User with Website Contributor role is able to add tags
Hi all, I've noticed that the user with "Website Contributor" role is able to add tags to the app service, even if in the documentation this role is missing Microsoft.Resources/tags/write permissions. How can this behaviour be explained?
Account is requesting MFA without being active in the policy.
Good afternoon, There is a user in Azure who does not have an MFA policy, but even so, it asks at login to register a phone number and at login it asks for a second factor that if registered, the phone number would be SMS. Could you give me an idea of…
How to get assigned RBAC roles in a resource group which has only apps and managed identities as owners and administrators?
I want myself to have Managed Identity Contributor role in an azure resource, but I can't find the admin or owner. Only managed identities and apps are listed as owners and administrators. Whom to ask for role assignment?
How would I create a role to be Synapse Admin but block particular pipeline and linked services
We are introducing a new source of data into Synapse which is highly sensitive. However currently my team have admin on Synapse and dedicated SQL pool. How can I allow them to keep some of the admin access but not allow them to see the pipelines and linked…
Need Help with Multi-Tenant Azure Access Management
Hi, I'm seeking advice on managing Azure access across multiple external organizations. We manage Azure for Org A and create accounts for Orgs B and C but don't manage their Azure environments. Azure B2B isn’t an option for us. Challenges: Multiple…
Azure Policy Tag add tag if missing
I set a new policy for existing resources to add required tag if missing. scenario1: Resource1 have the following tags and value Tag name = Project Value = ProjSSO Tag name = Purpose Value = app login however if the policy trigger I received an…
Microsoft.Authorization/roleAssignments DevOps CI / ARM Template Issue
Hi, I've been using DevOps and ARM templates for a long time. Until now, I have not had to use the Microsoft.Authorization/roleAssignments resource provider under a storageAccount/tableService/tables scope before. I have managed to add some Storage Table…
"Insufficient privileges to complete the operation" while using Graph API
The access token I get from the following curl request curl "$IDENTITY_ENDPOINT?resource=https://graph.microsoft.com&api-version=2017-09-01" -H secret:$IDENTITY_HEADER does not have the permission to list or create user. Request: GET…
Deleting duplicate owner in role assignment leads to loss of Access to Azure Subscription
Hello, Not long ago, I tried assigning roles to my coworkers. When all thing's done, I saw that there are 4 duplicates of my account in the owner role, so I tried deleting 2 of those roles. After that azure portal won't let me in with message saying I'm…
How would I go about setting up CA for our environment, so that MFA isn't required?
So I have been made aware that MS is forcing MFA on their tenants. Now I am still inexperienced when it comes to MS Cloud, Azure and Entra. Now we have a few different tenants and an on-prem environment. Now while we are getting our users on it we will…
How to delegate permissions to Service desk team for managing MFA in Azure Active Directory
How to delegate permissions to Service desk team for managing MFA in Azure Active Directory. Just MFA reset (revoke and re-register) rights. Please suggest.
Adding a group of users to a group with AKS permissions at resource group level fails to provide necessary permissions
If I correctly understand Azure then there are 3 scopes at which resource permissions can be applied: Subscription, Resource Group, Resource. I have an AKS cluster, a group "AKS-Admins" (with all roles required to access the cluster applied…
Azure permissions for MS Authenticator registration campaign
I am trying to access the registration campaign under Security > Authentication Methods in Azure, but I keep getting a 403 error saying I do not have permission. My manager gave me article1 and article2 to figure out which "blade" I need…
same domain access
How do I provide access to multiple users with same domain?
File level authentication with MSAL via web browser
Legacy app currently using secure Basic Authentication to establish file level access permission. How is file level access permission established using MSAL?
Can you please provide a list of users or groups who currently have the Owner role or a higher-level administrative role (such as Global Administrator) for the Azure subscription?
In the process of enabling PIM, added a group for the owner role in the subscription and removed all individual direct users. But that role was mistakenly added with a condition excluding the access to add new owner role assignments. Now, we are unable…
My development manager needs to be able to set up apps and wants to configure blob and Kubernetes, how do I grant him access to do this?
I want to set my developer up to be able to create new apps, upload code and add any services needed and am unsure how to do this
What Admin Role Allows Releasing Quarantined Emails?
I am looking to add permissions to an admin account that allows this admin to release quarantined emails. I do not want to give them global admin, but I have not found an admin role that allows someone to release these emails. As a global reader this user…
Missing Cosmos DB Built-in Data Reader and Cosmos DB Built-in Data Contributor roles in Access Control (IAM)
I'm trying to assign roles to managed identity in Cosmos DB, through browser using Access Control (IAM). Unfortunately two built-in roles Cosmos DB Built-in Data Reader and Cosmos DB Built-in Data Contributor are not there. How can I add managed…