Subscription Admin in Azure CSP subscription

Is it possible to become Subscription Co-Admin in CSP subscription? My current role is Owner.
I have a problem with some runbooks in a RunAs Automation Account. The runbook fails to execute commands with a Forbidden error. I think that is because the Automation Account was created with an account which is not Co-Admin.

Unfortunately, Azure CSP subscriptions have the limitation that they do not allow you to add users as Co-Administrators from the Azure Portal. If I am not mistaken, there is a process that can be done from the Azure Partner Center:
https://learn.microsoft.com/en-us/partner-center/develop/how-to--associate-a-partner-center-account-with-an-active-azure-subscrption-account
Hope this is of help to you!

How to run one Azure Automation runbook for all subscriptions in same tenant?

How can we run one Azure Automation runbook for all our subscriptions in the same tenant? Currently, I am making use of one runbook which retrieves the resources in the tenant, but it is listing the resources only from one subscription whereas I have 3 subscriptions present.
How do I make sure it outputs all the resources from all subscriptions? Please help
The problem is that the runbook runs in the security context of an Azure automation account and that account is connected to a subscription and therefore only sees resources within that subscription.
https://learn.microsoft.com/en-us/azure/automation/automation-create-standalone-account
There is an "Azure management group" which works cross-subscription:
https://learn.microsoft.com/en-us/azure/governance/management-groups/overview
It may be possible to run the runbook in a context of a management group user that has access to all subscriptions. But I have never tried this so not sure if it would work.
I would suggest that you install and run the runbook in each subscription. Then combine the contents of each report.
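
As an added illustration of the security-context point in the answers above (not code from the original posts), here is a PowerShell runbook that enumerates every subscription its identity can read. It assumes the Automation account has a system-assigned managed identity holding the Reader role on each subscription, or on a management group above them.

```powershell
# Added example: inventory resources in every subscription that the
# Automation account's identity is allowed to read.
# Assumptions: Az.Accounts and Az.Resources are imported into the account,
# a system-assigned managed identity is enabled, and it has Reader on each
# subscription (or on a management group that contains them).
$ErrorActionPreference = 'Stop'

# Do not inherit a context saved by another runbook job in the same sandbox.
Disable-AzContextAutosave -Scope Process | Out-Null

# Sign in as the managed identity rather than a stored credential.
Connect-AzAccount -Identity | Out-Null

# Get-AzSubscription returns only subscriptions this identity holds a role in,
# which is why a single-subscription role assignment yields a single result.
$subscriptions = Get-AzSubscription | Where-Object { $_.State -eq 'Enabled' }

$inventory = foreach ($sub in $subscriptions) {
    try {
        # Switch context explicitly and pass it on, so each query is scoped
        # to the subscription being processed.
        $ctx = Set-AzContext -SubscriptionId $sub.Id
        Get-AzResource -DefaultProfile $ctx | ForEach-Object {
            [pscustomobject]@{
                Subscription  = $sub.Name
                ResourceGroup = $_.ResourceGroupName
                Name          = $_.Name
                Type          = $_.ResourceType
            }
        }
    }
    catch {
        # An authorization failure here means the identity has no read role
        # on this subscription; report it instead of failing the whole job.
        Write-Warning "Skipped $($sub.Name): $($_.Exception.Message)"
    }
}

Write-Output "Subscriptions visible to this identity: $(@($subscriptions).Count)"
$inventory | Sort-Object Subscription, ResourceGroup, Name
```

If the count printed at the end is lower than expected, the missing subscriptions are the ones where the identity has no role assignment.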

Azure subscription with a new Active Directory

I actually have a subscription linked to my company Azure Active Directory, but for security reasons, we are unable to use the AAD from the company.
So, the IT department told us that we can create our own Azure AD within the subscription, but when I created the new tenant and tried to link it with the subscription, it was not possible for the CSP kind of subscription.
Do you know how to create an AAD within a specific subscription, or if it's not possible?
Regards.
It's not possible with the CSP subscription, but this link should help you a little further on your journey - https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory

Associate Office 365 AD Tenant with AZURE AD

I have an Office 365 Subscription that was created when I created my Dynamics 365 (CRM) trial version.
I also have an MSDN Enterprise Azure Subscription.
I'm trying to associate the Office AZURE AD with my MSDN AZURE Subscription.
I'm trying to proceed as described in the below link
https://github.com/uglide/azure-content/blob/master/articles/billing-add-office-365-tenant-to-azure-subscription.md
But the link is for the old Azure management portal and I'm not able to find a way to add "New Directory" with the option to choose "Existing Directory".
Awaiting your valuable inputs.
Regards,
Clement
You can refer to
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
https://learn.microsoft.com/en-us/azure/billing/billing-use-existing-office-365-account-azure-subscription
to learn how to associate or add an Azure Subscription to Azure Active Directory. This should do the trick if you do not have any resources in the Azure Subscription that are dependent on the current tenant for the subscription.
So, what happens is that if you have anything on the current tenant for the Azure Subscription, that would be replicated to the tenant for the O365. All of the same would need to be re-created manually.
Only the Subscription Admin of the Azure Subscription would retain the access to the subscription.
If you should have resources and the access levels might be a question for you by the re-association of the Subscription to the O365 tenant, we would suggest you create a Billing & Subscription Ticket so that Microsoft support team could personally assist you in the entire process effectively.

Cannot see Azure AD even having role as global admin and co-admin on its subscription

I don't really understand why on this case. My company has an azure subscription for development/testing environment.
At the beginning I am co-admin on this subscription with my Microsoft account. Now I need to manage applications under Azure AD of that subscription. So my Microsoft Account is leveraged to Global Admin of this Azure AD.
But even though my MS account is leveraged to Global Admin, I cannot see or have access to Azure AD.
After searching around and based on this article:
https://blogs.msdn.microsoft.com/dstfs/2015/12/23/issues-with-azure-active-directory-guest-users-in-aad-backed-visual-studio-team-services-accounts/
I am GUEST (user type) on Azure AD, so even though I am global admin, I still cannot have access to this Azure AD.
From the link, this happens because:
One way you can become an AAD GUEST is when you are made a co-admin on an Azure subscription before being added to the AAD associated with it
It can be fixed by using PowerShell like @CtrlDo's answer. But you have to create a global admin with a work/school account, since this approach does not work with a Microsoft account:
PowerShell - Connecting to Azure Active Directory using Microsoft Account
We have another approach which can be done in the UI that we think is simpler:
1. Remove my account out of co-admins of subscription.
2. Remove my account out of Azure AD.
3. Add my account back to Azure AD as Global Admin.
4. Add my account back to be co-admin on subscription.
That does work perfectly.
When you were added to the AAD, your user type might have been set to "guest"
See https://azure.microsoft.com/en-us/documentation/articles/active-directory-create-users/ for more information.
See https://blogs.msdn.microsoft.com/dstfs/2015/12/23/issues-with-azure-active-directory-guest-users-in-aad-backed-visual-studio-team-services-accounts/ for an older post on how to view the issue in powershell and fix it.

"No subscriptions found for Azure Account"

In an Azure trial subscription my MSN email is associated with another account with owner rights. But when I try to access Azure publishSettings it generates an error "No Subscription found".
Please help me to resolve the issue. Do I need Co-administrator or Service Administrator rights along with owner rights?
Service Administrator and Co-Administrator originated with the old portal at http://manage.windowsazure.com. The new portal, found at http://portal.azure.com, has introduced role based access control (RBAC), which provides the notion of Owner. You can find a lot of details about RBAC at https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/.
When RBAC was rolled out, Administrators were automatically added as Owners. It's possible to be an RBAC Owner in a subscription without being an Administrator, as Owner applies to ResourceGroups or Resources within a subscription.
The webpage you're trying to use has been available for a long time and from the looks of it has not been updated to support RBAC. The download of the publish profile from that webpage is based on selecting a subscription, which an Owner of a ResourceGroup or Resource would not necessarily have full access to everything in the subscription.
That means if you have your account added as a Co-Administrator or Service Administrator, that webpage should work.
It could be the difference between Microsoft Account and Azure Active Directory Account. Check which you are using.
I suggest you clear all cookies, cache and temporary internet files on the browser or use InPrivate/Incognito mode. Log in again and it will work.
Click the "Sign Out" button and then log in with the account that is associated with your trial. Owner rights should be sufficient.
You may have found an answer but in searching for an answer I found this link which says the owners you added through the Azure portal cannot manage services in the Azure classic portal.
So I MUST add co-administrator IN the classic portal so they can administer the classic portal.
Worked immediately after I added my New Portal global admin as a co-administrator in the classic portal.
nigel.jones#kloud.com.au
