Good afternoon, I am fairly new to Azure AD in general; I know my way around but I am stumped on something for a client of ours.
We have a client who has devices joined to Azure AD. They wish to create local administrator accounts on specific computers that only specific people can access and only that administrative account can be used on that workstation for administrative rights (just like a regular device local admin account)
For example:
CON-01 (PC name) should have a local admin account that's in Azure AD named JohnDoe_adm#contoso.com that can do elevated admin privileges' but this JohnDoe_adm#contoso.com account should not be allowed to have local administrative rights on CON-02. And vice versa. JaneDoe_adm#contoso.com should only have local administrative rights to CON-02 but her login can't be used on CON-01 for elevated permissions.
Devices will not be connected to the local AD frequently for policy updates (and we want to avoid VPN connection to the local AD DC). Client strictly wants these devices joined via Azure AD Joined but to have administrative accounts managed through Azure AD.
The clients accounts are synchronized in Azure with their local AD.
I saw that with a premium license for Azure you can add local administrators group on Azure AD joined devices but doing so will allow that user to have local administrative access on all devices that are joined and we are trying to prevent that.
Would it be possible to create a group called CONOTSO/CON-01 Local Administrators in Azure AD; and add JohnDoe_adm#contoso.com to this group and go onto CON-01 and manually apply CONOTSO/CON-01 Local Administrators group under Administrators in lusrmgr.msc on the workstation CON-01 ?
Or any suggestions to make this process easier to achieve what I am looking for?
Any advice is appreciated! Thanks!
You can do that, just not in the GUI. :-)
On an individual computer you can use "Net Group Administrators /Add AzureAD\JohnDoe_adm" to give that account admin rights to the machine.
You'll have to do that for each machine.
• Yes, you can create an Azure AD user, for example in this scenario, johndoe_adm#contoso.com as a member of the local administrators’ group on Azure AD joined devices. For that purpose, you will have to create a policy under ‘Endpoint Protection’ in Intune management portal for ‘local user/group membership’ for managing local admins of Windows 10/11 client devices. Please follow the below snapshots for more information: -
As shown in the above policy, you can create a policy for ‘local user group membership’. In it, you can create a profile for Windows 10/11 by selecting the appropriate option and selecting the correct local users’ group to be managed through it as shown below: -
Once the above options have been selected, then you can have the option of selecting Azure AD users or groups in the respective selected local administrators group so that the Azure AD users can be a member of local administrators’ group on client system as below: -
Thus, in this way, you can add an Azure AD user/group as a member of local administrators’ group on the Azure AD joined and Intune MDM managed and complaint system by assigning this policy on the said device groups.
• Also, please note that as you are saying that a particular Azure AD user, i.e., ABC should be a member of a local administrators’ group on an Azure AD joined device, viz., XYZ which is readily possible as per stated above but you also want that this user ABC should not be a member of another Azure AD joined device’s local administrators’ group, then for this purpose, you will have to create a separate Azure AD user for every Azure AD joined device and create one profile likewise for every Azure AD user/group as well as for every device that is going to be a part of the local administrators’ group on the client system which can be very hectic and time consuming given the options available in Intune MDM.
Thus, I would suggest you create a single Azure AD user for the purpose of adding it in the local administrators’ group on every Azure AD joined and Intune MDM managed Windows 10/11 device and further create a profile as shown above and deploy it on all the Windows 10/11 devices to be managed through Intune and required accordingly. Also, do keep the credentials of that Azure AD user with yourself only to maintain a level of confidentiality.
For more detailed information on the above, kindly refer the below link: -
https://www.anoopcnair.com/manage-local-admins-using-intune-group-mgmt/#:~:text=The%20local%20user%20group%20management,or%20Windows%2011%20local%20group.
