Managing Default Azure Directory - azure

I signed up for an azure subscription and a default directory was provisioned for my subscription.
I cannot manage the default directory (e.g. create users or groups) via the Azure portal. The portal replies with: "You do not have permission to access these resources."
While I understand that an admin role for an Azure subscription is not the same as the admin role to manage an Azure Active Directory, I am unable to find any MS guidance on how to assign the AD Global Admin role to my Azure admin/subscription identity.

You have to be a Global Administrator in the directory to create users. Oddly though, you should already be one. When you sign-up for an Azure subscription you are automatically added to the default directory as a Global Administrator. At least that is how it used to work - perhaps it changed.
Anyway, this has the information you need and should get you going.

Related

Azure subscription not showing up for a new user added to the active directory

I have added a new user to the Azure active directory which is associated with Azure subscription. The user is added with the Global Administrator role.
However, when the user tries to log in to the portal, no subscription is showing up. Tried logging off and logging in multiple times, but the subscription is not showing up.
Having rights to Azure AD doesn't necessarily give you rights to an Azure Subscription; they are separate. You can either Elevate access for Global Admins to manage your Azure subscriptions, or you can go to the Azure Subscription IAM settings and add the new user to a role.
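The two fixes named in the answer, as an added example using the Az PowerShell module (this is not code from the answer above). It first lists the signed-in user's Azure RBAC assignments, which is what the portal uses to decide which subscriptions to show, then demonstrates the normal fix (a subscription role assignment) and the break-glass fix (a Global Administrator elevating to User Access Administrator at root scope). The subscription id is a placeholder; the `Reader` role is chosen as the least-privilege starting point and can be raised to `Contributor` or `Owner` where the user actually needs it.

```powershell
# Added example, not part of the original answer. Assumes the Az module
# (Az.Accounts, Az.Resources) and an interactive sign-in as the new user.
Connect-AzAccount | Out-Null

# The signed-in user's UPN, e.g. admin@contoso.onmicrosoft.com
$upn = (Get-AzContext).Account.Id

# 1. RBAC view: directory roles (Global Administrator) do not appear here.
#    With no assignments at any scope the portal lists no subscriptions.
$assignments = Get-AzRoleAssignment -SignInName $upn -ExpandPrincipalGroups
if (-not $assignments) {
    Write-Host "No Azure RBAC role assignments for $upn; the portal will show no subscriptions."
}
$assignments | Select-Object RoleDefinitionName, Scope

# 2a. Normal fix: an Owner / User Access Administrator of the subscription
#     assigns the user a role at subscription scope. Placeholder id below.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
New-AzRoleAssignment -SignInName $upn -RoleDefinitionName 'Reader' `
    -Scope "/subscriptions/$subscriptionId"

# 2b. Break-glass fix: a Global Administrator elevates itself to
#     User Access Administrator at root scope "/" (covers every subscription
#     in the tenant). Sign out and back in afterwards so the new assignment
#     is reflected in the portal and in Get-AzRoleAssignment.
Invoke-AzRestMethod -Method POST `
    -Path '/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01'

# Once the subscription-level assignments are in place, remove the root
# assignment again; it is meant for recovery, not day-to-day use.
Remove-AzRoleAssignment -SignInName $upn `
    -RoleDefinitionName 'User Access Administrator' -Scope '/'
```

The root-scope assignment created by elevateAccess shows up in `Get-AzRoleAssignment -Scope '/'`, so it is easy to audit which Global Administrators have elevated and whether they cleaned up afterwards.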

Azure Add App Registrations you don't have Permission

I'm trying to register an application in Azure following these instructions in the link below.
I go to "App Registrations > New Registration" and get the error "Access Denied You don’t have permission to register applications".
My user permission in the Azure Portal is Owner.
I can't find what permissions I need to set for my user so I can add a new app registration.
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
Owner role is an Azure RBAC role and is not the same as Azure AD directory roles which you need to register apps.
Azure RBAC roles apply to subscriptions and resources within them.
Azure AD tenants are above subscriptions.
Your Azure AD admin needs to give you at minimum Application Developer directory role.
Since I had access to more directories, I was just on the wrong one.
So in my case that was my problem, and by switching directory to the correct one where I had access my problem was solved.
First I checked that I was given the access mentioned above.

Can not create a Run as account and I do have owner rights in the subscription

I found out that you need to have owner rights of your subscription to add a Run as account in an Automation account. But as I search in my services I can see that my role inside the subscription is as an owner. Still I can't create a Run as account because I don't have enough permissions?
Is it enough to only have the owner rights of the subscriptions or do I need any more permissions?
The issue was caused by your not having the permission to create the AAD App.
If you want to configure Run As accounts, you also need to have the permission to create the AAD App.
For more details about the permissions, refer to this link.
Except for the permissions equivalent to the Owner role for Microsoft.Automation resources, you need to check these:
In the Azure portal, under Azure Active Directory > MANAGE > App registrations, if App registrations is set to Yes, non-admin users in your Azure AD tenant can register Active Directory applications. If App registrations is set to No, the user who performs this action must be a global administrator in Azure AD.
Ref: https://learn.microsoft.com/en-us/azure/automation/automation-create-standalone-account#permissions-required-to-create-an-automation-account
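Both the "Owner role is not a directory role" answer above and this Run As account answer come down to the same two checks: the tenant-wide "Users can register applications" setting and the signed-in user's directory roles. The following is an added example (not code from either answer) that reads both through the Microsoft Graph PowerShell SDK. The UPN is a placeholder; the list of roles that permit app registration is taken from the answers (Application Developer, Global Administrator) plus the Application Administrator and Cloud Application Administrator roles that Microsoft documents as also able to create app registrations.

```powershell
# Added example, not part of the original answers. Assumes the Microsoft.Graph
# PowerShell SDK (Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users).
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All' | Out-Null

# (1) Tenant default user permissions. AllowedToCreateApps is the value behind
#     the portal's "App registrations: Yes/No" (a.k.a. "Users can register
#     applications") setting.
$policy        = Get-MgPolicyAuthorizationPolicy
$canCreateApps = $policy.DefaultUserRolePermissions.AllowedToCreateApps
Write-Host "Non-admin users can register applications: $canCreateApps"

# (2) Directory roles held by a user. Azure RBAC roles such as Owner are not
#     returned here; they live on subscriptions, below the tenant.
$upn  = 'user@contoso.onmicrosoft.com'   # placeholder
$user = Get-MgUser -UserId $upn
$roles = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
Write-Host "Directory roles for $upn`: $($roles -join ', ')"

# Directory roles that permit creating an app registration when the tenant
# setting is No. Application Developer is the least-privileged of these.
$appRegistrationRoles = @(
    'Application Developer',
    'Application Administrator',
    'Cloud Application Administrator',
    'Global Administrator'
)

if ($canCreateApps -or ($roles | Where-Object { $appRegistrationRoles -contains $_ })) {
    Write-Host "$upn can register applications (and therefore create a Run As account)."
} else {
    Write-Host "$upn cannot register applications: ask a directory admin for the Application Developer role."
}
```

Keeping the tenant setting at No and handing out Application Developer to the few people who need it is the tighter configuration; with the setting at Yes every member user can create app registrations, which is the state the Run As account answer relies on.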

How to grant subscription access to an azure registered application?

I am trying to set up octopus to deploy resources to azure.
Under azure active directory I've added a new app registration, and have generated a key and hooked up octopus with the correct Application ID, Tenant ID and key
The organisation has multiple azure subscriptions corresponding to the environments, so I've noticed if I use the Subscription ID of my "Visual Studio Professional MSDN" subscription it works and creates the resources, however if I try to use any of the other organisation Subscription IDs I get the following error:
Login-AzureRmAccount : The provided account c0b2.......76a6 does not
have access to subscription ID "f06.......2aa3". Please try logging in
with different credentials or a different subscription ID.
I have looked through all the settings of the Application Registration and granted it every "Windows Azure Active Directory" permission available, but still no luck.
How do I go about granting permissions to this Application Registration so that it can access the relevant subscriptions?
You need to give the app a role on the subscription/resource group/resource you want it to be able to access.
So for example, you can go to the Access Control (IAM) tab of the subscription, and give the app the Contributor role, which allows the app to read and modify anything in the subscription.
You can also give a more limited role if desired.
Roles can also be applied at a lower scope, like a resource group.
More info in the docs: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
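The role assignment described in the answer, as an added example with the Az PowerShell module (not the answer's own code). It assigns the role to the app registration's service principal, which is the identity Octopus authenticates as, at either subscription or resource-group scope, verifies the assignment, and then repeats the sign-in that was failing. The application id, subscription id and resource group name are placeholders; the script assumes the app registration lives in the tenant the target subscription trusts, which is what produces the "does not have access to subscription ID" error when no role has been assigned.

```powershell
# Added example, not part of the original answer. Assumes the Az module and a
# sign-in as a user who is Owner or User Access Administrator on the subscription.
Connect-AzAccount | Out-Null

$appId          = '00000000-0000-0000-0000-000000000000'   # Application (client) ID from the app registration
$subscriptionId = '11111111-1111-1111-1111-111111111111'   # subscription that rejected the login
$resourceGroup  = 'rg-octopus-deploy'                       # optional narrower scope (placeholder)

# Roles are assigned to the service principal (the app's identity in this
# tenant), not to the app registration object or to its API permissions.
$sp = Get-AzADServicePrincipal -ApplicationId $appId
if (-not $sp) { throw "No service principal for application $appId in this tenant" }

# Option 1: Contributor on the whole subscription, as the answer suggests.
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' `
    -Scope "/subscriptions/$subscriptionId"

# Option 2 (least privilege): Contributor on a single resource group only.
# Deployments that create resource groups themselves need option 1.
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' `
    -Scope "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# Verify what the principal now holds (propagation can take a few minutes).
Get-AzRoleAssignment -ObjectId $sp.Id | Select-Object RoleDefinitionName, Scope

# Repeat the step that failed, this time as the service principal.
$secret = Read-Host -AsSecureString -Prompt 'Client secret'
$cred   = [pscredential]::new($appId, $secret)
Connect-AzAccount -ServicePrincipal -Credential $cred `
    -Tenant (Get-AzContext).Tenant.Id -Subscription $subscriptionId
```

Granting the app "Windows Azure Active Directory" API permissions, as the question tried, changes what the app may read from the directory; it never grants access to subscriptions, which is decided only by the RBAC assignments listed above.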

How to Delete Multiple Azure Active Directories and restore to original state?

I have a Microsoft Azure pay-as-you-go subscription. When I first started to try Azure, I created a lot of trial directories and services. Now I would like to clean up my account, but I am unable to delete the Active Directory because I am a user in that directory. How can I clean up my Azure and restore it to a first-time-use state?
The error message is:
User akisha#akisha.com is a Service administrator for subscription Access to Azure Active Directory and cannot be removed.
Firstly, you should know the following about deleting an Azure AD directory:
Only the user who has been assigned the "Global Administrator role" can delete the directory. By default, the user who signs up for Azure subscription will get this role.
Any other users in the directory except the global administrator should be deleted before you delete the directory. Any applications should be deleted as well.
You cannot delete the Azure AD directory in the Azure portal if there are still Azure subscriptions associated with this directory.
A work or school account cannot delete his/her home directory (the directory in which the account was created). Only a guest user (an external user added from another directory, or a Microsoft account) can delete the directory.
Just think about the following two scenarios:
1. You use a work or school account (Azure AD account) to sign up for Azure
When you sign up for the Azure subscription, you already have an Azure AD directory which contains the default domain. Your sign-up account will be assigned both the Service Administrator role for Azure and the Global Administrator role for Azure AD. In this case, you cannot delete this default directory because this is the home directory of that account.
2. You use a Microsoft Account (outlook, hotmail, etc.) to sign up for Azure
In this scenario, this account is a guest user in the default directory (directory A). Assume that he/she later creates another directory (directory B). By default, the Azure subscription will be associated with directory A and you cannot delete it, as noted above. However, you can change the associated directory to directory B on the Settings node (Azure classic portal). After doing this, you will be able to delete directory A because the association has been removed.
I wrote a blog page on how to delete an active directory tenant. I have updated the process to use the new portal and the newer AzureAD PowerShell cmdlets.
https://blog.nicholasrogoff.com/2017/01/20/how-to-delete-an-azure-active-directory-add-tenant/
If you just want to clear out all the users, applications and other stuff then you can use PowerShell commands like
Get-AzureADGroup | Remove-AzureADGroup
Get-AzureADUser | Remove-AzureADUser
etc..
To fully remove the AD Tenant you do need to clear it out and my blog explains how to do this with Principals and Applications, but the principle is the same for all objects.