I granted someone in my org a Storage Blob Data Contributor Role on an Azure Storage Account. The user is unable to add the Storage Account to Azure Storage Explorer (ASE).
Upon opening ASE (and being authenticated to the correct Azure Subscription), the Storage Account is not listed under Emulated & Attached.
Steps taken by user to attempt to connect:
Open ASE
Click Open Connect Dialog
Select ADLS Gen2 Container or Directory
Note: Account kind = StorageV2 (general purpose v2) which I think is considered ADLS Gen2
Select Sign-in with AAD, then Sign-in as needed
Name the connection and enter the Container URL
Issue:
For the user in question, at this point of the process, the Next button is grayed out.
(Its available to me in the screenshot as I have correct role).
As soon as I give the user Contribute access on the Account, they refresh and the Account shows up under the Emulated & Attached section of ASE. However, Contribute Role on the entire Account is too permissive in this case and was done only for troubleshooting.
Question:
How do users with Storage Blob Data Contributor Role interact with Storage Containers in ASE?
Note that, Storage Blob Data Contributor role is enough to interact with storage containers in ASE.
I tried to reproduce the same in my environment and got below results:
I created one general purpose v2 storage account and assigned "Storage Blob Data Contributor" role to one user like below:
Now I signed into Azure Storage Explorer with demo user account like below:
I followed same steps as you mentioned to connect storage container like below:
To connect, I selected Sign in using Azure AD account like below:
Make sure to select correct user and tenant like below:
When I entered connection name and container URL, the Next button is not grayed out for me like below:
After selecting Next, I got Summary screen to connect as below:
Now, I'm able to see the connection successfully under Emulated & Attached like below:
Reference:
Azure Storage Explorer troubleshooting guide | Microsoft
Related
We have an application which parses the Audit Logs emitted by Azure AD. More specifically we are parsing the 'Update application' log to detect when a new Role has been added to an Application (see example below).
We would like to find out more information about the "DirectAccessGrantTypes" and "ImpersonationAccessGrantTypes" fields. If someone can point us to documentation for this that would be great.
[{"EntitlementEncodingVersion":2,"EntitlementId":"654a4f1f-1b7f-4354-a6d6-fcf7346af0ec","IsDisabled":true,"Origin":0,"Name":"Data Manager","Description":"Manager for test app","Definition":null,"ClaimValue":"DataManager","ResourceScopeType":0,"IsPrivate":false,"UserConsentDisplayName":null,"UserConsentDescription":null,"DirectAccessGrantTypes":[20],"ImpersonationAccessGrantTypes":[],"EntitlementCategory":0,"DependentMicrosoftGraphPermissions":[]},{"EntitlementEncodingVersion":2,"EntitlementId":"3d03256d-cf0c-4553-b8af-98d7ebbee1f2","IsDisabled":false,"Origin":0,"Name":"Application Manager","Description":"Admin for test app","Definition":null,"ClaimValue":"ApplicationManager","ResourceScopeType":0,"IsPrivate":false,"UserConsentDisplayName":null,"UserConsentDescription":null,"DirectAccessGrantTypes":[20],"ImpersonationAccessGrantTypes":[],"EntitlementCategory":0,"DependentMicrosoftGraphPermissions":[]},{"EntitlementEncodingVersion":2,"EntitlementId":"88d0d3e3-b661-4760-aea3-f4548db1ff96","IsDisabled":false,"Origin":0,"Name":"Read","Description":"Allow users to add a admin consent","Definition":null,"ClaimValue":"Read","ResourceScopeType":0,"IsPrivate":false,"UserConsentDisplayName":null,"UserConsentDescription":null,"DirectAccessGrantTypes":[],"ImpersonationAccessGrantTypes":[{"Impersonator":29,"Impersonated":20}],"EntitlementCategory":0,"DependentMicrosoftGraphPermissions":[]}]
From article > View reports & logs in entitlement management - Azure AD | Microsoft Docs
When Azure AD receives a new request, it writes an audit record, in
which the Category is EntitlementManagement and the Activity is
typically User requests access package assignment. In the case of a
direct assignment created in the Azure portal, the Activity field of
the audit record is Administrator directly assigns user to access package, and the user performing the assignment is identified by the
ActorUserPrincipalName.
Application Impersonation is basically an administrator-managed, not user-managed permission.
Impersonate access grants logs gives information ex:count., of users given consent by the admin to access the application to impersonate user.
