339 questions
0 votes | 1 answer | 70 views
RBAC role to restore service principal
I am in the process of building a custom RBAC role, only to delete & restore the App registration and service principals. I can manage delete actions and restore the App registration, but I don't ...
0 votes | 2 answers | 136 views
Azure RBAC assignments via Management Groups
Is there anything different/off with assigning Azure RBAC roles via "Management Groups" rather than applying directly to say a subscription or a resource group?
I have an Azure App ...
0 votes | 1 answer | 140 views
Event Grid Domain Topic - Restrict access to topics
I have an event grid domain. It has multiple topics like topic 1, topic 2 etc. I have event publishers called publisher 1, publisher 2 etc. I want to restrict publisher 1 to topic 1, i.e. publisher 1 ...
0 votes | 1 answer | 134 views
Assigning web app with keyvault reference does not work via Bicep
When deploying our web app application, we knew that we wanted to import certificates to web app from Key vault. However, we've managed to get a lot of issues along the way and wanted to see if there ...
0 votes | 0 answers | 107 views
Azure RBAC User Authentication
Problem: I am trying to implement RBAC for Azure Search Service. I need to deny/approve users access to index resources based on their role. I need to get access tokens for the users programmatically ...
0 votes | 2 answers | 126 views
IoT Hub / Event Hub EventHubConnection using AzureCredentials/RBAC error (not SAS Key)
I am able to read events from IoT Hub (Event Hub) when using SAS Key but when I try using Azure Credentials, it gives me the error
What's working:
When trying to use EventHubConnection with the SAS ...
0 votes | 1 answer | 82 views
Assigning permissions to a custom role in Azure
So I'm creating a custom role... let's call it "MyCompanyDeveloperRole"
I go onto the function app in the portal logged in as someone with that role.
It won't render the function apps list on ...
0 votes | 0 answers | 27 views
How to automate RBAC role update and AzDeployer
With current geneva action "Self serve apply role update", to pause after canary region, we have to manually change wait time which is error prone, planning to automate using AzDeployer / ...
0 votes | 1 answer | 227 views
Authorization error on my storage account when listing files from databricks
I have the strange issue where I don't understand why I'm having the authorization error:
I'm running this code without any error:
dbutils.fs.ls("abfss://[email protected]/&...
0 votes | 1 answer | 828 views
How to restrict `Cosmos DB Built-in Data Contributor` role assignment to a specific database or containers within a Cosmos DB account?
How to restrict a Cosmos DB Built-in Data Contributor role assignment to a specific database or container within a Cosmos DB account?
I'm using the same Cosmos DB account for multiple databases, but ...
0 votes | 0 answers | 278 views
Scoping RBAC "Search Service Contributor" to an index in Azure AI Search Service does not allow index creation of that index
Azure Search Index Scoped RBAC Bug Minimum Working Example
You will need an Azure Search Service and two accounts. An admin account and a service account that you can change permissions on at the ...
1 vote | 1 answer | 70 views
Get all users and applications with Reader role under subscription in Azure Python SDK
I need to fetch users and applications assigned the "Reader" role under a specific Azure subscription using the Azure Python SDK. The AuthorizationManagementClient is being used along with ...
0 votes | 1 answer | 151 views
Difference between vulnerabilityAssessments and sqlVulnerabilityAssessments in Azure SQL
I’m trying to understand the difference between the permissions:
Microsoft.Sql/servers/databases/vulnerabilityAssessments and Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments.
I need to ...
0 votes | 3 answers | 177 views
How to assign Reader role to user in Azure Subscription using Python SDK?
I’m trying to assign "Reader" role to user under Azure subscription using Azure Python SDK. I’ve found a way to do it using Azure REST API following MS documentation https://learn.microsoft....
0 votes | 1 answer | 197 views
Azure Alert Access Denied: "You are not authorized to perform access alert/read over scope SubB/RG/alerts"
I am experiencing a permissions issue with Azure alerts that I cannot resolve. Here are the details of my setup:
Subscription A: Contains a log-based alert.
Subscription B: Contains a Log Analytics ...
0 votes | 1 answer | 275 views
Assign role to resource in a different resource group
I have a module that assigns the Azure Service Bus Sender role to the managed identity for an app service. I need to set the scope to the actual instance of the service bus, but it's not in the same ...
0 votes | 1 answer | 201 views
RBAC with bicep
I'm trying to assign the AD group to my storage account as contributor and also storage blob data contributor using the service principal that is owner at sub level.
param storageAccountName string
...
