A client of mine created a resource group in Azure. He made me an owner on the resource group but if I try to create database, function app, service app or any other resource it indicates I have insufficient permissions. He is willing to give me the access I need, but I can't figure out what needs to be changed.
As I fell into the same issue, maybe it can still help someone. This other question and this MSDN blog article can be handy.
I want to create a user in the Azure portal with read-only access to all resources in all of my subscriptions.
This user should not be able to modify anything in any of my available subscriptions.
It seems you are trying to add a user who should have read-only access to all resources in all of your subscriptions; besides, this user should not be able to modify anything on the tenant.
So the best way is to add that user with the Global Reader role (can read everything that a global administrator can, but not update anything), which provides authority to access all resources in all of your subscriptions but cannot modify anything among the available subscriptions.
Hope this would help you.
This only covers Azure Active Directory resources. If you are trying to give read-only to Azure SUBSCRIPTION Resources, add the users to the Azure Role: "Readers".
The best recommendation here will be to add users with the reader permission to each subscription.
You would need to set your RBAC assignments per subscription. In case you have many subscriptions, you can automate this with a Logic App that makes requests to the Management API. Reference here. So in your Logic App, you basically get a list of subscriptions, then iterate over them and make the RBAC add-assignment request for each of the subscriptions and for your given user(s).
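The per-subscription loop described above, sketched offline in Python rather than as a Logic App (an added example, not code from the answer): it builds the role-assignment `PUT` requests for the built-in Reader role. The subscription list, the principal ID and the function name are constructed for illustration; authenticating and sending the requests is left out.

```python
import json
import uuid

ARM = "https://management.azure.com"
# Built-in "Reader" role definition ID (the same GUID in every tenant).
READER_ROLE_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
API_VERSION = "2022-04-01"  # Microsoft.Authorization/roleAssignments

# Constructed sample of a "list subscriptions" response body.
SAMPLE_SUBSCRIPTIONS = json.loads("""
{"value": [
  {"subscriptionId": "11111111-1111-1111-1111-111111111111", "displayName": "prod", "state": "Enabled"},
  {"subscriptionId": "22222222-2222-2222-2222-222222222222", "displayName": "old", "state": "Disabled"},
  {"subscriptionId": "33333333-3333-3333-3333-333333333333", "displayName": "dev", "state": "Enabled"}
]}
""")
SAMPLE_PRINCIPAL = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"  # constructed object ID


def reader_assignment_requests(subscriptions, principal_id):
    """Return one (method, url, body) tuple per enabled subscription."""
    requests = []
    for sub in subscriptions["value"]:
        if sub.get("state") != "Enabled":
            continue  # skip subscriptions that are not active
        scope = f"/subscriptions/{sub['subscriptionId']}"
        role_def = (f"{scope}/providers/Microsoft.Authorization/"
                    f"roleDefinitions/{READER_ROLE_ID}")
        # Deterministic assignment name, so re-running the job is an
        # idempotent PUT on the same assignment.
        name = uuid.uuid5(uuid.NAMESPACE_URL,
                          f"{scope}|{principal_id}|{READER_ROLE_ID}")
        url = (f"{ARM}{scope}/providers/Microsoft.Authorization/"
               f"roleAssignments/{name}?api-version={API_VERSION}")
        body = {"properties": {"roleDefinitionId": role_def,
                               "principalId": principal_id}}
        requests.append(("PUT", url, body))
    return requests


if __name__ == "__main__":
    for method, url, body in reader_assignment_requests(
            SAMPLE_SUBSCRIPTIONS, SAMPLE_PRINCIPAL):
        print(method, url)
        print(json.dumps(body, indent=2))
```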
How do I change the Owner? I want to be able to change the owner of the app because the other person is too busy. Please help. Thanks!
Any LUIS app is defined by its Azure resources, which are determined by the owner's subscription. You have to keep in mind that LUIS allows the transfer of ownership of your subscription but not transferring ownership of a resource.
If you want to transfer ownership of your subscription, then you need to follow the steps below:
For users who have migrated - authoring resource migrated apps: As the owner of the resource, you can add a contributor.
For users who have not migrated yet: Export your app as a JSON file. Another LUIS user can import the app, thereby becoming the app owner. The new app will have a different app ID.
Also, you can move your LUIS app under these scenarios:
Move apps between LUIS authoring resources.
Move resource to a new resource group or subscription.
Move resource within same subscription or across subscriptions.
Hope this helps.
After thinking twice, I think LUIS App Collaborator can perhaps help with your problem.
Ask the owner to log in to the app, go to MANAGE > Application Settings > Collaborators, and add other people as collaborators. Then the other people can log in to the LUIS app on their own to work together.
I have a scenario where a partner has deployed a Bot in their test subscription and now they need to deploy the entire architecture
Q and A
LUIS
Cosmos DB for State Bot Service etc
to the client's own subscription.
What's the best way to do this?
Thanks
For your questions,
You should have the access to the Client Azure Subscription,
so that you can migrate the resources to the Client Azure Subscription.
Thank you.
Eng Soon Cheah is correct, you would actually need to be able to have access to the client's Azure subscription.
You can take a look at the official docs on how to move a resource group here.
And here's a succinct blog that shows how to move a resource to a subscription that you have access to.
Double-check the official doc's checklist of things to move a resource, as you might be in the situation where you'd need to contact Support instead of self-service.
I want to find or create an Azure role that has the same capabilities as an Owner, or at the very least a Contributor. But this role should not have access to create Azure resources.
I've been going through the pre-defined roles that exist.
This makes no sense in the Azure RBAC context. You can't edit but not create resources, because this is governed by the same permission: resource/write.
You can achieve something like that by having a role that can do anything except writes, but that would mean that it cannot edit resources, which is probably not what you are after.
Technically you can grant contributor permissions on each individual resource; that way the user won't be able to create new resources, only modify existing ones (he would be able to delete resources).
I have the same requirements, and I managed to configure it by taking the Contributor role as base and adding
"Microsoft.Resources/*/write"
in the notActions section of the role JSON configuration.
What it does is that it prevents deployments. Every resource creation is a deployment.
As far as I have tested every "edit" operation on resources works, even deployment slot creation for Web Apps, but you can disable that too if you need.
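The role JSON described in this answer, with a simplified evaluator that shows which operations it grants (an added example, not the answerer's code). It assumes one role assignment, no deny assignments and no DataActions; the role name, the scope GUID and the operation list are constructed, and the Contributor notActions list is abbreviated.

```python
import json
import re

# Role from the answer: Contributor as the base plus one extra notActions
# entry. Name and scope are placeholders; base notActions are abbreviated.
CUSTOM_ROLE = json.loads("""
{
  "Name": "Contributor without deployments (hypothetical name)",
  "IsCustom": true,
  "Actions": ["*"],
  "NotActions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Resources/*/write"
  ],
  "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]
}
""")

def _matches(pattern, operation):
    """Azure-style match: '*' spans any characters, comparison ignores case."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None

def is_allowed(role, operation):
    """Granted when matched by Actions and not matched by NotActions."""
    granted = any(_matches(p, operation) for p in role["Actions"])
    excluded = any(_matches(p, operation) for p in role["NotActions"])
    return granted and not excluded

# Constructed list of operations to check against the role.
SAMPLE_OPERATIONS = [
    "Microsoft.Resources/deployments/write",
    "Microsoft.Resources/subscriptions/resourceGroups/write",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Web/sites/write",
    "Microsoft.Web/sites/slots/write",
    "Microsoft.Authorization/roleAssignments/write",
]

def audit(role, operations):
    """Map each operation name to True (granted) or False (not granted)."""
    return {op: is_allowed(role, op) for op in operations}

if __name__ == "__main__":
    for op, ok in audit(CUSTOM_ROLE, SAMPLE_OPERATIONS).items():
        print(f"{'ALLOW' if ok else 'DENY '}  {op}")
```

In this model `Microsoft.Web/sites/write` is still granted; that is the single write permission the earlier answer describes as covering both creating and editing a resource.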
I am trying to set up some Azure Application Insights web tests on a coworker's Azure account. He gave me Reader & Application Insights Component Contributor, then Owner roles for that resource group. No luck. As the owner I then went and gave myself all the other roles, one by one, logging off and back on each time, and it still says 'No Access' and the '+Add Web Test' button is still greyed out. I also see 'No Access' for alert rules, but I haven't gotten that far yet. This seems like a bug. Any ideas? Thanks!
P.S. I did see the same problem discussed here but with no resolution.
Web tests are Azure resources themselves, so in order to gain access you will need contributor-level access at the resource group under which your AI resource exists.
Hope this helps.