In vCenter 6.5 vSphere web client, if I logon as any user other than administrator#vsphere.local, I can't get to a few areas like Administration > Single sign on > Configuration.
I swear I did something to get my other user accounts access before, but if it's not just to give administrator access to 'global access', then I can't remember. vCenter died recently and I had to recreate it.
I'm trying to give otherUser#vsphere.local and an Active Directory group full access to do everything that administrator#vsphere.local can do.
Anyone know how to do this?
Note: I have the vCenter Server Appliance.
There's separate roles and permissions for vCenter and Appliance configurations (such as SSO). Make sure you're properly setting the permissions for those users/groups there as well.
Example of the SSO permissions: link
Related
I'm not able to access any tabs in AAD. What could be the issue?
Please check if below points can be worked around in your case.
Buttions or options being greyed out maybe because , you may not have had global admin rights/user administrator rights on the azure AD tenant. There are a few roles which can create users within the directory. You may not have any roles within the directory which permit the operations.
Reference: github issue.
Even in Azure AD free edition ,one should be able to create the users if you have proper roles .
On completion of the first 30 days of Microsoft Azure’s free trial,
your ‘Free Trial’ Azure Subscription will be disabled. To fix this,
the subscription needs to be changed to the ‘Pay-As-You-Go’ plan
instead of the ‘Free Trial’ plan which it is currently on.
For example :For applications under Enterprise application, one of the following roles: Global Administrator, Cloud Application
Administrator, Application Administrator, or owner of the service
principal.
You can check Azure AD built-in roles, and by checking the
description of role , assign the required one to manage identity .
You can Assign Azure AD roles to users to manage the identities
if you have global or role administrator rights. Approach the
admin to assign the roles .Also see custom roles in Azure AD
if needed.
Please check if this issue in - Microsoft Q&A can relate .
If issue still remains you can raise a support request in troubleshoot+support blade.
(Revised based on comments below)
I know there's a ton of posts like this online and I've browsed many and found no useful help.
I have setup and configured SSRS many times and have not had this problem. The setup is similar to other servers in the past (all stand alone servers - no AD). I can log into Report Manager from a browser on the local server but when I try to access from my remote dev machine or from deploying a report from VS I get the above message.
This is how I'm trying to login which works on other servers but not this one.
http://Server IP/Reports
-Username: Administrator
-Password: admin password
I get the above error even though this is exactly the same as on other servers.
I should mention that I connect using a VPN to the network so I have access to the private IPs as well.
I also tried using he private IP
I also tried MachineName\Administrator
I also tried creating an SQL user with admin privileges and that did not work either.
This is a screenshot from a server where everything is working as expected. Administrators had default permissions (Content Manager). Users has browse:
This is a screenshot from the server that’s having permission issues. I assigned all roles to both admin accounts
and then I added all roles to both admin accounts:
Now I can deploy from VS using the username "administrator".
and I made a little progress (i think...) trying to access report manager from my pc. From IE (run as admin) on my local pc I try to access report manager from this URL
http://server ip/Reports/browse/
-Username: Administrator
-Password: admin password
And now I gain access to server manager but cannot see any content. When I click on the home button I get this error:
Any recommendations?
I would like to automate deployment and it requires to update settings for Azure AD Application registration.
So far I am able to :
create an Azure AD Appregistration and Service Principal with certificate (thx MS documentation)
then use command Connect-AzureAD with previous service Principal with its certificate
use command like Get-AzureADApplication -ObjectId 11111111-2222-3333-4444-555555555555
In previous bullet ObjectId 11111111-2222-3333-4444-555555555555 match with application i created on first bullet
However i am unable to execute command like:
Get-AzureADApplication -Filter "DisplayName eq '$aADApplicationame'"
and $aADApplicationame matches with application created previously
Set-AzureADApplication -ObjectId $aADApplication.ObjectId -ReplyUrls $ReplyUrls
Get-AzADServicePrincipal
I get following error message
Set-AzureADApplication : Error occurred while executing SetApplication
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation
Based on my research, i set up some API permissions as follow:
Unfortunately no luck and still get insufficient privilege although all permissions were granted.
Do you know if I miss something ? Is there any specific permissions i should add to make it works ?
Regards.
As mentioned by another reply, you could give the Global Administrator role to the service principal, it is correct, but the permission of Global Administrator is too large in this case, it may cause some security issues.
In this case, the commands Get-AzureADApplication and Set-AzureADApplication you used essentially call the Azure AD Graph API, so to solve the issue, a better solution is to add the permission of Azure AD Graph API, please follow the steps below.
