Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.2k views
in Technique[技术] by (71.8m points)

azure - Why as a co-administrator of a subscription am I unable to edit the Active Directory?

A customer made me a co-administrator of his Azure subscription. However, I am unable to edit his Active Directory, ie add/edit users, create applications, etc.

Why can't I access that? I'm thinking perhaps the Subscription is owned by the AD and not the other way around.

What do each of the role levels in AD allow? There's

  • Global Admin
  • Billing Admin
  • Service Admin
  • User Admin
  • Password Admin
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

I believe the primary reason for this error is because when a co-admin with Microsoft account is added to a subscription, it gets added into the subscription AD as Guest user type. In order for you to get access to that AD so that you can perform the operations on the AD, you user type needs to be changed to Member from Guest. I had exact same issue with one of the users of our product and the steps described below solved the problem.

To change the user type, one would need to use AD PowerShell Cmdlets. The process is rather convoluted and needs to be done by your customer.

  1. First, check with your customer if they themselves are using Microsoft Account for signing in into the portal. If they are, then they would need to create a user in their Azure AD. Please see this thread for why this is needed: PowerShell - Connecting to Azure Active Directory using Microsoft Account.
  2. Next, they would need to sign in using this user account because one would need to change user password on the 1st login.
  3. Install AD Modules. You may find these links useful for that purpose: https://msdn.microsoft.com/en-us/library/azure/jj151815.aspx#bkmk_installmodule, http://www.microsoft.com/en-us/download/details.aspx?id=41950 (Please choose 64 bit version) and http://go.microsoft.com/fwlink/p/?linkid=236297.
  4. Launch PowerShell and execute the following commands:

.

$cred = Get-Credential  #In the window that shows up, please specify the local AD user credentials.

connect-msolservice -Credential $cred

(Get-MsolUser -SearchString "your microsoft account email address").UserType #This should output "Guest". If it doesn’t, please stop and do not proceed further as there might be some other issue.

(Get-MsolUser -SearchString "your microsoft account email address") | Set-MsolUser -UserType Member

(Get-MsolUser -SearchString "your microsoft account email address").UserType #This should now output "Member"

If somehow the problem still persists, ask your customer to login into the portal, delete your user record from AD users list and add it again. That should also take care of this problem.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...