I know that we can migrate a subscription from one Azure AD to another AD, and move a resource from one subscription to another subscription. Wondering can we clone the Azure active directory (tenant) as well? like moving all/part of the AD roles, groups, settings, subscriptions and resources from one tenant to another?
Thanks,
There is no way to Migrate azure AD settings to other tenant.
you may submit your feedback here https://feedback.azure.com/forums/34192--general-feedback
Related
I have a structural question on the Azure portal. When I create a new Azure Active Directory B2C Tenant, it forces the creation of a new directory, with new org name, paired to the subscription ID from the directory where I created the tenant. This feels incredibly disjointed to me since my Active Directory is in my parent directory. So my questions are
Is this the standard model for using Azure Active Directory B2C?
Main Directory w/ subscription
-> B2C Tenant 1 (dev)
-> B2C Tenant 2 (staging)
-> B2C Tenant 3 (prod)
If so, does that mean that I should create all resources for the environment in the B2C Tenant directory?
Can I make multiple Azure Active Directory B2C tenants in my main account, and just separate them into different resource groups for dev, staging, and prod?
Reading the documentation, everything seems to show either creating a new Tenant which creates a new directory, or "Linking" and existing Tenant. The issue with that is when you create a tenant, you MUST specify a subscription, and to "Link" a Tenant, it can not have a subscription.. and since you can't remove a subscription from a Tenant, how is this option even possible?
Any help or guidance on these points would be greatly appreciated. I've spent days reading documentation and trying to get this set up along the lines of option 2 since that's the model that exists in a client account I need to replicate, but nothing has worked.
EDIT
I see that I can click on the B2C Tenant from my main Azure Active Directory account and see it's subscription status as
An Azure subscription is required to continue receiving SLA support for External Identities```
but when I click that it takes me to the Azure AD B2C directory and I'm confronted with this image
[![enter image description here][1]][1]
but when I look at the resource in the main Azure AD directory, I see I can move subscriptions but there is **already a subscription assigned** so what does it want me to do?
[![enter image description here][2]][2]
It seems like the answer is "An Azure AD B2C directory is ONLY meant to manage the B2C tenant, and nothing else" but the only person to reply to this so far is saying that you should create all your resources in the B2C tenant directory, not the Azure Active Directory Account which has the resource group referencing the created B2C tenant.
[1]: https://i.stack.imgur.com/g3dMY.png
[2]: https://i.stack.imgur.com/72sH7.png
• When you create an Azure B2C tenant in your existing subscription, a new Azure AD directory with the name of the given Azure AD B2C tenant is created and related to it, a separate Azure AD B2C tenant/directory is also created. That is, by the name of the Azure AD B2C tenant, a normal Azure AD B2C directory is available as well as an Azure AD B2C directory/tenant is also available.
• Thus, when you create an Azure AD B2C tenant, it will be shown under you resource group in which it is assigned. Also, if you want to create a new resource in this new Azure AD B2C tenant, then you will need to link it with an existing subscription or add a new subscription to it as it functions as full-fledged separate tenant with an existing Azure AD default directory to take care of the Identity and Access Management requirements.
If so, does that mean that I should create all resources for the environment in the B2C Tenant directory?
Yes, you can separate your ‘dev, staging and prod’ B2C tenants for your convenience and create resources in it for your management purposes but you will have to link every B2C tenant with an active subscription plan so that the billing costs of the resources deployed in it are taken care of.
Can I make multiple Azure Active Directory B2C tenants in my main account, and just separate them into different resource groups for dev, staging, and prod?
Yes, you can as per the above given explanation.
Thus, for creating a new B2C tenant, you need to have an existing subscription of Azure and an existing Azure AD tenant through which you can surely create an Azure AD B2C tenant and further if you want to deploy Azure resources in it, then you can add a subscription or link an existing one.
Please find the below snapshots for your reference: -
Is there any way to change the billing subscription on a Azure B2C tenant. I see this article which states: "Azure AD B2C tenants can be moved to another subscription if the source and destination subscriptions exist within the same Azure Active Directory tenant." but I suppose this did not clarify for me.
I have two different subscriptions which are just independant Azure subscriptions and neither is part of a corporate enrollment, so I don't think they are apart of the same AD tenant, unless onmicrosoft is the AD tenant.
Has anybody done this before?
Tenant means .onmicrosoft.com directory. If both subscriptions appear when selecting the directory in the Azure Portal, then the B2C resource can be moved between them. If not, then you first need to move the destination subscription to the tenant in which the subscription that holds the B2C resource lives, move the resource, then move the subscription back to the original tenant if you need to. Moving subscriptions between tenants will lose all RBAC assignments, since they are tied to the users in the original tenant/directory.
Following on from this question, I don't understand what the difference between an Azure Tenant, Azure Directory and Azure Active Directory.
When I log in to Azure and click my profile it lets me Switch Directory.
In my case I can switch to my company directory and also to the directory of another company where I have guest credits.
Does Directory in this context mean the same as Azure Active Directory?
