339 questions
0
votes
1
answer
70
views
RBAC role to restore service principal
I am in the process of building a custom RBAC role, only to delete & restore the App registration and service principals. I can manage delete actions and restore the App registration, but I don't ...
- 31
0
votes
2
answers
136
views
Azure RBAC assignments via Management Groups
I there anything different/off with assigning Azure RBAC roles via "Management Groups" rather than applying directly to say a subscription or a resource group?
I have an Azure App ...
- 117
0
votes
0
answers
278
views
Scoping RBAC "Search Service Contributor" to an index in Azure AI Search Service does not allow index creation of that index
Azure Search Index Scoped RBAC Bug Minimum Working Example
You will need an Azure Search Service and two accounts. An admin account and a service account that you can change permissions on at the ...
- 664
0
votes
0
answers
107
views
Azure RBAC User Authentication
Problem: I am trying to implement RBAC for Azure Search Service. I need to deny/approve users access to index resources based on their role. I need to get access tokens for the users programmatically ...
- 69
0
votes
1
answer
134
views
Assigning web app with keyvault reference does not work via BiCep
When deploying our web app application, we knew that we wanted to import certificates to web app from Key vault. However, we've managed to get a lot of issues along the way and wanted to see if there ...
- 13
0
votes
1
answer
828
views
How to restrict `Cosmos DB Built-in Data Contributor` role assignment to a specific database or containers within an Cosmos DB account?
How to restrict an Cosmos DB Built-in Data Contributor role assignment to a specific database or container within an Cosmos DB account?
I'm using the same Cosmos DB account for multiple databases, but ...
- 14.6k
0
votes
1
answer
227
views
Authorization error on my storage account when lisitng files from databricks
I have the strange issue where I dont understand why Im having the authorization error:
Im running this code with out any error:
dbutils.fs.ls("abfss://[email protected]/&...
0
votes
2
answers
126
views
IoT Hub / Event Hub EventHubConnection using AzureCredentials/RBAC error (not SAS Key)
I am able to read events from Iot Hub (Event Hub) when using SAS Key but when I try using Azure Credentials, it gives me the error
What's working:
When trying to use EventHubConnection with the SAS ...
- 1,334
0
votes
1
answer
140
views
Event Grid Domain Topic - Restrict access to topics
I have an event grid domain. It has multiple topics like topic 1, topic 2 etc. I have event publishers called publisher 1, publisher 2 etc. I want to restrict publisher 1 to topic 1, i.e. publisher 1 ...
- 107
0
votes
1
answer
82
views
Assigning permissions to a custom role in Azure
So I'm creating a custom role.. let's call it "MyCompanyDeveloperRole"
I go onto the function app in the portal logged in as someone with that role.
It won't render the function apps list on ...
- 619
1
vote
1
answer
595
views
Azure Synapse Linked Service Error - Unable to Add SQL Server with Managed Identity Permissions
I'm working on creating a Synapse pipeline in Azure, and I'm facing an issue while setting up a linked service to connect to a self-hosted MSSQL server. Here are the details of my setup:
Source: Self-...
- 317
0
votes
1
answer
275
views
Assign role to resource in a different resource groups
I have a module that assigns the Azure Service Bus Sender role to the managed idenity for an app service. I need to set the scope to the actual instance of the service bus, but it's not in the same ...
- 4,375
0
votes
1
answer
151
views
Difference between vulnerabilityAssessments and sqlVulnerabilityAssessments in Azure SQL
I’m trying to understand the difference between the permissions:
Microsoft.Sql/servers/databases/vulnerabilityAssessments and Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments.
I need to ...
- 82
0
votes
1
answer
197
views
Azure Alert Access Denied: "You are not authorized to perform access alert/read over scope SubB/RG/alerts"
I am experiencing a permissions issue with Azure alerts that I cannot resolve. Here are the details of my setup:
Subscription A: Contains a log-based alert.
Subscription B: Contains a Log Analytics ...
- 512
0
votes
3
answers
177
views
How to assign Reader role to user in Azure Subscription using Python SDK?
I’m trying to assign "Reader" role to user under Azure subscription using Azure Python SDK. I’ve found a way to do it using Azure REST API following MS documentation https://learn.microsoft....
- 15
0
votes
1
answer
201
views
RBAC with bicep
Im trying to assing the AD group to my storage account as contributor and also storage blob data contributor using the Servicie principal that is owner at sub level.
param storageAccountName string
...
0
votes
1
answer
230
views
Bicep role assignment
Im trying to do a role assignment usig BICEP. My goal is to assign the Databricks Access connector as the storage blob data contributor on Storage account.
