Make VSTS SPN owner of AAD AppId - azure-devops

I have a scenario that requires a task running in VSTS add a "Reply URL" to an App registered in AAD.
I've added a service connection in VSTS; it created an SPN and made it a Contributor of the Azure subscription. Additionally, I've added the SPN as an owner of the AppID by calling Add-AzureADApplicationOwner.
Still, the VSTS task can't operate on the AppID; it can't even read it. For example, running Get-AzureRmADApplication I get:
[error]Insufficient privileges to complete the operation.

Refer to the steps below to grant permission:
1. Log on to the Azure portal
2. Select Azure Active Directory
3. Select App registrations
4. Select the corresponding application
5. Click Settings
6. Click Required permissions
7. Click + Add > Select an API
8. Select Windows Azure Active Directory > Select
9. Check the necessary permissions in Select permissions > Select
10. Click Done
11. Click the Grant Permissions button

An addition to starian chen-MSFT's answer. I managed to solve the same problem by adding and granting the following permissions on the answer's Step 9:
Read and write directory data
Manage apps that this app creates or owns

Related

Unable to automate AD user creation in Azure SQL database

I'm trying to set up an automated pipeline for database creation and need to open access for all users of some AD group. The last part is done through CREATE USER [Group Name] FROM EXTERNAL PROVIDER;
In order to execute this command, one needs to be logged in with AAD, and the only Azure DevOps task used to execute SQL scripts (SqlAzureDacpacDeployment#1) has limited options to sign in with AD. Currently it supports sign-in with AD username/password and AD Integrated. The user/password option is not possible as we use two-factor authentication, and the latter requires a self-hosted agent for the pipeline, which we do not have.
Additionally, there is one more sign-in option that looks promising (Service Principal: Uses the Authentication data from Azure Subscription), but when I tried it, it failed miserably with the error:
##[error]Principal 'web-API' could not be created. Only connections established with Active Directory accounts can create other Active Directory users.
Are there any other options we could use to create AD users in an Azure SQL database? Any help would be appreciated.
How to solve the above error?
Please follow the steps below:
Step 1: Go to the Azure portal and find your SQL server resource; you will find Active Directory on the left side under Settings. Click Set Admin. Now your Active Directory user account becomes admin of the SQL server.
Step 2: Now log in with SSMS using Active Directory authentication if Multi-factor Authentication (MFA) is enabled. Otherwise, you can choose either 'Active Directory - Integrated' or 'Active Directory - Password'.
Step 3: Create new logins as shown in the code below:
-- Create a contained database user for the AAD user (or group) by its UPN / display name
CREATE USER [User1@Domain.com]
FROM EXTERNAL PROVIDER
WITH DEFAULT_SCHEMA = dbo;
-- Add the user to roles for the particular database
ALTER ROLE dbmanager ADD MEMBER [User1@Domain.com];
ALTER ROLE loginmanager ADD MEMBER [User1@Domain.com];
Note: If you add a domain user that is configured for MFA, then for that user to log on using SSMS they should select the SSMS authentication option Azure Active Directory - Universal with MFA.
Regarding SqlAzureDacpacDeployment#1, follow this link.
For more detailed information, refer to these:
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-overview?view=azuresq
https://learn.microsoft.com/en-us/sql/t-sql/statements/create-user-transact-sql?view=sql-server-ver15
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-mfa-ssms-overview?view=azuresql

How do I add DevOps Permissions

How do I grant permissions in Azure DevOps to create pulls?
See the attached screenshot image file for details. https://github.zendesk.com/attachments/token/3n94qn1KDz53kxCMwGXGBKleV/?name=Screenshot+2020-12-11+034803.png
Hal
Two things to ask yourself:
1. Does the user have a license?
   In Azure DevOps, go to Organization Settings -> Users.
   Locate the user and select "Change access level".
   Change the access level from Stakeholder to e.g. Basic.
2. Does the user have permission to "Contribute to pull request"?
   This permission is granted by the Contributors group by default.
   In Azure DevOps go to your Project -> Project Settings -> Permissions -> Contributors.
   Add the user to the Contributors group.

Azure DevOps Server 2019: How to correctly manage user roles

I recently installed Azure DevOps Server 2019 on an on-premises server.
However, I'm confused: how can I set the security and user permissions in the server, such as denying a user from viewing another project in the same collection, or creating a custom group outside the Azure DevOps default groups?
I'm asking for ideas on how to implement that.
Thank you
In Azure DevOps permission settings, for most groups and almost all permissions, Deny trumps Allow. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user will not be able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.
Deny a user from viewing another project in the same collection.
Assuming you are talking about a team project: in your scenario, the simplest way is to not add that user to your team project. People without team project collection admin permission will not be able to see projects they have not been added to.
If you have already added users to the team project and want them not to be able to see some info such as repos/builds/work items in the project, you need to explicitly deny those users the permission to view those repositories/builds/work items.
As for how to create a group, you can directly click New Group in the top right corner of the page from Project Settings -> Permissions.
For more details about how permissions and groups are defined, I suggest going through the official doc here: About permissions and groups.
Besides, you can also manage user permissions from the command line. The tfssecurity command-line tool allows us to manage permissions for Azure DevOps groups and users. We can use it in a PowerShell script to grant access to projects that already exist.

Azure DevOps - permissions issue with deployment groups

Does anyone know where I can set the permission to manage deployment groups in Azure DevOps?
If I click on "deployment groups" in the menu shown here:
I receive this message when I click on a deployment group.
The error message states:
You do not have permissions to register targets. Contact your release manager to grant permission
I am a member of both project administrators and build administrators groups.
I can reproduce your problem and solve it with the following permission settings.
Click Manage in the Deployment pool.
If you get this error, you do not have permission to manage this deployment pool's roles, which prevents you from modifying permissions in Security. You need to be added to the Project Collection Administrators group in the organization settings permissions. If you can't be added to the PCA group, you can ask the users in the PCA group to modify it for you.
Set the user's Role to Administrator in Security and click Save Changes.
After this setting, you will no longer receive the error message "You do not have permissions to register targets. Contact your release manager to grant permission" when you enter Deployment groups.
This access is not required, as I was able to fix this without changing org-level access for others, and indeed such access is not meant to be shared with all.

Add reply URL to Azure Active Directory register app via command line

I have an Azure Active Directory app and it has various reply URLs. I've been adding reply URLs manually in the Azure portal: AAD -> register-app -> settings -> reply-URLs.
My goal is to be able to run an Azure pipeline task that can retrieve the reply URL I need from an Azure app service (which I know how to do) and add it to the reply URL list of the registered app in AAD with a command, using either Azure CLI, Azure PowerShell or PowerShell from the Azure pipeline task list.
If there's another way of doing it with another task, I'm open to suggestions.
This is what I tried:
This is the log/debug output:
I guess that a better question is:
How can I give privileges to an Azure CLI task from Azure DevOps to achieve the task from the previous problem?
Your question has changed a bit after your edit, so I've tried to revise and answer both parts, i.e. adding reply URLs through a script and something to possibly help with the privileges issue:
Adding Reply URLs to your application through a PowerShell script
Make use of the application object's ReplyUrls list and the Set-AzureADApplication command. Here's a quick sample script:
# ObjectId for the application from App Registrations in your Azure AD
$appObjectId = "<Your Application Object Id>"
$app = Get-AzureADApplication -ObjectId $appObjectId
# Reply URL to add
$newURL = "https://mynewurl"
# Existing reply URLs list (a List[string]; Add appends in place)
$replyURLList = $app.ReplyUrls
# Skip the update if the URL is already registered, so the pipeline can run repeatedly
# without pushing duplicate entries
if (-not $replyURLList.Contains($newURL)) {
    $replyURLList.Add($newURL)
    Set-AzureADApplication -ObjectId $app.ObjectId -ReplyUrls $replyURLList
}
Assigning correct privileges for execution of script
To execute your script as part of a pipeline, this article provides very detailed step-by-step instructions: Set up continuous deployment in Azure Pipelines
I would point you to option 1 in the article, which talks about creating a separate application/service principal for executing the script. Once you do that, you can assign the required privileges to this service principal that will be used to execute the script and resolve your current issue of insufficient privileges.
Screenshot of the important parts from the article:
For step h, you can follow the first link to register an application from the Azure Portal.
Once you have the separate application/service principal created for executing the script, go to its Settings > Required Permissions.
"Windows Azure Active Directory" should already be available in the list of APIs (if not, you can click the Add button to add it).
Pick the appropriate privilege under Application Permissions.
Make sure you go through admin consent at the end of this process by clicking the "Grant permissions" button.
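As an added check that is not part of either answer, the script below lists which application permissions the pipeline's service principal actually holds on the "Windows Azure Active Directory" API once the Grant permissions / admin consent step from the first answer on this page and from this one has been done, and flags the tenant-wide permission. It uses the Microsoft Graph PowerShell SDK rather than the AzureAD module the answers use, and the pipeline appId is a placeholder.

```powershell
# Added example, not from the original answers: audit which application permissions the
# pipeline's service principal actually holds on the "Windows Azure Active Directory" API
# after the "Grant permissions" (admin consent) step. Uses the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Applications) rather than the AzureAD module; assumes Connect-MgGraph has
# already been run by someone allowed to read service principals (e.g. Application.Read.All).
$pipelineAppId = '<appId of the pipeline service principal>'   # placeholder, replace

# Well-known appId of the "Windows Azure Active Directory" (Azure AD Graph) API.
$aadGraphAppId = '00000002-0000-0000-c000-000000000000'

# The two permissions named in the answers; one is tenant-wide, the other is scoped
# to applications the service principal owns (hence Add-AzureADApplicationOwner).
$broad  = 'Directory.ReadWrite.All'         # "Read and write directory data"
$scoped = 'Application.ReadWrite.OwnedBy'   # "Manage apps that this app creates or owns"

$sp       = Get-MgServicePrincipal -Filter "appId eq '$pipelineAppId'"
$resource = Get-MgServicePrincipal -Filter "appId eq '$aadGraphAppId'"
if (-not $sp -or -not $resource) {
    throw 'Pipeline service principal or Windows Azure Active Directory API not found in this tenant.'
}

# appRoleAssignments on the SPN are the application permissions that have received admin
# consent; keep only those granted on the AAD Graph resource and map role ids to names.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object { $_.ResourceId -eq $resource.Id } |
    ForEach-Object {
        $roleId = $_.AppRoleId
        ($resource.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
    }

Write-Output "Application permissions of '$($sp.DisplayName)' on '$($resource.DisplayName)':"
if ($granted) { $granted | ForEach-Object { Write-Output "  $_" } }
else          { Write-Output '  (none: permissions added but admin consent not granted, or nothing added)' }

# Least-privilege verdict: ownership plus Application.ReadWrite.OwnedBy is enough for the
# reply-URL update; Directory.ReadWrite.All lets the SPN change any object in the directory.
if ($granted -contains $broad) {
    Write-Warning "Tenant-wide $broad is granted; consider $scoped plus app ownership instead."
} elseif ($granted -contains $scoped) {
    Write-Output "OK: only $scoped; the SPN must be an owner of each app it updates."
}
```

Run it after the Grant permissions step; an empty list means the permissions were added in the portal but admin consent has not yet been recorded against the service principal.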