Permissions on the azureiotsolutions.com site
What happens when you sign in
The first time you sign in at azureiotsuite.com, the site determines the permission levels you have based on the currently selected Azure Active Directory (AAD) tenant and Azure subscription.
First, to populate the list of tenants seen next to your username, the site finds out from Azure which AAD tenants you belong to. Currently, the site can only obtain user tokens for one tenant at a time. Therefore, when you switch tenants using the dropdown in the top right corner, the site logs you in to that tenant to obtain the tokens for that tenant.
Next, the site finds out from Azure which subscriptions you have associated with the selected tenant. You see the available subscriptions when you create a new solution accelerator.
Finally, the site retrieves all the resources in the subscriptions and resource groups tagged as solution accelerators and populates the tiles on the home page.
The following sections describe the roles that control access to the solution accelerators.
The AAD roles control the ability to provision solution accelerators and to manage users and some Azure services in a solution accelerator.
You can find more information about administrator roles in AAD in Assigning administrator roles in Azure AD. The current article focuses on the Global Administrator and the User directory roles as used by the solution accelerators.
There can be many global administrators per AAD tenant:
- When you create an AAD tenant, you are by default the global administrator of that tenant.
- The global administrator can provision basic and standard solution accelerators (a basic deployment uses a single Azure Virtual Machine).
There can be many domain users per AAD tenant:
- A domain user can provision a basic solution accelerator through the azureiotsolutions.com site.
- A domain user can create a basic solution accelerator using the CLI.
There can be many guest users per AAD tenant. Guest users have a limited set of rights in the AAD tenant. As a result, guest users cannot provision a solution accelerator in the AAD tenant.
For more information about users and roles in AAD, see the following resources:
Azure subscription administrator roles
The Azure admin roles control the ability to map an Azure subscription to an AAD tenant.
Find out more about the Azure admin roles in the article How to add or change Azure Co-Administrator, Service Administrator, and Account Administrator.
I'm a service administrator and I'd like to change the directory mapping between my subscription and a specific AAD tenant. How do I complete this task?
I want to change a Service Administrator or Co-Administrator when logged in with an organizational account
See the support article Changing Service Administrator and Co-Administrator when logged in with an organizational account.
Why am I seeing this error? "Your account does not have the proper permissions to create a solution. Please check with your account administrator or try with a different account."
Look at the following diagram for guidance:
If you continue to see the error after validating that you are a global administrator of the AAD tenant and a co-administrator of the subscription, have your account administrator remove the user and reassign the necessary permissions in this order: first, add the user as a global administrator, and then add the user as a co-administrator of the Azure subscription. If issues persist, contact Help & Support.
Why am I seeing this error when I have an Azure subscription? "An Azure subscription is required to create pre-configured solutions. You can create a free trial account in just a couple of minutes."
If you're certain you have an Azure subscription, validate the tenant mapping for your subscription and ensure the correct tenant is selected in the dropdown. If you’ve validated the desired tenant is correct, follow the preceding diagram and validate the mapping of your subscription and this AAD tenant.
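One way to validate the tenant mapping described above is to check, offline, the JSON that `az account list --output json` prints. This is an added example, not part of the original article; the sample GUIDs and subscription names are constructed, and the function names and status labels are this example's own.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `az account list --output json`
# (placeholder GUIDs; only the fields used here are shown).
SAMPLE_ACCOUNTS = json.loads("""
[
  {"id": "00000000-0000-0000-0000-000000000001", "name": "Contoso Dev",
   "tenantId": "AAAAAAAA-0000-0000-0000-000000000000"},
  {"id": "00000000-0000-0000-0000-000000000002", "name": "Contoso Prod",
   "tenantId": "aaaaaaaa-0000-0000-0000-000000000000"},
  {"id": "00000000-0000-0000-0000-000000000003", "name": "Fabrikam Lab",
   "tenantId": "bbbbbbbb-0000-0000-0000-000000000000"}
]
""")


def subscriptions_by_tenant(accounts):
    """Map each tenant ID (lower-cased GUID) to the subscription names mapped to it."""
    mapping = defaultdict(list)
    for sub in accounts:
        mapping[sub["tenantId"].lower()].append(sub["name"])
    return dict(mapping)


def check_tenant_mapping(accounts, selected_tenant):
    """Return (status, detail) for the tenant chosen in the site's dropdown.

    "ok"           -> detail lists the subscriptions mapped to that tenant
    "wrong_tenant" -> none mapped there; detail lists tenants that do have some
    "none"         -> the account sees no subscriptions at all
    """
    mapping = subscriptions_by_tenant(accounts)
    mapped = mapping.get(selected_tenant.lower(), [])  # GUIDs compare case-insensitively
    if mapped:
        return "ok", sorted(mapped)
    if mapping:
        return "wrong_tenant", sorted(mapping)
    return "none", []


if __name__ == "__main__":
    for tenant in ("aaaaaaaa-0000-0000-0000-000000000000",
                   "cccccccc-0000-0000-0000-000000000000"):
        print(tenant, check_tenant_mapping(SAMPLE_ACCOUNTS, tenant))
```

A "wrong_tenant" result means a different tenant should be selected in the dropdown, or the subscription's directory mapping needs to be changed.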
To continue learning about IoT solution accelerators, see how you can customize a solution accelerator.