Days ago I onboarded a customer using Service Principal with an ARM template in our blob storage, then the client went to this URL:
https://portal.azure.com/#create/Microsoft.Template/uri/{Blob Url}, accepted us as their resource manager, and we could make connections and go-to resources but via PowerShell, why it doesn't show to us in our Azure Lighthouse Customers page?
I can work with the resources, make deployments, and such but doesn't show in the list, I want to know if it is because we need to be gold competency or an expert MSP because we don't want to make a public offer in the market, we just want to manage certain customers.
It should be displayed there. No special conditions are required such as the ones you've mentioned. Are you definitely signed in to your own partner/MSP tenant with an account that has delegated access to the customers? Does anything show up under delegations within the Azure Lighthouse section?
If you have access to the customer tenant, does your company show up under Service Providers within Azure Lighthouse on the Azure portal?
Case closed, the Service Principal itself doesn't have the privileges on the service provider's tenant to make your user a reader. So the solution for this was:
Remove the offer in the customer tenant.
Add new authorization in the ARM template for a user/group with "Reader" built-in role id. (In our case, we decided to use an AD group because people in the organization is temporary)
Upload the new ARM template and re-onboarded the client.
After a couple of hours, the client's subscription showed in the subscription list in the section: Directories + subscriptions, checked it, and saw all the resources from the service provider's tenant.
I found a solution for this issue.
The Azure Lighthouse->My customers list on the azure portal only shows subscriptions activated in the global directories and subscription filter.
Please go to the global directories and subscriptions filter (in the portal top navigation) and open the drop downs for directories and for subscriptions and check, if your customer subscription appears here.
If yes, select all entries in both drop downs.
After that go back to Azure Lighthouse->My customers
and check, if the customer subscription appears now.
We're a very small company, for unknown reasons our internal app infrastructure (based on PaaS VMs) was set up on the Azure subscription for a "personal" Windows Live account of an internal email address, with only that one user in the AD. (We also use the "correct" Azure instance, the AD is synced from the remnant of our old on-prem infrastructure and our Office 365 is based on it.)
We're about to recruit a second developer, I want to give him some level of access to our app infrastructure but not the global admin that sharing the existing single account would provide. I've experimentally added another user to the Azure AD as a global admin (so it should have access to everything) but when I log in with that user it takes me to the portal for the default free personal Azure instance you get if there's nothing set up. If I paste in a URL for a resource in the account it's global admin for I get "You do not have access" (403). (Audit trail of the user in Azure AD shows it logged in.)
Is there an inherent restriction on this type of account (in which case I'll have to bite the bullet and migrate the infrastructure where it belongs) or should I be able to expect this user to be able to access the right portal - and if so what do I need to do to get that to happen?
Having Global Admin role in Azure AD does not give you access to Azure resources, only to manage users etc. in Azure AD.
You need to add e.g. Owner/Contributor role on the subscription to the user through the Access Control (IAM) tab.
I have an Azure Devops organization that is linked to an Azure Active Directory. This organization has projects and pipelines for deploying applications to App Services in the linked Azure AD.
Recently, one of my user account (the one with the Visual Studio Enterprise Subscription) was made the organization owner and all other project users were deleted. However, my account that is now the only user in the Azure DevOps organization is just a guest account type of the linked Azure Ad, and not an actual member of the Azure AD.
I need to add new users back to the organization but since my user account is just a guest of the linked Azure AD, when I try to add users, I get an info dialog that states that since I am only a Guest of the Azure AD domain, I can't see the domain members I want to add and so the add user process fails.
As I stated earlier, my account is the Organization Owner. I also assigned my guest user account to the Global Administrators role in the linked Azure AD, but I still cannot add domain users to the Azure DevOps organization.
This organization has production code in the repo as well as build and deployment pipelines that I do not want to lose access to or lose the ability to deploy to the App Services in the linked Azure AD, so I am concerned about taking any action until I know exactly what I need to do to be able to add users from the linked Azure AD into the organization.
Any advice as to how I can add users from the linked Azure AD back to this organization would be greatly appreciated.
