Recent Discussions
Gatewayauthenticationfailed/objectid does not have authorization to perform on scope.
Hello, this is about activating the eligible role using the ARM API. Created a custom role (only with admin login action) no read action- coz we do not want user to see the machines in the portal. We have a ps script that is used inside the virtual machine to activate the eligible role using ARM API the role is assigned on subscription level and activated on resource level, using inheritance. It was working great, but from couple of weeks, we get this errors. "code":"GatewayAuthenticationFailed","message":"Gateway authentication failed for 'Microsoft.Authorization' AuthorizationFailed Message: The client '******@xxx.com' with object id 'xxxxa' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/xxxa/resourcegroups/ResGrp0213' or the scope is invalid. If access was recently granted, please refresh your credentials rest api used- PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/{roleAssignmentScheduleRequestName}?api-version=2020-10-01 it's a random issues on the random users.. #Azure #AVD #AzureVirtualMachines.
Unable to integrate Amazon Managed Grafana on Azure
Hello everyone, I am struggling here with Amazon Managed Grafana on Azure (the one available on Gallery). Have checked MS and AWS documentation and isn't clear regarding assertion mappings. Currently we are able to reach this error, when logging in with a user that do part of a group that was included on that AMG app in Azure (have test with another user account not there and gets blocked): From Entra ID sign in logs, is all good. So I think that could be related with AWS side, mostly assertion attributes that I have tried with what I have on Attributes & Claims on Azure app, but no luck :(. What I have on Azure app: What I have on AMG:
What service principal is used to authenticate Logic Apps to Azure resources?
This question is a bit more academic than practical, but I'm just trying to enhance my knowledge of how Azure authentication works under the hood. The default way to authenticate managed Logic Apps connections is through an OAuth popup asking you to grant permissions. Based on my reading of the Azure docs, this means that you're granting access to the delegated permissions of a service principal. For connectors that access the Graph API, such a service principal in your tenant with the correct delegated permissions: However, I'm struggling to find an equivalent service principal for connectors that use the Azure Resource Management API to interact with services like Log Analytics, sentinel, Logic Apps, etc. I do see a service principal called Azure Logic Apps, but it doesn't have any permissions associated with it. My understanding is that it would need to have the delegated permission user_impersonation to access Azure resources: So my questions here are What Service Principal is used for the OAuth connection to the Azure Resource Management API? If the Azure Logic Apps service principal is used, how is it able to connect to the ARM API without any permissions? Is there some Azure magic happening under the hood here?
Getting empty response while running a kql query using rest api
Hello All, Trying to run a KQL query using power via rest API by passing azure Entra app id and secret key. But we are getting empty response. Log analytics reader role is assigned on LA workspace and able to retrieve access token. When we try to run KQL query manually, we are seeing result. Below is sample snippet that i used, Not sure what is wrong with it? Any help would be highly appreciated. $tenantId = <Tenant id> $clientId = <azure entra application app id> $clientSecret = < app secret key> # Log Analytics Workspace details $workspaceId = <workspace ID> # Acquire a token $body = @{ client_id = $clientId scope = "https://api.loganalytics.io/.default" client_secret = $clientSecret grant_type = "client_credentials" } $query = "AppRequests | limit 10" $uri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" $response = Invoke-RestMethod -Uri $uri -Method Post -ContentType "application/x-www-form-urlencoded" -Body $body $accessToken = $response.access_token # Define the Log Analytics REST API endpoint $baseUri = "https://api.loganalytics.io/v1/workspaces/$workspaceId/query" # Set headers for the query $headers = @{ Authorization = "Bearer $accessToken" "Content-Type" = "application/json" } # Prepare the request body $requestbody = @{ query = $query } | ConvertTo-Json # Send the request $response = Invoke-RestMethod -Uri $baseUri -Method Post -Headers $headers -Body $requestbody -Debug # Display the results $response
FSLogix Lock issue - user cannot login - user cannot be manually disconnected from session
