Give access to IOT hub to an external developer in Azure - azure

I need to give access to Azure IoT Hub to an external company. How do I do that?
I can't figure out how to add them in Azure Active Directory while also restricting their access only to the IoT Hub.

If your intention is to grant others access to the Azure IoT Hub and send messages, a simple IoT Hub device client should be good enough.
I don't see the point of creating a user account in Azure AD.
You can create a new device client either in the Azure Portal or with Device Explorer; either way, you need to share the "connection string" of the device with the external developers, with which they can connect to Azure IoT Hub to send/receive messages using the azure-iot-sdk.
By the way, the azure-iot-sdk has multiple platform (Windows/Linux/mbed, etc.) and multiple language (C#, Java, C/C++, Python, etc.) support. So even a hardware developer can set things up pretty quickly.
That's how I share my Azure IoT Hub with others, and I hope it's helpful to you.
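As an added illustration (not code from the original post or from the Azure SDK), the following Python sketch shows what the shared device connection string carries and how a device-scoped SAS token is derived from it, which is why handing out a device connection string exposes only that one device identity and not the hub's policy keys. The hub name, device id and key are constructed placeholders, and the verify function stands in for the check the hub performs.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, unquote

# Constructed sample: the per-device connection string a hub owner would hand to
# the external developer. Hub name, device id and key are placeholders, not real values.
SAMPLE_DEVICE_CONN_STR = (
    "HostName=contoso-hub.azure-devices.net;"
    "DeviceId=external-dev-01;"
    "SharedAccessKey=" + base64.b64encode(b"constructed-sample-key-32-bytes!").decode()
)

def parse_connection_string(conn_str):
    """Split 'Key=Value;Key=Value' into a dict (the base64 key may itself contain '=')."""
    fields = {}
    for part in conn_str.split(";"):
        name, _, value = part.partition("=")
        fields[name] = value
    return fields

def generate_device_sas(hostname, device_id, key_b64, expiry):
    """Device-scoped SAS token: HMAC-SHA256 over '<sr>\\n<expiry>' with the device key.
    There is no skn= policy name, so the token cannot act beyond this one device."""
    sr = quote(f"{hostname}/devices/{device_id}", safe="")
    to_sign = f"{sr}\n{expiry}".encode()
    sig = hmac.new(base64.b64decode(key_b64), to_sign, hashlib.sha256).digest()
    return f"SharedAccessSignature sr={sr}&sig={quote(base64.b64encode(sig).decode(), safe='')}&se={expiry}"

def verify_device_sas(token, key_b64, now=None):
    """Hub-side check: recompute the signature for sr/se; reject expired or tampered tokens."""
    now = int(time.time()) if now is None else now
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    try:
        fields = dict(p.split("=", 1) for p in token[len(prefix):].split("&"))
        sr, sig, se = fields["sr"], unquote(fields["sig"]), int(fields["se"])
    except (ValueError, KeyError):
        return False
    if se <= now:
        return False
    expected = hmac.new(base64.b64decode(key_b64), f"{sr}\n{se}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, base64.b64encode(expected).decode())

if __name__ == "__main__":
    cs = parse_connection_string(SAMPLE_DEVICE_CONN_STR)
    tok = generate_device_sas(cs["HostName"], cs["DeviceId"], cs["SharedAccessKey"], int(time.time()) + 3600)
    print(tok, verify_device_sas(tok, cs["SharedAccessKey"]))
```

If the shared credential leaks, the hub owner can disable or rotate that single device identity in IoT Hub without touching any other device or hub-level policy.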

You can add an external user (a user from another Azure AD tenant) to your directory following the instructions documented here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-create-users-external/#add-external-users
Once you've added the external user to the directory, you can choose to grant them access to resources in your Azure subscription (they'll only have access to what you choose to grant them access to) just like you would any other resource.
In the following image, Peter Smith, from Fabrikam, Inc. (peter.smith@fabrikam.com) has been invited as an external user into Contoso Corp's tenant (contoso.com), and can be assigned the "Contributor" role for an IoT Hub:
The user then simply needs to sign in to the Azure portal (https://portal.azure.com) and switch to your company's Azure AD tenant. In the following image, Peter Smith, who is homed in the fabrikam.com tenant, can switch contexts to the Contoso Corp tenant because he is an external user there:
Once the user has switched tenants, he'll be able to see any resources he's been granted access to in that tenant.

Related

GDAP - Azure AD Joined Local Device Administrator

This is very new, so I'm not sure if anyone knows or has had experience with this.
So, context first... Microsoft is pushing MSPs to migrate over to Granular Delegated Administrative Privileges (GDAP) from Delegated Administrative Privileges (DAP) in their Partner Center to manage client tenants.
So instead of just being either a helpdesk admin or a global admin through DAP, you can now granularly assign roles to security groups, where these security groups are then applied on a per-tenant basis.
So one of the administrative roles, titled Azure AD Joined Local Device Administrator, can be assigned as a role to the security group, which then applies to a client tenant.
Traditionally, an Azure AD Joined Local Device Administrator lets an Azure account in a tenant be a local admin on an Azure-joined device.
After performing the GDAP migration, the security group from my parent tenant (the MSP's tenant) which has the Azure AD Joined Local Device Administrator role is now appearing under all my client tenants, in the normal area where you check which users or groups are Azure AD Joined Local Device Administrators.
So in theory, I understand this as: now I SHOULD be able to use an Azure account from my parent tenant as a local admin on a device that is Azure-joined from another tenant. Of course, when testing this, it did not work.
This would be a game changer in my opinion for local admin management on devices, but I would like to find out if I have the right idea in the way I'm understanding this, and if anyone might know whether this is going to be the case.
Sorry for the length of this; I just couldn't find any information out there yet. Happy to clarify anything that I may have muddled up in my explanation.

Having Azure Joined devices have local administrator access to only a specific device only

Good afternoon. I am fairly new to Azure AD in general; I know my way around, but I am stumped on something for a client of ours.
We have a client who has devices joined to Azure AD. They wish to create local administrator accounts on specific computers that only specific people can access, and only that administrative account can be used on that workstation for administrative rights (just like a regular device local admin account).
For example:
CON-01 (PC name) should have a local admin account in Azure AD named JohnDoe_adm@contoso.com that can perform elevated admin actions, but this JohnDoe_adm@contoso.com account should not be allowed to have local administrative rights on CON-02. And vice versa: JaneDoe_adm@contoso.com should only have local administrative rights on CON-02, but her login can't be used on CON-01 for elevated permissions.
Devices will not be connected to the local AD frequently for policy updates (and we want to avoid a VPN connection to the local AD DC). The client strictly wants these devices joined via Azure AD Join, but with administrative accounts managed through Azure AD.
The client's accounts are synchronized in Azure with their local AD.
I saw that with a premium license for Azure you can add a local administrators group on Azure AD joined devices, but doing so will allow that user to have local administrative access on all devices that are joined, and we are trying to prevent that.
Would it be possible to create a group called CONTOSO/CON-01 Local Administrators in Azure AD, add JohnDoe_adm@contoso.com to this group, then go onto CON-01 and manually apply the CONTOSO/CON-01 Local Administrators group under Administrators in lusrmgr.msc on the workstation CON-01?
Or any suggestions to make this process easier and achieve what I am looking for?
Any advice is appreciated! Thanks!
You can do that, just not in the GUI. :-)
On an individual computer you can use "Net Group Administrators /Add AzureAD\JohnDoe_adm" to give that account admin rights to the machine.
You'll have to do that for each machine.
• Yes, you can create an Azure AD user, for example in this scenario johndoe_adm@contoso.com, as a member of the local administrators' group on Azure AD joined devices. For that purpose, you will have to create a policy under 'Endpoint Protection' in the Intune management portal for 'local user/group membership' for managing local admins of Windows 10/11 client devices. Please follow the snapshots below for more information:
As shown in the above policy, you can create a policy for 'local user group membership'. In it, you can create a profile for Windows 10/11 by selecting the appropriate option and selecting the correct local users' group to be managed through it, as shown below:
Once the above options have been selected, you then have the option of selecting Azure AD users or groups for the respective selected local administrators group, so that the Azure AD users can be members of the local administrators' group on the client system, as below:
Thus, in this way, you can add an Azure AD user/group as a member of the local administrators' group on an Azure AD joined, Intune MDM managed and compliant system by assigning this policy to the said device groups.
• Also, please note that you are saying that a particular Azure AD user, i.e., ABC, should be a member of the local administrators' group on an Azure AD joined device, viz., XYZ, which is readily possible as stated above, but you also want this user ABC not to be a member of another Azure AD joined device's local administrators' group. For this purpose, you will have to create a separate Azure AD user for every Azure AD joined device and create one profile likewise for every Azure AD user/group as well as for every device that is going to be a part of the local administrators' group on the client system, which can be very hectic and time consuming given the options available in Intune MDM.
Thus, I would suggest you create a single Azure AD user for the purpose of adding it to the local administrators' group on every Azure AD joined and Intune MDM managed Windows 10/11 device, and further create a profile as shown above and deploy it on all the Windows 10/11 devices to be managed through Intune as required. Also, do keep the credentials of that Azure AD user with yourself only, to maintain a level of confidentiality.
For more detailed information on the above, kindly refer to the link below:
https://www.anoopcnair.com/manage-local-admins-using-intune-group-mgmt/#:~:text=The%20local%20user%20group%20management,or%20Windows%2011%20local%20group.

No longer able to see existing projects in Azure Devops after connecting AAD

I was logged in to my Azure DevOps account using my Hotmail account. I then went to Organization Settings and connected my org to Azure AD.
After I logged out and logged back in with the same account, I no longer see the projects I was working on. I have disconnected my Azure AD and also tried switching directories, but I am no longer able to see that particular organization.
Any idea how to fix this or why this happened?
Please check the points below:
Try logging on to https://.visualstudio.com to see whether you can see the organization and projects, as stated in this.
Check Troubleshoot connecting to a project.
You may not be able to sign in or access your organization unless your work or school account has the same email address as your Microsoft account.
Although you can add new work accounts to your organization, they're treated as new users.
If you want to access all your work, including its history, you must use the same sign-in addresses that you used before your organization was connected to your Azure AD.
For that, add your Microsoft account as a member to your Azure AD, or ask the owner of the organization who has proper permissions to map any disconnected members to their Azure AD identities, or invite them as guests into the Azure AD.
Invited users should use the corresponding account: a work/school account for AAD-based, a personal account for the other.
So basically the user who makes the connection must confirm the following statements are true:
User exists in Azure AD as a member (if the user is an Azure AD guest, rather than a member).
User must be a Project Collection Administrator or owner of the organization.
User must also have Azure Service Administrator or Co-administrator permissions for the Azure subscription that's linked to your organization in Azure DevOps.
User isn't using the Microsoft account identity that matches the Azure AD identity. For example, if the Microsoft account that users are currently using is jamalhartnett@fabrikam.com, the Azure AD identity they'll use after connecting is also jamalhartnett@fabrikam.com. Use a single identity that spans both applications, rather than two separate identities using the same email.
Add your work account as an administrator in your Azure DevOps organization
The AAD tenant should be the same as the DevOps tenant to connect and transfer the ownership of the organization to your work account.
Please see if you have followed the prerequisites to Connect organization to Azure Active Directory.
FAQ to be referred to:
Why don't I see my organization in the Azure portal?
Why do I have to choose between a work or school account and my personal account?
What if we can't use the same sign-in addresses?
Note: No other user than the owner of the organization will be able to see the organization under the "Azure DevOps organizations" service in the Azure portal. Also, Azure DevOps does not support multiple owners, like Azure services that support Role Based Access Control (RBAC) do. An Azure DevOps organization will only have a single owner at a time (reference).
Please try to access https://aex.dev.azure.com/ and change the domain to see if your organization is present in the list.
Or
You may need to open a support case on the Developer Community to help you out, or raise a support request through the Azure portal.
References:
Lost organization after disconnecting it from Azure Active Directory - Stack Overflow
What not to do when Connecting Azure DevOps to AzureAD | Josh Corrick
Restore project - Azure DevOps Services | Microsoft Docs

How to register Azure Onpremise Data Gateway in a specific subscription

When installing the Azure Data Gateway, I need to sign in with an account to register the Azure Data Gateway within the Azure subscription. Normally, this works great. But now I have access to multiple subscriptions (multiple customers). When I sign in, I cannot choose a specific tenant/subscription. It always registers the gateway in my own tenant.
Any ideas on how to get this done?
I've tried:
Delete Chrome sign-in information
Delete accounts in Credential Manager
First login with az login + az set-subscription
More information about the Azure on-premises data gateway:
https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-gateway-install#install-data-gateway
It's written in the prerequisites that your account must belong to a single AD or directory.
From a long-term perspective, I would suggest asking your client to create a service account and registering the data gateway with that service account.

Does Azure DevOps Services support tenant restrictions?

We've been told by Microsoft support that Azure DevOps Services supports tenant restrictions. While we have tenant restrictions enabled on a number of other services, it doesn't seem to apply to DevOps. Not only can we still log in to organizations outside of our tenant, we can also log in to our own organization and, if our corp email is added as a user in that org, the organization also shows up. I'd expect that our users would be blocked from logging into or accessing any external orgs.
I'm a little confused about why this isn't just working as expected and, despite them saying Azure DevOps Services supports tenant restrictions, I'm not finding much documentation to back that up.
Have you been able to migrate to Azure DevOps Services and ensure that your users are only able to access orgs within your own tenant? How?
Azure DevOps Services supports the Azure Active Directory (Azure AD) tenant policy to restrict users from creating an organization in Azure DevOps. This policy is turned off by default. You must be an Azure DevOps Administrator in Azure AD to manage this policy.
Check the following link for more details:
https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/azure-ad-tenant-policy-restrict-org-creation?view=azure-devops
Notice:
This policy is supported only for company-owned (Azure Active Directory) organizations. Users creating an organization using their personal account (MSA or GitHub) have no restrictions.
https://devblogs.microsoft.com/devops/policy-support-to-restrict-creating-new-azure-devops-organizations/
We finally received a more concrete answer to this question from Premier Support. Sounds like this wasn't entirely clear internally either. Azure DevOps Services supports TRv1, which provides tenant restrictions from client to proxy, but does not support TRv2 tenant restrictions, which provide server-to-server restrictions. TRv1 will prevent you from authenticating against an org outside your tenant directly, but does nothing to prevent the background authentication that happens if your account is configured to be able to access a secondary tenant's org. The server-to-server connection strips off the header information necessary to restrict you from accessing the secondary tenant. While this feature may be on their radar, there is no expectation or firm timeline for its release at this time.