I'm sorry to ask this here because I know it's not the standard place for a question like this, but the Azure forums keep redirecting me away from the actual forum to the portal so I've given up for now.
Question: Should I create all of my resources for a project in a "Directory" created when creating an Azure Active Directory B2C Tenant, or is that directory supposed to be empty except for the Tenant?
I'm coming from AWS where I'm used to the structure of infrastructure, so when there's essentially what seem to be new accounts being created when I create a service, it really throws me off.
I've attempted
https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant
https://learn.microsoft.com/en-us/azure/active-directory-b2c/billing#link-an-azure-ad-b2c-tenant-to-a-subscription
and all of that just creates new "Directories" instead of making the new Azure AD B2C Tenant in the "Directory" I am working in. Is that how it should be?
Azure AD B2C is a separate directory. If you want to create "container" directories, you just have to create a new AAD B2C directory. The links you followed are correct.
Related
I am trying to get a Database configured to use Integrated Auth. In other words, I have an App Service, and I want it to use Integrated Auth so that I don't have to use Sql Server username/password in a connection string.
So I went to my existing Azure Account and created an Azure Active Directory.
The Active Directory was created, and I then switched to this Directory. However, all of the resources of my usual Azure account are not to be found. It is as if I had created a brand new Azure account.
If I try to create a resource, it tells me that I have no subscription, and that I need to create one. So I created one, but it ended up getting linked to my original account, not the new Active Directory Account.
I tried again to add a subscription; it asks me to sign in, but I don't understand how I am supposed to sign in to the new AD account.
I am not understanding what is going on here. Is an Azure Active Directory a new and different account than my original?
How do I "sign in" to the new active directory so I can add a subscription?
An Azure subscription is always linked to an Azure AD tenant (directory).
The hierarchy looks like this:

    Your default Azure AD
        Subscription
            SQL DB
    The new Azure AD you created
So you can see the SQL DB is looking at the Azure AD you already had.
Because that's the one linked to the sub where the DB is.
Make sure you are looking at the directory where your DB is; you should be able to go to "Azure Active Directory" from the service list.
"Integrated auth" usually means AD authentication, so I want to clarify that Azure SQL does not support that.
Neither does App Service.
What they do support is Azure AD authentication, which is documented here: https://learn.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication.
Mostly I recommend enabling a Managed Identity on the App Service, granting it access to the database, and then using that from within the app to connect.
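As an added example (not code from the answer above), the following Python tells a connection string that still carries a SQL login and password apart from one that relies on Azure AD or a managed identity, flags Windows integrated auth as unsupported on Azure SQL, and packs an already-acquired Azure AD access token in the layout the Microsoft ODBC driver expects in pyodbc's `attrs_before`. The connection strings, server name and database name are constructed placeholders; the `SQL_COPT_SS_ACCESS_TOKEN` constant (1256) and the length-prefixed UTF-16-LE token layout are the driver's documented values.

```python
"""
Added example: classify Azure SQL connection strings by how they
authenticate, and pack an AAD access token for the ODBC driver.
"""
import struct

# Driver attribute for handing a pre-acquired access token to msodbcsql.
SQL_COPT_SS_ACCESS_TOKEN = 1256

# Keys whose presence means a secret is sitting in configuration.
_PASSWORD_KEYS = {"password", "pwd"}


def parse_connection_string(conn_str: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys.

    Values may themselves contain '=', so split on the first '=' only.
    """
    parts = {}
    for segment in conn_str.split(";"):
        if not segment.strip():
            continue
        key, _, value = segment.partition("=")
        parts[key.strip().lower()] = value.strip()
    return parts


def auth_mode(conn_str: str) -> str:
    """Classify how a connection string authenticates.

    'sql-password'       SQL login with the password in the string
    'aad-password'       Azure AD user, but still a password in config
    'aad-interactive'    Azure AD with a non-secret Authentication= value
    'managed-identity'   Authentication=ActiveDirectoryMsi / ...ManagedIdentity
    'windows-integrated' Trusted_Connection / Integrated Security (not
                         supported by Azure SQL)
    'access-token'       no credential in the string; caller supplies a token
    """
    p = parse_connection_string(conn_str)
    auth = p.get("authentication", "").lower().replace(" ", "")
    has_password = any(k in p for k in _PASSWORD_KEYS)
    trusted = (p.get("trusted_connection", "").lower() in ("yes", "true")
               or p.get("integrated security", "").lower() in ("true", "sspi"))
    if trusted:
        return "windows-integrated"
    if auth in ("activedirectorymsi", "activedirectorymanagedidentity"):
        return "managed-identity"
    if auth.startswith("activedirectory"):
        return "aad-password" if has_password else "aad-interactive"
    if has_password:
        return "sql-password"
    return "access-token"


def findings(conn_str: str) -> list:
    """Return human-readable findings for a connection string."""
    mode = auth_mode(conn_str)
    out = []
    if mode in ("sql-password", "aad-password"):
        out.append("credential stored in connection string; move to managed identity")
    if mode == "windows-integrated":
        out.append("Windows integrated auth is not supported by Azure SQL")
    return out


def pack_access_token(token: str) -> bytes:
    """Encode an access token for pyodbc's attrs_before={1256: ...}.

    The driver expects a 4-byte little-endian byte length followed by the
    token in UTF-16-LE.
    """
    token_bytes = token.encode("utf-16-le")
    return struct.pack("<I", len(token_bytes)) + token_bytes


# Constructed sample strings; host, database and login are placeholders.
WEAK = ("Server=tcp:example.database.windows.net,1433;Database=appdb;"
        "User ID=appuser;Password=S3cret!;Encrypt=yes;")
STRONG = ("Server=tcp:example.database.windows.net,1433;Database=appdb;"
          "Authentication=ActiveDirectoryMsi;Encrypt=yes;")
TOKEN_ONLY = "Server=tcp:example.database.windows.net,1433;Database=appdb;Encrypt=yes;"

if __name__ == "__main__":
    for s in (WEAK, STRONG, TOKEN_ONLY):
        print(auth_mode(s), findings(s))
    # On an App Service with a managed identity and the azure-identity and
    # pyodbc packages installed, the TOKEN_ONLY string would be used as:
    #   token = DefaultAzureCredential().get_token(
    #       "https://database.windows.net/.default").token
    #   pyodbc.connect(TOKEN_ONLY, attrs_before={
    #       SQL_COPT_SS_ACCESS_TOKEN: pack_access_token(token)})
```

The database side still has to know the identity: as the Azure AD admin of the server, run `CREATE USER [<app-service-name>] FROM EXTERNAL PROVIDER;` in the target database and add that user to the roles it needs (for example `ALTER ROLE db_datareader ADD MEMBER [<app-service-name>];`), where the bracketed name is the App Service's name. With `Authentication=ActiveDirectoryMsi` the driver fetches the token itself; the token-packing path is for drivers or runtimes where you acquire it yourself.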
I am trying to understand why several lectures say that an Azure tenant is a directory (example here). According to the docs an Azure tenant is a trusted instance of the Azure AD, and, again according to those docs, an Azure AD is a service and not a directory. Could you help me to understand why several lectures say the Azure tenant is a directory if the docs say that it is an instance of a service, please?
I think what is confusing is that the word directory has several meanings. When directory is used in this context it means an Azure Active Directory instance. An instance of the Azure Active Directory service is a tenant. If you created multiple Azure ADs in your Azure Portal you would have multiple instances therefore you would have multiple tenants or as some would say directories. I hope that clarifies it a little.
I have a requirement to be able to create an Azure subscription and Azure AD Tenant programmatically (e.g with Terraform or an ARM Template etc - this part is not important, as long as I can find an API).
Looking at the Azure RM it doesn't seem to be possible. Even the UI seems to redirect to a different app to create a subscription.
Any ideas on how to go about this?
We had a similar requirement on a project two years ago and we found no way to programmatically provision a subscription nor an Azure Active Directory.
As far as I know, this is still not possible. However, we "solved" it by manually creating a pool of subscriptions and AADs and used them in our tenant onboarding application.
I'm working on an application that will allow users to authenticate to Azure Active Directory and then manage resources in their Azure account via Azure Resource Manager API calls.
I've found several walkthroughs on building such an app including this post. However, in the part that discusses authentication with Azure Active Directory, there's a step showing the need to manually retrieve the Azure Active Directory name from the Azure Portal.
The directory name is plugged into app settings (and ultimately authentication calls to the directory) as follows
http://login.microsoftonline.com/{directory_domain_name}/OAuth2/Authorize
Is there any way to programmatically retrieve {directory_domain_name} without requiring users to login and lookup the information in the Azure Portal?
The one answer to this question has a dead link and another pointing to the Graph API, which seems to still require the domain name.
For your particular scenario, it looks like you want to build an app that will be used by users from different Azure AD tenants. This scenario is best addressed by building a multi-tenant application.
To make your application multi-tenant, you'll need to go to the Azure Portal and in the Configure tab of your Azure AD application, set the "Application is Multi-Tenant" option to yes.
Once you do this, you can just call
http://login.microsoftonline.com/common/oauth/authorize
http://login.microsoftonline.com/common/oauth/token
And Azure AD will figure out which tenant to authenticate against based on the credential that the user types in.
More information on multi-tenant applications: https://azure.microsoft.com/en-us/documentation/articles/guidance-multitenant-identity-authenticate/
Sample multi-tenant application: https://github.com/Azure-Samples/active-directory-dotnet-webapp-multitenant-openidconnect
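As an added example (not code from the answer or the linked sample), the following Python shows the two halves of the pattern the answer describes: sending the user to the `common` authorization endpoint without knowing their directory name up front, and then learning which tenant actually authenticated them from the `tid` and `iss` claims of the returned ID token. The client id, redirect URI, tenant ids and the unsigned sample token are constructed for offline testing; it uses the v2.0 endpoint path (`/oauth2/v2.0/authorize`) over https and assumes the OIDC `state` and `nonce` values are generated and checked by the caller.

```python
"""
Added example: /common authorization URL for a multi-tenant app, plus
tenant resolution and allow-listing from the ID token's claims.
"""
import base64
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"


def authorize_url(client_id: str, redirect_uri: str, state: str, nonce: str,
                  tenant: str = "common") -> str:
    """Authorization request for a multi-tenant app (v2.0 endpoint).

    'common' lets Azure AD pick the tenant from the account the user signs
    in with; state and nonce must be unguessable per-request values that
    the callback verifies.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile https://management.azure.com/user_impersonation",
        "state": state,
        "nonce": nonce,
        "response_mode": "query",
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Read the payload of a JWT.

    Claim inspection only: a real callback must first verify the signature
    against the issuing tenant's keys with a JWT library. This function
    exists to learn the tenant, which is what the question asks for.
    """
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def tenant_from_claims(claims: dict) -> str:
    """Return the tenant id that issued the token.

    With the /common endpoint the issuer is never 'common': Azure AD fills
    in the real tenant, so 'iss' must agree with 'tid'. A mismatch means
    the token did not come from the tenant it names.
    """
    tid = claims["tid"]
    expected = f"{AUTHORITY}/{tid}/v2.0"
    if claims.get("iss") != expected:
        raise ValueError(f"issuer {claims.get('iss')!r} does not match tid {tid}")
    return tid


def tenant_allowed(claims: dict, allowed_tenants=None) -> bool:
    """Multi-tenant apps still decide who may sign in.

    Without an allow-list any Azure AD tenant can log in; apps that only
    serve known customers pass their tenant ids here.
    """
    tid = tenant_from_claims(claims)
    return allowed_tenants is None or tid in allowed_tenants


def _constructed_token(claims: dict) -> str:
    """Unsigned JWT for offline testing (constructed sample, no signature)."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed tenant ids and token; the ARM call below is what the app
# would make once it holds an access token for the resolved tenant.
TENANT_A = "11111111-1111-1111-1111-111111111111"
SAMPLE_TOKEN = _constructed_token({
    "iss": f"{AUTHORITY}/{TENANT_A}/v2.0",
    "tid": TENANT_A,
    "sub": "user-a",
    "aud": "constructed-client-id",
})

if __name__ == "__main__":
    print(authorize_url("constructed-client-id", "https://app.example/callback",
                        state="random-state", nonce="random-nonce"))
    claims = id_token_claims(SAMPLE_TOKEN)
    print("authenticated tenant:", tenant_from_claims(claims))
    # Subsequent ARM call, with the access token as a bearer header:
    #   GET https://management.azure.com/subscriptions?api-version=2020-01-01
```

The `tid` claim is what replaces the manually looked-up directory name: once you have it, tenant-specific token requests go to `https://login.microsoftonline.com/{tid}/oauth2/v2.0/token` instead of `common`.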
I can't seem to figure out how I can delete the tenant which I have created from my Azure Subscription. Can anyone help me figure out how to do this? It sounds like it should be easy to do, but maybe I'm missing something.
Currently you cannot remove an AAD tenant from the Azure Portal. You also cannot rename it. The good thing is that you are not being charged for it if you are not using any special features (i.e. even if you use it just for authenticating without Two-Factor Authentication it is still free!). And I don't recall having seen an API via which you would be able to remove an AAD tenant.
UPDATE
As of November 2013 you are able to rename an Azure AD, add a new Azure AD, change the default AD for a subscription, and delete an Azure AD (as long as there is no subscription attached and no user/group/app objects in it).
We were eventually able to delete an Azure Active Directory instance after we deleted all mapped users (except for the administrator who was logged in) and groups.
Make sure you go through the following list of possible causes for not being able to delete your Azure AD:
You are signed in as a user for whom <Your Company Name> is the home directory
Directory contains users besides yourself
Directory has one or more subscriptions to Microsoft Online Services.
Directory has one or more Azure subscriptions.
Directory has one or more applications.
Directory has one or more Multi-Factor Authentication providers.
Directory is a "Partner" directory.
Directory contains one or more applications that were added by a user or administrator.