure ADDS DC, to the Azure AD DC Administrators group in your Azure AD tenant. Once you have added your user ID to this group, you will be able to configure the ‘logon hours’ attribute in the managed domain joined Windows Server VM.
• Also, though you are the administrator, it is not clear what permissions you are assigned. As a result, you need to be assigned the ‘Domain Services Contributor’ Azure role for creating the required Azure ADDS resources along with the ‘Application Administrator’ and ‘Groups Administrator’ Azure AD roles in your tenant.
Thus, if you ensure that the above changes are done, you will surely be able to change the ‘logon hours’ attribute. Please find the below snapshot for your reference:
To know more about this, kindly follow the below links:
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-management-vm#administrative-tasks-you-can-perform-on-a-managed-domain
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance-advanced#prerequisites

Shared or private resources on azure portal

My company has a Microsoft account (office365, mails, ...)
I plan to work with azure virtual machines.
There is something strange: all my virtual machines and all my azure resources (websites, ...) are private. My colleagues cannot manage them. They can connect with ssh but they don’t see an entry in their azure portal account.
Is there a way to share all the azure resources in the whole company, for all users ?
Thanks
You have to assign a role to see Azure resources. In Azure we have a bunch of predefined roles, for example Reader. If you assign the Reader role at the subscription level, the member can read all resources located in that subscription, but cannot make any changes. Here you can read more about role-based access control.
Why can users connect to the VM, but can't see it in the portal? My bet is that the VM ports are not blocked and all of the internet can connect to those VMs.

Manage / debug virtual machines on someone elses azure subscription

I have two users, A and B. Both users have azure subscriptions. User A creates a VM, running some software, but wants to grant User B access to administer / debug this virtual machine.
We've added User B as an owner of the virtual machine on User A's subscription, but they are not able to see the virtual machine.
Is there a way of doing this?
If there is, are we going about it the right way?
Is there a way of doing this?
Yes, we can do this: we can invite user B to manage user A's resource group.
are we going about it the right way?
We can do it via Azure portal.
1. Invite a guest via the Azure portal, like this:
After that is completed, Azure will send an email to that email address. User B should accept it, then we can find user B added to your Azure AD users list.
2. Grant resource group permission to this account, like this:
After that, when user B reloads the Azure portal, he will find another directory in his portal. After changing to that directory via the portal, user B will find the resource group.
We can change to another directory via the Azure portal like this:
In this way, we can share an Azure resource group to another user out of your Azure AD.
About Azure built-in roles, please refer to this article.
By the way, as Peter said, we can't use user B account to login your Azure VM.
Don't try and administer the virtual machine using the web console. Get User A to provide the IP address they're using to log onto the machine to user B. Make sure that user B has an account on the virtual machine, and connect to that machine via RDP (username/password) or ssh (certificate/key) depending on your flavour.
RBAC manages authorization for Azure only, not the machines created within Azure.

Only give PS access to a specific VM?

I have a VM running in Azure which I would like the client to be able to turn on/off easily. I thought this would be simple; just a PS-script that performs a startup/shutdown/dealloc. But it seems I can't generate an "Azure Publish Settings"-file that only gives access to that VM? At the moment it seems I can only control this at the subscription level?
The Azure Publish Settings file basically contains the access information for an entire Azure subscription. It does not specify access to a specific resource (e.g. VM) but to all resources inside of a subscription.
To limit access to a subset of resources in Azure, you should be looking at the new role-based access (RBAC) functionality, which is available in the Azure preview portal and the latest Azure PowerShell cmdlets.
How it works is that you create an Azure resource group, to which you can assign roles with specific rights, and to this role you can then assign individual users.
Check the following Azure documentation link for details on how to do this.
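
Added example (not part of the original answers): the custom-role option mentioned in the first answer and the per-VM RBAC approach described just above, written with the Az PowerShell module as a role that can only read, start, restart, power off and deallocate a VM, assigned at the scope of a single machine. The subscription ID, resource group, VM name, user and role name are constructed placeholders.

```powershell
# Added example: least-privilege "power on/off only" role for one VM.
# All IDs and names below are constructed placeholders, not values from the page.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$resourceGroup  = 'rg-student'
$vmName         = 'student-vm'
$userUpn        = 'student@example.com'
$roleName       = 'VM Power Operator (example)'

$rgScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# Custom role: see the VM and its power state, start, restart, power off, deallocate.
# No write/delete, no extensions or run-command, no network or storage rights.
$definition = [ordered]@{
    Name             = $roleName
    IsCustom         = $true
    Description      = 'Start, stop and deallocate virtual machines; nothing else.'
    Actions          = @(
        'Microsoft.Compute/virtualMachines/read'
        'Microsoft.Compute/virtualMachines/instanceView/read'
        'Microsoft.Compute/virtualMachines/start/action'
        'Microsoft.Compute/virtualMachines/restart/action'
        'Microsoft.Compute/virtualMachines/powerOff/action'
        'Microsoft.Compute/virtualMachines/deallocate/action'
    )
    NotActions       = @()
    AssignableScopes = @($rgScope)   # role can only be assigned inside this resource group
}

$jsonPath = Join-Path ([IO.Path]::GetTempPath()) 'vm-power-operator.json'
$definition | ConvertTo-Json -Depth 4 | Set-Content -Path $jsonPath

# Run as the subscription owner (creating roles and assignments needs Owner
# or User Access Administrator rights).
Connect-AzAccount -Subscription $subscriptionId | Out-Null
New-AzRoleDefinition -InputFile $jsonPath | Out-Null

# Assign the role on the single VM, not on the subscription or resource group.
$vm = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName
New-AzRoleAssignment -SignInName $userUpn -RoleDefinitionName $roleName -Scope $vm.Id

# Review who holds what on this VM (inherited assignments are listed too).
Get-AzRoleAssignment -Scope $vm.Id |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

The assigned user signs in with their own account and runs Start-AzVM or Stop-AzVM against that VM; no publish settings file or owner credential is shared.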
