Sharing resource groups on Microsoft Azure - azure

I am trying to share a resource group in Microsoft Azure, but the users I give ownership/admin privileges can't see the resources or resource group within their Azure portal (I grant permissions on the resource group). Am I missing something in granting permissions? I checked that both users are admins in the active directory too, but I'm not entirely sure if that matters.
The resource group only contains a simple WebApp, Gateway and associated SQL server/database. The main Azure account and the other Azure account are both under the same Azure subscription (BizSpark).
I am new to Azure, so thanks for any help!

Turns out I was being silly and didn't change directories. Thanks BenV!
Make sure the other users have selected your directory from the drop-down in the top-right corner of the portal. – BenV

Related

Restricting Access to what users can see in the Azure portal

For users that are assigned only a resource contributor role (such as Storage File Data SMB Share Contributor) the desired outcome is for them to see only the storage resources in Azure to which they are assigned
However, with this role users can still see the Subscription ID and a list of devices in Azure Active Directory, can log into Microsoft Intune, etc.
We have tried enabling "Restrict access to Azure Admin Portal" but some details are still visible. https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions#restrict-member-users-default-permissions
I am looking for guidance on how to ensure restricted access for users with a resource contributor role assigned.
Ability to see the existence of an Azure subscription when you have any role assigned to a resource in the subscription is special behavior provided by ARM to allow users to browse to the resources they have access to...
The other items (devices in Azure AD, Intune) are not controlled by Azure RBAC roles. You should find that the users have the same permissions even if you remove their Azure RBAC role assignments.
These systems have independent authorization logic which may be granting some access to all users.

How to deploy an ARM Template without granting ownership over the entire subscription?

I want to use a service principal to deploy a single ARM template to our Azure account.
I cannot find documentation for how to grant the least possible privilege, but it appears the only way to make this work is to grant contributor on the subscription.
Is there a way to limit the role on my service principal to only deploy ARM Templates or at the very least limit it to a single resource group?
Actually, for each template you can figure out the minimum possible permissions by looking at the template; they would be resourcetype + /write, plus the permission to create deployments, Microsoft.Resources/deployments/write.
But it's really easier to just give a person Contributor over the resource group. If you are concerned about security you can use Privileged Identity Management in Azure AD.
In the Access control (IAM) section under a resource group you can make the service principal you created 'Contributor'. This will make sure that that user can only deploy resources within that resource group. This way the account doesn't need any permissions on the subscription level.
When you go to the Access Control section click Add, and select "Add role assignment".
In the panel that shows you can select the role "Contributor" and look up the service principal you created.
Then click 'Save' to finish and you should be good to go.
I tend to make service connections (with separate service principals) in DevOps per environment; this makes it clear what resources you can touch and prevents people from accidentally deploying to incorrect locations from a pipeline because they typed in the wrong resource group name.
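The first answer's rule (each resource type in the template needs `<resourceType>/write`, plus `Microsoft.Resources/deployments/write`) can be turned into a script that reads a template and emits a custom role definition in the format `az role definition create` accepts, scoped to one resource group. This is an added example written for this page, not code from any of the posters; the template is constructed for the example, the subscription id, resource group and principal id are placeholders, and the `resourceGroups/read` action is an addition beyond the answer so the principal can see the target group.

```python
"""Derive a least-privilege custom role for deploying a single ARM template.

Added example (editor's code, not from the thread). Rule applied, from the
answer above: every resource type in the template needs '<type>/write', and
the deployment itself needs 'Microsoft.Resources/deployments/write'.
"""
import json

# Constructed sample template: a web app with a nested 'config' child, a SQL
# server, a child database declared at top level, and a duplicate type.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Web/sites",
            "apiVersion": "2022-03-01",
            "name": "example-webapp",
            "resources": [
                {"type": "config", "apiVersion": "2022-03-01", "name": "appsettings"}
            ],
        },
        {"type": "Microsoft.Sql/servers", "apiVersion": "2021-11-01", "name": "example-sql"},
        {"type": "Microsoft.Sql/servers/databases", "apiVersion": "2021-11-01", "name": "example-sql/appdb"},
        {"type": "Microsoft.Web/sites", "apiVersion": "2022-03-01", "name": "example-webapp-2"},
    ],
}

# Actions needed to run the deployment at all. deployments/write is from the
# answer; resourceGroups/read is the editor's addition so the principal can
# see the resource group it deploys into.
DEPLOYMENT_ACTIONS = [
    "Microsoft.Resources/deployments/write",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
]


def resource_types(resources, parent_type=None):
    """Yield fully qualified resource types, descending into nested children.

    A child nested inside its parent normally carries only its own segment
    ('config'), so it is qualified with the parent type
    ('Microsoft.Web/sites/config'). A type that already contains '/' is
    treated as fully qualified.
    """
    for res in resources or []:
        rtype = res.get("type", "")
        if not rtype:
            continue
        if "/" not in rtype and parent_type:
            rtype = f"{parent_type}/{rtype}"
        yield rtype
        yield from resource_types(res.get("resources"), rtype)


def minimal_actions(template):
    """Return the sorted, de-duplicated set of actions the template needs."""
    actions = set(DEPLOYMENT_ACTIONS)
    for rtype in resource_types(template.get("resources")):
        actions.add(f"{rtype}/write")
    return sorted(actions)


def custom_role(template, subscription_id, resource_group, name="ARM Template Deployer"):
    """Build a custom role definition assignable only to the target resource group."""
    scope = f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Least-privilege role derived from the template's resource types",
        "Actions": minimal_actions(template),
        "NotActions": [],
        "AssignableScopes": [scope],
    }


if __name__ == "__main__":
    # Placeholders: replace with your subscription id, resource group and the
    # service principal's application (client) id.
    sub, rg, sp = "<subscription-id>", "<resource-group>", "<service-principal-app-id>"
    role = custom_role(SAMPLE_TEMPLATE, sub, rg)
    print(json.dumps(role, indent=2))
    print(f"# az role definition create --role-definition @role.json")
    print(f"# az role assignment create --assignee {sp} --role \"{role['Name']}\" "
          f"--scope {role['AssignableScopes'][0]}")
```

Writing the printed JSON to `role.json` and running the two `az` commands shown creates the role and assigns it to the service principal at resource-group scope, so the principal never needs a role on the subscription. Any template that also deletes or reads resources during deployment would need the corresponding `/delete` or `/read` actions added, which the script does not infer.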

How to grant subscription access to an azure registered application?

I am trying to set up Octopus to deploy resources to Azure.
Under Azure Active Directory I've added a new app registration, and have generated a key and hooked up Octopus with the correct Application ID, Tenant ID and key.
The organisation has multiple Azure subscriptions corresponding to the environments, so I've noticed if I use the Subscription ID of my "Visual Studio Professional MSDN" subscription it works and creates the resources; however, if I try to use any of the other organisation Subscription IDs I get the following error:
Login-AzureRmAccount : The provided account c0b2.......76a6 does not
have access to subscription ID "f06.......2aa3". Please try logging in
with different credentials or a different subscription ID.
I have looked through all the settings of the Application Registration and granted it every "Windows Azure Active Directory" permission available, but still no luck.
How do I go about granting permissions to this Application Registration so that it can access the relevant subscriptions?
You need to give the app a role on the subscription/resource group/resource you want it to be able to access.
So for example, you can go to the Access Control (IAM) tab of the subscription, and give the app the Contributor role, which allows the app to read and modify anything in the subscription.
You can also give a more limited role if desired.
Roles can also be applied at a lower scope, like a resource group.
More info in the docs: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal

How I can select a specific AD in IAM menu

When I select an IAM menu (Identity + Access Management) I see a list of user accounts extracted from my Azure AD.
But I have several ADs. By what criteria does Azure select one AD rather than another?
Hi, assuming your question is that you have multiple Azure Active Directories, rather than multiple on-prem ADs that you need to sync, then via the preview management blades in the new portal you can change which Directory they list via the icon on the top right which shows your logged-in user. From there simply select the Directory you wish to manage.
It is only possible to grant access to users in the Azure Active Directory that the Azure subscription trusts. It is not possible to switch the Azure Active Directory to grant the access.
Each Azure subscription is associated with one Azure Active Directory (AD) directory. Users, groups, and applications from that directory can manage resources in the Azure subscription. Assign these access rights using the Azure portal, Azure command-line tools, and Azure Management APIs.
Grant access by assigning the appropriate RBAC role to users, groups, and applications at a certain scope. The scope of a role assignment can be a subscription, a resource group, or a single resource. A role assigned at a parent scope also grants access to the children contained within it. For example, a user with access to a resource group can manage all the resources it contains, like websites, virtual machines, and subnets.
The RBAC role that you assign dictates what resources the user, group, or application can manage within that scope.
Here are some helpful articles about Role-based access control and Azure subscription:
How Azure subscriptions are associated with Azure Active Directory
Get started with access management in the Azure portal
Use role assignments to manage access to your Azure subscription resources
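The answer above states the two rules that decide what a principal can do: a role assigned at a parent scope (subscription, resource group) also applies to every child under it, and the role's definition dictates the permitted actions. The following added example, written for this page and not code from any poster or from Microsoft, models that evaluation over constructed assignments so you can check why a user sees, or does not see, a given resource. The role definitions are abridged and constructed (the real Contributor NotActions list is longer), and the subscription id is a placeholder.

```python
"""Model Azure RBAC scope inheritance and Actions/NotActions evaluation.

Added example (editor's code, not from the thread). Rules shown: an
assignment at a parent scope covers all child scopes, resource ids compare
case-insensitively, and a role permits an action when some Actions pattern
matches it and no NotActions pattern does. Permissions are additive across
assignments; deny assignments are not modelled.
"""
import re

# Abridged, constructed role definitions (built-in roles have more entries).
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
RG_APP = f"{SUB}/resourceGroups/rg-app"
RG_OTHER = f"{SUB}/resourceGroups/rg-other"
APP1 = f"{RG_APP}/providers/Microsoft.Web/sites/app1"
APP2 = f"{RG_OTHER}/providers/Microsoft.Web/sites/app2"

# Constructed assignments: (principal, role, scope).
ASSIGNMENTS = [
    ("deploy-sp", "Contributor", RG_APP),  # resource-group scope
    ("auditor", "Reader", SUB),            # subscription scope
]


def scope_covers(assigned_scope, target_scope):
    """True if an assignment at assigned_scope applies to target_scope.

    A scope covers itself and every scope beneath it; ids are case-insensitive.
    """
    a = assigned_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def action_matches(pattern, action):
    """Azure action wildcard: '*' matches any run of characters, '/' included."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_allows(role, action):
    """Actions grant, NotActions subtract from what Actions granted."""
    definition = ROLES[role]
    allowed = any(action_matches(p, action) for p in definition["Actions"])
    denied = any(action_matches(p, action) for p in definition["NotActions"])
    return allowed and not denied


def is_permitted(principal, action, target_scope, assignments=ASSIGNMENTS):
    """True if any of the principal's assignments covering target_scope allows action."""
    return any(
        scope_covers(scope, target_scope) and role_allows(role, action)
        for who, role, scope in assignments
        if who == principal
    )


def visible_resources(principal, resources, assignments=ASSIGNMENTS):
    """Resources the principal can read, which is what the portal lists."""
    return [r for r in resources if is_permitted(principal, "Microsoft.Web/sites/read", r, assignments)]


if __name__ == "__main__":
    for who in ("deploy-sp", "auditor"):
        print(who, "sees:", visible_resources(who, [APP1, APP2]))
    print("deploy-sp may assign roles in rg-app:",
          is_permitted("deploy-sp", "Microsoft.Authorization/roleAssignments/write", RG_APP))
```

Run as a script it shows that `deploy-sp` sees only the app in `rg-app` while the subscription-scoped `auditor` sees both, and that Contributor at resource-group scope still cannot write role assignments there because of its NotActions. The same check explains the first question on this page: a principal with no assignment covering a resource group's scope in the directory the subscription trusts will not see it at all.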

"No subscriptions found for Azure Account"

In an Azure trial subscription my MSN email is associated with another account with owner rights. But when I try to access Azure publishSettings it generates an error: No Subscription found.
Please help me to resolve the issue. Do I need Co-administrator or Service Administrator rights along with owner rights ?
Service Administrator and Co-Administrator originated with the old portal at http://manage.windowsazure.com. The new portal, found at http://portal.azure.com, has introduced role based access control (RBAC), which provides the notion of Owner. You can find a lot of details about RBAC at https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/.
When RBAC was rolled out, Administrators were automatically added as Owners. It's possible to be an RBAC Owner in a subscription without being an Administrator, as Owner applies to ResourceGroups or Resources within a subscription.
The webpage you're trying to use has been available for a long time and from the looks of it has not been updated to support RBAC. The download of the publish profile from that webpage is based on selecting a subscription, to which an Owner of a ResourceGroup or Resource would not necessarily have full access.
That means if you have your account added as a Co-Administrator or Service Administrator, that webpage should work.
It could be the difference between Microsoft Account and Azure Active Directory Account. Check which you are using.
I suggest you to clear all cookies, cache and temporary internet files on browser or use InPrivate/Incognito mode. Login again and it will work.
Click the "Sign Out" button and then login with the account that is associated with your trial. Owner rights should be sufficient.
You may have found an answer but in searching for an answer I found this link which says the owners you added through the Azure portal cannot manage services in the Azure classic portal.
So I MUST add a co-administrator IN the classic portal so they can administer the classic portal.
Worked immediately after adding my New Portal global admin as a co-administrator in the classic portal.