This is just a guess, but DevOps could be looking at your userType and show the message based on that.
Global admin would definitely allow you to list the users.
You could try using PowerShell to change your userType from Guest to Member.
E.g. with AAD PowerShell v2:
Set-AzureADUser -ObjectId 'your-user-object-id-in-tenant' -UserType 'Member'
It's actually something that isn't super-well-known.
Guest/member and local/external user are two different things.
External users just become Guests by default, which restricts what they can do.
Add the guest users to Azure AD directly, before you try to give them access in DevOps. After adding a new guest user, that new guest can be given access to DevOps by your subscription admin.
Or create yourself a domain user in your Azure AD with the proper privileges too.
e.g. If your Azure AD domains is "MyMsdnAzureADDomain.onmicrosoft.com" (or a Custom Doamin like "mycompany.com" if you have such domain registered in Azure).
A) Create new domain user in MyMsdnAzureADDomain.onmicrosoft.com
The new user is would be MyNewUser#MyMsdnAzureADDomain.onmicrosoft.com
B) Give that new user full admin in Azure AD and your DevOps (or tailor your permissions to your needs).
C) Login into Azure using that new user to manage your DevOps.
I am struggling to distinguish how an Azure Subscription and an Azure tenant are different? I have tried figuring it out using examples but each time I come to the conclusion that they are the same thing in a way? If a tenant is a dedicated instance of the Azure AD service that an organization receives and owns when it signs up for a Microsoft cloud service, then is that not what a subscription is too?
Basic understanding:
a tenant is associated with a single identity (person, company, or organization) and can own one or several subscriptions
a subscription is linked to a payment setup and each subscription will result in a separate bill
in every subscription, you can add virtual resources (VM, storage, network, ...)
Additionally:
Every tenant is linked to a single Azure AD instance, which is shared with all tenant's subscriptions
Resources from one subscription are isolated from resources in other subscriptions
An owner of a tenant can decide to have multiple subscriptions:
when Subscriptions limits are reached
to use different payment methods
to isolate resources between different departments, projects, regional offices, and so on.
Example 1:
Contoso decides to have a tenant with 2 subscriptions:
one subscription for the Prod department with Credit Card A
one subscription for the Dev department with Credit Card B
(but could also be the same Credit Card as the one of another subscription)
In this example, the two departments share the same Azure AD database.
However, resources are isolated between departments, and budgets can be separated too.
Example 2:
A holding company decides to have 2 tenants:
one tenant for subsidiary Contoso with one subscription for Dev and Prod
one tenant for subsidiary Fabrikam with one subscription for Dev and another subscription for Prod
In this example, both companies have a different Azure AD database.
Example 3:
You have a tenant for your personal training.
In this tenant, you can have:
one free Azure subscription (linked to a credit card but not charged, and can be converted to a Pay-As-You-Go subscription after the free trial)
one or several Pay-As-You-Go subscriptions (linked to different credit cards)
one or several Azure Pass Sponsorship subscriptions, not linked to any credit card because these subscriptions are obtained during Microsoft trainings
one Visual Studio subscription (linked to a credit card) and with different quotas (of free resources) than the free subscription
Despite all those subscriptions have isolated resources (per subscription), and some are free while you have to pay for others, all subscriptions share the same Azure AD database.
Azure tenant is a directory. Azure subscription is an object that represents a "folder" that you can put resources in. Subscriptions are tied to tenants. so 1 tenant can have many subscriptions, but not vice versa.
Link:
https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits
It helps to take a scenario:
Let's say you logged into portal.azure.com for the first time and created a free tier account.
When you login to Azure, you have a single tenant ID associated with your account which will not change unless you ask Microsoft to delete your account(this is not your Azure domain user, this is your Microsoft subscription account - eg. bob#gmail.com).
You will only have 1 subscription unless you've purchased or manage other subscriptions (by using the 'transfer billing ownership' function), then they will all be listed under subscriptions.
