Can I use a service account to log in to the server and execute UiPath bots via Task Scheduler? - service

We are using admin accounts, as admin accounts have most of the rights to execute and access files from all locations, so UiPath automation runs smoothly.
Admin account: CORP\ADM-FR-SFAKHORI
Service account: SVC-FR-S2DCAUTO
We connect to our production using the admin account, and now there is a need to run more automations and we don't have free slots for admin accounts to run / the admin account is occupied with existing automation.
The team provided us a service account instead of an admin account to connect to our VM and to run automations.
Logging in to certain applications via the service account is possible, which we are currently doing also, but can we run automations using the service account?
We are using Task Scheduler, and for now our VM is not able to connect with the service account, as the service account doesn't have logon access.
My question is: if the team provides logon access to the service account, can we then execute our scripts without any issue? Or can we ask the team for an admin account?
We are using an attended named user license.
Please help us on same.
I tried connecting to the VM using the service account, but it is just connecting and disconnecting.
So we are not sure whether, if the team provides us login access, we will then be able to access/execute or not.
So we want that surety.

Related

Can a service principal Access admin Portal settings in PowerBi service?

I cannot assign a capacity Id to a workspace via Powershell commands, logged in with a service principal.
$workspace = Get-PowerBIWorkspace -name 'XXX-XX-XXXX-XXX'
$workspaceId = $workspace.Id
echo $workspaceId
Set-PowerBIWorkspace -Id $workspaceId -Scope "Organization" -CapacityId "XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX"
error message:
Set-PowerBIWorkspace: Operation returned an invalid status code 'Unauthorized'
I have taken the following steps:
I have created a service principal and assigned it to a security group in Azure AD.
I manually added this security group in the Admin Portal in Power BI service to allow service principals to interact with the service (under developer settings).
I have been able to (using PowerShell) log in with the service principal and create a workspace. I can get all workspaces etc...
However, when I try to set a workspace capacity Id (assign it to a premium capacity) I get an unauthorized error.
I suspect I cannot do this because to perform this action, I have to go under Admin Portal Settings > Workspaces (I need Admin Rights to PowerBi service), hence I'm trying to find a way to grant these admin permissions to the service principal.
Besides this, I have:
Assigned that same service principal in the security group to be workspace admin
Assign PowerBi administrator role in AAD to that service principal
But nothing worked.
Is there a way to perform these actions? Or is it a limitation of Service Principals?
Thank you,
Joao
The admin APIs in general cannot be used when authenticating with service principal. Recently, they made it possible to use some of them, but not all. For example take a look at Announcing new Admin APIs and Service Principal authentication to make for better tenant metadata scanning and Enable service principal authentication for read-only admin APIs, where you can see the list of supported APIs.
To assign a capacity to a workspace, UpdateGroupsAsAdmin API is used, which is currently not listed as a supported API, and is documented only for "normal" authentication:
Permissions
The user must have administrator rights (such as Office 365 Global Administrator or Power BI Service Administrator).
while for other APIs (GetGroupsAsAdmin, PostWorkspaceInfo) it is explicitly documented that they can be used with a service principal:
Permissions
The user must have administrator rights (such as Microsoft 365 Global Administrator or Power BI Service Administrator) or authenticate using a service principal.
So either you have to wait for Microsoft to implement authentication with service principal (and there is no guarantee they will do that), or you will have to change the authentication (to use AAD account).

Running Azure Service Fabric as different user

I am trying to run my Service Fabric application in my local cluster as a different user. The use case is that I am trying to connect to my on-prem database, but since network service accounts don't have access, I need to run my SF as the logged-in user. I've followed the URL below exactly, as admin user and domain user, but no luck.
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-application-runas-security
Am getting the below error in eventviewer.
"Error getting user account information for domain\user:AccessDenied"
"SetupSecurityPrincipals failed with ApplicationPrincipalAbortable Error"
How else can i run my SF as logged in user?
I was able to accomplish this by running 'Service Fabric Host Service' in Services as the logged-in user (instead of the local account). Along with this, Integrated Security = SSPI needs to be in the appsettings.json.

How to access AzureAd ->Users and groups - User settings

I want to access the
Azure Portal -> Azure Active Directory->User Settings
via a powershell commandlet.
Currently I have tried
Get-MsolCompanyInformation
which gives limited data about these settings. Not all settings access (true/false) comes up with this commandlet.
Can someone give the commandlet(s) by which I can get whether these settings are enabled/disabled for a tenant?
For now, there is no command to list that information in the msol PowerShell module or the Azure AD PowerShell module v2.
As a workaround, we can use roles to control those permissions.
We can use Azure AD PowerShell V2 to list roles: Get-AzureADDirectoryRole.
Then we can use this command to list the members of a role: Get-AzureADDirectoryRoleMember.
To create a role, we can list the role templates with this command: Get-AzureADDirectoryRoleTemplate
PS C:\Users> Get-AzureADDirectoryRoleTemplate
ObjectId DisplayName Description
-------- ----------- -----------
729827e3-9c14-49f7-bb1b-9608f156bbb8 Helpdesk Administrator Helpdesk Administrator has access to perform common helpdesk related tasks.
f023fd81-a637-4b56-95fd-791ac0226033 Service Support Administrator Service Support Administrator has access to perform common support tasks.
b0f54661-2d74-4c50-afa3-1ec803f12efe Billing Administrator Billing Administrator has access to perform common billing related tasks.
4ba39ca4-527c-499a-b93d-d9b492c50246 Partner Tier1 Support Allows ability to perform tier1 support tasks.
e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8 Partner Tier2 Support Allows ability to perform tier2 support tasks.
88d8e3e3-8f55-4a1e-953a-9b9898b8876b Directory Readers Allows access to various read only tasks in the directory.
29232cdf-9323-42fd-ade2-1d097af3e4de Exchange Service Administrator Exchange Service Administrator.
75941009-915a-4869-abe7-691bff18279e Lync Service Administrator Lync Service Administrator.
fe930be7-5e62-47db-91af-98c3a49a38b1 User Account Administrator User Account Administrator has access to perform common user management related tasks.
9360feb5-f418-4baa-8175-e2a00bac4301 Directory Writers Allows access read tasks and a subset of write tasks in the directory.
62e90394-69f5-4237-9190-012177145e10 Company Administrator Company Administrator role has full access to perform any operation in the company scope.
a0b1b346-4d3e-4e8b-98f8-753987be4970 User Every user is implicitly considered to be a member of the User Role.
f28a1f50-f6e7-4571-818b-6a12f2af6b6c SharePoint Service Administrator SharePoint Service Administrator.
d405c6df-0af8-4e3b-95e4-4d06e542189e Device Users Device Users
9f06204d-73c1-4d4c-880a-6edb90606fd8 Device Administrators Device Administrators
9c094953-4995-41c8-84c8-3ebb9b32c93f Device Join Device Join
c34f683f-4d5a-4403-affd-6615e00e3a7f Workplace Device Join Workplace Device Join
17315797-102d-40b4-93e0-432062caca18 Compliance Administrator Compliance administrator.
d29b2b05-8046-44ba-8758-1e26182fcf32 Directory Synchronization Accounts Directory Synchronization Accounts
2b499bcd-da44-4968-8aec-78e1674fa64d Device Managers Allows access to read and edit device properties.
9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3 Application Administrator Application Administrator role has access to perform common application management related tasks.
cf1c38e5-3621-4004-a7cb-879624dced7c Application Developer Application Developer role has ability to create single-tenant applications.
5d6b6bb7-de71-4623-b4af-96380a352509 Security Reader Security Reader allows ability to read security information and reports.
194ae4cb-b126-40b2-bd5b-6091b380977d Security Administrator Security Administrator allows ability to read and manage security configuration and reports.
e8611ab8-c189-46e8-94e1-60213ab1f814 Privileged Role Administrator Privileged Role Administrator has access to perform common role management related tasks.
3a2c62db-5318-420d-8d74-23affee5d9d5 Intune Service Administrator Intune Service Administrator has full access in the Intune Service.
158c047a-c907-4556-b7ef-446551a6b5f7 Cloud Application Administrator Cloud Application Administrator has the ability to create applications and update all cloud properties of applications.
5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91 Customer LockBox Access Approver Customer LockBox Access Approver has approval access to user data requests.
44367163-eba1-44c3-98af-f5787879f96a CRM Service Administrator CRM Service Administrator has full access in the CRM Service.
a9ea8996-122f-4c74-9520-8edcd192826c Power BI Service Administrator Full access in the Power BI Service.
95e79109-95c0-4d8e-aee3-d01accf2d47b Guest Inviter Guest Inviter has access to invite guest users.
b1be1c3e-b65d-4f19-8427-f6fa0d97feb9 Conditional Access Administrator Allows management of all conditional access capabilities.
More information about Azure AD powershell V2, please refer to this link.
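The three cmdlets named in this answer can be combined into a role-membership audit. The script below is an added example, not code from the original answer; it assumes the AzureAD (V2) module is installed and that the account signing in can read directory roles.

```powershell
# Added example: report who holds each activated Azure AD directory role.
# Assumes the AzureAD (V2) module; Connect-AzureAD prompts for sign-in.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Get-AzureADDirectoryRole returns only roles that have been activated in
# the tenant; a template that was never activated has no role object yet.
$roles = Get-AzureADDirectoryRole

$report = foreach ($role in $roles) {
    $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
    foreach ($m in $members) {
        [pscustomobject]@{
            Role       = $role.DisplayName
            MemberType = $m.ObjectType          # e.g. User or ServicePrincipal
            Member     = $m.DisplayName
            UPN        = $m.UserPrincipalName   # empty for service principals
        }
    }
}

# One row per (role, member) pair, ready for review or export.
$report | Sort-Object Role, Member | Format-Table -AutoSize

# Roles with a non-user member (service principals) deserve a second look.
$report | Where-Object { $_.MemberType -ne 'User' } |
    Format-Table Role, MemberType, Member -AutoSize

# Templates that have not been activated in this tenant: a template's
# ObjectId matches the RoleTemplateId of the role created from it.
$activated = @($roles | ForEach-Object { $_.RoleTemplateId })
Get-AzureADDirectoryRoleTemplate |
    Where-Object { $activated -notcontains $_.ObjectId } |
    Select-Object ObjectId, DisplayName
```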

Gcloud auth for all users on a server

I am trying to setup a Gcloud Auth Login for an account on a server that will cover all users.
i.e.
I login using an administrator account and issue the command..
e.g.
gcloud auth login auser#anemail.com
go through the steps required, and when I issue the Gcloud Auth List command I get the right result.
But other users cannot see it.
i.e. we use sap data services that use a proxy account on the server when it is running
e.g.
proxyaccount#mail.com
but that user cannot see the authorized user I authorized using the administrator account.
I get error "you do not currently have an active account selected"
The "other" accounts do not have administration access nor do we want them to, and besides I don't want to have to go through this process for each and every account that connects to the server.
Ian
Each user gets its own gcloud configuration folder. You can see which configuration folder is used by gcloud by running gcloud info.
Note that if your server is a VM on GCP you do not need to configure credentials as they are obtained from metadata server for the VM.
Sharing user credentials is not a good practice. If you need to do this, your users can set the CLOUDSDK_CONFIG environment variable to point to one shared configuration folder. Also, you should at least use a service account for this purpose and activate it via gcloud auth activate-service-account instead of using credentials obtained via gcloud auth login.
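The shared-configuration setup described in this answer, as an added example that is not part of the original answer. It assumes a Windows server and an elevated PowerShell session; the folder path, key file path and the `EXAMPLE\proxyaccount` identity are hypothetical placeholders.

```powershell
# Added example: one gcloud configuration folder shared by selected accounts,
# holding a service-account credential instead of a personal login.
$shared  = 'C:\ProgramData\gcloud-shared'       # hypothetical shared folder
$keyFile = 'C:\Secure\automation-sa-key.json'   # hypothetical service-account key
$proxy   = 'EXAMPLE\proxyaccount'               # hypothetical account that runs the jobs

New-Item -ItemType Directory -Path $shared -Force | Out-Null

# Drop inherited permissions and grant access only to administrators, SYSTEM
# and the proxy account; the folder will hold a usable credential.
# gcloud writes logs and its credential store here, so the proxy needs Modify.
icacls $shared /inheritance:r /grant:r `
    'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    "${proxy}:(OI)(CI)M" | Out-Null

# Machine-wide variable: every new process (including services, once they
# are restarted) resolves gcloud's configuration to the shared folder.
[Environment]::SetEnvironmentVariable('CLOUDSDK_CONFIG', $shared, 'Machine')
$env:CLOUDSDK_CONFIG = $shared   # also apply to the current session

# Activate the service account into the shared configuration.
gcloud auth activate-service-account "--key-file=$keyFile"
if ($LASTEXITCODE -ne 0) { throw 'Service account activation failed' }

# Verify: the service account should be listed as the active account, and
# gcloud info should report the shared folder as the configuration directory.
gcloud auth list
gcloud info
```

Run `gcloud auth list` again from a session of the proxy account to confirm it sees the same active account.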

Azure PowerShell start Virtual Machine with RBAC

In the new Azure portal you have the option to use Role Based Access (RBAC). I want to give a user rights to start up and shut down a virtual machine in Azure. I also don't want it to be possible for this user to create new VMs in Azure, so I don't want to make this user Administrator. I gave the user the required rights in the new Azure portal (owner for: the VM, Cloud Service and storage).
When I open PowerShell with the user that has rights on Azure, I first execute the command Add-AzureAccount. After this I execute the following command: Start-AzureVM -ServiceName "MyVM" -Name "MyVM". Then I receive the following error: ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription.
When I perform this scenario for a Subscription Administrator everything works fine.
Is the described scenario supported by the Azure PowerShell cmdlets? What are possible alternatives?
Thanks in advance
Unfortunately, RBAC through PowerShell is currently only available for ARM resources, i.e. non-"classic" resources in the preview portal, and users need to have accounts in the Azure AD tenant associated with the subscription. Federated Microsoft accounts won't work.
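For an ARM (non-classic) VM, the start/stop-only access the question asks for can be expressed as a custom role rather than Owner. This is an added example, not part of the original answer; it assumes the current Az PowerShell module, and the subscription ID, resource group `MyRG`, role name and user sign-in name are placeholders.

```powershell
# Added example: least-privilege start/stop role for one ARM virtual machine.
# Assumes the Az module and an account allowed to create role definitions.
Connect-AzAccount | Out-Null

$subscription = '/subscriptions/<subscription-id>'   # placeholder
$vmScope = "$subscription/resourceGroups/MyRG/providers/Microsoft.Compute/virtualMachines/MyVM"

# Start from a built-in role object and strip it down to the operations
# needed to see the VM and change its power state. Nothing here allows
# creating, resizing or deleting VMs.
$role = Get-AzRoleDefinition -Name 'Virtual Machine Contributor'
$role.Id = $null
$role.Name = 'Virtual Machine Operator (custom)'     # hypothetical role name
$role.Description = 'Can view, start, restart and stop virtual machines.'
$role.Actions.Clear()
$role.NotActions.Clear()
@(
    'Microsoft.Compute/virtualMachines/read',
    'Microsoft.Compute/virtualMachines/instanceView/read',
    'Microsoft.Compute/virtualMachines/start/action',
    'Microsoft.Compute/virtualMachines/restart/action',
    'Microsoft.Compute/virtualMachines/powerOff/action',
    'Microsoft.Compute/virtualMachines/deallocate/action'
) | ForEach-Object { $role.Actions.Add($_) }
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($subscription)
New-AzRoleDefinition -Role $role | Out-Null

# Assign the role on the single VM only, not on the resource group.
New-AzRoleAssignment -SignInName 'operator@example.com' `
    -RoleDefinitionName $role.Name -Scope $vmScope | Out-Null

# Review what the user now holds at that scope.
Get-AzRoleAssignment -SignInName 'operator@example.com' -Scope $vmScope |
    Select-Object RoleDefinitionName, Scope
```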