Monday 17 May 2021

Azure: User does not have access rights to Azure AD Conditional Access

Environment details:

·         Tenant Id: ****0-33c2d-1318-****-1agdq71a2462

·         Tenant Initial Domain Name: blogger365.onmicrosoft.com

·         Affected user: testuser@blogger365.onmicrosoft.com (134***-1**-1356-31f1-689s3***1h)

·         Error message:
'No Access'
sessionid: 1fewh22c****8ee51a52199501b
ResourceID: not available
Extension: Microsoft_AAD_IAM
Content: PoliciesTemplateBlade
Error Code: 403

Cause
The user testuser@blogger365.onmicrosoft.com (test example) does not have any Azure AD administrator role assigned. The Conditional Access blade (extension Microsoft_AAD_IAM, content PoliciesTemplateBlade) requires a directory role, so the portal returns error code 403 ('No Access').


From the documentation, the least privileged role that can manage Conditional Access settings is the Conditional Access Administrator role.

Conditional Access | Least-privileged roles by task - Azure Active Directory | Microsoft Docs

Resolution
In order to provide access to Azure AD Conditional Access, assign the user one of the following roles, depending on the permissions this user needs:

Roles with permissions to write:

·         Conditional Access Administrator

·         Security Administrator

·         Global Administrator

Roles with permissions to read:

·         Security Reader

·         Global Reader

In order to let the user manage Azure AD Conditional Access, you needed to assign the user the Conditional Access Administrator role.

Since you are enrolled in Azure AD PIM for role management, you also needed to make sure that the assignment was in the Active state. An Eligible assignment grants no permissions by itself: it only lets the user activate the role when needed, subject to the activation settings configured for that role (for example MFA, a justification, or approval; if approval is required and no approvers are configured, the request goes to a Global Administrator or a Privileged Role Administrator). Until the role is activated, the portal treats the user as having no role and returns the same 403.

(If you have been made eligible for an administrative role, then you must activate the role assignment when you need to perform privileged actions. From Activate my Azure AD roles in PIM - Azure Active Directory | Microsoft Docs )

After we activated the role, the user was then able to access the necessary resources.
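The check and fix described above, as an added example that is not part of the original post, using Microsoft Graph PowerShell. It looks up the affected user, distinguishes active assignments (what the portal actually evaluates) from PIM-eligible ones, and then either activates an eligible role or assigns Conditional Access Administrator directly. Assumptions: the Microsoft.Graph modules are installed, the caller holds Privileged Role Administrator or Global Administrator, and the UPN is the one from the case; the justification text and the two-hour activation window are placeholders.

```powershell
# Added example (not from the original post): why does the user get 403 on the
# Conditional Access blade, and what fixes it? Requires Microsoft.Graph modules.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.Governance

# Assumption: the affected account from the case.
$upn = 'testuser@blogger365.onmicrosoft.com'

Connect-MgGraph -Scopes 'User.Read.All','RoleManagement.ReadWrite.Directory'
$user = Get-MgUser -UserId $upn -Property Id,DisplayName,UserPrincipalName

# Roles that can open the Conditional Access blade (write roles first, then read-only).
$caRoles = 'Conditional Access Administrator','Security Administrator','Global Administrator',
           'Security Reader','Global Reader'

# Resolve role definition IDs by display name instead of hard-coding template GUIDs.
$roleDefs = @{}
foreach ($name in $caRoles) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
    if ($def) { $roleDefs[$def.Id] = $def.DisplayName }
}

# 1. Active assignments: permanent ones plus PIM activations that are currently in effect.
#    This is what the portal checks before rendering PoliciesTemplateBlade.
$active = @(Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
              -Filter "principalId eq '$($user.Id)'" |
            Where-Object { $roleDefs.ContainsKey($_.RoleDefinitionId) })

# 2. PIM-eligible assignments: visible in PIM, but grant nothing until activated.
$eligible = @(Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
                -Filter "principalId eq '$($user.Id)'" |
              Where-Object { $roleDefs.ContainsKey($_.RoleDefinitionId) })

"Active roles:   " + (($active   | ForEach-Object { $roleDefs[$_.RoleDefinitionId] }) -join ', ')
"Eligible roles: " + (($eligible | ForEach-Object { $roleDefs[$_.RoleDefinitionId] }) -join ', ')

if ($active.Count -gt 0) {
    'User already holds an active role for Conditional Access; the 403 has another cause.'
}
elseif ($eligible.Count -gt 0) {
    # Eligible only (the "Eligible vs Active" trap from the post). selfActivate must be
    # submitted by the affected user, so run this branch connected as that user; an admin
    # would instead use action 'adminAssign' to create a time-bound active assignment.
    $roleId = $eligible[0].RoleDefinitionId
    $body = @{
        action           = 'selfActivate'
        principalId      = $user.Id
        roleDefinitionId = $roleId
        directoryScopeId = '/'
        justification    = 'Manage Conditional Access policies (support case)'   # placeholder
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime()
            expiration    = @{ type = 'AfterDuration'; duration = 'PT2H' }       # placeholder
        }
    }
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $body
    "Requested activation of $($roleDefs[$roleId]); approval may still be required by PIM role settings."
}
else {
    # No assignment at all (the case in the post): grant the least-privileged write role.
    $caAdmin = ($roleDefs.GetEnumerator() |
                Where-Object Value -eq 'Conditional Access Administrator').Key
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
        -RoleDefinitionId $caAdmin -DirectoryScopeId '/'
    "Assigned Conditional Access Administrator to $upn; have the user sign out and back in."
}
```

Re-run the two schedule-instance queries after the change: the portal only honours what the active-assignment query returns, which is exactly why an eligible-but-not-activated role still produces the 403.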

Additionally, the following setting was enabled for your Azure AD (Azure Active Directory > User settings): Restrict access to Azure AD administration portal = Yes.

This setting (which is also regarded as a best practice) prevents users who do not hold any administrator role from browsing Azure AD through the Azure portal. Note that it only blocks the portal experience: it does not restrict what a user can read through Microsoft Graph, PowerShell or other clients, so it complements, but does not replace, proper role assignments.

If you wish to allow all non-admin users to browse Azure AD in the portal, discuss internally whether this setting is still required before changing it.