0 votes | 1 answer | 203 views
Nested loop in Bicep
I'm trying to assign multiple AD groups to multiple RBAC roles on my storage account.
So I need to loop through my adGroup variable (array) and then need to also loop all my RoleIDs to assign each of ...
0 votes | 1 answer | 93 views
Using Azure Managed Identities in applications hosted on Azure VMs?
We have an on-prem solution where a Windows Service (on a Windows Server VM) accesses a SQL Server database on another Windows Server VM. The Windows Service runs under a certain domain user (Log On), ...
0 votes | 1 answer | 230 views
Bicep role assignment
I'm trying to do a role assignment using Bicep. My goal is to assign the Databricks Access connector as the storage blob data contributor on Storage account.
I'm deploying both, Databricks (with managed ...
1 vote | 1 answer | 595 views
Azure Synapse Linked Service Error - Unable to Add SQL Server with Managed Identity Permissions
I'm working on creating a Synapse pipeline in Azure, and I'm facing an issue while setting up a linked service to connect to a self-hosted MSSQL server. Here are the details of my setup:
Source: Self-...
1 vote | 1 answer | 136 views
Creating an ADLS Linked Service with Bicep for a Blob Container?
I can't get this ADLS Linked Service(LS) to work.
I tried publicAccess blob, container, and private for the container. I have allowBlobPublicAccess:true for the storage account. I was able to create ...
1 vote | 1 answer | 247 views
How to get the condition value for creating an eligible role assignment with excluding roles?
I’m automating Azure eligible role assignments using REST API calls and currently have a setup where Owner eligible role assignment restricts users to assign roles like Reader and Storage Blob Data ...
0 votes | 0 answers | 155 views
I have some secrets in my AKS and I need to restrict a few secrets from others
I have 10 secrets in the dev namespace and I need to restrict access to only 2 secrets from others. I have enabled Azure RBAC for both authorization and authentication. How to achieve this?
Since I am using ...
0 votes | 1 answer | 461 views
REST API for Eligible role assignment with conditions for Azure resources
I'm working on automating eligible role assignments with conditions for Azure resources via REST calls. Specifically to add condition when assigning Owner role to allow users for assigning only roles ...
0 votes | 1 answer | 140 views
Why does my PowerShell variable not get set as expected when executing inline PowerShell in YAML task: AzureCLI@2?
Below errors occur when executing a DevOps pipeline using YAML AzureCLI@2 task.
ERROR: Insufficient privileges to complete the operation.
ERROR: argument --assignee-object-id: expected one argument
...
0 votes | 1 answer | 353 views
Azure - RBAC to Management Group
I'm unable to create a Service Connection for a Management Group. Below are more details
I have created a Management Group (my-mg) and added/assigned 2 subscriptions (dev-sub & prod-sub)
Created an ...
0 votes | 1 answer | 331 views
Unable to Access Policies in Azure Portal while permissions have been extended to the User
I myself am the Global Administrator and Owner of the Resource Group and Key Vault, but I am unable to "Access Policies" in Azure Portal. I have even gone in to give myself further ...
0 votes | 1 answer | 269 views
Azure Maps SAS creation fails
I have to use the weather API from Azure MAPS with Shared access signature token authentication
I have followed the instructions from here:
https://github.com/MicrosoftDocs/azure-docs/blob/main/...
0 votes | 1 answer | 95 views
Azure Java SDK getBlobsByTags gives AuthorizationPermissionMismatch Error
Using Azure Java SDK, we are trying to access Blob Storage entries from Azure Storage Account. We only want to read the blob storage message. We don't have any requirement to write to it.
Our ...
0 votes | 1 answer | 596 views
How to give azure key vault portal access when public access is disabled
I have an azure key vault with public access disabled and using a private endpoint to bring it into the subnet. Azure App Service and Function app are able to access the key vault using managed ...
0 votes | 1 answer | 232 views
I can't access anything in "Audio Content Creation", error "You don't have operation permissions"
I just created a speech service, but when I go to "Audio Content Creation", I can't do anything (New - Upload - Export)
I tried to add myself as owner role, and other roles, but still, I ...
0 votes | 1 answer | 645 views
User XXX does not have access to compute instance YYY. Azure Machine Learning
I have some terraform where the Service Principal is Owner of the Subscription. And it can create a compute instance on AML. I assign a user and the user can connect to it.
But when I create myself, ...
0 votes | 1 answer | 189 views
Azure Marketplace SaaS Accelerator Installation Error: Unauthorized to Perform Action on Key Vault
I am trying to install the Azure Marketplace SaaS Accelerator using Azure Cloud Shell, following the installation instructions provided in the GitHub repository.
