Add users groups in Azure subscription using portal - powershell

I was trying to follow this tutorial here from official Microsoft Docs in order to give in a specific user group a role.
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure
I want that role to be applied on subscription level. First, the screenshots are outdated and they are not represent the current portal. Second, the current portal seems to be unable to find the user groups through the search.

After searching and changing a lot of things I had realized that the issue wasn't on my action but on Azure portal. I gave up the portal and I started trying PowerShell and it works as it is expected to work.
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell
Therefore, save your time and use PowerShell instead of portal in case that you want to set a role in a user group. Again, there is no specific command as far as it concerns subscription level access. You need to modify a bit the one for Resource Groups and add -Scope. Your final command should be this:
New-AzureRmRoleAssignment -ObjectId $userGroupId -RoleDefinitionName 'Reader' -scope '/subscriptions/{Change_To_Subscription_ID}'

Related

Correctly link Azure Devops Organisation to Azure AD Account

I've had a standalone Azure Devops Organisation (call it MyOrg1) for quite a while, and I've recently linked it to my Azure Active Directory, and set my Azure AD user myname#my-azure-ad as the organisation owner.
This seemed to work ok. I can go directly to the URL dev.azure.com/MyOrg1, and see all my projects etc. All good so far.
The problem is that if instead I go directly to dev.azure.com, and login as my Azure AD user, it doesn't seem to recognise that this user is already associated with an existing devops account. It instead prompts me with the "Get started with Azure DevOps" screen with the option to "Continue".
If I choose "Continue" it then creates a new Organization for me like "[myname]1234".
So far this is mostly just a nuisance, but not a huge problem. However the more significant problem is that in Visual Studio, I'm not able to see MyOrg1. It will only list the new organisation "[myname]1234". If I attempt to manually add the server URL "dev.azure.com/MyOrg1" it won't work, and doesn't seem to recognise that the user myname#my-azure-ad has access to this organisation.
It shows the message "To access an Azure DevOps account, login using the picker above". The picker already shows my user myname#my-azure-ad
In the MyOrg1 organization settings, I can see that my account is definitely listed as the organisation owner, and I can see that my Azure AD is definitely linked.
I can't figure out what could be wrong. Everything looks correct, but it just doesn't work.
Just in case it makes a difference, organisation MyOrg1 is in a different region to my Azure AD. I can't really see why that would matter though, since it seemed to link it just fine.
I managed to correct the issue by doing the following...
Create a new Global Admin user account in AAD
Add this user to the DevOps organisation and set as owner
Remove my original myname#my-azure-ad from the DevOps org
Re-add myname#my-azure-ad to the org and re-assign as the owner
The only thing I can conclude is that because myname#my-azure-ad was originally added to the org before the org was linked to the AAD that this must have messed something up.

Option to limit visibilty of users in Azure DevOps

Our main Azure DevOps Organization is linked to our Azure AD. We need to invite customers to specific projects as stakeholder only, and with this, they are added as external users in our AD. We found that within a customer project also, all other external users are visible, e.g. via mention with # anywhere in the text or assignment drop-down, although these do not have access to that project. Our only workaround so far is to create new non AD linked customer specific organizations, but this is really not the right way to go (licencing, management etc.)
Is there any option to prevent this and to restrict visibility to only those users, which are part of a project (or planned)?
I tested and found the same issue as you said. It is by design, you can raise a problem in the Developer Community
https://developercommunity.visualstudio.com/spaces/21/index.html
Besides, since there is a workaround that works now, continue on this basis. You can create different AAD for the customer specific organizations, then add the customers to these AAD. Thus, these users will be invisible because they are in different AAD organizations.

Can't #mention or Assign Work Items to Other Users in Azure DevOps

In the Azure DevOps project I'm currently working on, I am unable to use the # mention feature and am not able to assign work items to other users because no users are ever found. I am aware that you should be able to search for other users if they don't initially show-up in the drop-down list, but searching always returns "No identities found".
Other members of my team that have elevated permissions than I do can use these features because they are able to search for any other user in the same Azure DevOps project. My project administrator gave-up trying to figure-out why these features won't work for me.
Is there a setting in the Azure DevOps Project Settings Permissions that enables or disables the ability to view other user names?
Here is an example of me trying to look-up my own name to assign a bug to myself without success:
And here is an example of me trying to #mention a user in a bug discussion section without success:
* Update *
When my project administrator gives me project administrator rights, I am able to #mention others. Obviously, that isn't the desired user level for a non admin like myself.

