I believe one of our developers inadvertently deleted the two default service accounts that came with the Google Cloud Project
I am now unable to start or spin up any new servers as I receive this:
The user does not have access to service account
'215988481317-compute#developer.gserviceaccount.com'
Is there a way to restore this service account with the correct permissions?
OR is the entire project screwed because this account doesn't exist anymore and creating a new account doesn't have this same syntax?
It appears that the service account's project permission may have been deleted rather than the account itself. Try adding the service account email address as member with the "Editor" role using the Permissions page.
Related
I'm not able to access any tabs in AAD. What could be the issue?
Please check if below points can be worked around in your case.
Buttions or options being greyed out maybe because , you may not have had global admin rights/user administrator rights on the azure AD tenant. There are a few roles which can create users within the directory. You may not have any roles within the directory which permit the operations.
Reference: github issue.
Even in Azure AD free edition ,one should be able to create the users if you have proper roles .
On completion of the first 30 days of Microsoft Azure’s free trial,
your ‘Free Trial’ Azure Subscription will be disabled. To fix this,
the subscription needs to be changed to the ‘Pay-As-You-Go’ plan
instead of the ‘Free Trial’ plan which it is currently on.
For example :For applications under Enterprise application, one of the following roles: Global Administrator, Cloud Application
Administrator, Application Administrator, or owner of the service
principal.
You can check Azure AD built-in roles, and by checking the
description of role , assign the required one to manage identity .
You can Assign Azure AD roles to users to manage the identities
if you have global or role administrator rights. Approach the
admin to assign the roles .Also see custom roles in Azure AD
if needed.
Please check if this issue in - Microsoft Q&A can relate .
If issue still remains you can raise a support request in troubleshoot+support blade.
I want to authorize several Logic Apps to access operations on an API secured by an app registration, which has several app roles describing different operations. Currently a directory administrator is doing this manually using New-AzureADServiceAppRoleAssignment once the Logic Apps are created, because the associated service principal doesn't exist until then.
I'd rather this were automated, because especially in development, the manual work of asking a directory administrator to re-run this script is very tedious. However I don't know how to grant the scripting account - a service principal linked to a DevOps service connection - only the permissions to do this, and not make it a directory administrator able to do anything. If the service connection is a directory administrator, developers would be able to supply it scripts to tell it to create or delete any combination of role assignments, enabling them to let themselves into anything, and also shut out people who should be able to prevent this. This is an unacceptable security hole.
What is the minimal permission needed to allow an automated process to script the creation of app role assignments but nothing else, and where is this documented?
For this requirement, you can just add the scripting account as owner of your app(just create a new user without any roles and add it as the app's owner). Then it can just add role assignment in this app but can't do other operations on role assignment of other apps.
Can someone help me understand the difference between the Service Principal created when I create an App Registration in AAD and the Managed Identity that gets created when I enable "System Assigned" on the Identity blade of an App Service?
We have an App Service that we are developing that we have created an App Registration for and we have also enabled the System Assigned identity. When we go into Enterprise Applications under AAD and search for our app, it comes up with 2 entries. One for the Managed Identity and one for the Service Principal created as part of the App Registration. We are trying to understand which one we would use to give the app permissions to write to an Azure SQL DB.
Managed Identities are essentially service principals wrapped with Microsoft logic to make accessing resources simpler. Although, sometimes adding more layers may complicate things, the idea is to make it easier, simpler, and less consumer interactive.
For your scenario, you'll want to think about what you would like to do. Would you like to have more control and implement your own logic with an Azure SQL DB protected by AAD, or try utilizing Microsoft's Managed Identity to protect/access the Azure SQL DB resource. (Ideally the Managed Identity path should be less work)
The tutorial for using Managed Identities to access an azure SQL db from an app service can be found here :
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi
The docs for protecting an Azure SQL DB using Azure AD can be found here :
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication
Furthermore Managed Identities are explained in the official Microsoft documentation here :
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
It's important to note that there are two kinds of Managed Identities.
From the documentation:
A system-assigned managed identity is enabled directly on an Azure
service instance. When the identity is enabled, Azure creates an
identity for the instance in the Azure AD tenant that's trusted by the
subscription of the instance. After the identity is created, the
credentials are provisioned onto the instance. The lifecycle of a
system-assigned identity is directly tied to the Azure service
instance that it's enabled on. If the instance is deleted, Azure
automatically cleans up the credentials and the identity in Azure AD.
A user-assigned managed identity is created as a standalone Azure
resource. Through a create process, Azure creates an identity in the
Azure AD tenant that's trusted by the subscription in use. After the
identity is created, the identity can be assigned to one or more Azure
service instances. The lifecycle of a user-assigned identity is
managed separately from the lifecycle of the Azure service instances
to which it's assigned.
The picture from the official docs also gives a good example of a VM using MSI(Managed Service Identity).
This is Provided below:
In addition to that, the App Service Managed Identity documentation can be found here :
https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity
I would like to elaborate a little further as the topic around service principals and app registrations in Azure can be confusing.
As you noticed, a service principal will get created in your AAD tenant when you turn on system-assigned managed identity for a resource in Azure. This service principal is tied to the lifecycle of your resource or in other words: If you delete your App Service, Azure will delete the service principal for you [2].
