projectkudu / AzureResourceExplorer

Azure Resource Explorer - a site to explore and manage your ARM resources in style
https://resources.azure.com
Apache License 2.0

RE: Access to resources.azure.com was denied 403 Error #357

Closed backbackforward closed 1 year ago

backbackforward commented 1 year ago

Hello Team, I have a customer issue where they are unable to access resources.azure.com. They receive a 403 error message when trying to access it. This seems to be similar to the issue below: https://github.com/projectkudu/AzureResourceExplorer/issues/350

Can you please advise or ping me on MSFT teams?

wirelessy commented 1 year ago

Can confirm, it seems to be related to guest users of a given tenant. Does not happen to native users of the tenant.

Should it be relevant, our guests have user roles, whereas our native users are typically global admins.

backbackforward commented 1 year ago

> Can confirm, it seems to be related to guest users of a given tenant. Does not happen to native users of the tenant.
>
> Should it be relevant, our guests have user roles, whereas our native users are typically global admins.

So are your guest users able to access resources.azure.com?

wirelessy commented 1 year ago

No. The 403 error happens as described for guests, and as mentioned in #350. Only native users are able to access the app. E.g. when I open Resource Explorer in my home tenant (the default selection), it loads. As soon as I switch to another tenant in which I am only a guest > 403.

SriniYalamati commented 1 year ago

Same here, I have a customer issue; they are also unable to access resource.azure.com because of a 403. They are trying to access it via a Guest user account. Azure Portal is working fine. Please help unblock this ASAP.

gunsto commented 1 year ago

Same problem here: native tenant is fine, related "guest" tenants receive 403

balag0 commented 1 year ago

Hi, Guest accounts are not a supported scenario currently.

wirelessy commented 1 year ago

That is sort of ridiculous, considering we are paying an awful lot for Azure, and also this has been working for the past three years.

gunsto commented 1 year ago

How can this not be a supported scenario? In larger corporations you have primary tenants for storing users in AAD and secondary tenants for deploying resources. Then all users on those secondary tenants are "guest". For me this sounds like an excuse, because the implementation might be tricky or time-consuming. @balag0 Please reconsider and re-open this issue!