Azure Active Directory: "user administrator" can not delete users if assigned to administrative unit

I have created some limited administrators in my Azure Active Directory. These should only be able to manage certain users. For this I added the users that should be managed to an administrative unit and gave the administrators the "User Administrator" role for the administrative unit. They can now edit/manage all aspects of the users as intended. However, they cannot delete the users.
This should be possible. Here is the description of the user administrator role from Microsoft:
"Users with this role can create and manage all aspects of users and
groups. Additionally, this role includes the ability to manage support
tickets and monitors service health. Some restrictions apply. For
example, this role does not allow deleting a global administrator.
User account administrators can change passwords for users, helpdesk
administrators, and other user account administrators only".
The users in the administrative unit are of course not administrators.
If I assign the administrators the "user administrator" role for the whole AAD tenant, then they can delete users.
Here Microsoft also clearly describes that with this role you should have the right to delete users: https://learn.microsoft.com/de-de/azure/active-directory/roles/permissions-reference#user-administrator
Does anyone understand why this role does not work properly anymore if you assign it to an administrative unit?
Thanks in advance

The user administrator in an Administrative unit can manage all aspects of users and groups, and of course it also includes removing users from the Administrative unit.
However, it cannot delete the user within the scope of the tenant, because the user is created within the scope of the tenant, but the scope of the granted user administrator is limited to one or more Administrative units.
In addition, you only added the user in the Administrative unit instead of creating the user in the Administrative unit, so you definitely cannot delete the user in the tenant scope. Therefore, if you want to delete the user in the tenant scope, you can only grant the user the user administrator role within the tenant scope.

You have to be a Privileged Role Administrator or Global Administrator to add or remove administrative unit members (source).
User Administrator at the Directory level is not sufficient. Custom roles might be another option.
Creating and deleting users in the Directory is a different scope.
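The two answers above turn on the scope of the role assignment: a User Administrator assignment scoped to the tenant ("/") covers every user, while one scoped to an administrative unit covers only that unit's members. The script below is an added example, not code from the original answers: it audits role assignments shaped like the Microsoft Graph response from GET /roleManagement/directory/roleAssignments and reports under which scope a principal holds the role and whether a given user falls inside it. The response and AU membership data are constructed, and the principal, user and AU identifiers are placeholders; the User Administrator template ID is the one Microsoft publishes in its permissions reference and should be verified against your tenant.

```python
"""Audit the effective scope of Azure AD directory role assignments.

Added example (not the original answers' code). Input is shaped like the
Microsoft Graph response to GET /roleManagement/directory/roleAssignments;
the sample data and GUIDs other than the role template are constructed.
"""

# Role template ID of the built-in User Administrator role, as published in
# Microsoft's permissions reference (assumption: verify in your tenant).
USER_ADMINISTRATOR = "fe930be7-5e62-47db-91af-98c3a49a38b1"
AU_PREFIX = "/administrativeUnits/"

# Constructed sample response: Alice holds the role for one AU only,
# Bob holds it for the whole tenant.
SAMPLE_RESPONSE = {
    "value": [
        {"principalId": "admin-alice", "roleDefinitionId": USER_ADMINISTRATOR,
         "directoryScopeId": "/administrativeUnits/au-sales"},
        {"principalId": "admin-bob", "roleDefinitionId": USER_ADMINISTRATOR,
         "directoryScopeId": "/"},
    ]
}
# Constructed AU membership (what GET /administrativeUnits/{id}/members returns).
AU_MEMBERS = {"au-sales": {"user-carol", "user-dave"}}


def scopes_for(response, principal_id, role_definition_id):
    """Return every directoryScopeId under which the principal holds the role."""
    return [a["directoryScopeId"] for a in response.get("value", [])
            if a["principalId"] == principal_id
            and a["roleDefinitionId"] == role_definition_id]


def describe_scope(scope_id):
    """Human-readable label for a directoryScopeId value."""
    if scope_id == "/":
        return "tenant"
    if scope_id.startswith(AU_PREFIX):
        return "administrative unit " + scope_id[len(AU_PREFIX):]
    return "other (" + scope_id + ")"


def in_scope(response, principal_id, role_definition_id, target_user_id, au_members):
    """True if some assignment of the role places target_user_id under the
    principal's scope: '/' covers every user, an AU scope covers only the
    members of that AU."""
    for scope in scopes_for(response, principal_id, role_definition_id):
        if scope == "/":
            return True
        if scope.startswith(AU_PREFIX):
            au_id = scope[len(AU_PREFIX):]
            if target_user_id in au_members.get(au_id, set()):
                return True
    return False


def audit(response, principal_id, role_definition_id, target_user_id, au_members):
    """Summarise the principal's scopes for the role and coverage of one user."""
    scopes = scopes_for(response, principal_id, role_definition_id)
    return {
        "principal": principal_id,
        "scopes": [describe_scope(s) for s in scopes],
        "tenant_scoped": "/" in scopes,
        "covers_target": in_scope(response, principal_id, role_definition_id,
                                  target_user_id, au_members),
    }


if __name__ == "__main__":
    for admin in ("admin-alice", "admin-bob"):
        print(audit(SAMPLE_RESPONSE, admin, USER_ADMINISTRATOR, "user-erin", AU_MEMBERS))
```

Run against a real export, the `tenant_scoped` flag tells you whether an administrator's User Administrator role is tenant-wide or limited to administrative units, which is the distinction the answers above draw between managing users inside the unit and acting on them at tenant scope.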

Related

Not able to access any tabs in AAD

I'm not able to access any tabs in AAD. What could be the issue?
Please check if the points below can be worked around in your case.
Buttons or options being greyed out may be because you do not have global admin rights/user administrator rights on the Azure AD tenant. There are a few roles which can create users within the directory. You may not have any roles within the directory which permit the operations.
Reference: github issue.
Even in Azure AD free edition, one should be able to create the users if you have proper roles.
On completion of the first 30 days of Microsoft Azure’s free trial,
your ‘Free Trial’ Azure Subscription will be disabled. To fix this,
the subscription needs to be changed to the ‘Pay-As-You-Go’ plan
instead of the ‘Free Trial’ plan which it is currently on.
For example: for applications under Enterprise applications, one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
You can check Azure AD built-in roles, and by checking the description of the role, assign the required one to manage identity.
You can assign Azure AD roles to users to manage the identities if you have global or role administrator rights. Approach the admin to assign the roles. Also see custom roles in Azure AD if needed.
Please check if this issue in Microsoft Q&A can relate.
If the issue still remains you can raise a support request in the troubleshoot+support blade.

No user in mongodb with admin privileges - how can I create a user with admin privileges?

At first there is no authentication in mongodb, so I created one for one database with readWrite role.
Now I want to create more users for other databases but as this user doesn't have the privileges to create other users I'm stuck.
The documentation clearly says:
With access control enabled, ensure you have a user with userAdmin or userAdminAnyDatabase role in the admin database. This user can administrate user and roles such as: create users, grant or revoke roles from users, and create or modify customs roles.
If you haven't created such a user, you cannot create it now with authentication and access rights enabled. I guess you need to restart the MongoDB server without authentication enabled, create that admin user, and restart the MongoDB server again with authentication enabled.
I highly recommend you read the complete documentation on how to enable authentication first to understand the complete concept, before you follow it step by step. Otherwise it might be confusing and create the state you are currently locked in, where you cannot continue with all actions.

Power BI Guest users

We have an Azure AD Tenant and External users from different organizations are added as Guest in this tenant.
When sharing content with other users, Guest users from different organizations can see each other. Is there a way to prevent this enumeration? I see that a new feature is coming wherein Guest users cannot be #mentioned.
Try setting "Guest user access is restricted to properties and memberships of their own directory objects". This restriction level is the highest. When guests are restricted, they can only view their own user profiles but not other users. See: restrict guest user access.
Log in to the Azure portal as an administrator, go to User settings>Manage external collaboration settings>Select Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)
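The portal setting in the answer above is stored in the tenant's authorizationPolicy object as guestUserRoleId, which Microsoft Graph exposes at GET /policies/authorizationPolicy. The script below is an added example, not code from the original answer: it classifies the current guest access level from a policy document, says whether guests can still enumerate other users, and builds the PATCH body that moves the tenant to the most restrictive level. The sample policy is constructed; the three role IDs are the values Microsoft documents for authorizationPolicy and should be checked against the current reference before use.

```python
"""Audit the Azure AD guest user access level from the authorizationPolicy
document and produce the hardening change.

Added example (not the original answer's code). The sample policy below is
constructed; the GUIDs are the documented guestUserRoleId values (assumption:
verify against Microsoft's current authorizationPolicy reference).
"""

# guestUserRoleId values documented for the authorizationPolicy resource.
GUEST_LEVELS = {
    "a0b1b346-4d3e-4e8b-98f8-753987be4970": "same as member users",
    "10dae51f-b6af-4016-8d66-8c2a99b929b3": "limited access (default)",
    "2af84b1e-32c8-42b7-82bc-daa82404023b": "restricted to own directory objects",
}
MOST_RESTRICTIVE = "2af84b1e-32c8-42b7-82bc-daa82404023b"

# Constructed sample: a tenant still on the default "limited" level.
SAMPLE_POLICY = {
    "id": "authorizationPolicy",
    "displayName": "Authorization Policy",
    "guestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3",
}


def guest_access_level(policy):
    """Return the documented label for the policy's guestUserRoleId."""
    role_id = policy.get("guestUserRoleId")
    if role_id is None:
        raise ValueError("policy has no guestUserRoleId field")
    return GUEST_LEVELS.get(role_id, "unknown role id " + role_id)


def guests_can_enumerate_users(policy):
    """Only the most restrictive level hides other users' profiles from guests
    (the behaviour the answer above relies on); anything else lets guests see
    other directory users."""
    return policy.get("guestUserRoleId") != MOST_RESTRICTIVE


def hardening_patch(policy):
    """Body for PATCH /policies/authorizationPolicy, or None if the tenant is
    already at the most restrictive level."""
    if not guests_can_enumerate_users(policy):
        return None
    return {"guestUserRoleId": MOST_RESTRICTIVE}


def audit(policy):
    """One-line summary suitable for a periodic tenant configuration check."""
    return {
        "level": guest_access_level(policy),
        "guests_can_enumerate_users": guests_can_enumerate_users(policy),
        "patch": hardening_patch(policy),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```

Apply the returned patch only after confirming that no guest workflow in the tenant depends on guests reading other users' or groups' properties, since the restrictive level removes that visibility for every guest, not just those from other organizations.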

modify permissions of global administrator using graph explorer

I used Graph explorer->Logged in with Global administrator -> Modify Permissions-> chose User.ReadWriteAll,Group.ReadWriteAll,Directory.AccessAsUser.All and then select "access to your entire organization" and logged in again with global administrator
I get below error.
Selected user account does not exist in tenant 'Microsoft' and cannot
access the application 'de8bc8b5-d9f9-48b1-a8ad-b748da725064' in that
tenant. The account needs to be added as an external user in the
tenant first. Please use a different account.
How can I add permissions to global administrator user?
Since your account is a guest in the tenant, you could not use the account to query the tenant, even if you are a global admin.
For more details, refer to this post.
Credentials are only owned by a single tenant. The tenant is discovered by Graph Explorer based on domain. You cannot use Graph Explorer to query tenants your account is a guest on; it can only query the tenant that owns the account. The only way to use those creds with another tenant would be to force the OAuth URI to use that tenant's ID instead of "common". This isn't supported by Explorer. You'd have to download the source and re-engineer the auth process.

Azure AD: how to grant permission for all users within my AD tenant

I am not an admin of my Azure Active Directory. Currently my web API application is able to read directory data when I or any user manually go to the Azure portal and click 'Grant Permissions'.
I set Read directory data under DELEGATED PERMISSIONS.
But I can't go to each user and ask for the same. Is there any way to do this at once for all users of my AD tenant? Thanks!
Because you are not an admin, no you cannot grant permissions on behalf of any other users. The most you can do is grant the application permissions equal to what your user can do, which is what the "Access the directory as the signed-in user" permission does.
However, depending on the data you are trying to read, you may be able to access that data without needing other users to consent. For example, any user has the ability to grant the application the ability to read basic information about all other users in the tenant. You will need to elaborate on your scenario.