Beside service principals, there are other object types that live inside a tenant: User principals and application objects. As the name suggests, user principals identify a user while a service principal can be used to either identify a resource in Azure or an application object. To both types of principals you can assign roles, as you mentioned you can create a new user in your database and use the system-assigned identity (Service Principal 1 in the image below) to let Azure SQL know that your App Service has permissions to access the database [3]. This is marked in red in the image.
When you create an app registration, two objects are created: An application object and a service principal in your tenant (this is "Service Principal 2") [4]. You could now use this service principal as well to give it permissions to access the database (marked in orange in the image) but this service principal is not tied to your Azure App Service and doesn't represent it. In other words, if you want to use Service Principal 2 in your App Service, beside creating a user for this service principal in your database you'd additionally also need to get an access token for this service principal whenever you create a new SQL connection to the database in your application. It's possible but a bit more inconvenient and the beauty of using system-assigned identities is that your App Service knows about its service principal already and you don't have to manage it on your own (e.g., delete it when your App Service gets deleted).
Long story short: Use the system-assigned managed identity in your use case.
[2] https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types
[3] https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi#grant-permissions-to-managed-identity
[4] https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals
You can only use the managed identity that you have enabled in your App Service for authentication to AAD which eventually allows you to access your Azure SQL instance based on roles/permissions. I'd tried using the service principal/Enterprise Application created as part of App Registration process for authentication and it didn't work.
The way I see it is that the App Service is what runs/hosts your application and only this managed identity/SP is available to your running application for authentication to AAD.
The Service principal/Enterprise Application is being used internally for some other purpose and, it is not available to our application for authentication to AAD.
Just a wee note. App Registration may live without Service Principal. App Registration may represent an application that is consumed, not necessarily the consumer.
Managed Identity is solely a client-based identity.
E.g. Your App Service is acting as a client, when accessing Azure SQL. In this case you don't need an app registration and its service principal at all. You will only need a Managed Identity (which is a Service Principal).
When your App Service (A) is opposed to access another App Service (B) then again your App Service (A) does not need an app registration. But App Service B needs to have an app registration.
Imo when you want to use the credential-less approach in Azure, an app registration is acting as the server part and a Managed Identity (system - or user-assigned) is considered to be the client part.
I am using Redgate Data Platform Studio to transfer data from on-premise SQL Server to Azure-hosted SQL Server. This web-based application has the ability to use an Azure Storage account (for data transfer purpose) simply by logging into my company's ADFS. The web application can successfully see storage accounts inside a subscription (let's call it Subscription A) owned by my ADFS user, when I log in to my company's active directory (via ADFS). Let's call my company's AD Directory A.
I also have subscription B owned by a Microsoft account NOT related to my company's Active Directory. This subscription B is managed by another Azure AD Tenant B, with that Microsoft account as the Service Administrator & Owner. To link the two directories, I used B2B State 3 configuration described here. So in Directory B, my Directory A user shows up as Guest User with the Source=External Azure Active Directory.
For the storage accounts in Directory B, I grant the built-in role "Storage Blob Data Contributor" and "Storage Account Contributor" to the Guest User (source=external AAD Directory A). Therefore, in both Microsoft Azure Storage Explorer as well as in portal.azure.com I can see storage accounts inside Subscription B.
BUT if I log in to the Redgate application using Directory A credential (via my company's ADFS), only storage account inside Subscription A shows up in the Redgate application. I already tried giving the guest user in Directory B the following roles to the user, even at the highest Subscription B level, but no luck:
As Co-Administrator
As Contributor
As Storage Account Contributor
As Storage Blob Data Owner
My question: is this the application's limitation of not being able to access subscription in another directory (B), or is there some configuration either in directory A/B and/or subscription A/B that I need to set?
Is this the application's limitation of not being able to access subscription in another directory?
As per my official document and my understanding you cannot assign your subscription among many directory.
As said on official document "Multiple subscriptions can trust the
same Azure AD directory, but each subscription can only trust a single directory".
See the below screen shot and refer here
Note: When you associate a subscription to a different directory, users that have roles assigned using role-based access control (RBAC)
will lose their access. Classic subscription administrators
(Service Administrator and Co-Administrators) will also lose
access. Please check the Important Note here
If you want to know more details please refer this docs
I am using a visualstudio account in Azure. i have created a new user and given admin access to the active directory to this user. I also added this user as the owner to the subscriptions i had.
I now login as this into the new portal. I can see the subscription that i have. However i do not see the icon for Azure ActiveDirectory. Therefore i try to login to the old portal. This time I get stopped by a "No subscriptions found" prompt which does not let me for farther.
What is going on? why is there such discrepency between the two sites?
The classic (i.e. old) site only works with the old access model (service admin and co-admin), and requires at least one subscription to get into the site. The new site uses the fine-grained RBAC model (owner, contributor, etc...), and does not require any subscription just to get in to the site.
Adding a user as an 'Owner' in the new Azure portal does not make them a co-administrator, and thus, does not give them access to the classic portal:
The owners you added through the Azure portal cannot manage services in the Azure classic portal.
In order for your new user to get into the classic Azure portal, they need to have service admin or co-admin access to an Azure subscription. You can do one of the following:
Add the new user as a co-admin to your existing subscription (you would do this in the classic portal)
Make the new user the service admin for the subscription
Transfer the entire subscription to the new user (which also makes the new user the account admin)