Grant permissions to resource in one subscription to application from another subscription? (Azure AD multitenant apps) - azure-active-directory

I have a resource in Azure subscription #1 and I want to grant permissions on it to an Azure AD application from subscription #2. Both subscriptions have separate AAD tenants.
I've created an application in subscription #2, marked it as multi-tenant and added certificate credentials to it. There are a few instructions on how to create multi-tenant apps that can log in users from multiple tenants. But I don't need any of these logins and don't want to host any API for it. All I need is for users in other subscriptions to be able to grant my app permissions to their resources.
I can't figure out how I can link (give consent to) an app from another subscription/AAD tenant. My understanding is that there should be a way for me to reference the AppId from the app in subscription #2 and create a new service principal for it under subscription #1.
I've tried in subscription #1 New-AzureADServicePrincipal -AppId <AppIdFromSubscription2>
Fails with "Code: Request_ResourceNotFound, Message: Resource 'ServicePrincipal_888ad8a8-8888-4652-8b8b-c141fa1e7191' does not exist or one of its queried "

New-AzureADServicePrincipal with an AppId from another subscription does work.
I had a silly mistake on my end: I've been using my @outlook.com account for my subscription and Connect-AzureAD logged me in under some MSA tenant, which I have no permissions to modify. Once I specified TenantId with Connect-AzureAD, New-AzureADServicePrincipal worked fine.
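The full sequence the answer describes, as an added example that is not code from the original question or answer: connect to the right tenant explicitly (with a check that the session really landed there), create the local service principal for the foreign AppId only if it does not already exist, then scope an RBAC role to the one resource. The tenant, subscription, AppId and resource ID values are placeholders.

```powershell
# Added example, not from the original post. Assumes the AzureAD and Az modules are installed.
# Placeholders: tenant/subscription holding the resource, the multi-tenant app's appId from
# the other tenant, and the resource that should be shared.
$TenantId1              = '<tenant-id-of-subscription-1>'
$SubscriptionId1        = '<subscription-1-id>'
$AppIdFromSubscription2 = '<AppIdFromSubscription2>'
$ResourceId             = "/subscriptions/$SubscriptionId1/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<name>"

# Connect to the tenant explicitly. A personal (outlook.com) login without -TenantId can land in
# an MSA tenant where you have no rights, which is what produced the Request_ResourceNotFound error.
Connect-AzureAD -TenantId $TenantId1 | Out-Null
$tenant = Get-AzureADTenantDetail
if ($tenant.ObjectId -ne $TenantId1) {
    throw "Connected to tenant $($tenant.ObjectId) but expected $TenantId1; aborting."
}

# The service principal is the tenant-local 'consent' record for the multi-tenant app.
# Reuse it if it already exists, otherwise create it from the foreign appId.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppIdFromSubscription2'"
if (-not $sp) {
    $sp = New-AzureADServicePrincipal -AppId $AppIdFromSubscription2
}
Write-Host "Service principal $($sp.ObjectId) present for appId $AppIdFromSubscription2"

# Grant the local service principal a role on the single resource via Azure RBAC (Az module).
# Reader at resource scope is the least privilege that still proves the cross-tenant link works;
# raise it only to what the app actually needs.
Connect-AzAccount -Tenant $TenantId1 -Subscription $SubscriptionId1 | Out-Null
$existing = Get-AzRoleAssignment -ObjectId $sp.ObjectId -Scope $ResourceId |
            Where-Object RoleDefinitionName -eq 'Reader'
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $sp.ObjectId -RoleDefinitionName 'Reader' -Scope $ResourceId
} else {
    Write-Host "Reader assignment already exists at $ResourceId"
}
```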

Related

Azure B2C - granting access to multiple “application tenants”

I am building an application which will use Azure B2C as the identity system. It will include some local accounts, and some federated accounts for Enterprise SSO logins.
The application will have “application tenants”, representing customer organization/company.
I’d like a user to be able to grant users access to one or more application tenants (in case some users will manage multiple company accounts within the app).
There will also be multiple roles within the app (e.g. read only, full admin).
What is the recommended way to map a B2C User to “app tenants” and roles?
Create AAD group per tenant and role and check membership?
Custom attribute for tenantid(s)?
Or must I map users to tenants & roles in app DB/ outside of B2C?
Is this scenario described in any docs that might point me in the right direction?
Thanks!

Add users is faded out on Azure Active Directory newly created app

I'm testing my SCIM integration with Azure AD. I created an app in Azure Active Directory, the provisioning credentials are OK, but the Add user option is not active (faded out).
When I create the Databricks SCIM integration, it's OK and it works. Any ideas?
This could be due to a lack of permissions or the appropriate role not being assigned. Ensure you're assigned one (tenant- or application-scoped) or are added as an owner of the application.

Google Cloud Platform (GCP): How to give additional roles to service account?

How can I give additional roles to the default Google App Engine (GAE) service account:
Specifically, I want to give "Cloud SQL client" role to the default app engine service account. When I try to modify the role I get this message:
As answered in the comment section by @John Hanley, to add roles to a service account, go to IAM & Admin -> IAM, find your service account in the table and edit it to grant the necessary roles.
In addition, please have a look at the documentation Understanding service accounts, section Granting access to service accounts:
Granting access to a service account to access a resource is similar to granting access to any other identity. For example, if you have an application running on Compute Engine and you want the application to only have access to create objects in Cloud Storage, you can create a service account for the application and grant it the Storage Object Creator role.
Learn about Granting roles to all types of members, including service accounts.

Azure create servicePrincipal results in Insufficient privileges to complete the operation

I am trying to create a new service principal using the command below using azure cli v2.0.
az ad sp create-for-rbac --name ServicePrincipalName
Changing "ServicePrincipalName" to a valid URI of "http://ServicePrincipalName", which is the required format used for service principal names
Found an existing application instance of "abcd-8f27-47cf-9976-xkkfigif5e1de". We will patch it
Insufficient privileges to complete the operation.
I am not sure what privileges the Azure admin of my tenant should assign to my user so I can create a service principal. Any guidelines or document pointers, please?
First, you have to know what this command will do. The command az ad sp create-for-rbac --name ServicePrincipalName will create an AD App(app registration) along with a service principal in your tenant, the AD App will have an Application ID URI named http://ServicePrincipalName, a Display name named ServicePrincipalName. Then the command will add the service principal to your subscription as a Contributor.
The error you got means there is already an AD App with the Application ID URI equals http://ServicePrincipalName existing in your tenant. And you are not the Owner of the AD App. (Note: in the tenant, the Display name is not unique, but the Application ID URI is.)
To solve the issue and use this command successfully, follow the tips below.
1. Change the ServicePrincipalName to a different one. (Or, if your admin allows you to use the existing AD App mentioned above, just let them add your user account as an Owner of the AD App; not recommended.)
2. If your account's User type is just a Member in the tenant, make sure that in the portal -> AAD -> User settings -> Users can register applications is Yes. If your account is a Guest, then in addition to Users can register applications being Yes, User settings -> External collaboration settings -> Guest users permissions are limited needs to be No.
3. Your user account should be the Owner of the subscription. Otherwise you can create the service principal successfully, but you cannot add it to the subscription.
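A pre-flight check for the three causes the answer lists, as an added example (not from the original answer): it looks up whether an app registration already owns the derived Application ID URI and whether you are one of its owners, whether members may register applications in the tenant, and whether you hold Owner on the subscription. It assumes a current Azure CLI (Microsoft Graph based, so directory objects expose `id`), that `az login` has been run, and that the subscription ID is a placeholder you fill in.

```powershell
# Added diagnostic, not part of the original answer. Requires Azure CLI and an existing 'az login'.
$Name           = 'ServicePrincipalName'   # the --name you intend to pass to create-for-rbac
$Uri            = "http://$Name"           # the Application ID URI the command derives from it
$SubscriptionId = '<subscription-id>'      # placeholder

$me = az ad signed-in-user show -o json | ConvertFrom-Json

# Tip 1: is the URI already taken, and if so, are you an owner of that app registration?
# The Application ID URI is unique per tenant, so a clash is exactly what the error reports.
$apps = @(az ad app list --identifier-uri $Uri -o json | ConvertFrom-Json)
if ($apps.Count -gt 0) {
    $app    = $apps[0]
    $owners = @(az ad app owner list --id $app.appId -o json | ConvertFrom-Json)
    if ($owners.id -contains $me.id) {
        Write-Host "App '$($app.displayName)' ($($app.appId)) already uses $Uri and you own it; it will be patched."
    } else {
        Write-Warning "App '$($app.displayName)' ($($app.appId)) uses $Uri and you are not an owner: pick another --name."
    }
} else {
    Write-Host "No app registration uses $Uri yet; create-for-rbac will create one."
}

# Tip 2: can ordinary members register applications? Reading the authorization policy needs
# Policy.Read.All, so fall back to the portal's User settings page if the call is not permitted.
$policy = az rest --method GET --url 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy' -o json 2>$null |
          ConvertFrom-Json
if (-not $policy) {
    Write-Host "Could not read the authorization policy; check AAD -> User settings -> Users can register applications."
} elseif (-not $policy.defaultUserRolePermissions.allowedToCreateApps) {
    Write-Warning "'Users can register applications' is No in this tenant; an admin must enable it or create the app for you."
}

# Tip 3: without Owner on the subscription the SP may be created but the Contributor assignment fails.
$roles = @(az role assignment list --assignee $me.id --scope "/subscriptions/$SubscriptionId" --include-inherited -o json |
           ConvertFrom-Json)
if ($roles.roleDefinitionName -notcontains 'Owner') {
    Write-Warning "You are not Owner on subscription $SubscriptionId; create-for-rbac cannot add the SP as Contributor."
} else {
    Write-Host "You hold Owner on subscription $SubscriptionId."
}
```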

No subscriptions found in the old Azure portal

I am using a Visual Studio account in Azure. I have created a new user and given this user admin access to the Active Directory. I also added this user as the owner of the subscriptions I had.
I now log in as this user to the new portal. I can see the subscription that I have. However, I do not see the icon for Azure Active Directory. Therefore I try to log in to the old portal. This time I get stopped by a "No subscriptions found" prompt which does not let me go any farther.
What is going on? Why is there such a discrepancy between the two sites?
The classic (i.e. old) site only works with the old access model (service admin and co-admin), and requires at least one subscription to get into the site. The new site uses the fine-grained RBAC model (owner, contributor, etc...), and does not require any subscription just to get in to the site.
Adding a user as an 'Owner' in the new Azure portal does not make them a co-administrator, and thus, does not give them access to the classic portal:
The owners you added through the Azure portal cannot manage services in the Azure classic portal.
In order for your new user to get into the classic Azure portal, they need to have service admin or co-admin access to an Azure subscription. You can do one of the following:
Add the new user as a co-admin to your existing subscription (you would do this in the classic portal)
Make the new user the service admin for the subscription
Transfer the entire subscription to the new user (which also makes the new user the account admin)