I'm just starting on this, been going through the Microsoft documentation and the lightbulb hasn't come on yet...
How do I add a user to my subscription so they can login? From there I just need to limit them to Azure Media Services.
I've seen instructions on web for clicking a "Users" button from subscription, but I do not see that. I've tried adding a user through the Azure Active Directory as well with no luck...
Any ideas would be helpful.
Thanks!
James
OK, so I figured this out:
1) Add your user to Active Directory (I added guest user)
2) Go to subscriptions and to your IAM panel
3) Ensure that your new user has access to at least Read the subscription.
(When I did this it allowed me to view my Azure resources as other user)
4) From there I created a role in a JSON file and used New-AzureRmRoleDefinition -InputFile to import it. IMPORTANT: Make sure for permissions you have Microsoft.Media/* and Microsoft.Media/mediaservices/*
5) Once I did this I went to my Media Services IAM panel and added the user to my new Azure Media Services role.
6) Presto! It started working.
Thanks to all who responded to this thread!!!
I've tried adding a user through the Azure Active Directory as well
with no luck...
This is exactly what you need. Create a user in Azure Active Directory (at portal.azure.com) and grant them access to your subscription with the custom role to allow only Azure Media Services (I don't think there's a built-in role for that). To do that, follow the links (to create custom role, to create user and to assign user that role). I don't think you can create custom role using portal, so you will need REST API or powershell\CLI\SDK
Links:
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-what-is
https://learn.microsoft.com/en-us/azure/active-directory/add-users-azure-active-directory
Related
We have Azure DevOps portal for our organization and our Active Directory is connected to it. I have enough privileges to add new users to the DevOps portal.
Recently I have seen that whenever I am trying to add new users I am getting the below error:
The user is added to the AAD. He is an active user and belongs to the same organization. I have cleared the cache and tested it.
Still, I am unable to add the user because of the issue.
Is there anything that I can do to rectify this, before approaching the support?
You are trying to invite a use from outside your directory. ...
To solve this issue, you need to grant the Guest Inviter role to your account in Azure AD(Active Directory).
You could navigate to Azure Portal -> Azure Active Directory -> Roles and administrators -> Search Guest Inviter.
Then you could assign the Guest Inviter role to your account.
In this case, you could invite the user successfully.
For more detailed info , you could refer to this doc about Add external users to your organization.
It's been a couple of hours since your question posted. Does it work now? Your statement that the user is in your AAD, plus the error message that the user is outside your directory, suggests the possibility that maybe waiting might fix it.
I am almost new to Azure. My client had created an Azure account and sent invitation to me. I had accepted her invitation to join her Azure portal. However when I log in with my username, it shows me "No subscription". My client is saying she has given me every access rights, but I am not able to do anything there. Even I am not sure if I have really joined her Azure portal.
Here is the image if when I tried to access Free Services.
For what i understand is that the current directory you are working in doesn't have the rights that you are expecting. And your client has added you to another subscription with all the required rights. All you need to do is switch your directory to the one which has the subscription provided by your client.
Just Click on your profile avatar(or name) on the top right of the portal.
Select the option Switch Directory form the pop-up.
And choose your concerned directory + Subscription.
Searched through the SO, internet, docs and couldn't find the best answer for this. Might be that you will know the answer or will transfer me where appropriate.
In Azure we do have a Directory with 1 subscription assigned. Within this directory we have a user, this user:
* IS the OWNER of subscription
* IS NOT the AzureAD Administrator (user has not additional rights). This user is no able to add/remove users/groups with the currect Ad.
However what we found is that such a user CAN create ne directory, where he can be automatically assigned to Global Admin role (create/remove users/groups etc) and CAN move above memntioned subscription to newly created directory he owns and manage.
This is of course not what we expect as we want to have a control of any AD and user access management.
I couldn't find yet a way to deny all user within directory to create separate directory.
Do you have some experience with this and/or some advice?
Regards
Forget about it ;) Just found option "Restrict access to Azure AD administration portal" under AzureAD which restrict the access to AD itself.
I was added as a global administrator to a company's Azure AD directory. When I try to create a new web app I get the following message:
You are currently signed into the '-company- (Default Directory)' directory which does not have any subscriptions. You have other directories you can switch to or you can sign up for a new subscription.
When I try to sign up for a new subscription it wants me to enter my payment information, which I do not want to do. I want to use the company's existing subscription.
I also cannot see the App Service that the admin of the account just created in the portal.
It seems like I'm not fully configured, but we thought adding me as Global Administrator should give me exactly what he has, which is what we want. What else do we need to do so we have the same access, and can see each other's items?
In new Azure Portal, you should be added as a Co-Owner through the RBAC system. You should contact your Account Administrator(AA) who could grant the permission to your subscription. More information about how to add an admin for a subscription please refer to this article.
More information about RBAC please refer to this article.
You are the admin of the Azure AD directory, but not any subscriptions in that directory (assuming there are subscriptions). Directory admins don't have access to subscriptions by default. A subscription admin will need to grant you access to a subscription.
Note that directories can be created without subscriptions, so not every directory has an Azure subscription.
Also, a credit card is required to create a new subscription and you can't reference an existing company account without the company's Azure account admin doing that for you. Unfortunately, only one account can have access to do that today.
I am new to Azure. I am getting myself confused very fast. My company has a project on Azure. We are looking to grant access to our external developers so they can log into our account and build a product for us ( setup a VM with mysql dbs and build an application ).
The only options I see are to invite users from another Active Directory or users who are in my own Active Directory? Is there no option to simply create a sign in credential for a user with say " email at gmail dot com" ?
What am I missing? I have created a Resource group but still can't invite anyone of our external consultants in there.
You can invite any user to manage your resources or your subscription.
There are 3 conditions for it:
You have the right to add it to your Azure AD
you are the owner of the subscription
The 'Guest user' already has an Azure account or a Microsoft Account
Then you have to go to:
Resources/Subscriptions
Access Control
Select a role (i.e. Contributor)
Type in the Account/Email of your external team member
check the checkbox and send the invitation
If you want to create generic users you can go straight forward to your AD and create a user i.e. developer1#contoso.onmicrosoft.com and add this user to the resource/subscription. Don't forget to take note of the credentials you created
So you would use Azure RBAC for that. Just click on the Resource Group > Access Control > Add.
You could also consult this blogpost for best practises.
If you just need them to develop and access SQL or a web App, you can pass the publish profile and SQL connection string to them.
Also, you can setup continous integration for the web App or virtual machine and pass git or GitHub or whatever source control you are using and pass the URL for the project, then they will commit the source code and fire a new build