Showing posts with label IT» Azure Cloud. Show all posts
Showing posts with label IT» Azure Cloud. Show all posts

Monday, 17 May 2021

Azure: User not having access rights to the Azure AD conditional access

Environment details:

·         Tenant Id: ****0-33c2d-1318-****-1agdq71a2462

·         Tenant Initial Domain Name: blogger365.onmicrosoft.com

·         Affected user: testuser@blogger365.onmicrosoft.com (134***-1**-1356-31f1-689s3***1h)

·         Error message:
'No Access'
sessionid: 1fewh22c****8ee51a52199501b
ResourceID: not available
Extension: Microsoft_AAD_IAM
Content: PoliciesTemplateBlade
Error Code: 403

Cause
The user testuser@blogger365.onmicrosoft.com (test example) does not have any Azure AD Admin roles assigned.


From documentation, we can see that the least privileged role necessary to access the Conditional Access settings is the Conditional Access administrator role.

Conditional Access | Least-privileged roles by task - Azure Active Directory | Microsoft Docs

Resolution
In order to provide access to the Azure AD Conditional Access you will need to assign your user with one of the following roles, according to the necessary permissions that you require this user to have:

Roles with permissions to write:

·         Conditional Access Administrator

·         Security Administrator

·         Global Administrator

Roles with permissions to read:

·         Security Reader

·         Global Reader

In order to assign the user with permissions to manage the Azure AD Conditional Access you needed to assign the user with the Conditional Access Administrator.

Since you are enrolled in the Azure PIM for role management, you needed to make sure that the assigned role was in the Activated state, as the Eligible state “only” provides the user with the ability of requesting the activation of the role from a Global Administrator or a Privileged Role Administrator.

(If you have been made eligible for an administrative role, then you must activate the role assignment when you need to perform privileged actions. From Activate my Azure AD roles in PIM - Azure Active Directory | Microsoft Docs )

After we activated the role, the user was then able to access the necessary resources.

Additionally, we had the following settings activated for your Azure AD:

The above setting (which is also regarded as a best practice) prevents users that do not have any Administrator role from accessing the Azure AD through the Azure Portal.

If you wish to allow all the non-admin users to access the Azure AD using the Portal, it would be important to discuss internally the requirement of this setting.

Friday, 26 March 2021

License Issue M365 E3 to E5 Resolved and Next Step

We had enough trouble when swapped license between E3 to E5.

M365 license (means Enterprise Mobility + Security E5 & Office 365 E5) and feature selection is important.

Following issues were reported when license step up was carried out from E3 to E5:

We had users (a few frontrunners) complaining that they get product deactivated message and sign-in issues when we moved them from E3 to E5 group.



 

Resulting in failure to sign in.



Reactivate message remains

However, the aforesaid issue can be easily resolved by selecting the license feature ‘Microsoft 365 Apps for enterprise’ to ‘ON’ from office admin portal


 



‘Microsoft 365 Apps for enterprise’ to ‘ON’

Thursday, 14 May 2020

Azure hosted VMs: VEEAM Backup Ports and MFA

Office 365 App ID, App secret and App Password Setup Guide for VEEAM Backup integration

Communication port requirement:

..Read this blog post to learn how to start with multi-factor authentication enabled accounts in Veeam Backup for Microsoft Office 365.

MFA setup


Verifying office365 account: https://portal.office.com/account

Thursday, 6 February 2020

Automate Azure App Services for website

Azure App Services for website

Automate the launching of websites via Azure services. This usually is a manual process of updating DNS to point to azure and adding the domain to azure. Godaddy has an API that allows changing A, txt and CName records. I need to be able to:

a) Add a domain to aure without having to pove the a/cname records to azure so this step can be done before launch is needed

b) API or somethig that will let me add domains to a web app from an automated process (API, etc)

Information on how to manage your App Service, summary below:

How to get FTP credentials for your App Service:

In the Azure Portal, browse to the App Service and click on the "Get Publish Profile" link, the value for Publish URL is the hostname and the username and password are found afterwards (see image below):


How to access phpMyAdmin

Browse to the Advanced Tools blade on your App Service and click on the Go button, this will take you to your Kudu console, just type /phpMyAdmin at the end of the URL to manage your database (see image below):


How to find the connection string for your App Service

Click on the "Configuration" blade, you can find your connection data under the Connection strings (see image below):



How to have your developers work remotely on your database

They can use MySQL WorkBench found at https://www.mysql.com/products/workbench/, they will need the hostname, username and password found on the connection string.

