I'm trying to create a release definition in Visual Studio Online with the task "Deploy Azure App Service".
When I try to authorize for the subscriptions it gives this error message below.
Error(s):
Insufficient privileges to complete the operation. For troubleshooting refer to link.
The content of the link they provide doesn't seem to help me.
I already tried this using Azure Service Administrator account.
Why is this happening? What are the kind of permissions i need for doing this?
The user must be a member of Global Admin role in the directory.
On the other hand, you may configure it manually with this PowerShell script.
More information, you can refer to Automating Azure Resource Group deployment using a Service Principal in Visual Studio Online: Build/Release Management (Manual configuration section)
Download & run this PowerShell script in an Azure Powershell window to
generate required data for Service Principal based Azure service
connection. Running this script would prompt you for:
The name of your Azure Subscription name
A password that you would like to set for the Service Principal that is going to be created
Note: the script has been tested with Azure PowerShell version 1.0.2.
Once successful, the script would output the following details for the
Azure Service Endpoint.
Connection Name
Subscription Id
Subscription Name
Service Principal Client Id
Service Principal key
Tenant Id
Related
I'm trying to work around a problem with my Self-hosted Azure Pipeline agent. One of the workarounds listed here is to make the agent log on as myself, (instead of as the current, "Network Service" account it uses).
So I tried that. I went to the Services app, edited the "Azure Pipelines Agent" service and changed the user to be myself.
Windows then tells me that I'll need to stop the service and restart it. But when I do that, I get an error dialog with Error 1069: "The service did not start due to a logon failure"
I have tried to use both my Windows 10 Logon PIN (that I type to login when I sit down at the machine) as the password as well as my Azure AD password for our organization that lets me log on to all our resources. Neither one works.
I know I have the correct account. I don't have any other organization passwords that I know of. What am I doing wrong?
Change the logon user on DevOps agent services won't work.
If you'd like to run the agent with specific account, you need to uninstall the agent(config.cmd remove), then reconfigure the DevOps agent, type your account as below during the configuration.
You can validate the user account in DevOps pipeline with below task:
pool: self2
- script: whoami
I work in a team that uses Azure Service Fabric and I want to connect to an Azure SQL database using my Azure AD account instead of using a SQL username/password when running locally.
Service Fabric runs locally on a cluster and runs as the NT Authority\Network Service user. I believe that it's possible to change the user that it runs under, but when I tried it seemed to remove the ability to use Visual Studio to debug the app. It also required having the password in the config which is not ideal.
I'm trying to login to Azure AD with the AzureCli and the az login command and can do this easily with my local user azuread\chester.
A comment on github suggests that I should be able to run a powershell prompt as the network service and use az login to login with my account. When I tried this it failed with a generic error:
Does anyone know if it's possible to login to AzureAD with the NT Authority\Network Service user?
I know it's possible to use an Azure App Registration as a principal, but this method still involves a password and i'm trying to avoid passwords.
It is perfectly possible but, since it's a non-interactive account, the optimal choice is to login as an application. This, however, implies high level permissions so careful attention must be paid when consenting them. Also, it's possible to login as a user using the ROPC flow, however this one is not recommended due security and technical limitations.
Regarding az cli take a look at Sign in with a service principal.
I have been working with the Android Management API to try and manage the policy of my company's existing enterprise. My company account has the Owner role within the organization and the roles Owner and Service Account Admin for the service account mentioned later.
I followed the Quickstart Guide to get familiar with the API and made some modifications for a more permanent solution along the way such as creating a service account with the Android Management User role via the Google Cloud Platform and generating a JSON key to acquire credentials rather than going through the OAuth2 flow like in the guide. This allowed me to authenticate properly, but when it comes time to patch the policy as such,
androidmanagement.enterprises().policies().patch(
name=policy_name,
body=policy_json
).execute()
I get the following error:
<HttpError 403 when requesting https://androidmanagement.googleapis.com/v1/enterprises/XXXXXXXXX/policies/<policy_name>?alt=json returned "Caller is not authorized to manage enterprise.". Details: "Caller is not authorized to manage enterprise.">
I have verified that the service account I am authenticating with has the Android Management User role, and thus has the androidmanagement.enterprises.manage permission.
I have also attempted to make this call with an elevated admin role in the organization.
Is there a chance that I need to have created the enterprise with my own account to manage the enterprise? The guide suggests that an organization can create multiple enterprises. In which case, would I need to create a new Google account not associated with my organization's enterprise and create a new enterprise that way?
It is advisable to use your own google account to call Android Management API since your organization account may not be compatible with the quickstart.
To access the Android Management API your service account requires the androidmanagement.enterprises.manage permission, which can be granted by the Android Management User role (or roles/androidmanagement.user). Kindly check this link for details regarding creating a service account.
Please keep in mind that the enterprise you created as part of the colab instructions can only be managed using the colab itself. To allow your cloud project to manage an organization, you will need to create one using the client configuration from your cloud project.
When I running my Azure Devops build pipeline for a UWP app locally via a private Windows Agent, it complains that it cannot access C:\Program Files (x86)\Windows Kits\10\App Certification Kit\SupportedAPIs-x86.xml
The agent service is using the default suggested user NT AUTHORITY\NETWORK SERVICE.
So far I tried, without success:
to run the service with my (admin) credential (I'm using an hotmail account to log on my machine) but it doesn't want to (error 1355)
give `Everyone` `Read & Execute` rights on the folder the service is denied access to
I dont know if you're still having this issue but this is what worked for me. Anyone else that finds this can try this out.
I would recommend trying this out as a sanity check, but my issue was permissions.
If you run services.msc and find Azure Pipelines Agent then click
on the service to highlight it.
Right click, go to properties
Navigate to the Log On tab at the top
Change the username and password to a known domain admin account
Click ok and restart the service.
Now run your pipeline again and see if it can connect and publish your files. If it does then its a user/permissions issue.
I followed the steps as per
https://github.com/OfficeDev/O365-WebApp-MultiTenant and added the connected service. However this does not register the app under Windows Azure Active Directory Applications. I have properly linked my office 365 account into Azure. However when I add the connected service it is still empty. Is this a known issue and what is the work around?
No, this isn't a known issue. The "Add Connected Service" wizard is not generating a client ID and secret in your web.config?
As a workaround you could login to the Azure Management Portal and register the app manually, then put the client ID and secret into your web.config.
I just had the same issue and spend some hours on it. Finally it turns out that I had used a user account to log in in visual studio that was assigned to a different MS Azure account.
In my case I was using the user of production environment instead of my own developer account to log in.