Access control (IAM) on Azure Portal - Cannot see resource group to which I have been granted access - azureportal

I have granted access to a couple of users with different roles against a resource group on the Azure portal. The users to whom I have granted access rights do not see the resource group when they log in to the Azure portal.
Have I missed something while granting access rights?

You are probably in the wrong Azure directory. You can solve this issue with the following steps.
1. Log in to the Azure portal at https://portal.azure.com/ with your credentials.
2. Click the top right icon, which shows a generic person icon and opens a drop-down about your profile/account.
3. Click 'Switch Directory' and switch into the directory of the organization where you have been granted access.
4. Look over to the left. You should now see the resources that you were granted access to under 'All Resources'.

I encountered the same issue. Portal just needed refreshing. Just switched the user directories and came back to the user directory I had given access to, then I could see the resource group under that user.

Honestly, Azure really does make stuff a lot harder than need be sometimes. In my case I needed to go to portal settings (gear icon in top bar), click on the default subscription filter and enable all subscriptions.

Related

Azure AD prevent user access

I'm a support engineer and have not worked with Azure a lot, but have done quite a bit of research regarding Azure issues. To give some context, I have a client that says his company's users are able to access the AD even though they are not assigned to an admin role. I have checked all admin roles and just certain admins are assigned, yet a normal user has access. Any ideas on what to look at? Any info would be appreciated.
If I understand correctly, you would like to block non-admin users from accessing the Azure AD administration portal.
If that is what you would like to achieve, then you can restrict non-admin users from accessing the Azure AD admin portal through the setting below:
1. Log in to the Azure portal.
2. Navigate to Azure Active Directory.
3. Click on Users on your left.
4. Click on User settings.
5. Toggle the switch to 'Yes' for 'administration portal'.
Hope this helps. Let me know if you have any further questions.
Thanks!

How to grant Calendar.ReadWrite.Shared permission to Azure app?

I'm trying to manage multiple Outlook calendars using a single account as a proxy, so all other accounts share their personal calendar with this "master" account, and within this one I can add, edit or delete events "for everyone".
The problem is that I can't get the account to grant Calendar.ReadWrite.Shared to the app, even though in my app this permission is configured as recommended.
Azure portal - app permissions:
[image: permissions of the app in the Azure portal]
msalconfig:
[image: MSAL configuration used]
The "funny" thing is, with the account used to create the app in the first place everything works, but with any other account it does not.
I even created another app with the intended final account, and nothing. This is the incomplete-permissions result:
[image: actual result]
This is the desired result:
[image: desired result]
If you just want to make a proxy to modify calendars for all users, have you tried application-only auth and granting it the Calendars.ReadWrite permission of the application type? Based on the official description of this permission, "Read and write calendars in all mailboxes", it seems to meet your requirement.
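The application-only route the answer suggests, as an added example that is not part of the original post: a client-credentials token request for Microsoft Graph, a check that the token actually carries the Calendars.ReadWrite application role (which is what is missing when admin consent was never granted), and a write into another user's calendar. Standard library only; the HTTP transport is injected so the flow runs offline against a constructed stand-in, and the tenant, client ID, secret and user names are placeholders, not values from the question.

```python
import base64
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"


def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials request to the v2.0 token endpoint. App-only tokens
    always use the <resource>/.default scope, never individual scope names."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    return urllib.request.Request(
        f"{LOGIN}/{tenant_id}/oauth2/v2.0/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def app_roles(access_token):
    """Application permissions that were actually consented show up in the
    token's 'roles' claim. Only the payload is decoded, for diagnostics: the
    client is not the token's audience and must not treat this as validation."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))


def build_event_request(access_token, target_upn, subject, start_iso, end_iso, tz="UTC"):
    """POST /users/{upn}/events. With an app-only token there is no /me, so the
    target mailbox is always named explicitly."""
    event = {
        "subject": subject,
        "start": {"dateTime": start_iso, "timeZone": tz},
        "end": {"dateTime": end_iso, "timeZone": tz},
    }
    return urllib.request.Request(
        f"{GRAPH}/users/{urllib.parse.quote(target_upn)}/events",
        data=json.dumps(event).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})


def create_event_as_app(transport, tenant_id, client_id, client_secret,
                        target_upn, subject, start_iso, end_iso):
    """transport(Request) -> response bytes. Fails early, with a useful message,
    when admin consent for the application permission is missing."""
    token = json.loads(transport(build_token_request(tenant_id, client_id, client_secret)))["access_token"]
    if "Calendars.ReadWrite" not in app_roles(token):
        raise PermissionError("token has no Calendars.ReadWrite role: grant admin consent "
                              "for the application permission, not the delegated one")
    return json.loads(transport(build_event_request(token, target_upn, subject, start_iso, end_iso)))


def urllib_transport(request):
    """Real transport for production use."""
    with urllib.request.urlopen(request) as resp:
        return resp.read()


def make_fake_transport(roles):
    """Constructed offline stand-in for the token endpoint and Graph, so the
    flow can be exercised without a tenant. Records every request it sees."""
    seen = []

    def transport(request):
        seen.append(request)
        if request.full_url.endswith("/oauth2/v2.0/token"):
            claims = base64.urlsafe_b64encode(json.dumps({"roles": roles}).encode()).decode().rstrip("=")
            return json.dumps({"access_token": f"hdr.{claims}.sig"}).encode()
        return json.dumps({"id": "AAMk-constructed",
                           "subject": json.loads(request.data)["subject"]}).encode()

    transport.seen = seen
    return transport


if __name__ == "__main__":
    demo = make_fake_transport(["Calendars.ReadWrite"])
    print(create_event_as_app(demo, "contoso.onmicrosoft.com", "app-id", "secret",
                              "alice@contoso.com", "Planning",
                              "2024-05-01T09:00:00", "2024-05-01T10:00:00"))
```

Swap `make_fake_transport(...)` for `urllib_transport` to run it for real. Keep in mind what the application permission means: the app can write every mailbox in the tenant, so the secret (or better, a certificate or managed identity) deserves the same protection as an admin credential, and an application access policy in Exchange Online can scope it back down to the mailboxes that are supposed to be shared.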

Social Account Access to MyAccess Portal

We used to be able to have social accounts request access packages by signing in at myaccess.microsoft.com. Now, we get an error that says you cannot sign in with a personal account. Why is this the case, since it remains possible to create a domain like gmail.com or outlook.com as a connected organization in Entitlement Management?
Also, after landing on the myaccess portal and expanding an access package that a user has been approved for to view its resources, it used to be possible, for example, to open a SharePoint site or an application directly from this view by simply clicking on the resource or clicking an 'Open' link. Now that ability has been removed, leaving us to have to send links to the resource to users. This degrades the experience substantially. Can we have this ability returned?
Please check the type of the personal account in your portal: if it is a guest, you cannot log in to myaccess.onmicrosoft.com; if it was created in the portal or is of type member, it is accessible.
This is the relevant doc:
"Sign in to the My Access portal. Be sure you use your organizational (work or school) account. If you're unsure, check with your project or business manager."
I invited my personal account (guest user type) to test whether I can log in directly to myaccess.onmicrosoft.com, and the following screenshots do report errors.

Monitoring changes to roles in Azure AD

We are looking to set up a solution to monitor primarily the Global Admin role in Azure AD, so if a user is added to or removed from the role an e-mail is sent to a specific mailbox.
On our local AD we have a working solution for this, but I can't seem to find a similar solution for AAD.
In the Office 365 Security & Compliance Center > Alerts > Alert Policies there is a policy called "Elevation of Exchange admin privilege" which basically does what I want, except it only targets the Exchange Admin role.
I've tried creating a new policy from scratch, but as far as I can tell there is no way to choose to target a specific role. There is only the "Granted Exchange admin permission" and nothing really comes up when I search for "role" or "admin" in the "Activity is" drop down.
I've also looked at the MCAS (MS Cloud App Security) policies but nothing there seems to be what I need either.
I found this article: Monitor Office 365 admin role changes in all customer tenants, but it seems to be geared more towards multi-tenant environments and requires quite a bit of additional setup. I was hoping there was a simpler solution for a single-tenant environment.
Kind regards
If you have MCAS, I think it's possible that you have PIM as well (Privileged Identity Management; it requires AAD P2 SKUs). But assuming you do, then it's very simple to do this. You would just go into PIM in Azure, click Azure AD roles, click Manage roles, choose the Global Admin role, click Role settings, and you will see options like this:
If you don't have PIM, then it becomes quite a bit more complicated, but could probably be less complicated than your example: you could set up Log Analytics to ingest Azure AD data, use a query to pull out that information (a role assignment event, for example), and then set up an alert in Monitor referencing the Log Analytics workspace. https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-analyze-activity-logs-log-analytics
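The detection logic behind the non-PIM route, as an added example that is not part of the answer above: it walks audit records, keeps successful role-membership changes (including the PIM-flavoured operation names), pulls the role name out of the Role.DisplayName modified property, and produces the mail subject and body the question asks for. The record shape used (OperationName, Result, InitiatedBy, TargetResources, with modifiedProperties values JSON-encoded) follows the AuditLogs table as exported to Log Analytics but is an assumption to check against your own workspace; the sample rows are constructed, not real tenant data. The same filter in KQL would be along the lines of `AuditLogs | where OperationName has "member to role"` plus a check on the Role.DisplayName property, which is what an alert rule in Monitor would evaluate.

```python
import json

# Roles whose membership changes should page someone. Extend as needed.
WATCHED_ROLES = {"Global Administrator"}

# OperationName prefixes for directory role membership changes. Prefix matching
# also catches the PIM variants ("Add member to role completed (PIM activation)").
ROLE_MEMBERSHIP_OPS = ("Add member to role", "Remove member from role",
                       "Add eligible member to role", "Remove eligible member from role")


def decode_property_value(value):
    """modifiedProperties values arrive JSON-encoded ('"Global Administrator"')."""
    try:
        decoded = json.loads(value)
    except (TypeError, ValueError):
        return value
    return decoded if isinstance(decoded, str) else value


def role_name(record):
    """Role.DisplayName sits in the modifiedProperties of the target resource;
    on removals the useful value is the old one."""
    for target in record.get("TargetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                return (decode_property_value(prop.get("newValue"))
                        or decode_property_value(prop.get("oldValue")))
    return None


def actor(record):
    by = record.get("InitiatedBy") or {}
    if by.get("user"):
        return by["user"].get("userPrincipalName")
    if by.get("app"):
        return by["app"].get("displayName")
    return "unknown"


def target_user(record):
    for t in record.get("TargetResources", []):
        if t.get("type") == "User":
            return t.get("userPrincipalName")
    return None


def detect_role_changes(records, watched=WATCHED_ROLES):
    """Returns one alert dict per successful change to a watched role."""
    alerts = []
    for rec in records:
        op = rec.get("OperationName", "")
        if not op.startswith(ROLE_MEMBERSHIP_OPS):
            continue
        if rec.get("Result") != "success":  # failed attempts are a separate signal
            continue
        role = role_name(rec)
        if role not in watched:
            continue
        alerts.append({"time": rec.get("TimeGenerated"), "operation": op, "role": role,
                       "target": target_user(rec), "actor": actor(rec)})
    return alerts


def alert_mail(alert):
    """Subject/body text for the notification the question asks for."""
    subject = f"[AAD] {alert['operation']}: {alert['role']}"
    body = (f"{alert['time']}: {alert['actor']} performed '{alert['operation']}' "
            f"for {alert['target']} on role {alert['role']}")
    return subject, body


def make_record(op, result, role_new, role_old, target_upn, initiated_by, when):
    """Builds a record in the assumed AuditLogs shape; used for the constructed samples."""
    return {"TimeGenerated": when, "OperationName": op, "Result": result,
            "InitiatedBy": initiated_by,
            "TargetResources": [{"type": "User", "userPrincipalName": target_upn,
                                 "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                         "newValue": json.dumps(role_new),
                                                         "oldValue": json.dumps(role_old)}]}]}


# Constructed sample rows, not real tenant data.
SAMPLE_RECORDS = [
    make_record("Add member to role", "success", "Global Administrator", "", "bob@contoso.com",
                {"user": {"userPrincipalName": "admin@contoso.com"}}, "2024-05-01T08:00:00Z"),
    make_record("Add member to role", "success", "Helpdesk Administrator", "", "dave@contoso.com",
                {"user": {"userPrincipalName": "admin@contoso.com"}}, "2024-05-01T08:05:00Z"),
    make_record("Remove member from role", "success", "", "Global Administrator", "carol@contoso.com",
                {"app": {"displayName": "Lifecycle Automation"}}, "2024-05-01T09:00:00Z"),
    make_record("Add member to role", "failure", "Global Administrator", "", "mallory@contoso.com",
                {"user": {"userPrincipalName": "helpdesk@contoso.com"}}, "2024-05-01T09:30:00Z"),
    {"TimeGenerated": "2024-05-01T10:00:00Z", "OperationName": "Update user", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.com"}}, "TargetResources": []},
]

if __name__ == "__main__":
    for a in detect_role_changes(SAMPLE_RECORDS):
        print(*alert_mail(a), sep="\n")
```

Two practitioner notes: keep the failed attempts in a second, lower-priority rule rather than dropping them, since a helpdesk account repeatedly trying to add itself to Global Administrator is worth knowing about; and send the mail to a mailbox whose owner is not themselves a Global Administrator, otherwise the person you are watching can suppress the alert.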

Azure AD application only allowing admins

As you can see from the image, it's not letting regular users log in to the application. How do I bring this access down to members? This is an Azure Active Directory application. I can log in just fine with an admin user, but my regular accounts get blocked. Note, I created the application with the regular account. I don't suppose this has something to do with it?
I've granted the app all delegated permissions. No application permissions though. I'm thinking there's something in the manifest I need to alter but I'm not sure and I've never messed with this before. So any help is appreciated.
You likely need to perform admin consent for the application. There are two ways to do this in Azure AD:
1. In the Azure portal, go into the App Registrations blade, click on the app, click on Permissions, and hit Grant Permissions.
2. Construct a request to Azure AD with the extra parameter &prompt=admin_consent. For example:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=<AppID>&resource=<Resource App ID URI>&response_type=code&redirect_uri=<Redirect URI>&prompt=admin_consent
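The second route in code, as an added example that is not from the answer above: it assembles the v1 authorize request with prompt=admin_consent and a state value, then interprets the redirect Azure AD sends back to the redirect URI. The callback shape assumed here is the documented v1 one (an authorization code plus admin_consent=True when a Global Administrator consents; error and error_description when a non-admin is blocked or declines); the client ID, resource and redirect URI are placeholders.

```python
import secrets
import urllib.parse

AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/authorize"


def build_admin_consent_url(client_id, resource, redirect_uri, state=None):
    """v1 authorize request carrying prompt=admin_consent. The state value is
    generated per request so the callback can be tied back to it."""
    state = state or secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "resource": resource,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "prompt": "admin_consent",
        "state": state,
    }
    return f"{AUTHORIZE}?{urllib.parse.urlencode(params)}", state


def parse_consent_callback(redirect_url, expected_state):
    """Interprets the redirect back to redirect_uri. Raises ValueError on a state
    mismatch (a callback that does not belong to our request) and RuntimeError
    when Azure AD reports an error, e.g. the signed-in user is not an admin."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)

    def first(key):
        return query.get(key, [None])[0]

    if first("state") != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    if first("error"):
        raise RuntimeError(f"{first('error')}: {first('error_description')}")
    return {
        "admin_consent": (first("admin_consent") or "").lower() == "true",
        "code": first("code"),
    }


if __name__ == "__main__":
    url, state = build_admin_consent_url("00000000-0000-0000-0000-000000000000",
                                         "https://graph.microsoft.com",
                                         "https://app.example.com/callback")
    print("send a Global Administrator to:", url)
    # Constructed callback, as Azure AD would redirect after consent.
    print(parse_consent_callback(
        f"https://app.example.com/callback?code=AQABconstructed&state={state}&admin_consent=True",
        state))
```

Until a Global Administrator has completed this once for the tenant, a regular member hitting the app will keep being bounced because the delegated permissions the app asks for still need tenant-wide consent; after it succeeds, the app no longer needs prompt=admin_consent on ordinary sign-ins. Keep the state check: a consent callback that you accept without it can be replayed into a different user's session.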