ImpersonationAccessGrantTypes gives count or info of access grants by admin on behalf of user whereas DirectAccessGrantTypes gives info about the users who directly access the application ,as they are already assigned by admin.
Reference:
Multiple Client applications authorisation to WebApi (microsoft.com)
I have a specific problem to which I couldn't find any answer online.
The situation is the following:
We created a Canvas app that connects to the Azure SQL database. We set the connection type to be AAD integrated.
Users that are members of the AD can see the data in the app, but guest users, even though we gave them all the rights and PowerApps plan, cannot see the data. they recieve the same authorization window as members, but when they click on allow, the app starts but no data is being pulled from the SQL database.
When we try to connect directly to the Azure SQL database with the guest user email and credentials (via SQL server management studio), everything works as expected and the guest can see all the tables.
When we use implicitly shared connection (with SQL server authentification), guests can see the data, but we need to use AAD integrated due to its security.
So far we tried:
Changing PA environment from sandbox to production
Adding special permissions in SQL database like database owner etc
Trying out different AAD guest user settings, eq- setting that guest users have the same privileges as members (picture below).
Nothing seems to work. I would be more than happy if you could tell me how to make this work or even push me in the right direction.
I've reproduced your problem in my side. Here's my experience.
After assigning powerapp license(I use O365 E5 here) to guest account and share the app to this account, I can visit the app but can't see the data in the table. I assume that it resulted from the connector hasn't been shared, but it's true that this connector can't be shared because of no 'share button'.
Then I tried to add access policy to my guest account with these two sql:
CREATE USER [tiny-wa_outlook.com#EXT##xx.onmicrosoft.com] FROM EXTERNAL PROVIDER;
GRANT SELECT ON dbo.tinyTest TO [tiny-wa_outlook.com#EXT##xx.onmicrosoft.com];
Pls note here, I used the User Principal Name here(can find the principal name in azure ad->users), I also tested to use 'tiny-wa#outlook.com' in the sql but after executing successfully, it didn't work.
So I think you can try to use the sql above to add your guests accounts and make them can access the powerapp.
Here's some related docs:
create contained users mapped to azure ad identities
Share app resources
add table permission to user
==========================UPDATE==========================
Share my experience of this troubleshot.
First I need to create a power app but I found that after creating the connector with sql server azure ad authentication, it can't connect to the sql server, the error message is like 'Credentials are missing or not valid. inner exception: The credentials provided for the SQL source are invalid', solution is add my admin account as sql server instance Active Directory Admin.
Then I choose a table and successfully create a sample app. With the creating account, I can visit the app but other accounts can't. Here needs to share the app and it's related connectors to other users. But other accounts still can't reach the app because of no license. Because sql server connector is premium connector, so I assign O365 E3 license here. I met an error when assign license, the user's 'Usage location' can't be null or it can't assign license in M365 admin center.
Then I met similar error with Op, the difference is that both member account and guest account can't see the data in app. I try to find the way to share the connector to these uses but failed, I haven't made sure if those connectors without share button can be shared to others. So I have no options to study if this kind of connectors are authenticated in other ways so they don't need to be shared at all.
Next actions is using the account which used to create the sql server and database to sign in database and execute the sqls above.
Then the member account can see data in the power app while the guest account can't see. The reason is I used xx#outlook.com as the parameter in the sql, when I used xx_outlook.com#EXT##xx.onmicrosoft.com, it worked finally.
Hope this can also help you.
===================================================
For creating my demo app: First, I'm sure my environment isn't a sandbox(the environment in the screenshot below). And I think it's easy to create a demo app, and my app is simple, just choose to create an app from data and then select sql server as the connector, next I choose auzre ad auth and click the connector, enter server name and database name then choose a table, after that my app has created. That table has one row of data so when I signed in the app with the creating account, I see it in the screen while other accounts(member or guests) can't.
My sql server instance and database are created long time ago, but I'm sure I followed this tutorial to create them.
This appears to still be a limitation to access to Azure SQL via PA connector for guest users:
https://powerusers.microsoft.com/t5/Power-Apps-Ideas/Azure-SQL-to-PowerApps-Connector-AAD-doesn-t-work-for-guest/idi-p/1637817
If the "guest" does NOT have a PowerApps Per-App/Per-User plan, they cannot use your PowerApps with SQL data source (Note: SQL is a premium connector).
