Managed Identity in B2B scenario across different subscription? - azure

Can managed identity be configured for accessing Azure resources across different Azure subscriptions?
Could you point me out in right direction, isn't Azure federation supposed to take care of this?
Seems not feasible based on my R & D as well.
Do I seem to be overestimating this Azure AD feature?
Accounts in any organizational directory?

Based on your and my comment:
Comment Question: Are those subscriptions in the same Azure AD tenant?
Comment Answer: No. Think of altogether different business orgs. Different subscriptions.
My Answer to your question is:
Managed identities exist in the Azure AD tenant as service principals. A managed identity can therefore only be assigned access to subscriptions connected to that Azure AD tenant.
So in short, if the subscriptions are connected to different Azure AD tenants, it won't be possible to achieve what you are asking about, as far as I know.
EDIT
In addition to your comment
Comment: Can managed identity be used if all tenants were in same subscription?
My answer is: Each subscription can only belong to one tenant. Please check the Microsoft doc: https://learn.microsoft.com/en-us/microsoft-365/enterprise/subscriptions-licenses-accounts-and-tenants-for-microsoft-cloud-offerings?view=o365-worldwide
Note: if this is feasible one way or another and there are answers that show the opposite of my experience and knowledge, I will be glad to know that as well.
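As an added example (not part of the answer above), the following Python script applies the rule the answer states: a managed identity is a service principal homed in exactly one tenant, and a subscription trusts exactly one tenant, so an RBAC assignment for the identity is only possible on subscriptions whose tenantId equals the identity's tenantId. The two JSON documents are constructed to mimic the shape of `az identity show` and `az account list` output; the GUIDs and subscription ids are placeholders, not real tenants.

```python
"""Added example: which subscriptions can a managed identity be granted a role on?

Rule: a managed identity lives in one Azure AD tenant; each subscription trusts one
tenant; a role assignment is only possible when the two tenant IDs match.

IDENTITY_JSON and SUBSCRIPTIONS_JSON are constructed stand-ins for the JSON printed by
`az identity show` and `az account list`; all GUIDs and ids below are placeholders.
"""
import json
from typing import Dict, List, Tuple

# Constructed stand-in for `az identity show -g <rg> -n my-mi -o json` (placeholder values).
IDENTITY_JSON = json.dumps({
    "name": "my-mi",
    "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
    "clientId": "aaaaaaaa-0000-0000-0000-000000000001",
    "principalId": "bbbbbbbb-0000-0000-0000-000000000001",
    "tenantId": "11111111-1111-1111-1111-111111111111",
})

# Constructed stand-in for `az account list --all -o json` (placeholder values).
SUBSCRIPTIONS_JSON = json.dumps([
    {"id": "sub-0001", "name": "Org A - prod",
     "tenantId": "11111111-1111-1111-1111-111111111111", "state": "Enabled"},
    {"id": "sub-0002", "name": "Org A - dev",
     "tenantId": "11111111-1111-1111-1111-111111111111", "state": "Enabled"},
    {"id": "sub-0003", "name": "Org B - partner",
     "tenantId": "22222222-2222-2222-2222-222222222222", "state": "Enabled"},
])


def _tenant(obj: dict) -> str:
    # Tenant IDs are GUIDs: compare case-insensitively and ignore stray whitespace.
    return obj["tenantId"].strip().lower()


def can_assign_role(identity: dict, subscription: dict) -> Tuple[bool, str]:
    """Return (allowed, reason) for granting `identity` a role scoped to `subscription`."""
    id_tenant, sub_tenant = _tenant(identity), _tenant(subscription)
    if id_tenant == sub_tenant:
        return True, (f"{subscription['id']}: same tenant {id_tenant}; "
                      f"a role assignment for the managed identity is possible")
    return False, (f"{subscription['id']}: subscription trusts tenant {sub_tenant} but the "
                   f"identity lives in {id_tenant}; a managed identity cannot be assigned here, "
                   f"you need a principal that exists in {sub_tenant}")


def assignable_subscriptions(identity_json: str, subscriptions_json: str) -> List[str]:
    """IDs of the subscriptions the managed identity could be given a role on."""
    identity = json.loads(identity_json)
    return [s["id"] for s in json.loads(subscriptions_json) if can_assign_role(identity, s)[0]]


def report(identity_json: str, subscriptions_json: str) -> Dict[str, str]:
    """Per-subscription verdict text, keyed by subscription id."""
    identity = json.loads(identity_json)
    return {s["id"]: can_assign_role(identity, s)[1] for s in json.loads(subscriptions_json)}


if __name__ == "__main__":
    for verdict in report(IDENTITY_JSON, SUBSCRIPTIONS_JSON).values():
        print(verdict)
```

Against a real environment the same comparison is `az identity show -g <rg> -n <name> --query tenantId -o tsv` versus `az account show --subscription <id> --query tenantId -o tsv`; if the two values differ, no role assignment for that identity can be created on that subscription.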

Related

SCIM 2.0 and external AD groups

We implemented SCIM for an enterprise app and it is working fine. We were told that we could add external AD groups to allow our partners users to be able to access the app as well. For example, Company A (us) uses Azure AD and wants to add a specific AD group from Company B (different network/domain) to be provisioned in the app. I was told this was possible, but I can't find documentation on setup of external groups.
I may have the terminology wrong which is probably not helping.
Any directions to documentation or examples would be appreciated.
Thanks.
Groups can only be provisioned/assigned to an application if they are managed in the same Azure AD tenant as the application that is configured to do provisioning. You can create a group in your Azure AD tenant and populate it with external/guest users as members - in that case, the group will be managed by your organization's tenant, but the members will be guests homed in another tenant.

Azure tenants, AD and subscriptions

I am a little bit confused about Azure tenants, AD and subscriptions.
Imagine a customer starting from scratch.
Can I say that the first step is creating (subscribing) a tenant?
After creating a tenant, is there a default AD? Can they create other ADs inside the same tenant?
Can they create more subscriptions for a single tenant?
Given they can, can a subscription be associated to one or more ADs?
Is there any page or document describing the concepts and the design of Azure components (tenants, AD and subscriptions)?
Regards
marius
When you sign up to Azure using a Microsoft account, you get Azure with a Default Directory. A tenant is associated with a single identity (person, company, or organization) and can own one or several subscriptions. A single tenant can have multiple Active Directories, but a single directory can only have one tenant.
There is a similar SO question which can help you in understanding more.

Linked existing b2c tenant to my azure subscription but not able to create resource?

Getting the error "You are currently signed into the 'Azure AD B2C tenant' directory which does not have any subscriptions." when I try to create a resource in Azure AD B2C.
Please help I am new to Azure
Switch back to the directory where you have your subscription and create the resources there.
Don't take my answer as definitive, since I'm still a newbie, but at this point my understanding is this: B2C needs a new tenant because of the way it is designed (it isn't just an add-on for AD) and you link it to your subscription for billing purposes. But that's it. You don't need to create the resources for your app there, although I guess you could do it if you get a new subscription or transfer another one.
I already created a mobile app in my default tenant and successfully used the linked B2C tenant for authentication and I guess you've done that already. But since this was one of the few results that I got when I googled the message you quoted, I think it's worth sharing.
Have you done this?
The Azure subscription has a trust relationship with Azure Active Directory (Azure AD), which means that the subscription trusts Azure AD to authenticate users, services, and devices. Multiple subscriptions can trust the same Azure AD directory, but each subscription can only trust a single directory.
The following link might help (check "To associate an existing subscription to your Azure AD directory"):
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
Azure AD B2C needs a Microsoft Azure Subscription for billing purposes. You're going to need 3 things to make that message go away:
Azure AD Tenant
MS Azure Subscription
Associate your Azure AD B2C tenant to the MS Azure Subscription
It's a bit strange, as Azure AD B2C tenants feel very similar to Azure AD (and run on a lot of the same infrastructure behind the scenes)... but from a billing standpoint, they are almost treated like MS Azure resources (e.g. VM, App Service, etc.).

How to move resources from subscriptions in different directories in Azure

In my Azure account I have 2 directories, let's call them directory A and B.
With some recent changes I need to switch an app service from a subscription in directory A to a subscription that is on directory B.
Is this possible to achieve, and if it is how?
EDIT 1
As directory I mean the directory that you can see in the image below:
EDIT 2
Since it seems that I have misled people, I will try to explain what I want to achieve with images.
I want to move the App Service from the App Service Plan in the directory A as you can see in here:
to the App Service Plan in the directory B that you can see in here:
It looks like you want to move resources between subscriptions. It is possible to do this, but there are a few restrictions and rules around what you can do.
You can definitely move an App Service between subscriptions. However, in your case, as the subscriptions in question exist in different AD tenants, you will need to change the tenant of one of the subscriptions. You can only do this if you are a Service Administrator and signed in using a Microsoft (i.e. non-organizational) account.
Check this reference document from Microsoft, it explains in detail how the transfer process works.
I think we might need some additional information, since it seems that the terms we're using are sometimes equivocal. Microsoft Azure subscriptions are not associated with Azure Active Directories, but with a Service Account. You can add as many Azure ADs as you want to an Azure subscription, but the Azure subscription itself will be managed by the service account (which is not necessarily a member of a certain Azure AD).
Further, only the service administrator can manage Azure resources, like VMs, App Services and so on. Azure AD admins can only manage identity aspects that define identity life cycles within that specific Azure AD. The service admin could add a user from the default Azure AD as a co-admin, and that user would then also be able to manage Azure resources, like App Services and so on.
So the Azure App Service is tied to an Azure subscription that is managed by a service account, not by the Azure AD. Please check the official documentation on this topic. Also, please clarify exactly what you would like to do.

Migrate Azure AD to a new subscription

We have an Azure AD which is managed by a third party. Our domain name is validated against it. We are now bringing this in-house and want to know the easiest way to move it. It doesn't have many objects, so I'm happy to recreate them, but to do so I need to validate our domain against this Azure AD instance. If I do this, I am concerned it will break the existing one, which would be a problem as we have users using it. Can you have a single domain validated against two directories (no on-prem integration)? Also, is there an easier option? I don't mind users having to reset their password.
No, you cannot have one domain name verified in two Azure AD tenants.
The title of this question indicates a common misunderstanding is at play here: Azure AD tenants are not resources within an Azure subscription. If anything, it's the other way around: an Azure subscription is associated to an Azure AD tenant. Read more on the relationship between an Azure subscription and an Azure AD tenant at "How Azure subscriptions are associated with Azure Active Directory", and on how to transfer Azure subscriptions across Azure AD tenants at "Transferring ownership of an Azure subscription."
If there already exists an Azure AD tenant with your domain name, you should simply take control of the tenant. If you already have access to a user account that is a tenant administrator, then you simply need to evict (demote, disable or delete, depending on your situation) the users from the third party. If you don't, you can ask the third party to make your user an admin. (And if that is not possible either, you can contact support to prove ownership of the domain name.)