Graemesmith-2066 asked ·

Free Account Virtual Machine Login new User

Hi,

Very new to Azure and maybe doing something really stupid, but help would be appreciated; not an expert in networks either.

I created a new resource group (Dev1), then set up one new virtual machine and assigned it to that resource group. I then added a new user into the active directory with the setting that I don't want admin rights for this user. New user ID is devtest@**.onmicrosoft.*m. I then created a role profile against the virtual machine of (virtual machine login) using the devtest user.

I then log into the Azure portal as the devtest user (Azure Active Directory) and try to connect to the virtual machine via RDP. I get the following message:

(You do not have permission to view network interface with ID: /subscriptions/27c1e932-e2ea-4b26-b46d-8aeebd8b5408/resourceGroups/vmdev1/providers/Microsoft.Network/networkInterfaces/dev1979)

I have checked the network rules and RDP is enabled both inbound and outbound. There is also a 65500 DenyAllInbound/Outbound set to deny that I can't delete.

I can log in to the virtual machine using the username of the owner of the free account (source = Microsoft account holder).

Any help appreciated. Am I trying to log in via the wrong method, or is it because I am using the same PC for 2 users, or because the user doesn't have its own Microsoft account?

Cheers

azure-virtual-machines

@Graemesmith-2066

Please 'Accept as answer' if the provided information is helpful, so that it can help others in the community looking for help on similar topics.

PritamGhatak-5879 answered ·

Hi Graemesmith-2066,

From the error message it looks like your user ID does not have permission on the network resources. So could you please let me know exactly what role you have assigned for the new user? Also let me know whether you have assigned the role at subscription level or RG level. If you are not sure, then just go to your Resource Group --> click on "IAM" and check the level of access of your user account.

Thanks & Regards,
Pritam


Graemesmith-2066 answered ·

Hi

OK, I went back to the resource group and added a role assignment for the user set at "Virtual Machine User Login" in this, and also added it to the network resources. Didn't know you had to do that as well.

I get this error when testing the connection:

Failed to start deployment
There was an error provisioning the resource group 'NetworkWatcherRG'.
Additional details from the underlying API that might be helpful: The client 'devtest@xxxxxxx.onmicrosoft.com' with object id '622df4c7-f11d-4afc-a599-0556580d174f' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourceGroups/read' over scope '/subscriptions/27c1e932-e2ea-4b26-b46d-8aeebd8b5408/resourceGroups/NetworkWatcherRG' or the scope is invalid. If access was recently granted, please refresh your credentials.

On that resource under IAM I have the user set up as Virtual Machine Login and under the vmdev1 resource


PritamGhatak-5879 answered ·

Hi Graemesmith-2066,

Thanks for your information. Let me clarify a few points below:


  1. If your main target is that the user just wants to log in to the newly created VM using RDP, then you don't even need to provide portal-level access or RG-level access to that user account. You have to provide access to that VM so that the user can log in to that VM. VM-level access means it should be within the OS. Also you need to keep in mind that if your newly created VM is not a domain-joined VM and the user ID you have created is an AD user, then from that server you will not be able to find that user account to provide access.

  2. If your requirement is that your user will manage the VM but will not log in to the VM, then you need to provide the "VM Contributor" role at least for that user account. You can provide that access either from subscription level or from RG level.

Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

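One way to do the IAM check from the first answer and the VM-scoped "Virtual Machine User Login" assignment the second answer describes, as an added Az PowerShell example that is not part of this thread; the resource group name is taken from the NIC ID in the question, while the VM name and the sign-in name are placeholders.

```powershell
# Added example (not from the thread): audit a user's RBAC assignments and grant
# VM login at the narrowest scope. Assumed/placeholder values below.
$signInName    = 'devtest@<tenant>.onmicrosoft.com'   # placeholder UPN, replace
$resourceGroup = 'vmdev1'                             # RG seen in the NIC ID
$vmName        = '<vm-name>'                          # placeholder, replace

Connect-AzAccount | Out-Null

# 1. What does the user currently hold, and at which scope? Group-inherited
#    assignments are expanded so nothing is missed.
Get-AzRoleAssignment -SignInName $signInName -ExpandPrincipalGroups |
    Select-Object RoleDefinitionName, Scope |
    Sort-Object Scope |
    Format-Table -AutoSize

# 2. Least privilege for an "RDP only" user: assign Virtual Machine User Login
#    on the VM resource itself rather than Contributor at subscription or RG level.
$vm = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName
New-AzRoleAssignment -SignInName $signInName `
    -RoleDefinitionName 'Virtual Machine User Login' `
    -Scope $vm.Id

# 3. Show exactly what that built-in role grants (management Actions vs. the
#    login DataAction), so the reader can see why it does not imply RG-level read.
$role = Get-AzRoleDefinition -Name 'Virtual Machine User Login'
$role.Actions
$role.DataActions
```

Re-run step 1 after the assignment; the new row should carry the VM's resource ID as its Scope and nothing broader.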