Azure Verizon CDN profiles cannot be created with a PayAsYouGo account

I am trying to create
Azure Verizon Premium CDN profiles cannot be created with a PayAsYouGo account.
I was able to create it last time on 17-Oct-2022. My account is in excellent standing, with 27 PayAsYouGo subscriptions all working well for the previous 12 years.
I cannot create a new subscription. Do you have any thoughts?
Azure Verizon CDN profiles cannot be created with a PayAsYouGo account.

Azure support replied to me, and this was the solution:
After further research, the engineering team has determined that the best path to follow to try to solve the situation is for you to complete an internal takeover of the unmanaged directory, which seems to be the reason why the system is preventing the subscription from being created.
Basically, the next steps are:
1. Create a new user account.
2. Give it the Global Admin role.
3. Use the new Global Admin to perform an internal takeover as per the documentation: Admin takeover of an unmanaged directory - Azure AD - Microsoft Entra | Microsoft Learn
https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-admin-takeover
Please follow the steps above and let me know if further assistance is needed.

Related

Change CSP default directory to use an existing PAYASYOUGO subscription directory

I have a client who has an Azure payasyougo account, which has Office 365 services and Azure resources inside. These services use a common Azure directory.
The client has decided to use our services as a CSP service provider, and the solution requires the following:
The new destination CSP subscriptions must handle the same active directory of the original payasyougo subscription.
The Azure resources must be migrated from the source subscription to the target subscription, keeping all the permissions intact.
The source subscription has 4 custom domains with their respective users being synchronized through Azure AD Connect. All of them must be configured in the target subscription.
Is it possible to link the directory of the existing payasyougo subscription with the new target CSP subscription?
Note: The directory change option is available in the source payasyougo subscription, but it is not available under the CSP subscription, which is where it is needed.
Further details: Both PAYASYOUGO and CSP Azure subscriptions reside on different tenants.
I would 100% recommend reaching out to Microsoft for the specifics on this especially since you are a CSP and already have an established relationship with them!
Microsoft do provide some documentation on the questions you are asking though:
At the very least you would be able to migrate it or copy it across / grant permissions to the new subscriptions to manage the old AD that's providing access. However, moving the Azure AD I believe would happen as per the same answer to Question 2.
How to Migrate subscriptions from PAYG to Azure CSP:
https://learn.microsoft.com/en-us/azure/cloud-solution-provider/migration/migration-from-payg-to-csp
Further Reading:
https://learn.microsoft.com/en-us/partner-center/switch-azure-subscriptions-to-a-different-partner
This may be possible but would most likely cause an outage.
Detailed Blog on the process:
https://blogs.technet.microsoft.com/hybridcloudbp/2016/08/26/azure-subscription-migration-to-csp/
What resources are available in Azure CSP:
https://learn.microsoft.com/en-us/azure/cloud-solution-provider/overview/azure-csp-available-services
Again, 100% I would recommend getting an official answer from Microsoft.

Accessing Azure with both Microsoft Account and Work Account

This problem may stem from the dependency on MS accounts for MSDN instead of work accounts, but maybe someone has found a solution?
I use the same email address for both my MS and Work Accounts.
Our Company Subscriptions seem to be linked to our MS Accounts, as do our VSTS accounts. I can sign into Azure Portals using both MS and Work Account. I want to be able to deploy to our company subscription from VSTS.
When I sign into Azure using my work account, I can see our Azure AD. I am a global admin and can make changes, etc. This is not visible when I sign in using the MS account. It tells me I do not have access, which I can understand.
In VSTS, I have linked my MS Account to my work account. But I can't access some of the projects @ {whatever}.visualstudio.com VSTS sites with my work account; I must use my MS account.
The main problem is when I try to set up a build and deploy from VSTS into the Company Azure Subscription. To achieve this I need to set up a Service Endpoint to ARM in Azure. So I go ahead and try to do that.
It fails as it says that the account does not have the sufficient privileges needed in Azure Active Directory. Remember, AAD is only accessible when I log into my work account in the azure portal.
One last point, AAD would see my MS account as a guest account, so I thought 'hey, I will add that account to AAD as a guest and assign privileges necessary to perform the tasks I need'. But because the same email address was used for both my MS account and work account, it tells me when I try to add the guest account, that it already exists.
Is there any way around this problem? How can I associate/move all VSTS subscriptions to my work account?
When the VSTS identity you are using does not have access to the Azure subscription you're trying to deploy to, the best way to do this is to create your service endpoint manually.
The steps are here. See the Azure Resource Manager service endpoint -> Manual subscription definition section. It has a few more steps, but once you create that, just use that service endpoint in your build or release definitions and you're good to go.

Azure Portal account creation, use @xyz.onmicrosoft.com or @xyz.com?