Im deploying both, Databricks (with managed ...
0
votes
5
answers
3k
views
Unable to send email from local machine via Azure Communication Service and using logged-in user's credentials
I am trying to send email using Azure Communication Service and DefaultAzureCredential from my local machine but I am getting the following error:
Azure.Identity.AuthenticationFailedException: Azure ...
- 137k
0
votes
1
answer
203
views
Nested loop in Bicep
Im trying to assign multiple AD group to Multiple RBAC roles to my storage account.
So I need to Loop through my adGroup variable ( array) and then need to also loop all my RoleIDs to assign each of ...
1
vote
1
answer
70
views
Get all users and applications with Reader role under subscription in Azure Python SDK
I need to fetch users and applications assigned the "Reader" role under a specific Azure subscription using the Azure Python SDK. The AuthorizationManagementClient is being used along with ...
- 15
0
votes
0
answers
27
views
How to automate RBAC role update and AzDeployer
With current geneva action "Self serve apply role update", to pause after canary region, we have to manually change wait time which is error prone, planning to automate using AzDeployer / ...
0
votes
1
answer
461
views
REST API for Eligible role assignment with conditions for Azure resources
I'm working on automating eligible role assignments with conditions for Azure resources via REST calls. Specifically to add condition when assigning Owner role to allow users for assigning only roles ...
- 15
0
votes
1
answer
93
views
Using Azure Managed Identities in applications hosted om Azure VMs?
We have an on-prem solution where a Windows Service (on a Windows Server VM) accesses a SQL Server database on another Windows Server VM. The Windows Service runs under a certain domain user (Log On), ...
- 427
0
votes
1
answer
596
views
How to give azure key vault portal access when public access is disabled
I have an azure key vault with public access disabled and using a private endpoint to bring it into the subnet. Azure App Service and Function app are able to access the key vault using managed ...
- 619
0
votes
1
answer
331
views
Unable to Access Policies in Azure Portal while permissions have been extended to the User
I myself am the Global Administrator and Owner of the Resource Group and Key Vault, but I am unable to "Access Policies" in Azure Portal. I have even gone into to give myself further ...
- 1,018
0
votes
1
answer
1k
views
What is the principal type for user assigned managed identity
While adding role assignments for storage account
I use user assigned managed identity
RoleAssignmentCreateOrUpdateContent roleData = new RoleAssignmentCreateOrUpdateContent(
roleDefinitionId: new ...
- 27
1
vote
1
answer
247
views
How to get the condition value for creating an eligible role assignment with excluding roles?
I’m automating Azure eligible role assignments using REST API calls and currently have a setup where Owner eligible role assignment restricts users to assign roles like Reader and Storage Blob Data ...
- 15
0
votes
1
answer
645
views
User XXX does not have access to compute instance YYY. Azure Machine Learning
I have some terraform where the Service Principal is Owner of the Subscription. And it can create a compute instance on AML. I assigne a user and the user can connect to it.
But when I create myself, ...
- 1,033
0
votes
1
answer
353
views
Azure - RBAC to Management Group
I'm unable to create a Service Connection for a Management Group. Below are more details
I have created a Management Group (my-mg)and added/assigned 2 subscriptions (dev-sub & prod-sub)
Created an ...
- 1,278
0
votes
1
answer
1k
views
Implementing Azure Policy to Restrict Role Assignments at Subscription Level Except for Specific Service Principal
I'm working on setting up an access control strategy for our Azure landing zones and need assistance with implementing a specific Azure Policy. Here's the scenario:
I want to create a custom role ...
- 1,017
0
votes
1
answer
2k
views
How to grant access to individual certificate in Azure Key Vault
I have created an Azure Keyvault. I have added a certificate and private key to the Keyvault. The keyvault is using Role Based Access Controls.
I have an Azure AD user account I am trying to grant ...
- 1,261
1
vote
1
answer
136
views
Creating a ADLS Linked Service with Bicep for a Blob Container?
I can't get this ADLS Linked Service(LS) to work.
I tried publicAccess blob, container, and private for the container. I have allowBlobPublicAccess:true for the storage account. I was able to create ...
- 13
2
votes
1
answer
2k
views
Azure - should the creator of a resource have owner rights?
If an Azure user has Contributor rights to a Subscription and they create a resource under that subscription e.g. a Storage Account. Should that user be automatically granted owner rights over the ...
- 724
0
votes
0
answers
155
views
I have some secrets in my AKS and I need to restrict few secrets from others
I have 10 secrets in dev namespace and I need to restrict only 2 secrets access from others I have enabled Azure RBAC for both authorization and authentication, How to achieve this?