The documentation says a tenant is:
Azure tenant: A dedicated and trusted instance of Azure AD that's
automatically created when your organization signs up for a Microsoft
cloud service subscription, such as Microsoft Azure, Microsoft Intune,
or Office 365. An Azure tenant represents a single organization.
So is Tenant the same as Directory in this case as well?
Yes, in this case the tenant is the same as an Azure AD. In the Azure portal you are changing Azure Active Directories when you use the Switch Directory feature. You can currently only be in the context of a single directory at a time; however, as the previous question you pointed to indicates, multiple subscriptions can be tied to a tenant/directory. So when you are in the context of a directory you'll see all the subscriptions under that tenant to which you have access to one or more resources based on security.
To be fair, I use Azure AD Tenant/Azure AD Directory interchangeably. The Portal UI calls them directories; however, the properties on resources, REST APIs, CLI commands, etc. all refer to it as a tenant.
Directory == Tenant.
When you utilize azure services, the TenantId will be requested. The TenantId is non other than the DirectoryId which can be found in the Properties tab within Azure Active Directory.
Furthermore, as answered in the link you provided:
"Subscriptions are tied to tenants. so 1 tenant can have many subscriptions, but not vice versa."
Azure Active Directory is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources
Tenant is a digital representation of the organization.
Azure Active Directory creating a directory objects in the form of tenant name. Azure Active Directory and tenants are interrelated.
In total, the Azure AD Tenant provides identity and access management (IAM) capabilities to applications and resources.
Link : https://learn.microsoft.com/en-us/microsoft-365/education/deploy/intro-azure-active-directory#what-is-an-azure-ad-tenant
Getting error You are currently signed into the 'Azure AD B2C tenant' directory which does not have any subscriptions. when I try to create a resource in Azure AD B2C.
Please help I am new to Azure
Switch back to the directory where you have your subscription and create the resources there.
Don't take my answer as definitive, since I'm still a newbie, but at this point my understanding is this: B2C needs a new tenant because of the way it is designed (it isn't just an add-on for AD) and you link it to your subscription for billing purposes. But that's it. You don't need to create the resources for your app there, although I guess you could do it if you get a new subscription or transfer another one.
I already created a mobile app in my default tenant and successfully used the linked B2C tenant for authentication and I guess you've done that already. But since this was one of the few results that I got when I googled the message you quoted, I think it's worth sharing.
Have you done this ?
The Azure subscription has a trust relationship with Azure Active
Directory (Azure AD), which means that the subscription trusts Azure
AD to authenticate users, services, and devices. Multiple
subscriptions can trust the same Azure AD directory, but each
subscription can only trust a single directory.
Following link might help (check To associate an existing subscription to your Azure AD directory)
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
Azure AD B2C needs a Microsoft Azure Subscription for billing purposes. You're going to need 3 things to make that message go away:
Azure AD Tenant
MS Azure Subscription
Associate your Azure AD B2C tenant to the MS Azure Subscription
It's a bit strange as Azure AD B2C tenants feel very similar to Azure AD (and run on a lot of the the same infrastructure behind the scenes) ... but from a billing standpoint, they are almost treated like MS Azure resources (e.g. VM, App Service, etc)
I am trying out ad-b2c and boy even the first step is turning out to be extremely frustrating. Anyway here's my problem:
I have an existing subscription with a default directory which has its own mydefaultdirectory.onmicrosoft.com domain
According to instructions here: I should be able to create an ad-b2c tenant, and then go into the portal B2C features blade.
I created the tenant, which included me creating a custom ad-b2c directory. I had to choose another domain such as myadb2ctest.onmicrosoft.com.
I go to the portal under b2c blade, but now I have no subscription. This is because now I am logged in to the myadb2ctest directory rather than mydefaultdirectory which has my subscription.
I DO NOT want to create a new subscription. I just want this directory associated with my already existing subscription so I can try this thing out.
An Azure AD (and B2C) is a higher level object than a subscription in the portal user interface. That's why you lose your subscription view when selecting B2C.
Internally this will be linked to your subscription, otherwise Microsoft couldn't send you a bill. if you go to the B2C dashboard, there is text containing the linked subscription:
Subscription status
If there is no subscription linked, there is a warning in the B2C Dashboard:
No Subscription linked to this B2C tenant or the Subscription needs your attention.
And then you will need to take these actions:
This B2C tenant must be linked to an active Azure subscription for communication, support and billing.
If your Subscription status is No Subscription, please link this B2C tenant to an Azure subscription,
Switch Directories to the location of your target Azure subscription
Under Marketplace, search for and select 'B2C'
Select Create to link this B2C Tenant to a subscription
Unfortunately today B2C features cannot be turned on in an existing tenant.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-faqs
Please make your B2C directory a default directory for an Azure Subscription. You could think of a B2C directory as a normal AAD during this process.
This process of switching the default directory can only be done through Azure Classic Portal using Service Admin (live account ONLY) for the subscription.
You could refer this article for further steps:
https://ballance.in/default-directory-of-an-azure-subscription/