I have a SharePoint Office 365 Developer account, and initially it was created using an @xyz.onmicrosoft.com account.
Now I have added @xyz.com. All the billing management happens using admin@xyz.onmicrosoft.com and application access happens using user@xyz.com.
Now I am planning to add an Azure Pay-As-You-Go subscription, but I am confused: should I create the Azure portal account using admin@xyz.onmicrosoft.com or user@xyz.com?
Is there any best practice or general recommendation available?
This is completely up to your organization; there are no major advantages of using one or the other.
Nevertheless, a "user@xyz.com" account will be friendlier than "user@xyz.onmicrosoft.com".

Azure using enterprise Active Directory

Before I am going to describe my questions, I would like to tell you that I am a web developer and not a security/Active Directory or Azure specialist, so please be gentle :-)
I work for a large international financial services company. We have a global IT department that provides member firms with services that we use (Active Directory 2012).
In my member firm, we are currently considering migrating custom build websites to Azure. All the custom build websites are implemented with Kerberos and Single Sign-On using Active Directory. Some of these websites read & write information in Active Directory.
The challenge that we are facing is how we can migrate these websites to Azure whilst using the enterprise's Active Directory. I searched for detailed information about solutions available but haven't found anything that answered my questions. My questions:
What solutions are there for connecting Azure with an enterprise's Active Directory?
What are the advantages and disadvantages for these solutions?
What are the requirements for these solutions?
Perhaps there is a book/blog/whitepaper that answers my questions?
AFAIK you cannot directly use the corp AD from Azure. You must use Azure Active Directory. However, there are solutions to keep the corp AD and the Azure AD in sync. For example, read Connecting AD and Azure AD: Only 4 clicks with Azure AD Connect, which shows how to use Azure AD Connect to link the Azure AD with your corp AD. It will basically mirror one corporate AD forest with an Azure AD account, and keep it up to date by periodic re-sync. The net effect is that you develop your cloud apps to authenticate and authorize based on the Azure AD, but the Azure AD will mirror the corp AD. There will be a delay in propagating changes to Azure AD, e.g. an employee added to the "domain\sales" group will not be allowed to access the "Sales" app for some hours until the Azure AD sync catches up with the corp AD change.

Enable Azure Active Directory Access Control with Office 365 Azure Active Directory tenant

I currently have an Office 365 tenant with around 1,400 users all licensed. We have enabled the Azure AD tenant with the same account and are now using Azure AD Dirsync to have same sign-on to Office 365.
We are now having an external Sharepoint site developed and have been offered either ADFS or Azure AD ACS as an authentication method. As we've already got an Azure AD subscription (through Office 365) I thought this would be the easiest method. However, when in my tenant on https://manage.windowsazure.com, I have access to Active Directory, can add a new directory but cannot add a new Access Control service. It's greyed out and says "not available" underneath.
I've tried talking to Office 365 support, who referred me to Azure support, who then said we don't have support so can't help. I've spoken to Azure sales and they've referred me to Azure support, who then guess what, said we don't have support.
Has anyone else managed to implement an Azure Access Control service from an Office 365 tenancy using the free Azure Active Directory subscription? I get the feeling I just need to buy a cheap Azure subscription and the option would become available, but without knowing for sure I'm a bit hesitant about taking the plunge.
Thanks.
I can imagine that you cannot use the free Azure subscription for this purpose because using the Access Control Service brings costs. The free subscription is not tied to any credit card. When you have e.g. a pay-as-you-go subscription you should be able to create an ACS namespace. I just tried in one of my pay-as-you-go subscriptions.
You are (still) able to create a namespace but I suggest you to also take a look into the identity possibilities Azure AD itself has. Azure AD has currently only support for SAML 2.0 (and a lot of other protocols but they are not directly relevant for SharePoint). I know SharePoint (on-premises) only talks SAML 1.1 so that's where ACS comes in. You can read more about this topic here. Azure AD itself is going to support SAML 1.1. The only question is when. (see one of the comments from the source mentioned below this answer)
I also would make one remark about Azure AD ACS because this is going to be replaced by Azure AD. The only question left is when.
ACS Capabilities in Azure AD
As we've mentioned previously, we are adding ACS-like capabilities into Azure AD. In the coming months, as part of a feature preview Azure AD administrators will be able to add federation with social identity providers, and later custom identity providers to Azure AD. This will allow app developers to use Azure AD to simplify the identity implementation in their apps, similar to how developers use ACS today. We look forward to getting your feedback on the preview to improve these experiences.
Migrating ACS Customers to Azure AD
Once these new ACS capabilities of Azure AD are out of preview and generally available, we will start migrating ACS namespaces to use the new Azure AD capabilities.
Source: The future of Azure ACS is Azure Active Directory
Quick solution:
Create an Azure paid account. Add the administrator user of the paid account in the Office 365 directory, and set it as global administrator of this latter directory (you can add users from other directories).
Then switch back to the paid account. The new global administrator will be able to manage the Office 365 directory and add a namespace.