Issue just started happening. On latest version of FSLogix (hotfix 4), upgraded from hotfix 1. Issue presented in hotfix 1, MS support suggested to update to latest. We have a 15 minute policy pushed via intune that logs off disconnected sessions after 15 minutes. It has been working fine for over a year. This week, one user is affected. When they are disconnected, the AVD session host (Win10) does not log them off, and FSLogix seems to hold onto their session. The FSLogix logs indicate " Failed to acquired check session lock for user username" repeatedly. We don't allow local profiles to be created. We have the required registry keys added. User is 1 version back on the AVD client - also tried on latest client. Opened ticket with MS support. Only workaround is to reboot session host, but others are logged in and not a valid workaround. First time user logs in after a reboot, it works fine. Subsequent logins cause an issue, user receives "Singing out" as shown in screenshot and nothing happens. When I try to manually log off the user either from the azure portal or the session host, nothing happens. Anyone else experience this or have suggestions?[On demand] Azure Virtual Desktop hostpool management at scale
Need to dynamically scale Azure Virtual Desktop session hosts to meet your usage needs? Watch Azure Virtual Desktop hostpool management at scale – now on demand – and join the conversation at https://aka.ms/AVDHostpoolManagement. To help you learn more, here are the links referenced in the session: Watch Azure Virtual Desktop: Everything You Need to Know to explore the full capabilities of Azure Virtual Desktop! For more free technical skilling on the latest in Windows, Windows in the cloud, and Microsoft Intune, view the full Microsoft Technical Takeoff session list.[On demand] Azure Virtual Desktop app management
Flexibility, scalability, and seamless integration within Windows environments in the cloud. See how App Attach with Azure Virtual Desktop supports MSIX, App-V, and other solutions. Watch Azure Virtual Desktop app management – now on demand – and join the conversation at https://aka.ms/AVDAppManagement. To help you learn more, here are the links referenced in the session: Framework packages can be added to a custom image via scripts to prepare for any MSIX package. The script to install MSIX frameworks can be found here. For more free technical skilling on the latest in Windows, Windows in the cloud, and Microsoft Intune, view the full Microsoft Technical Takeoff session list.Azure Load Balancer and security headers
Hi, If I need to set Access-Control-Allow-Origin (something else than *) in the server. Does anybody have experiences if that is header is traveling through the Azure Load Balancer? Some documentations are saying that LB needs to be able to support these headers. I'm asking this in this way, as this is kind of preparing for the future, while not be able to test that yet. Neither I was not able to find any Azure documentation for this.Private Link/Endpoint and Run Command not working
Hi, I have setup a private endpoint and it seems to be working. Both existing and new servers are added and reporting as expected over the private endpoint. But I have issues with the RunCommand function, using PowerShell or AZ CLI. When I run a script on an server that existing before I added the private end point, the run command works as expected. But on newly added servers or servers where I reinstall the Arc Agent (testing), the run command just tries and tries and ends up with a timeout. Nothing happens on the server. Command plug isn't installed etc. In PowerShell, I use Get-AzConnectedMachine to build an object with all machine details returned. This is then parsed to New-AzConnectedMachineRunCommand, to ensure it (hopefully) knows about the private link scope etc. Conditional forwarders for his.arc.azure.com, guestconfiguration.azure.com and kubernetesconfiguration.azure.com has been set up. All FQDNs in "DNS configuration" found in the Private Endpoint Connections for the link also resolves to the expected internal IP. Any suggestions to what I'm missing or should look at? Servers (lab) currently have full internet access, so no blockers there. Thanks, -HeineEntra ID Service not running?
hello everyone, we get a notification on our email that the Entra ID Sync service is not running, while it is set to automatic. then 30 minutes later, at the next scheduled sync, it resolves itself. our event viewer shows 1 export error with event ID 6100, that was an user were the inheritance wasn't set up properly, we fixed that, but that did not fix the error in the title. we googled, but really only found "turn on your service and set it to automatic" which is not that helpful. i checked using AI, but that did not go anywhere either. "your internet might have been down" yeah thank you, if that was the case, we would have noticed a wider spread outage.. we thought it might be a throttling issue, but it happens at seemingly random times, so not only during daily start up. so we are kind of at a loss to how to properly fix this, any suggestions?
Azure Virtual Desktop Portal Bug
Since two days we discovered that in the AVD Portal under the Session hosts register the "VM Resource group" shows the resource group of the hostpool objects and not the actual virtual machines resourcegroup. In addition the "VM Location" is also the location of the hostpool objects and not the location of the virtual machines anymore.Azure write back number of security sign in questions.
