In portal.azure.com I have two subscriptions.
One of them is the subscription named "Access to Azure Active Directory". As far as I can understand, this subscription was created automatically via the Office 365 subscription I have.
My profile is a Global Administrator. However, I cannot access "Access to Azure Active Directory" subscription as a Global Administrator or with Global Administrator rights. More specifically, when I view "My permissions" in "Access to Azure Active Directory" subscription, it says "You are an administrator on the subscription".
But, when for example I try to view "Activity log" or "Access control (IAM)" in "Access to Azure Active Directory" subscription, it says "DisallowedOperation: The current subscription type is not permitted to perform operations on any provider namespace. Please use a different subscription."
So, how is it possible to be an administrator on "Access to Azure Active Directory" subscription and also not able to do any action as an administrator?
Any help would be much appreciated.
Regards, Nick
Usually, an Office 365 subscription includes a free subscription to Azure AD so that you can integrate Office 365 with Azure AD if you want to sync passwords or set up single sign-on with your on-premises environment. You could refer to this: Azure integration with Office 365. Before you can manage your Office 365 Apps in Azure AD, you need to Register your free Azure Active Directory subscription and Turning Integrated Apps on or off. Please refer to this: Integrated Apps and Azure AD for Office 365 administrators.
Related
As per below link, we can assign Global Administrator or Security Administrator role in Azure AD to an user and that provides full access to Microsoft Cloud App Security portal.
https://learn.microsoft.com/en-us/cloud-app-security/manage-admins#office-365-and-azure-ad-roles-with-access-to-cloud-app-security
However, with these roles users get privileged admin access to other features of Azure AD as well. We want restrict the role to provide full access in Microsoft Cloud App Security portal only. Is it possible to create a custom role with permissions only for Microsoft Cloud App Security?
Unfortunately it's not supported to create a custom AAD role with the full access permission of Microsoft Cloud App Security portal.
Currently, permissions for Application registrations and Enterprise applications are supported in custom roles. See the details here.
The full access permission of Microsoft Cloud App Security portal should be microsoft.directory/cloudAppSecurity/allProperties/allTasks. You can see that it's not listed in the page when I try to look for it in Azure portal.
You can query microsoft.directory/cloudAppSecurity/allProperties/allTasks in this page and choose the one with the least permissions to assign to users who need to be assigned the Cloud App Security portal administrator role.
Recently Microsoft has came up with a new role named "Cloud App Security Administrator". This role provides full admin access to MCAS without providing any privileged access other Azure AD configurations. Didn't find any documentation, but it is visible in Azure AD portal.
I've logged into Windows 10 using my office 365 account and running WindowsIdentity.GetCurrent() gives me AzureAD\\LocTrang and Sid.
When I look into ADSI CN=ForeignSecurityPrincipals I can see the Sid. But pulling down the users from office 365 Azure Active Directory I could not find any correlation between my office 365 account and what WindowsIdentity has given me.
I know they're not the same but I need to find the connection between office 365 account and my Windows account which I've logged in using my office 365 account.
You need to check the attributes used to match users when AAD Connect is run.
AAD Connect syncs AD users up to Azure AD.
Normally UPN is used.
You also need to check what attributes are synched up since if they are not synched, they won't be in Azure AD.
I am new to Azure and want to use "login with Microsoft" in one of my web apps.
For this I have created a new account on portal.azure.com.
When going to Azure Active Directory tab in account I am getting this error-
Access denied
You do not have access
Looks like you don't have access to this content. To get access, please contact the owner.
I found a similar question where they advice to login with Global Administrator permission for Azure AD.
Azure Active Directory - Access Denied in New Portal
But I don't know what is that Global Administrator permission for Azure AD is? I just signed up with my email and that's the one account all I have.
You need to create a "tenant" to do something with AD. Check the documentation
In short, login into azure portal, go here https://portal.azure.com/#create/Microsoft.AzureActiveDirectory and create new directory.
Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure Active Directory, as well as services that federate to Azure Active Directory like Exchange Online, SharePoint Online, and Skype for Business Online. The person who signs up for the Azure Active Directory tenant becomes a global administrator. Only global administrators can assign other administrator roles. There can be more than one global administrator at your company. Global admins can reset the password for any user and all other administrators.
Note: n Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Company Administrator". It is "Global Administrator" in the Azure portal.
Details about the global administrator role
Assign a user to administrator roles in Azure Active Directory
You need to assign the co-admin as global administrator with using account admin user. Log in to new Azure Portal by using the account with Global Administrator permission for Azure AD. Navigate to the Azure Active Directory extension, from the Users and Groups tab, search for the external account, and change the Directory Role to Global Administrator.
I have a scenario that I am hoping someone can assist me with. I have a requirement to build an extranet in SharePoint Online (Office 365).
We have a main Office 365 Tenant. There are 15 member organisations that need access and these DO NOT have Office 365. on premise only.
So I can use Azure B2B to grant access to SharePoint Sites no problems. I need the social aspect and Yammer Fits PERFECTLY but identities are separate.
I can create and External Yammer Network and invite users but obviously these are a separate set of credentials to that of Azure AD.
Has anyone done such a thing and is there a way to grant Azure B2B users access to an external Yammer network?
Yammer should allow you to sync with your Azure Active Directory. This should allow users to have the same logins.
Here is some information I found on this matter:
https://products.office.com/en-gb/yammer/yammer-network-administration
My small company (about 100 users) is currently using Office 365. There have previously not been any domain controller. I am building an on premise domain controller and want to sync it with Azure Active Directory (Office 365). I used the sync service, with a small subset of users to no avail.
My main question: Can you sync FROM an Azure Active Directory to a new on premise Active Directory? My understanding is that it's the opposite - the on premise Active Directory is the "master" if you will. Is there a way to set it up the opposite? As in, Office 365 being the "master" or "seed" for an on premise?
At present, the Azure AD connect support the Password writeback, Group writeback and Device writeback.
You can refer the options features of Azure AD Connect from here.
At this point in time, synchronizing users FROM Azure AD to on-premises AD is NOT possible.
As Fei Xue pointed out, there are certain things (such as user passwords, groups and devices) that can be synchronized back to on-prem AD, but not users.
Depending on what you are trying to achieve, Azure Active Directory DS might be worth exploring as it allows you to create a VNet in Azure which has a AD-like support (LDAP, Active Directory domain join, NTLM, and Kerberos authentication).
More info on Azure AD DS: https://azure.microsoft.com/en-us/services/active-directory-ds/