Since I am using ...
0
votes
1
answer
269
views
Azure Maps SAS creation fails
I have to use the weather API from Azure MAPS with Shared access signature token authentication
I have followed the instructions from here:
https://github.com/MicrosoftDocs/azure-docs/blob/main/...
- 1,511
0
votes
1
answer
921
views
Azure Storage Account Access: Role Assignments Yield 'Access Denied' even for "Blob Owners" roles
I have a user (MemberUser1) that is also member of my subcription and member of a group "Group1". This group has access defined in the assigned role of some resources" SQL server and ...
0
votes
1
answer
2k
views
Synapse - Developer Has Pause/Resume SQP Pool
A developer has reported they cant "Resume" a dedicated database via the Azure Portal as the menu option is greyed-out - see screen shot below.
I tried adding a Azure Entra group the ...
- 394
0
votes
1
answer
140
views
Why does my Powershell variable not get set as expected when executing inline powershell in yaml task: AzureCLI@2?
Below errors occur when executing a DevOps pipeline using Yaml AzureCLI@2 task.
ERROR: Insufficient privileges to complete the operation.
ERROR: argument --assignee-object-id: expected one argument
...
- 43
-1
votes
2
answers
5k
views
I'm unable to Login to VM with Azure AD user credentials
I'm unable to login to Azure Virtual Machine with Azure AD credential even if select the Option Azure AD Domain Joined while creating the Azure VM.
I'm always getting The Logon attempt failed error.
...
- 11
0
votes
1
answer
232
views
I cant access anything in "Audio Content Creation", error "You don't have operation permissions"
I just created a speech service, but when I go to "Audio Content Creation", I can't do anything (New - Upload - Export)
I tried to add myself as owner role, and other roles, but still, I ...
- 15
3
votes
2
answers
2k
views
Is it possible to use RBAC to allow read only access to an App Service's Application Settings?
I would like provide read only access to an the Application Settings of an app service. Specifically by Application Settings of an App Service, I'm referring to the 4 tabs that appear when you open ...
- 115
0
votes
1
answer
580
views
Received error while deploying Bicep. Error: "The role assignment request schedule is invalid. (InvalidRoleAssignmentRequestSchedule)"
I'm utilizing Bicep to enable Azure AD Privileged Identity Management (PIM) with a custom role. I've created an AD Group and assigned a Custom Role to it, which includes the following actions:
"...
1
vote
1
answer
189
views
Cannot get Azure subscriptions using `msal` and requests in python through REST API
I can get subsriptions using token captured from browser:
Then I switch to Python and msal.
I use the following code:
import msal
import requests
import sys
import json
data = json.load(open("...
- 558
5
votes
3
answers
13k
views
How to find an identity by client id in Azure?
I have an application (AWX) with a script that is trying to perform an action in Azure (add tags to a vm). In AWX, I get the following error, apparently from Azure: msg: "Error retrieving ...
- 1,808
0
votes
1
answer
423
views
Getting an authentication error during storage account role assignment for managed identity
I am getting an error while assigning role to managed identity in storage account RBAC
Code:
RoleAssignmentCreateOrUpdateContent roleData = new RoleAssignmentCreateOrUpdateContent(
roleDefinitionId: ...
- 27
0
votes
1
answer
771
views
The client XXXXX with object id XXXXX does not have authorization to perform action 'Microsoft.Resources/deployments/write' over scope
My service principle has reader role on the resource group. I'm trying to deploy the release pipeline for adf in Azure DevOps but got the below error:
The client 'XXXXXXXXXXX' with object id '...
- 45
0
votes
1
answer
189
views
Azure Marketplace SaaS Accelerator Installation Error: Unauthorized to Perform Action on Key Vault
I am trying to install the Azure Marketplace SaaS Accelerator using Azure Cloud Shell, following the installation instructions provided in the GitHub repository.
However, I encounter errors when ...
- 1,896
0
votes
1
answer
511
views
How to Test IAM Roles for an App Registration
I'm troubleshooting an issue where an app registration is unable to query the subscriptions within an Azure tenant, despite a role assignment granting it access at the tenant root group level. ...
- 3
0
votes
1
answer
513
views
is it possible to create Custom RBAC role for 1 specific resource?
I`ve created custom RBAC role for my personal storage account, the assignment scope is on resource group level. The issue is other storage accounts are also present in this resource group.
So the ...
- 5
0
votes
2
answers
4k
views
What permission are required to view Directory log in Azure?
I am trying to access the Directory activity log in my Azure tenant, but I am getting the error that I don't have permission to view Directory log.
I am trying to figure out if anyone know the ...
- 13