If you have access to Azure, then you're certainly a member of an Azure Active Directory tenant. Either a user account was created for you in that tenant, or you were invited into it.
You've certainly wanted to update your Azure account profile's picture to better represent your personality or mood, and probably found out that it's not as easy as you might have thought it would be.
Today, we'll see how (and what it takes) to update your user's profile information.
Once logged in to your account, you click on your user account (in the top right corner of the Azure Portal) and try to click on your profile picture:
Unless you’re the account owner, you won’t be able to click on your profile picture.
But this doesn’t stop you. You click on the “View account” option under your user profile’s name and land on this page:
Even there, you can’t change that picture (nor other information such as your first or last name).
You remember that your user account is part of the Azure AD tenant, so you look for “Azure Active Directory” hoping to be able to update your account from there. However, you face this error:
There is a switch in Azure AD that prevents non-administrative Directory roles from accessing this service.
This switch is called “Administration portal” and can be found under “User settings” in the “Users” entry in the Azure AD service blade:
By default, the switch is set to “No”, but expect every security administrator to set it to “Yes”.
If the “Administration portal” switch is set to “No”, you’ll be able to edit your user’s profile information no matter what your role is.
If this isn’t the case, you’ll need to either have been granted one of the Azure AD administrator roles or ask one of the tenant administrators to perform the update for you.
In either case, you’ll be able to edit your user’s profile information by clicking on your user’s name in the “All users” list, then hitting the “Edit” button and making the required changes:
However, you won’t be able to edit another user’s profile unless you’ve been granted one of these two Azure AD roles: “User administrator” or “Global administrator”.
These two roles also have permission to assign Azure AD roles to other users.
We are not talking about Azure RBAC roles here but rather about Azure AD roles.
There are some key differences between these two types of roles, the most important being the scope:
- Azure RBAC roles are applied at “resource-based” scopes (subscription, resource group, resource)
- Azure AD roles are applied at the Directory level
Here’s how you can check your roles:
Click on your user’s name from the “All users” list in the Azure AD service blade. Then:
- For RBAC roles: click on “Azure role assignments”
- For Azure AD roles: click on “Assigned roles”
It might seem weird, but there’s no error here. Nothing is shown simply because our user has no “resource-based” role assigned. It only has a Directory role, as we saw earlier.
This approach, of course, assumes that you have access to the Azure AD service blade.
If you don’t have that access, that means that you don’t have an administrative Directory role. However, you can still check your “resource-based” roles by navigating to the “Subscriptions” blade, selecting your Azure subscription and then clicking on “My permissions”:
Your Azure profile information identifies you and is part of your identity. It’s not always as easy as you’d think to update it, but I believe that this article has shed some light on how to update it and why it’s not always possible for you to do it.
Stay safe out there!