However, I encounter errors when ...
1 vote | 1 answer | 189 views
Cannot get Azure subscriptions using `msal` and requests in python through REST API
I can get subscriptions using token captured from browser:
Then I switch to Python and msal.
I use the following code:
import msal
import requests
import sys
import json
data = json.load(open("...
0 votes | 1 answer | 580 views
Received error while deploying Bicep. Error: "The role assignment request schedule is invalid. (InvalidRoleAssignmentRequestSchedule)"
I'm utilizing Bicep to enable Azure AD Privileged Identity Management (PIM) with a custom role. I've created an AD Group and assigned a Custom Role to it, which includes the following actions:
"...
0 votes | 1 answer | 423 views
Getting an authentication error during storage account role assignment for managed identity
I am getting an error while assigning role to managed identity in storage account RBAC
Code:
RoleAssignmentCreateOrUpdateContent roleData = new RoleAssignmentCreateOrUpdateContent(
roleDefinitionId: ...
0 votes | 1 answer | 133 views
Unable to view deleted blobs in Azure Data Lake permissioned via ACLs
I have set up a Data Lake with 1 container and 2 directories, dirA and dirB. User X has ACLs rwx set on directory dirA, user Y has ACLs rwx set on directory dirB.
The goal is to give User X full ...
0 votes | 1 answer | 1k views
What is the principal type for user assigned managed identity
While adding role assignments for storage account
I use user assigned managed identity
RoleAssignmentCreateOrUpdateContent roleData = new RoleAssignmentCreateOrUpdateContent(
roleDefinitionId: new ...
0 votes | 1 answer | 2k views
Synapse - Developer Has Pause/Resume SQL Pool
A developer has reported they can't "Resume" a dedicated database via the Azure Portal as the menu option is greyed-out - see screen shot below.
I tried adding an Azure Entra group the ...
1 vote | 1 answer | 94 views
least privilege for function app config write
Which is the azure built-in role to use for least privilege that enables users to write to function app config?
I think the required action is: Microsoft.Web/sites/config/write
I checked this site and ...
0 votes | 1 answer | 921 views
Azure Storage Account Access: Role Assignments Yield 'Access Denied' even for "Blob Owners" roles
I have a user (MemberUser1) that is also member of my subscription and member of a group "Group1". This group has access defined in the assigned role of some resources: SQL server and ...
0 votes | 1 answer | 46 views
Adding users file storage feature to my application
I have an application deployed in Azure. The users are authenticated using Entra ID. I would like to give the ability to each user to upload his files and make sure he is the only one able to access ...
0 votes | 1 answer | 1k views
Implementing Azure Policy to Restrict Role Assignments at Subscription Level Except for Specific Service Principal
I'm working on setting up an access control strategy for our Azure landing zones and need assistance with implementing a specific Azure Policy. Here's the scenario:
I want to create a custom role ...
0 votes | 1 answer | 122 views
Azure RBAC permission to write Cosmos DB index policy but not create container
Is it possible to create an Azure RBAC custom role that
has permission to write a Cosmos DB container's indexing policy
but is not allowed to create new containers?
It seems that the permission for ...
0 votes | 1 answer | 511 views
How to Test IAM Roles for an App Registration
I'm troubleshooting an issue where an app registration is unable to query the subscriptions within an Azure tenant, despite a role assignment granting it access at the tenant root group level. ...
0 votes | 1 answer | 513 views
Is it possible to create a custom RBAC role for 1 specific resource?
I've created a custom RBAC role for my personal storage account, the assignment scope is on resource group level. The issue is other storage accounts are also present in this resource group.
So the ...
-1 votes | 1 answer | 578 views
How to whitelist only limited IP to access blob storage
I am trying to upload a zip file from remote system to blob storage using SAS (shared access signature).
I have enabled "Enabled from selected virtual networks and IP addresses" in azure blob ...
0 votes | 1 answer | 771 views
The client XXXXX with object id XXXXX does not have authorization to perform action 'Microsoft.Resources/deployments/write' over scope
My service principal has reader role on the resource group. I'm trying to deploy the release pipeline for adf in Azure DevOps but got the below error:
The client 'XXXXXXXXXXX' with object id '...
0 votes | 1 answer | 404 views
com.databricks.sql.cloudfiles.errors.CloudFilesException: Failed to create an Event Grid subscription
I'm trying to use an autoloader to pick up files from a container in ADLS and store them as delta files in a delta table explicitly defined at an external location in a different container within the ...