| title | description | author | manager | ms.service | services | ms.topic | ms.date | ms.author |
|---|---|---|---|---|---|---|---|---|
Azure IoT solution accelerators and Azure Active Directory | Microsoft Docs |
Describes how Azure IoT solution accelerators uses Azure Active Directory to manage permissions. |
dominicbetts |
timlt |
iot-accelerators |
iot-accelerators |
conceptual |
11/10/2017 |
dobett |
The first time you sign in at azureiotsuite.com, the site determines the permission levels you have based on the currently selected Azure Active Directory (AAD) tenant and Azure subscription.
-
First, to populate the list of tenants seen next to your username, the site finds out from Azure which AAD tenants you belong to. Currently, the site can only obtain user tokens for one tenant at a time. Therefore, when you switch tenants using the dropdown in the top right corner, the site logs you in to that tenant to obtain the tokens for that tenant.
-
Next, the site finds out from Azure which subscriptions you have associated with the selected tenant. You see the available subscriptions when you create a new solution accelerator.
-
Finally, the site retrieves all the resources in the subscriptions and resource groups tagged as solution accelerators and populates the tiles on the home page.
The following sections describe the roles that control access to the solution accelerators.
The AAD roles control the ability to provision solution accelerators, to manage users and some Azure services in a solution accelerator.
You can find more information about administrator roles in AAD in Assigning administrator roles in Azure AD. The current article focuses on the Global Administrator and the User directory roles as used by the solution accelerators.
There can be many global administrators per AAD tenant:
- When you create an AAD tenant, you are by default the global administrator of that tenant.
- The global administrator can provision a basic and standard solution accelerators (a basic deployment uses a single Azure Virtual Machine).
There can be many domain users per AAD tenant:
- A domain user can provision a basic solution accelerator through the azureiotsolutions.com site.
- A domain user can create a basic solution accelerator using the CLI.
There can be many guest users per AAD tenant. Guest users have a limited set of rights in the AAD tenant. As a result, guest users cannot provision a solution accelerator in the AAD tenant.
For more information about users and roles in AAD, see the following resources:
The Azure admin roles control the ability to map an Azure subscription to an AAD tenant.
Find out more about the Azure admin roles in the article Add or change Azure subscription administrators.
I'm a service administrator and I'd like to change the directory mapping between my subscription and a specific AAD tenant. How do I complete this task?
See To add an existing subscription to your Azure AD directory
I want to change a Service Administrator or Co-Administrator when logged in with an organizational account
See the support article Changing Service Administrator and Co-Administrator when logged in with an organizational account.
Why am I seeing this error? "Your account does not have the proper permissions to create a solution. Please check with your account administrator or try with a different account."
Look at the following diagram for guidance:
Note
If you continue to see the error after validating you are a global administrator of the AAD tenant and a co-administrator of the subscription, have your account administrator remove the user and reassign necessary permissions in this order. First, add the user as a global administrator and then add user as a co-administrator of the Azure subscription. If issues persist, contact Help & Support.
Why am I seeing this error when I have an Azure subscription? "An Azure subscription is required to create pre-configured solutions. You can create a free trial account in just a couple of minutes."
If you're certain you have an Azure subscription, validate the tenant mapping for your subscription and ensure the correct tenant is selected in the dropdown. If you’ve validated the desired tenant is correct, follow the preceding diagram and validate the mapping of your subscription and this AAD tenant.
To continue learning about IoT solution accelerators, see how you can customize a solution accelerator.