How do I troubleshoot and determine the correct permission to assign a user to access an Azure portal blade

Greg Bonk 86 Reputation points
2023-08-01T02:38:20.2333333+00:00

Occasionally a user, when browsing the Azure portal for our tenant, lands on a blade that returns a 403.

For EXAMPLE....

[screenshot]

I would like to know how to debug this scenario IN GENERAL.

  1. Are there additional details in an Azure log somewhere, that I could use something like Log Analytics to get details?
  2. Is there an Azure Portal blade permission reference that I could use that would tell me what permissions a user has to have to be able to view this blade ?

I know in this specific example I could grant a user 'Global Reader' or 'Authentication Policy Administrator' but I really want to know the specifics on what Action was violated and what Role Permission is required.

I'm hoping to find a log that will contain a message that says something to the effect of "Permission Denied 403, User doesn't have permission microsoft.directory/authenticationMethods/read "

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Michael Durkan 12,241 Reputation points MVP
    2023-08-01T14:55:53.6566667+00:00

    Hi

    I would imagine the blade in your screenshot refers to the "Authentication Policy Administrator" role:

    https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#authentication-policy-administrator

    Full list can also be found at the top of the page on this link.

    As regards logs, the "Sign-In" or "Audit" logs on the main page of your Azure AD tenant in the Azure Portal would provide more info here, as you can search by the affected users:

    [screenshot]

    Hope this helps,

    Thanks

    Michael Durkan

    • If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!

  2. Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
    2023-08-02T09:47:06.77+00:00

    @Greg Bonk Thank you for reaching out to us. As I understand it, you are looking for logs which can help you understand what permissions are required when an end user accesses an Azure AD blade (for example) and in return gets a 403 forbidden/unauthorized error; you are looking for this information to be captured in the audit logs.

    I did a quick demo of this scenario at my end. When it comes to the 403/unauthorized error, there is no information captured in the Azure AD audit logs with respect to what permissions/privileges are required to access a specific Azure AD blade; the audit logs capture changes to applications, groups, users, and licenses.

    Reference: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs

    You can share your feedback on this requirement at https://feedback.azure.com/d365community so that the product group team can review it.

    Azure AD built-in roles, shared for reference: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

    Let me know if you have any further questions, feel free to post back.

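Both answers point to the role permissions reference rather than a log, so the remaining practical step is the reverse lookup the question asks for: given a suspected action string such as `microsoft.directory/authenticationMethods/read`, which roles actually grant it, and which of those is narrowest. The block below is an added example, not code from either answerer or from Microsoft: it searches role definitions in the shape Microsoft Graph returns from `GET /roleManagement/directory/roleDefinitions` (`rolePermissions[].allowedResourceActions` and `excludedResourceActions`), over a small constructed sample embedded inline. The role names and action lists in the sample are invented for illustration, and treating `*` as a wildcard that spans path segments is an assumption modelled on Azure resource-provider action strings; replace the sample with the real definitions pulled from Graph before relying on the result.

```python
import fnmatch
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape of Microsoft Graph unifiedRoleDefinition
# objects. Role names and actions are illustrative only, NOT real built-in
# roles; fetch real data from GET /roleManagement/directory/roleDefinitions.
SAMPLE_ROLE_DEFINITIONS = json.loads("""
{
  "value": [
    {
      "displayName": "Constructed Authentication Reader",
      "isBuiltIn": true,
      "rolePermissions": [
        {"allowedResourceActions": [
          "microsoft.directory/authenticationMethods/read",
          "microsoft.directory/users/standard/read"
        ]}
      ]
    },
    {
      "displayName": "Constructed Directory Reader",
      "isBuiltIn": true,
      "rolePermissions": [
        {"allowedResourceActions": ["microsoft.directory/*/read"]}
      ]
    },
    {
      "displayName": "Constructed Groups Admin",
      "isBuiltIn": true,
      "rolePermissions": [
        {"allowedResourceActions": ["microsoft.directory/groups/*"],
         "excludedResourceActions": ["microsoft.directory/groups/delete"]}
      ]
    }
  ]
}
""")


def action_matches(pattern: str, action: str) -> bool:
    """True when a role's action string covers the requested action.

    Assumption: '*' is a wildcard that may span several '/' segments, as in
    Azure resource-provider action strings. Comparison is case-insensitive.
    """
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def permission_grants(perm: Dict, action: str) -> bool:
    """A single rolePermission grants `action` if an allowed pattern matches
    and no excluded pattern matches."""
    allowed = perm.get("allowedResourceActions", [])
    excluded = perm.get("excludedResourceActions", [])
    if any(action_matches(p, action) for p in excluded):
        return False
    return any(action_matches(p, action) for p in allowed)


def role_breadth(role: Dict) -> int:
    """Rough measure of how much a role grants: number of allowed action
    patterns, with each wildcard pattern counted extra. Used only to rank
    candidates so the narrowest role is listed first."""
    total = 0
    for perm in role.get("rolePermissions", []):
        for p in perm.get("allowedResourceActions", []):
            total += 10 if "*" in p else 1
    return total


def roles_allowing(action: str, definitions: Dict) -> List[str]:
    """Display names of all roles whose permissions cover `action`,
    narrowest (lowest breadth) first, ties broken alphabetically."""
    hits: List[Tuple[int, str]] = []
    for role in definitions.get("value", []):
        if any(permission_grants(perm, action)
               for perm in role.get("rolePermissions", [])):
            hits.append((role_breadth(role), role["displayName"]))
    return [name for _, name in sorted(hits)]


if __name__ == "__main__":
    for act in ("microsoft.directory/authenticationMethods/read",
                "microsoft.directory/groups/delete"):
        print(act, "->", roles_allowing(act, SAMPLE_ROLE_DEFINITIONS))
```

To run this against a real tenant, replace `SAMPLE_ROLE_DEFINITIONS` with the JSON from `GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions` (or the output of `Get-MgRoleManagementDirectoryRoleDefinition` from the Microsoft Graph PowerShell SDK, converted to the same dictionary shape). The breadth ranking is a heuristic for picking the least-privileged candidate, not an authoritative measure; confirm the chosen role against the permissions reference linked in the answers before assigning it.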
