Manage / debug virtual machines on someone else's Azure subscription - azure

I have two users, A and B. Both users have azure subscriptions. User A creates a VM, running some software, but wants to grant User B access to administer / debug this virtual machine.
We've added User B as an owner of the virtual machine on User A's subscription, but they are not able to see the virtual machine.
Is there a way of doing this?
If there is, are we going about it the right way?

Is there a way of doing this?
Yes, we can do this: we can invite user B to manage user A's resource group.
are we going about it the right way?
We can do it via the Azure portal.
1. Invite a guest via the Azure portal, like this:
After that completes, Azure will send an email to that address; user B should accept it, and then we can find user B added to your Azure AD users list.
2. Grant resource group permission to this account, like this:
After that, when user B reloads the Azure portal, he will find another directory in his portal; we can change it via the portal. After changing to that directory, user B will find the resource group.
We can change to another directory via the Azure portal like this:
In this way, we can share an Azure resource group with another user outside your Azure AD.
About Azure built-in roles, please refer to this article.
By the way, as Peter said, we can't use user B account to login your Azure VM.

Don't try and administer the virtual machine using the web console. Get User A to provide the IP address they're using to log onto the machine to user B. Make sure that user B has an account on the virtual machine, and connect to that machine via RDP (username/password) or ssh (certificate/key) depending on your flavour.
RBAC manages authorization for Azure only, not the machines created within Azure.
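The sequence the first answer describes (invite user B as a guest of user A's tenant, then grant a role on the resource group) can be scripted instead of clicked through. The following is an added example, not code from either answer: it uses the Microsoft Graph PowerShell module for the invitation and the Az module for the role assignment, and the subscription id, resource group name and e-mail address are placeholders. It grants Virtual Machine Contributor at resource-group scope rather than Owner, which is enough to manage and restart the VM without letting the guest hand out further access; as the second answer points out, none of this gives user B a login on the VM's operating system, which still needs a local account reached over RDP or SSH.

```powershell
# Added example: share one resource group with an external user (guest) via RBAC.
# Modules: Microsoft.Graph.Identity.SignIns (New-MgInvitation) and Az.Resources
# (New-AzRoleAssignment). All ids and names below are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # user A's subscription
$resourceGroup  = 'rg-userA-vm'                             # resource group holding the VM
$guestEmail     = 'userB@example.com'                       # user B's address

Connect-MgGraph -Scopes 'User.Invite.All'
Connect-AzAccount -Subscription $subscriptionId

# 1. Invite user B into user A's tenant. Graph creates a user object with
#    userType "Guest" immediately; user B must still accept the e-mail.
$invitation = New-MgInvitation -InvitedUserEmailAddress $guestEmail `
    -InviteRedirectUrl 'https://portal.azure.com' `
    -SendInvitationMessage

$guestObjectId = $invitation.InvitedUser.Id

# 2. Assign a role at resource-group scope, not at the subscription.
#    Virtual Machine Contributor can start/stop/redeploy VMs in the group but
#    cannot create role assignments or touch the network/storage they use.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
New-AzRoleAssignment -ObjectId $guestObjectId `
    -RoleDefinitionName 'Virtual Machine Contributor' `
    -Scope $scope

# 3. Review what the guest can now reach: this should be the only assignment
#    for them, and its scope should be the resource group.
Get-AzRoleAssignment -ObjectId $guestObjectId |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

After accepting the invitation, user B switches to user A's directory in the portal (as the first answer shows) and sees only that resource group. Because the assignment is on the resource group, removing access later is a single `Remove-AzRoleAssignment` on the same scope, and `Get-AzRoleAssignment` is the place to check periodically that nothing wider was granted.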

Related

Azure Active Directory + Active Directory

can you guys help me with a question?
I have an ADDS created on Azure and a Windows Server 2019 (Active Directory) virtual machine also hosted on Azure.
I'm having problems changing the attributes and using the logon hours options through the user's account... "You do not have permission to change the logon hours attribute, your changes won't be saved".
On Windows Server 2019, I have the Enterprise Admin permission.
On Azure, I have the administrator permission and am still having these issues.
Can someone give me a clue to solve this?
Thanks.
• In Azure ADDS, you will have to add your sign-in ID for the Windows Server VM, i.e., the Azure ADDS DC, to the Azure AD DC Administrators group in your Azure AD tenant. Once you have added your user ID to this group, you will be able to configure the ‘logon hours’ attribute in the managed-domain-joined Windows Server VM.
• Also, though you are the administrator, it is not clear what permissions you are assigned. As a result, you need to be assigned the ‘Domain Services Contributor’ Azure role for creating the required Azure ADDS resources, along with the ‘Application Administrator’ and ‘Groups Administrator’ Azure AD roles in your tenant.
Thus, if you ensure that the above changes are done, you will surely be able to change the ‘logon hours’ attribute. Please find the below snapshot for your reference: -
To know more about this, kindly follow the below links: -
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-management-vm#administrative-tasks-you-can-perform-on-a-managed-domain
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance-advanced#prerequisites

Having Azure AD joined devices grant local administrator access to a specific device only

Good afternoon, I am fairly new to Azure AD in general; I know my way around but I am stumped on something for a client of ours.
We have a client who has devices joined to Azure AD. They wish to create local administrator accounts on specific computers that only specific people can access, and only that administrative account can be used on that workstation for administrative rights (just like a regular device local admin account).
For example:
CON-01 (PC name) should have a local admin account in Azure AD named JohnDoe_adm@contoso.com that can use elevated admin privileges, but this JohnDoe_adm@contoso.com account should not be allowed to have local administrative rights on CON-02. And vice versa: JaneDoe_adm@contoso.com should only have local administrative rights on CON-02, but her login can't be used on CON-01 for elevated permissions.
Devices will not be connected to the local AD frequently for policy updates (and we want to avoid a VPN connection to the local AD DC). The client strictly wants these devices joined via Azure AD Join but with administrative accounts managed through Azure AD.
The client's accounts are synchronized in Azure with their local AD.
I saw that with a premium license for Azure you can add a local administrators group on Azure AD joined devices, but doing so will allow that user to have local administrative access on all devices that are joined, and we are trying to prevent that.
Would it be possible to create a group called CONTOSO/CON-01 Local Administrators in Azure AD, add JohnDoe_adm@contoso.com to this group, go onto CON-01 and manually add the CONTOSO/CON-01 Local Administrators group under Administrators in lusrmgr.msc on the workstation CON-01?
Or any suggestions to make this process easier to achieve what I am looking for?
Any advice is appreciated! Thanks!
You can do that, just not in the GUI. :-)
On an individual computer you can use "net localgroup Administrators "AzureAD\JohnDoe_adm@contoso.com" /add" to give that account admin rights to the machine.
You'll have to do that for each machine.
• Yes, you can create an Azure AD user, for example in this scenario, johndoe_adm#contoso.com as a member of the local administrators’ group on Azure AD joined devices. For that purpose, you will have to create a policy under ‘Endpoint Protection’ in Intune management portal for ‘local user/group membership’ for managing local admins of Windows 10/11 client devices. Please follow the below snapshots for more information: -
As shown in the above policy, you can create a policy for ‘local user group membership’. In it, you can create a profile for Windows 10/11 by selecting the appropriate option and selecting the correct local users’ group to be managed through it as shown below: -
Once the above options have been selected, then you can have the option of selecting Azure AD users or groups in the respective selected local administrators group so that the Azure AD users can be a member of local administrators’ group on client system as below: -
Thus, in this way, you can add an Azure AD user/group as a member of the local administrators’ group on Azure AD joined, Intune MDM managed and compliant systems by assigning this policy to the said device groups.
• Also, please note: you are saying that a particular Azure AD user, i.e., ABC, should be a member of the local administrators’ group on an Azure AD joined device, viz., XYZ, which is readily possible as stated above, but you also want this user ABC not to be a member of another Azure AD joined device’s local administrators’ group. For this purpose, you will have to create a separate Azure AD user for every Azure AD joined device, and likewise create one profile for every Azure AD user/group as well as for every device that is going to be a part of the local administrators’ group on the client system, which can be very hectic and time consuming given the options available in Intune MDM.
Thus, I would suggest you create a single Azure AD user for the purpose of adding it to the local administrators’ group on every Azure AD joined and Intune MDM managed Windows 10/11 device, further create a profile as shown above, and deploy it on all the Windows 10/11 devices to be managed through Intune as required. Also, do keep the credentials of that Azure AD user with yourself only to maintain a level of confidentiality.
For more detailed information on the above, kindly refer to the below link: -
https://www.anoopcnair.com/manage-local-admins-using-intune-group-mgmt/#:~:text=The%20local%20user%20group%20management,or%20Windows%2011%20local%20group.
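Both answers above leave the "one admin account per device" rule to be enforced by hand: the first by running a net command on each machine, the second by a separate Intune profile per device. The script below is an added example (not from either answer or from Microsoft) that keeps the per-device approach but makes it self-enforcing: one script, assignable to every Azure AD joined device, looks up its own computer name in a mapping, adds the intended dedicated admin, and removes any other dedicated `_adm` account that has ended up in the local Administrators group. The device-to-account mapping is constructed, the `_adm` naming convention is assumed from the question, and the parsing of `net localgroup` output assumes the English-locale format.

```powershell
# Added example: enforce exactly one dedicated Azure AD admin account per device.
# Intended to run as SYSTEM on each device (for example as an Intune PowerShell
# script assigned to all devices). The mapping below is constructed sample data.
$DeviceAdmins = @{
    'CON-01' = 'AzureAD\JohnDoe_adm@contoso.com'
    'CON-02' = 'AzureAD\JaneDoe_adm@contoso.com'
}

$wanted = $DeviceAdmins[$env:COMPUTERNAME]
if (-not $wanted) {
    Write-Output "No dedicated admin defined for $env:COMPUTERNAME; nothing to do."
    exit 0
}

# net.exe is used rather than Add-/Get-LocalGroupMember because the cmdlets do
# not reliably resolve AzureAD\ principals on Azure AD joined devices.
# Output format (English locale): header lines, a dashed separator, one member
# per line, then "The command completed successfully."
function Get-AdministratorMembers {
    $lines = @(net localgroup Administrators)
    $sep = ($lines | Select-String -Pattern '^-{10,}' | Select-Object -First 1).LineNumber  # 1-based
    $lines[$sep..($lines.Count - 1)] |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -notlike 'The command completed*' }
}

$members = Get-AdministratorMembers

# Remove any other dedicated *_adm account; built-in members and the SID-based
# entries Azure AD Join adds for directory roles do not match and are left alone.
foreach ($m in $members) {
    if ($m -like 'AzureAD\*_adm@*' -and $m -ne $wanted) {
        net localgroup Administrators $m /delete | Out-Null
        Write-Output "Removed $m from Administrators on $env:COMPUTERNAME"
    }
}

# Add the intended account only if it is not already present (idempotent).
if ($members -notcontains $wanted) {
    net localgroup Administrators $wanted /add | Out-Null
    Write-Output "Added $wanted to Administrators on $env:COMPUTERNAME"
} else {
    Write-Output "$wanted is already in Administrators on $env:COMPUTERNAME"
}
```

Because the rule lives in one script rather than in per-device profiles, adding a new workstation means adding one line to the mapping. The script does not touch the SID entries that Azure AD Join places in the local Administrators group for the Global Administrator and Azure AD Joined Device Local Administrator roles, so those directory-level admins keep their access; if the client wants those removed as well, that is a separate decision to make in Azure AD device settings rather than in this script.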

Conditional access policy for accessing vm in Azure portal

Scenario
An invited guest user should be able to connect to a VM via Bastion, but only if the user resides in a certain country/location.
What did we do so far
We've created a named location for a specific country
That has been added as a condition to a conditional access policy
We've included a user group in which the guest user has been assigned to
For "Cloud apps or actions" we really don't know what to set there for our problem. No constellation helped.
The policy didn't work so far. We were able to connect from several countries which weren't specified.
Any advice? Thanks in advance.
There is an app called 'Microsoft Azure Management' that you can select here but note this will block the user from the Azure portal entirely and not just to Azure Bastion. There is no way to limit conditional access to just the Azure Bastion service at this time.
https://learn.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-management
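The answer names the app to target; what the question's policy is missing is the location logic, which has to be "every location except the approved one, then block". The following is an added example, not code from the answer, showing such a policy created through Microsoft Graph PowerShell. The group id and named-location id are placeholders; the application id is the one Azure AD uses for the "Microsoft Azure Management" app (Windows Azure Service Management API). It is created in report-only mode so the sign-in logs can confirm it matches the guest's sessions from the wrong countries before it is enforced, and, as the answer says, it blocks the entire Azure management plane for that group, not just Bastion.

```powershell
# Added example: Conditional Access policy blocking a guest group from the Azure
# management plane (portal / ARM, and therefore Bastion) unless the sign-in
# comes from an approved named location. Module: Microsoft.Graph.Identity.SignIns.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$guestGroupId    = '11111111-1111-1111-1111-111111111111'  # placeholder: group containing the guest
$allowedLocation = '22222222-2222-2222-2222-222222222222'  # placeholder: named location (country)
$azureManagement = '797f4846-ba00-4fd7-ba43-dac1f8f63013'  # "Microsoft Azure Management" app id

$policy = @{
    displayName = 'Block Azure management outside approved country (guests)'
    # Report-only first: evaluate against real sign-ins, then switch to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($guestGroupId) }
        applications   = @{ includeApplications = @($azureManagement) }
        locations      = @{
            includeLocations = @('All')             # evaluate every location...
            excludeLocations = @($allowedLocation)  # ...except the approved country
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The named location must already exist (it is what `$allowedLocation` refers to); the "include All, exclude approved" pattern is what makes the policy fire only from other countries, which is the part a policy that merely includes the named location never does. Keep an emergency-access account out of `$guestGroupId`, since a block policy on the management app with no exclusion can lock administrators out of the portal as well.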

How can I add an Azure DevOps Organization user if the organization owner is just a guest of the linked Azure AD and not a domain member?

I have an Azure Devops organization that is linked to an Azure Active Directory. This organization has projects and pipelines for deploying applications to App Services in the linked Azure AD.
Recently, one of my user accounts (the one with the Visual Studio Enterprise Subscription) was made the organization owner and all other project users were deleted. However, my account, which is now the only user in the Azure DevOps organization, is just a guest account type in the linked Azure AD, and not an actual member of the Azure AD.
I need to add new users back to the organization but since my user account is just a guest of the linked Azure AD, when I try to add users, I get an info dialog that states that since I am only a Guest of the Azure AD domain, I can't see the domain members I want to add and so the add user process fails.
As I stated earlier, my account is the Organization Owner. I also assigned my guest user account to the Global Administrators role in the linked Azure AD, but I still cannot add domain users to the Azure DevOps organization.
This organization has production code in the repo as well as build and deployment pipelines that I do not want to lose access to or lose the ability to deploy to the App Services in the linked Azure AD, so I am concerned about taking any action until I know exactly what I need to do to be able to add users from the linked Azure AD into the organization.
Any advice as to how I can add users from the linked Azure AD back to this organization would be greatly appreciated.
This is just a guess, but DevOps could be looking at your userType and show the message based on that.
Global admin would definitely allow you to list the users.
You could try using PowerShell to change your userType from Guest to Member.
E.g. with AAD PowerShell v2:
Set-AzureADUser -ObjectId 'your-user-object-id-in-tenant' -UserType 'Member'
It's actually something that isn't super-well-known.
Guest/member and local/external user are two different things.
External users just become Guests by default, which restricts what they can do.
Add the guest users to Azure AD directly, before you try to give them access in DevOps. After adding a new guest user, that new guest can be given access to DevOps by your subscription admin.
Or create yourself a domain user in your Azure AD with the proper privileges too.
e.g. If your Azure AD domain is "MyMsdnAzureADDomain.onmicrosoft.com" (or a custom domain like "mycompany.com" if you have such a domain registered in Azure):
A) Create a new domain user in MyMsdnAzureADDomain.onmicrosoft.com.
The new user would be MyNewUser@MyMsdnAzureADDomain.onmicrosoft.com
B) Give that new user full admin in Azure AD and your DevOps (or tailor the permissions to your needs).
C) Log in to Azure using that new user to manage your DevOps.

Azure VM - Start / Power-On with RDP or PowerShell

Kid went off to college - wants to use his Surface RT to access a VM I created for him on Azure.
Anyone have a way to power the VM on & off without giving him the keys to my Azure account?
If there isn't a way to do it in PS or RDP is there script I could put on a .NET site that he could http to to start and stop the VM?
Create or add a user account for him, then give the user the Virtual Machine Contributor role. When he logs in to the portal with his credentials he should only have access to stop and start the VM.
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-what-is
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles#virtual-machine-contributor
Agree with Hannel: you can create an Azure AD user for your kid, then grant him the resource permission, and he can log in to the Azure portal to start or stop that VM.
You can create an Azure AD account by following this article.
Then you can grant permission to that account, like this:
You can give him the Owner role; you can also select Virtual Machine Contributor (Can manage virtual machines, but not the virtual network or storage account to which they are connected) for him. For more information about Azure built-in roles, please refer to this article.
You can also define a new role for him; about custom roles, please refer to this article.
Hope this helps.
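Both answers settle on Virtual Machine Contributor, and the second mentions custom roles as an alternative. For a "start and stop only" requirement the custom role is the tighter choice: Virtual Machine Contributor grants `Microsoft.Compute/virtualMachines/*`, which includes running commands and installing extensions inside the guest, far more than switching the machine on and off. The following is an added example, not from either answer: an Az PowerShell script that defines a custom role limited to read/start/deallocate/restart and assigns it on the single VM rather than the resource group or subscription. Subscription id, resource group, VM name and the student's sign-in name are placeholders, and the role name "VM Power Operator" is invented for the example.

```powershell
# Added example: least-privilege alternative to Virtual Machine Contributor.
# Module: Az.Resources. All ids and names below are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$resourceGroup  = 'rg-college-vm'
$vmName         = 'vm-college'
$studentUpn     = 'student@contoso.onmicrosoft.com'   # the Azure AD account created for him

Connect-AzAccount -Subscription $subscriptionId

# Use a built-in role definition as a template, then replace its permissions.
$role = Get-AzRoleDefinition -Name 'Virtual Machine Contributor'
$role.Id          = $null                   # null id makes New-AzRoleDefinition create a new role
$role.Name        = 'VM Power Operator'     # invented name for this example
$role.Description = 'Read, start, deallocate and restart virtual machines; nothing else.'
$role.Actions.Clear()
$role.NotActions.Clear()
$role.DataActions.Clear()
$role.NotDataActions.Clear()
$role.Actions.Add('Microsoft.Compute/virtualMachines/read')
$role.Actions.Add('Microsoft.Compute/virtualMachines/start/action')
$role.Actions.Add('Microsoft.Compute/virtualMachines/deallocate/action')  # stops compute billing
$role.Actions.Add('Microsoft.Compute/virtualMachines/restart/action')
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")
$customRole = New-AzRoleDefinition -Role $role

# Assign it on the one VM only, so nothing else in the subscription is visible.
$vmScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
           "/providers/Microsoft.Compute/virtualMachines/$vmName"
New-AzRoleAssignment -SignInName $studentUpn `
    -RoleDefinitionName $customRole.Name `
    -Scope $vmScope

# For comparison, list what the built-in role would have allowed.
(Get-AzRoleDefinition -Name 'Virtual Machine Contributor').Actions
```

`deallocate/action` is chosen over `powerOff/action` on purpose: a deallocated VM releases its compute and stops being billed for it, which is what "power off" means from the parent's point of view. With the assignment scoped to the VM, the student sees that one machine in the portal's Virtual machines list and gets only Start, Restart and Stop on it; any other button shows an authorization error, which is the behaviour to check after assigning.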