Hi I enabled SSPR 24 hours ago and checked the box security questions an hour ago. In my test accounts, I don't get prompt for any security questions. I only get prompted for i forgot password and verification steps. Do the security questions policy take a couple hours to apply?Function app script stopped working
I have a simple function app that uses this script to shut down inactive AVD VMs that had worked for about two years simply stopped working. Instead, it produce this error: ERROR: Error stopping the VM: GenericArguments[0], 'Microsoft.Azure.Management.Compute.Models.VirtualMachine', on 'System.Nullable`1[T] MaxInteger[T](System.Collections.Generic.IEnumerable`1[System.Nullable`1[T]])' violates the constraint of type 'T'. After much troubleshooting and searching for something relevant, I discovered that the function app's host.json file was set to: { "version":"2.0", "managedDependency": { "Enabled": true }, "extensionBundle": { "id": "Microsoft.Azure.Functions.ExtensionBundle", "version": "[2.*, 3.0.0]" } } Since v.2 and v.3 are [no longer supported](http://learn.microsoft.com/en-us/azure/azure-functions/functions-versions?tabs=isolated-process%2Cv4&pivots=programming-language-powershell), I changed it to { "version":"2.0", "managedDependency": { "Enabled": true }, "extensionBundle": { "id": "Microsoft.Azure.Functions.ExtensionBundle", "version": "[4.0.0, 5.0.0]" } } ``` I also noticed that the `requirements.psd1` file was set to # This file enables modules to be automatically managed by the Functions service. # See https://aka.ms/functionsmanageddependency for additional information. # @{ # For latest supported version, go to 'https://www.powershellgallery.com/packages/Az'. # To use the Az module in your function app, please uncomment the line below. 'Az' = '8.*' } So I changed it to # This file enables modules to be automatically managed by the Functions service. # See https://aka.ms/functionsmanageddependency for additional information. # @{ # For latest supported version, go to 'https://www.powershellgallery.com/packages/Az'. # To use the Az module in your function app, please uncomment the line below. 'Az' = '13.*' } None of this helped. The same error was generated. I then realized I might need to restart the app, which I did. After this, I see this warning and error: 2025-03-03T21:42:45Z [Warning] The first managed dependency download is in progress, function execution will continue when it's done. Depending on the content of requirements.psd1, this can take a few minutes. Subsequent function executions will not block and updates will be performed in the background. 2025-03-03T21:42:45Z [Error] Executed 'Functions.TwelveMinuteTimerTrigger' (Failed, Id=58b46678-c1d2-4ca8-8083-fab1e657c608, Duration=95ms) After waiting a while for the download to finish, I get this error: [Error] ERROR: Error getting a list of user sessions: The term 'Get-AzWvdUserSession' is not recognized as a name of a cmdlet, function, script file, or executable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. The line "Get-AzWvdUserSession is not recognized" seems to indicate that the download of the Az modules has failed. Does anyone know what would cause the download to fail and how to fix it?
Understanding Cloud Cost Fluctuations with Power BI
Staying on top of your cloud costs requires regular reviews. There are many ways to slice and dice your cloud costs; one approach I find helpful is comparing daily and monthly cost deltas. Below is a visual from my Power BI report showing how my previous month’s costs compare to the month prior. The visual is filtered to only show delta increases/decreases over $1K. I can quickly see we spent $5K more on Azure SQL Database in the selected month compared to the previous month. I call this my 'large cost swings' graph. I understand that everything is not linear, nor do things translate nicely from one day or month to the next. However, the data has a story to tell. What I ask my team to focus on is the story the data is telling. In this case, we made some modifications to ADF and SQL, leading to a $4K net reduction in costs. Some stories explain the outcome of one or more actions. Then there are those stories which can help shape your future consumption and spending.
Data Migration from azure devops serveer to new one
I have a problem in data migration from Azure DevOps server to the new one in my case, i have a split database on a different machine. So, I have two environments: each one contains a devops server and database in splitter machines i want to migrate the whole data from different tools to a new one and the problem is as the organization roles i do not have all administration privileges on databases and devops machines So, I want a determined way to get the whole data from the old one to the new one (especially privileges that are required to ask the admin to give me ) with clear steps
Recent Blogs
- At the Migrate to Innovate Summit, you’ll learn how Azure provides an optimized platform to fully embrace AI while addressing your most pressing business priorities by maximizing ROI, performance, a...Mar 07, 2025
- Data Vault has been designed to integrate data from multiple data sources, creatively destruct the data into its fundamental components, and store and organize it so that any target structure can be ...Mar 07, 2025
