Is there any way I can create a dynamic Azure AD group with service principals as dynamic members? I can only select users, which is quite frustrating.
Currently, it is impossible.
Please refer to this feedback. If you really need this, you could vote up this feedback.
Related
Can managed identity be configured for accessing Azure resources across different Azure subscriptions?
Could you point me in the right direction? Isn't Azure federation supposed to take care of this?
Seems not feasible based on my R & D as well.
Do I seem to be overestimating this Azure AD feature?
Accounts in any organizational directory?
Based on your and my comment:
Comment Question: are those subscriptions on the same Azure AD tenant?
Comment Answer: No. Think of altogether different business orgs. Different subscriptions.
My Answer to your question is:
Managed identities exist in the Azure AD tenant as service principals. They can therefore only be assigned access to subscriptions connected to that Azure AD tenant.
So in short, if the subscriptions are connected to different Azure AD tenants, it won't be possible to achieve what you are asking about, as far as I know.
EDIT
In addition to your comment
Comment: Can managed identity be used if all tenants were in same subscription?
My answer is: Each subscription can only belong to one tenant. Please check the Microsoft doc https://learn.microsoft.com/en-us/microsoft-365/enterprise/subscriptions-licenses-accounts-and-tenants-for-microsoft-cloud-offerings?view=o365-worldwide
Note: if this is feasible by one or other way and there are answer that can show the opposite of my experience and knowledge, I will be glad to know that as well.
I would like to know what AD Groups from a "ResourceGroup" and "PeopleSearch" require access to Grafana, and at what role each group needs access.
Had a look at Microsoft Graph but not what I need.
Is this possible? I have searched but I don't find any solutions.
I managed to resolve this issue on my own.
Due to additional details in the screenshot I won't be able to share it but feel free to ask me for additional details.
Thanks.
I am currently trying to work out a concept for a roles and rights concept. Azure RBAC already has a few built-in roles, but I am trying to create a few more custom roles. Are custom roles directly linked to the RBAC? And does anyone have any suggestions on which roles I should definitely add? I'm not familiar with all applications in Azure at the moment since I have only been working with Azure for a few weeks, so I would appreciate some suggestions. I am also trying to understand the hierarchy and structure behind Azure RBAC.
If anyone has worked out such a concept themselves or works a lot with Azure RBAC, feel free to share your experiences or results!
Azure role-based access control (Azure RBAC) helps manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.
Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.
Create your own custom roles. Just like built-in roles, assign custom roles to users, groups, and service principals at management group (in preview only), subscription, and resource group scopes.
Custom roles can be shared between subscriptions that trust the same Azure AD directory. There is a limit of 5,000 custom roles per directory. Custom roles can be created using the Azure portal, Azure PowerShell, Azure CLI, or the REST API.
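As an added example (not part of the answer above), this is what creating a custom role looks like with the Azure PowerShell Az module. It clones the built-in Reader definition, adds a few VM power actions, and restricts the role to one subscription via AssignableScopes. The subscription ID and the role name are placeholders, and it assumes Connect-AzAccount has already been run by an account that can write role definitions (Owner or User Access Administrator at that scope).

```powershell
# Added example: create a custom Azure RBAC role with Azure PowerShell (Az module).
# Assumes Connect-AzAccount has been run. The subscription ID is a placeholder.
$subscriptionId = "00000000-0000-0000-0000-000000000000"

# Start from a built-in role so the object has the right shape, then clear it out.
$role = Get-AzRoleDefinition -Name "Reader"
$role.Id = $null
$role.IsCustom = $true
$role.Name = "Virtual Machine Operator"
$role.Description = "Can read all resources and start, restart and deallocate virtual machines."

# Actions are control-plane operations. "*/read" is the same read-everything
# grant the built-in Reader role carries; the VM actions are added on top.
$role.Actions.Clear()
$role.Actions.Add("*/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/deallocate/action")

# NotActions subtract from Actions; keep it explicit even when empty.
$role.NotActions.Clear()

# A custom role can only be assigned at or below its AssignableScopes.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

New-AzRoleDefinition -Role $role

# Check what exists: custom roles in the directory show IsCustom = True.
Get-AzRoleDefinition -Custom | Select-Object Name, IsCustom, AssignableScopes
```

Two practical points: keep AssignableScopes as narrow as you can (a role assignable at every subscription is a role that will eventually be assigned everywhere), and prefer adding actions to a minimal Actions list over starting from "*" and carving exceptions into NotActions, because new resource providers silently widen a wildcard grant.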
I want to create a user in the Azure portal with read-only access to all resources in all of my subscriptions.
This user should not be able to modify any thing in any of my available subscriptions.
It seems you are trying to add a user who should have read-only access to all resources in all of your subscriptions, and this user should not be able to modify anything on the tenant.
So the best way is to add that user to the Global Reader role (can read everything that a global administrator can, but not update anything), which provides authority to access all resources in all of your subscriptions but cannot modify anything among the available subscriptions.
Hope this would help you.
This only covers Azure Active Directory resources. If you are trying to give read-only to Azure SUBSCRIPTION Resources, add the users to the Azure Role: "Readers".
The best recommendation here will be to add users with the reader permission to each subscription.
You would need to set your RBAC assignments per subscription. In case you have many subscriptions, you can automate this with a Logic App making requests to the Management API. Reference here. So in your Logic App, you basically get a list of subscriptions, iterate over them, and make the RBAC add-assignment request for each subscription and for your given user(s).
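The same loop as an added example in Azure PowerShell rather than a Logic App (this is not code from the answer above). It resolves the user once, assigns the built-in Reader role on every subscription the signed-in account can see, skips subscriptions that already have the assignment, and then lists the result. The UPN is a placeholder; it assumes Connect-AzAccount has been run by an account holding Owner or User Access Administrator on each subscription.

```powershell
# Added example: grant one user the built-in Reader role on every visible subscription.
# Assumes Connect-AzAccount has been run. The UPN below is a placeholder.
$userUpn = "reader@contoso.example"

# Resolve the user once; role assignments bind to the object ID, not the UPN.
$principal = Get-AzADUser -UserPrincipalName $userUpn
if (-not $principal) { throw "User $userUpn not found in the tenant." }

foreach ($sub in Get-AzSubscription) {
    $scope = "/subscriptions/$($sub.Id)"
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    # Get-AzRoleAssignment also returns assignments inherited from management groups,
    # so filter on the exact scope before deciding whether to create one.
    $existing = Get-AzRoleAssignment -ObjectId $principal.Id -RoleDefinitionName "Reader" -Scope $scope |
        Where-Object { $_.Scope -eq $scope }
    if ($existing) {
        Write-Host "Reader already assigned on $($sub.Name)"
        continue
    }

    New-AzRoleAssignment -ObjectId $principal.Id -RoleDefinitionName "Reader" -Scope $scope | Out-Null
    Write-Host "Assigned Reader on $($sub.Name)"
}

# Verification: every subscription should now show one direct Reader assignment for the user.
foreach ($sub in Get-AzSubscription) {
    $scope = "/subscriptions/$($sub.Id)"
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    Get-AzRoleAssignment -ObjectId $principal.Id -Scope $scope |
        Where-Object { $_.Scope -eq $scope } |
        Select-Object @{ n = 'Subscription'; e = { $sub.Name } }, RoleDefinitionName, Scope
}
```

Two caveats a practitioner would want: assign to a security group rather than an individual user, so the next read-only user is a group membership change rather than another run of the loop; and if the subscriptions sit under a management group hierarchy, a single Reader assignment at the top management group is inherited by every subscription beneath it and removes the need for the loop entirely.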
I am trying to figure out how to create a Windows Azure Active Directory group and/or role from the web portal. Am I missing something obvious here? I can create users and assign them to the 2 built-in roles, but how do I create a new role? Or group?
Admittedly I haven't tried this yet, but the PowerShell extensions should be able to do this:
http://technet.microsoft.com/en-us/library/jj151815.aspx
Look under "Manage group and role membership" for details on the relevant commands.
I would also assume that the Graph API could handle it. I too was hoping that the Azure Management Portal would let us do it in their GUI.
Seems the way to add groups, etc. is via the Graph API or, as suggested above, via PS scripts. The Graph API is amazingly powerful, albeit not as convenient as if this functionality lived within the Azure portal.
Basically you have 2 options:
1. create app roles and assign security groups to them (AAD Premium is required)
2. enable security groups as claims (AAD Free is enough)
Follow this official manual: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
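As an added example of the first option (not taken from the answer above or from the linked manual), this defines an app role on an app registration and assigns a security group to it with the Microsoft Graph PowerShell SDK. The three object IDs are placeholders, the role name and value are invented for illustration, and it assumes the Microsoft.Graph.Applications and Microsoft.Graph.Groups modules are installed and Connect-MgGraph has been run with the scopes noted in the comments.

```powershell
# Added example: add an app role to an app registration and assign a security group to it.
# Requires: Connect-MgGraph -Scopes "Application.ReadWrite.All","AppRoleAssignment.ReadWrite.All","Group.Read.All"
# All three IDs are placeholders.
$appObjectId = "<object id of the app registration, not its application/client id>"
$spObjectId  = "<object id of the app's service principal (the enterprise app)>"
$groupId     = "<object id of the security group>"

# Update-MgApplication replaces the whole appRoles array, so carry the existing roles over.
$app = Get-MgApplication -ApplicationId $appObjectId
$roles = @($app.AppRoles | ForEach-Object {
    @{
        Id                 = $_.Id
        AllowedMemberTypes = $_.AllowedMemberTypes
        DisplayName        = $_.DisplayName
        Description        = $_.Description
        Value              = $_.Value
        IsEnabled          = $_.IsEnabled
    }
})

$roleId = [guid]::NewGuid().ToString()
$roles += @{
    Id                 = $roleId
    AllowedMemberTypes = @("User")      # "User" covers users and groups; "Application" is for app-to-app
    DisplayName        = "Grafana Viewer"
    Description        = "Can view dashboards."
    Value              = "Grafana.Viewer"  # this string appears in the token's "roles" claim
    IsEnabled          = $true
}
Update-MgApplication -ApplicationId $appObjectId -AppRoles $roles

# Assignments are made against the service principal, not the app registration.
New-MgGroupAppRoleAssignment -GroupId $groupId -PrincipalId $groupId -ResourceId $spObjectId -AppRoleId $roleId

# Check: the group's assignments should now include the new role on this app.
Get-MgGroupAppRoleAssignment -GroupId $groupId | Select-Object ResourceDisplayName, AppRoleId
```

Once assigned, members of the group receive "Grafana.Viewer" in the roles claim of tokens issued for this app, so the application authorizes on a stable role string instead of on group object IDs. A role can only be deleted after it has been disabled (IsEnabled set to false) and its assignments removed, so plan the role set up front rather than renaming roles in place.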