What I need is:
Administrator-level-1 (Can edit all simple users and administrators of level 2 and 3)
Administrator-level-2 (Can edit all simple users and administrators of level 3)
Administrator-level-3 (even less permissions)
By saying edit I mean change password at least. Tried to experiment with roles, permissions, Organization hierarchy etc. Is this possible?
You could create an Organization for each level and then create a single Organization Role with the following permissions:
User / Update
Organization / Manage Users
Organization / View
Once that is done you assign the level admins to this role on the corresponding organizations.
I need to create multiple users in the same AD and need to isolate the resources created by one user from another user. Is it really possible? Since I am new to Azure I am not aware whether this is really possible. It would be great if someone could lend a hand and advise on this.
There is no absolute isolation, there are only certain restrictions.
The users created in the AAD tenant are all Members by default; they have the default permissions, e.g. Read all properties of groups, Read properties of registered and enterprise applications. So if user A creates some resources, e.g. a group or an application, user B will also be able to read their properties.
There are some restrictions, like Manage properties, ownership, and membership of groups the user owns, and Manage application properties, assignments, and credentials for owned applications. This means some properties of the resources can only be managed by their Owner.
For more details about the default user permissions, you could refer to https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
And if the user is assigned an admin role in the tenant, they will have more permissions than the default users, see https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles
I am trying to create a new collection-level custom group whose members would see all projects under my organisation but could not set access rights in the organisation or projects unless added to Project Admins. However, I do not find any place where I could restrict user access for this group's members. Also I cannot find anything that would automatically give access to all projects. However, the Project Collection Administrators group has this permission but it is not visible anywhere.
There is no such permission that lets users see all projects (excluding public projects) under the organisation. You have to add the users to the projects, at least to the Readers group, and then they can see the team projects.
You could add a group rule, add the users in this group, and then assign all team projects to them.
For more details on permissions, please refer to the following link:
https://learn.microsoft.com/en-us/azure/devops/organizations/security/permissions?view=azure-devops&tabs=preview-page
Description
I am adding a project's team members as Project Collection Administrators within the Organisation. To make this easier, I wanted to add the Project Team group as such: [Team Name]\Team, to enable more people to be added as admins as the project grows. This appears to be allowed^ but I get an error "We are unable to add members to this group at this time. Please try again at a later time or contact support for help"
^ Link to DevOps Documentation:
https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/manage-azure-active-directory-groups?view=azure-devops
Other Tries
I have tried doing it later and also added groups that belong to the organisation such as [org name]\[Team lead Developers] or [org name]\Project Collection Test Service Accounts. These are all allowed but not the group formed by Project Teams.
Steps to the issues
Add a project team group to one of the default organisation permissions groups such as the Project Collection Administrators.
Error is:
We are unable to add members to this group at this time. Please try again at a later time or contact support for help
I expect the group to be added like any other group.
Any ideas to this issue?
Cheers.
This is as designed.
The Add operations between groups need to be at the same level, or a higher-level group added to a lower-level group. For example, an organization group can be added to a project group; the reverse is not possible.
So, if the group is a project group, then this project group could not be added to an organization group.
For Project level administration (not Organization level), you can make a specific Team have Project Administration level permissions from this menu:
Project Settings > Security > (select team) > Permissions
and then set the following to Allow:
Edit project-level information
Essentially, your goal will be to copy any desired permits from the Project Administrators to the [team] permits.
Really, you can set all these permissions to "Allow" if you really want that [team] to have "full" access to administer.
This will give that team a lot of flexibility to administer within the Project space. It will not, however, let them administer licensing and other Org-level items. From my experience, you cannot add [Team] to [Org]-level groups; though you can add [Org] groups to [Project] and [Team]-level groups.
If you really want large groups to administer, and you have AD integration, then you can add an AD email distro or security group to the Project Collection Administrators group. That's not something I would ever do since that would be considered dangerous in my Company, but you may not have the same requirements for security, access, and cost controls.
We invite Azure B2B guest users to our AD in order for them to access a web application. Part of this process also adds them as members of a specific security group.
What I have noticed is that a B2B user can log in (https://account.activedirectory.windowsazure.com) and is able to see the other members of the group that they are members of.
Given that this information contains customer email addresses, it presents issues relating to GDPR.
The AD Administration Portal user settings are set to "restrict access to Azure AD admin portal"
Any ideas how we could restrict B2B users from being able to enumerate group membership in this manner?
Let me list some facts:
The below part is a manual step that is not related to adding a B2B guest user:
"Part of this process also adds them as members of a specific security group."
When you create a security group, all members can see the available information of the other members.
As guest users on Azure are identified using their email, the email addresses of all members of a security group will be visible to the other group members.
The workaround for this is to create a separate security group for each domain (i.e. each company, or each group of users who share the same @xxxx.com in their email). Then gather all those groups in a single parent security group and assign access to that parent group.
This way, all guest users will have the same resource access, but each group will only be able to see information about members in their own subgroup.
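The per-domain subgroup workaround above, modelled as an added example (not code from the original answer or from Azure AD): a flat group reproduces the enumeration problem, the nested layout shows that access stays the same while visibility shrinks to the member's own domain group. The group names, the sample emails and the visibility rule (a member sees only the direct members of the groups it belongs to) are assumptions.

```python
"""Model of the per-domain subgroup workaround for B2B guest enumeration.

Assumptions (constructed, not from the original thread): group membership is
a plain dict of name -> set of members, a member can enumerate only the direct
members of groups it belongs to, and resource access follows nested
(transitive) membership, which is how the parent group grants access.
"""
from collections import defaultdict


def domain_of(email):
    return email.rsplit("@", 1)[1].lower()


def flat_groups(guests, parent="app-users"):
    """The original layout: every guest is a direct member of one group."""
    return {parent: {e.lower() for e in guests}}


def nested_groups(guests, parent="app-users"):
    """The workaround: one group per email domain, all nested in the parent."""
    groups = defaultdict(set)
    for email in guests:
        groups["guests-" + domain_of(email)].add(email.lower())
    groups[parent] = set(groups.keys())  # parent's members are the subgroups
    return dict(groups)


def direct_groups(groups, member):
    return {name for name, members in groups.items() if member in members}


def visible_members(groups, user):
    """Members the user can enumerate: direct members of the user's own groups."""
    seen = set()
    for name in direct_groups(groups, user.lower()):
        seen |= groups[name]
    seen.discard(user.lower())
    return seen


def has_access(groups, user, granted_group):
    """Access granted to one group reaches members of any nested subgroup."""
    frontier, reached = {user.lower()}, set()
    while frontier:
        for name in direct_groups(groups, frontier.pop()):
            if name not in reached:
                reached.add(name)
                frontier.add(name)
    return granted_group in reached


GUESTS = ["alice@contoso.com", "bob@contoso.com", "carol@fabrikam.com"]  # constructed
```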
We want some users of one of our SharePoint sites to manage permissions on their site but do not want to give them the permission called "Manage Permissions", because if we do so, the users start assigning the built-in permission level "Full Control" to themselves. How can we achieve this?
Please note that the users with the permission level "Manage Permissions" can create and change permission levels on the Web site [Ref: Microsoft]. What we want is for them to only be able to create users and groups, and assign certain permissions on the site to those users and groups.
"we want for them ... and assign permissions"
You DO realize that they can just as easily be assigning Full Control to these groups? Isn't that what you say you want to AVOID?
Manage the permissions for them, and allow them to self-manage the GROUP MEMBERS. That way they can add people to the "publishers" group... and the net result is that the user has "publish" permissions.
Solution 2 can be extrapolated for some very granular needs, but I don't explain how because I wouldn't recommend it.