1.Navigate to the API permissions of your AD App -> select Azure Active Directory Graph(not Microsoft Graph).
2.Select Application permissions(not Delegated permissions) -> Application.ReadWrite.All -> click Add permissions.
3.At last, click the Grant admin consent for xxx button.
After a while, try the commands again, it will work fine.
Update:
After I check the doc, I find there are already some new commands released by MS which call the Microsoft Graph, haven't seen them before.
e.g. In your case, you can use Get-AzureADMSApplication instead of Get-AzureADApplication.
Get-AzureADMSApplication -Filter "DisplayName eq 'joyttt'"
Use Set-AzureADMSApplication instead of Set-AzureADApplication.
Set-AzureADMSApplication -ObjectId <object-id> -Web #{ RedirectUris = "https://mynewapp.contoso.com/" }
For Get-AzADServicePrincipal, there is no equivalent currently, there should be one in the future. When using the commands above, the permissions of Microsoft Graph will work, no need to use Azure AD Graph, but you should use Application permission, not Delegated permission (you used the Delegated permission in your question.)
You are facing this issue because Powershell cmdlet works differently than compared to MS Graph. Instead of permissions, Powershell require roles to do this operations. Please add Global Administrator role to your service principle and then try the Connect-AzureAD so that, the issue will be fixed.
For more details, you may refer to Assigning administrator roles in Azure Active Directory.
I was also facing similar issue, make sure are doing below two things:
Set Run as account for azure automation account
In newly created app registration for azure automation account after setting Run as account, make sure you add Cloud application administrator role explicitly.
Add API permission for Application.ReadWrite.All (Microsoft graph)
In my case the app registration was showing cloud application administrator role under Roles and Administrator screen, which I thought gives the new app registration required permission but that was not the case. PowerShell script only worked after we assigned the cloud application administrator role explicitly.
In the beginning thanks for previous posts it gave a lot of inspiration according topic. Problem occurred in our case at automated bicep mechanism that is supposed to add API permissions for Microsoft Graph.
Error: Authorization_RequestDenied
Solution:
We needed to give Enterprise Application running mechanism Microsoft Graph (not Azure Active Directory Graph it will be deprecated) Application permissions:
Application.ReadWrite.All
AppRoleAssignment.ReadWrite.All
Directory.ReadWrite.All
When I try to deploy my SQL Server Analysis Services project to the server, I get the error message No mapping between user and security ids was done. I don't get where this is coming from!
I've checked the user credentials on the Data Source. I've previously deployed projects to the same server with the same credentials with no problems.
When I google this problem, I get a lot of hits for things to do with Active Directory, but nothing that directly links to SSAS. Where does this error spring from?
This error occurs when there are users defined in a role that are either not known to the server (i.e. a local account on the machine the project was designed on) or no longer available in the Active Directory. To solve this:
Open the cube in BIDS / Visual Studio
Go to the Roles node in the Solution Explorer
Per role, go to the tab "memberships"
Per member defined, check to see if that member still exists in the AD.
In my experience, it's advisable not to use local users in Roles, nor personal accounts. Instead, grant the rights to a role to a group, then add and remove users to that group in the Active Directory as needed.
I have 2 domains with a two way trust between them. I want to modify a group on one of the domains but running on the other domain.
Lets say the domain I am running my script on is mydomain.com, and I would like to add a user to yourdomain.com
I tried through VBScript as well as DSMod, but get permission denied
dsmod group "CN=DCComics,OU=Comics,DC=yourdomain,DC=com" -addmbr "CN=Dark Knight,OU=Comics,DC=yourdomain,DC=com"
When I run the above, I get this
dsmod failed:CN=DCComics,OU=Comics,DC=yourdomain,DC=com:Insufficient access rights to perform the operation.
I'm able to query data on yourdomain.com and I have checked the trusts are working just fine. I have logged in as administrator on mydomain.com.
Ideally I am looking to do this in VBScript, so I wrote this just to test:
user = "LDAP://CN=Clark Kent,OU=Comics,DC=yourdomain,DC=com"
group = "LDAP://CN=DCComics,OU=Comics,DC=yourdomain,DC=com"
Dim objgroup
SET objGroup = GETOBJECT(group)
objGroup.Add(user)
Once again, I get an error about permissions:
C:\tmp\foo.vbs(6, 1) Microsoft VBScript runtime error: Permission denied
Any guidance where I need to muck about with permissions for this? Might I add, I am still learning about AD, so please be gentle :)
Thanks
Being an admin in mydomain.com does not make you an admin in Yourdomain.com - trust or no trust. You need your mydomain\account added to the Administrators group in yourdomain.com