Determine exactly which type of license the guest has. Then, either your organization or the guest (or guest's org) must purchase one of these licenses. $5/$10/$20 per month depending on your use case.
REF
I have registered an app in AAD and as a admin I want to provide permission for user to read or access the data of particular group list not all group available in my MS team account. How can be achieve this any idea?
No. Azure AD app doesn't provide such a feature that scopes Microsoft Graph application permissions to specific Microsoft Teams/Groups.
The client credential flow is used to as an authorization grant typically when the client is acting on its own behalf. When you give Group.Read.All or Files.Read.All or other similar application permissions, it means the client has access to all the files/groups across the entire tenant.
You can achieve this by implement the business logic in your code. For example, providing a configuration file which includes the particular groups'/teams' object ids. And then restrict the access for users to only these groups/teams by checking if the object ids (which users are trying to access) are in the configuration file.
I'm working on improving the user experience for our org when logging into snowflake. We have adfs sso enabled and are provisioning mapping users to roles using azure ad. I had a colleague attempt to sign in with SSO who didn't have a user account created in snowflake and they were greeted with
"The signed in user <user#email.com> is not assigned to a role for the application (Snowflake)".
My question is, is it possible to have users sign into snowflake without being mapped to a default role, perhaps only have the public role assigned, and without being synced with azure ad.
If it is, i'd appreciate any pointers to documentation i can reference. The goal is to get all users that can SSO, to by default be able to login
AD group syncing occurs every 40 minutes in Microsoft, and I don't believe it's possible to force a sync or change this time frame. In addition, like the OP mentioned Snowflake cannot connect to an on-prem ADFS server so all users must be in Azure AD.
AD group syncing is somewhat configurable via the "Scope" (see Step 15 of this tutorial)
If your Scope is set to "Sync only assigned users and groups", you can either
Change the scope to "Sync all users and groups" (may cause issues if you don't want to import all this data into Snowflake)
or
Confirm that your desired users' AD group is one of those assigned to be synced to Snowflake (requires manually assigning these users, or that all of these users are part of the same AD group that you choose to sync to Snowflake).
By seeing the error its not allowing user who don't have appropriate role for the application.
In these why can't we create generic stored procedure to assign default role and instance to new user based on the group they belong to.! Each time if we add any new user then we have to run stored procedure to assign default role and object prior to his login to snowflake.
I am using Redgate Data Platform Studio to transfer data from on-premise SQL Server to Azure-hosted SQL Server. This web-based application has the ability to use an Azure Storage account (for data transfer purpose) simply by logging into my company's ADFS. The web application can successfully see storage accounts inside a subscription (let's call it Subscription A) owned by my ADFS user, when I log in to my company's active directory (via ADFS). Let's call my company's AD Directory A.
I also have subscription B owned by a Microsoft account NOT related to my company's Active Directory. This subscription B is managed by another Azure AD Tenant B, with that Microsoft account as the Service Administrator & Owner. To link the two directories, I used B2B State 3 configuration described here. So in Directory B, my Directory A user shows up as Guest User with the Source=External Azure Active Directory.
For the storage accounts in Directory B, I grant the built-in role "Storage Blob Data Contributor" and "Storage Account Contributor" to the Guest User (source=external AAD Directory A). Therefore, in both Microsoft Azure Storage Explorer as well as in portal.azure.com I can see storage accounts inside Subscription B.
BUT if I log in to the Redgate application using Directory A credential (via my company's ADFS), only storage account inside Subscription A shows up in the Redgate application. I already tried giving the guest user in Directory B the following roles to the user, even at the highest Subscription B level, but no luck:
As Co-Administrator
As Contributor
As Storage Account Contributor
As Storage Blob Data Owner
My question: is this the application's limitation of not being able to access subscription in another directory (B), or is there some configuration either in directory A/B and/or subscription A/B that I need to set?
Is this the application's limitation of not being able to access subscription in another directory?
As per my official document and my understanding you cannot assign your subscription among many directory.
As said on official document "Multiple subscriptions can trust the
same Azure AD directory, but each subscription can only trust a single directory".
See the below screen shot and refer here
Note: When you associate a subscription to a different directory, users that have roles assigned using role-based access control (RBAC)
will lose their access. Classic subscription administrators
(Service Administrator and Co-Administrators) will also lose
access. Please check the Important Note here
If you want to know more details please refer this docs