Azure DevOps and Teams - one Group group to control membership to both

I have been trawling the internet and clicking myself blue in the face! Hopefully someone has a definitive answer.
I want to have one Group (in either of Azure AD, Microsoft Teams or Azure DevOps). This group must have access to a DevOps project and a Team site. When I change the membership of the group, the membership must change for both the Team and the DevOps project. I want to avoid the overhead of managing the groups for both separately.
Is this at all possible? Thanks.
This is a really good question, and the answer is not obvious at all. Ironically we had the same exact problem in Microsoft Teams - when a user was added or deleted from the underlying Office 365 Group (which is mastered in Azure AD), it would take up to an hour, sometimes more, to be reflected in Teams, which has its own copy of the member list.
There is a way to do it, and it's how Teams does it: it relies on a relatively new feature in Microsoft Graph called subscriptions. You can find the documentation for it here: https://learn.microsoft.com/en-us/graph/api/resources/subscription?view=graph-rest-1.0.
Essentially what you want to do is create a subscription to the group: POST https://graph.microsoft.com/v1.0/subscriptions with the right message body and your endpoint will be called whenever there's a membership change in the group. Your endpoint won't know what changed, just the event and some IDs - you will likely have to make a separate call to retrieve the actual data (unless the IDs alone are sufficient).
There's a sample on GitHub that illustrates how to use Microsoft Graph subscriptions including more details on how to subscribe to group notifications specifically.
One thing to be aware of is that to use these APIs, your application will require fairly elevated permissions: Group.Read.All which means it has the ability to read not only the team/group members, but all of its messages too (among other things), for every group in your Office 365 tenant. We are working with the MS Graph team to support a less-privileged, per-group permission approach, but even after that's released for Teams Graph APIs, support for that will have to be added to the subscriptions APIs I just mentioned and that may not happen for a while.

How to use Microsoft (not Organizational) account with Add-AzureAccount?

I'm trying to use the Add-AzureAccount command that's part of the Azure PowerShell tools (August 2014, v0.8.6), and although various examples on the web lead me to expect that it will let me use either an organizational account or a Microsoft Account to log in, in practice, it seems to be requiring an organizational account.
When I execute the command, it opens a hosted browser window as expected, but the prompt says Sign in with your organizational account followed by a username and password. There seems to be no way to tell it that no, I actually need to use a Microsoft Account.
(As it happens, my email address is associated with both an organizational account, and also a Microsoft Account. This may not be helping.)
I could create a completely separate organizational account in an Azure Active Directory, make that a co-admin, and log in with that, but it seems like this shouldn't be necessary.
Is there some way to force it to offer me both options?
I was able to resolve this problem through trial-and-error. As Paul points out in his post, you can load your subscription info into PowerShell using the following sequence:
1. Get-AzurePublishSettingsFile
This will open a browser to a special page that lets you download your profile settings file.
Note: If you have multiple subscriptions, you must use the dropdown to select the one that contains the Azure components you want to manage. For instance, I have a BizSpark subscription that I use for my own company, and a separate MSDN subscription that my clients use (adding me as an administrator). Both subscriptions show up on my management portal page, so I needed to download 2 separate publishsettings files.
2. Import-AzurePublishSettingsFile my-subscription.publishsettings
In my case, I renamed the settings files to "BizSpark.publishsettings" and "MSDN.publishsettings", so I ran this command twice.
3. Get-AzureSubscription
This will list all of the subscriptions that have been imported into PowerShell, showing the subscription name and the other properties.
4. Select-AzureSubscription -SubscriptionName "my-subscription"
You can now use the subscription name to select the subscription you want to use. This allows you to switch back and forth between subscriptions and work with the Azure components you need to manage.
Use #outlook.com instead of the organizational address and you will be directed to the Microsoft Account login.
Azure can be signed up with either Microsoft Account or Organizational Account. Add-AzureAccount will display a message like "Sign in with your organizational account" in the browser window, but actually if you input your Microsoft Account email address into the box and move focus out, the page will redirect to Microsoft Account sign page automatically, and then you can sign in.
Sometimes you may meet some error like "The cache contains multiple tokens satisfying the requirements". You can try to clean all the existing Azure Accounts firstly and then try to sign in again.
To clean up, run Get-AzureAccount | Remove-AzureAccount.
I have a similar problem. Using Add-AzureAccount with my Microsoft Account result in adding my organizational account.
For example I run Add-AzureAccount, in the form I type davideicardi#hotmail.com (my Microsoft account) but the resulted account is davide.icardi#mycompany.com (my organizational account).
I solved by deleting all the Azure account registered on Power Shell (also the one not related to my account, using Remove-AzureAccount), then I have deleted IE cookies (not sure it this is important...), closed the powershell console and executing again Add-AzureAccount.
I suspect that there is a bug somewhere...