Monday, 26 August 2019

Start/Stop VMs during off-hours solution in Azure Automation, Log Analytics




To automate the start and stop of the VMs hosted on Azure we need to consider two things, i) Automation Account and ii) Log Analytics Workspace

Scenario:


Set up the first solution deployment to start few VMs at 6 AM and stop them at 6 PM from Monday to Friday.

Then you would make the second solution deployment to start the other few VMs at 10 AM and stop them at 10 PM from Sunday to Thursday.

Please read through the steps, as you would have to specify the resource group/s you want this action to be taken, and you would also have to exclude the VMs on which you don’t want the solution.


For example, if you have 20 VMs in one resource group, but you only want the first 8 VMs to be started and stopped by the solution, you would have to specify the Resource Group name during deployment process and a list of the excluded VMs (VM9, VM10, VM11 … VM20).  This way, the solution will only affect (start and stop) VM1, VM2, VM3… VM8.

I have used the naming convention ‘StartStopVMDaily-IRIS-AA’, where IRIS stands for the project vendor and AA stands for Automation Account, and for ‘StartStopVMDaily-IRIS-LA’ LA stands for Log Analytics. Make sure both automation account and log analytics have the  same resource group name.


To summarize following are the process:


All services>> Automation Accounts>> click Add 

Add automation account name and fill in other relevant details for - ‘StartStopVMDaily-IRIS-AA’  and click create.



Then let’s go to the service, ‘log analytics workspaces’ via All services>> Log Analytics workspaces:





Click Add. 







Fill in sensible details for ex: 

StartStopVMDaily-IRIS-LA >> Subscription: Enterprise >> Resource Group: provide resource group name of the hosted VMs >> Location: West Europe >> Pricing Tier: Free (select what suites you) and click OK.


After creation of Log Analytics workspaces, click on 'StartStopVMDaily-IRIS-LA' which has been just created (as highlighted below).



Click workspace summary





from Overview window click 'Add' option from the marketplace search window, type 'Start/Stop VMs during off-hours' 










and click Create  





as soon as create button is clicked >> from 'Add Solution' space select workspace as 'StartStopVMDaily-IRIS-LA' >> automation account as 'StartStopVMDaily-IRIS-AA' >> configuration: configure parameters >>



parameters:

vm runbook: target resourceGroup Names: wildcard '*', * is applicable to all resource groups, else specify correct resource group where the VMs reside >> VM Exclude List (list of VMs which needs to be excluded>>  enter the VM names in the space provided. For more than one VM enter with coma >> enter schedule daily start and stop time (specify correct time zone >> select email functionality if required and specify a valid email address.>> click ok and click create.

Click log analytics workspace 'StartStopVMDaily-IRIS-LA' which we just created. and click workspace summary



Selecting the graphical ‘startstopvmview’ provides a historical summary of the schedules.



If you may want to modify the schedules to recur automation weekly or monthly based on your requirement following Home>> Automation Account >> select the required automation account (for ex: ‘StartStopVMDaily-IRIS-AA’) >> click Schedules >> Scheduled-StartVM or Scheduled-StopVM


Settings:


 You may include or exclude VMs by modifying the variables:


Automation Accounts >> StartStopVMDaily-IRIS-AA >> Variables

Select External_ExcludeVMNames and modify the Value (VMNames described under it)


Reorganize automation account and log analytics @your Azure portal favourites:
Deploy the solution twice based on the above scenario.


I hope the above depicted pictures are self-explanatory.
Have a great time J.

also read@Microsoft documentation