hi John, I have a "contributor" role assigned at subscription and "User" role in AAD to which subscription is associated with. I tried creating a Azure AD B2C tenant but access was denied with below message: "User Authorization: Access is denied. You must have one of the following user roles for access: External ID User Flow Administrator, External ID User Flow Attribute Administrator, B2C IEF Keyset Administrator, B2C IEF Policy Administrator, External Identity Provider Administrator, Application Administrator, Security Administrator, Security Reader, Global Reader, Global Administrator." Since, i have contributor role at subscription, i assumed that i can spin up any resource in the subscription. Does this not apply on B2C ? and do i need to change my role in Active Directory ?
AAD does not live in a subscription. Subscriptions USE AAD instances. Your contributor role is only at a subscription and therefore has no impact at AAD levels. You need a role set at AAD which is one of those it lists.
Hi John, Great video again. I am trying to figure out what are the exact permission required if I would like my Azure applications to rotate the passwords of my Global administrators every few months ? The idea is whenever global admin has to use the password, it will have to draw from some sort of external vault.
@@NTFAQGuy yes john. Sorry for asking question on the wrong video. I was trying to look at azure ad built-in role but unable to figure out the exact role which can suffice the purpose.
great content, John! liked and subscribed. I was also wondering if you could help with a use case, I want to write an azure policy because I dont want the Owner role to be able to cancel or transfer subscriptions, would you be able to help me with that? thanks!
@@NTFAQGuy understood. The point being, we dont want the Owners to be able to cancel the subscription or move them to another mgmt group. They can do everything else that the role allows. So I wanted to write an azure policy and apply it to the mgmt groups
Great video as always! Is there anyway to automate the assignment an RBAC role to a group? I understand a group with "isAssignableToRole" property set to true cannot be of dynamic membership type. Does that mean if I need to assign the "Guest Inviter" role to a large group of people, they would have to activate it via PIM or I would have to explicitly assign the role to each user?
high-quality training with actual context and things the documents don't tell you - so much more than just another how to video
Thanks, glad it's useful.
Another amazing video John !! Love the way you explain these topics. Thank you again.
Great video! It really helped me to understand how RBAC and PIM work together
Some more very good information regarding Azure resources, thank you John.
My pleasure! Ken, you based in the US?
Superb as always John
Thank you!
This video helped me to understand RBAC a whole lot better to solve some challenges and problems we have. Got some more digging to do! 🤣🤣 Thanks John!
Great tutorial, very informative. Thank you.
Glad it was helpful!
Super like the content John. Thanks.
Glad you enjoyed it
Amazing teacher
Great video! Thanks!
Thanks
You won one more subscriber, thanks.
Thanks!
Superb !
Thank you
Superb
gracias!
You are welcome. Thanks for watching.
nice one!
For the algorithm! 😁
hi John, I have a "contributor" role assigned at subscription and "User" role in AAD to which subscription is associated with. I tried creating a Azure AD B2C tenant but access was denied with below message:
"User Authorization: Access is denied. You must have one of the following user roles for access: External ID User Flow Administrator, External ID User Flow Attribute Administrator, B2C IEF Keyset Administrator, B2C IEF Policy Administrator, External Identity Provider Administrator, Application Administrator, Security Administrator, Security Reader, Global Reader, Global Administrator." Since, i have contributor role at subscription, i assumed that i can spin up any resource in the subscription. Does this not apply on B2C ? and do i need to change my role in Active Directory ?
AAD does not live in a subscription. Subscriptions USE AAD instances. Your contributor role is only at a subscription and therefore has no impact at AAD levels. You need a role set at AAD which is one of those it lists.
@@NTFAQGuy Thanks John
@John Savill Where do i put the custom JSON file after i create it, could you please let me know, where to place it and use it
Does not matter where you put it. Once you import to create the new role the JSON file can be deleted.
Hi John, Great video again. I am trying to figure out what are the exact permission required if I would like my Azure applications to rotate the passwords of my Global administrators every few months ? The idea is whenever global admin has to use the password, it will have to draw from some sort of external vault.
That would be an azure ad permission not an azure permission.
@@NTFAQGuy yes john. Sorry for asking question on the wrong video. I was trying to look at azure ad built-in role but unable to figure out the exact role which can suffice the purpose.
Hi Please make video on WVD deep dive
great content, John! liked and subscribed.
I was also wondering if you could help with a use case,
I want to write an azure policy because I dont want the Owner role to be able to cancel or transfer subscriptions, would you be able to help me with that?
thanks!
Owner of a sub will be able to move it. Limit who is owner.
@@NTFAQGuy understood. The point being, we dont want the Owners to be able to cancel the subscription or move them to another mgmt group. They can do everything else that the role allows. So I wanted to write an azure policy and apply it to the mgmt groups
@@ibmuser13 I’ve never tried that. You would need to look if that’s possible based on properties exposed. My gut feeling is no
Great video as always! Is there anyway to automate the assignment an RBAC role to a group? I understand a group with "isAssignableToRole" property set to true cannot be of dynamic membership type. Does that mean if I need to assign the "Guest Inviter" role to a large group of people, they would have to activate it via PIM or I would have to explicitly assign the role to each user?