You will have FULL access to all "resources" associated with your tenant ID. These resources can be part of your own Azure 'directory' or from another domain that someone has given you access to.
You can create up to 20 directories, and you can belong to up to 500 directories.
When you own the subscription (eg. a free account) you'll have full rights up to the 'root' of the subscription - eg. if you click on your name in the top right corner and select "... > your permissions" you see something like:
Your account 'YOURACCOUNT#gmail.com' has been assigned the role 'User Access Administrator' (type BuiltInRole) and has access to scope /.
Your resources have Role Based Access controls that you, the subscription owner, can assign to other users in your Azure Active Directory (or other trusted directories).
By default, for a new subscription, the Account Administrator is assigned the "Service Administrator" privilege. This is 'above' the RBAC roles - there can only be one service administrator per subscription. In RBAC terms this is an 'owner'.
More points:
A single tenant can have multiple AD directories, but a single directory can only have 1 tenant.
*It is recommended to maintain only a single tenant and manage all of your AD domains from that single tenant, otherwise the user experience between domains will not be a seamless.
*A tenant is directly associated with an AD resource - if you mouse over your username in the top right corner you'll see the AD domain you're connected to and a long alphanumeric string - that's the same string in AD > properties.
*If you switch to another directory (assuming you have one) your subscription name (bob#gmail.com) doesn't change, but the tenant ID will be different.
References:
https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
https://marckean.com/2016/06/01/azure-vs-azure-ad-accounts-tenants-subscriptions/
https://blogit.create.pt/miguelisidoro/2019/01/07/pros-and-cons-of-single-tenant-vs-multiple-tenants-in-office-365/
This MS doc has explained everything very nicely - Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings
Quoting from the Summary of the hierarchy section in the documentation:
Here is a quick recap:
An organization can have multiple subscriptions
A subscription can have multiple licenses
Licenses can be assigned to individual user accounts
User accounts are stored in an Azure AD tenant
Later in the same section it says:
Multiple Microsoft cloud offering subscriptions can use the same Azure
AD tenant that acts as a common identity provider. A central Azure AD
tenant that contains the synchronized accounts of your on-premises AD
DS provides cloud-based Identity as a Service (IDaaS) for your
organization.
Let us try to understand all this with the help of a real-life example. Let's assume that I'm the owner of a company named FooBar which manufactures software products. Now here is what I'll do to setup Azure infrastructure for my company:
I'll crete an Azure account using my email id.
Then for managing the employees of the company, I created below mentioned Azure Active Directories (AAD aka tenant) in my Azure account:
PermanentAad
AdhocAad
User account of all full-time employees (FTEs) will be added into PermanentAad AAD and all temporary or contractual employees will be added into AdhocAad AAD.
Similarly, I would like to manage the billing of adhoc employees and FTEs separately. So I creates two subscriptions namely PermanenetSub and AdhocSub. I'll setup a trust relationship between PermanentAad and PermanentSub. Similarly for AdhocAad and AdhocSub. So when any FTE creates an Azure resource e.g. a virtual machine(VM) then the cost of that VM will get added to total bill in PermanentSub subscription.
Now comes the licensing part. Licenses empower a user to do things in Azure e.g. creating resources, VMs etc. I can give Enterprise Mobility + Security E5 license to an FTE so that he can create VMs for testing any stuff.
To summarize:
If you want to work in Azure you need an Azure account. To create an Azure account you need an active email id.
If you want to add people/employees or machines/devices who would be part of your IT infrastructure you need a tenant/AAD. You get one tenant/AAD by default when you create an Azure account. You can create more if you require for any kind of logical separation. AAD service is a global service spanning across all locations in Azure which manages all of our AAD instances. AAD is also known as Azure Active Directory, AAD, an Azure AD instance, an AAD Instance, an Azure AD Tenant, an AAD tenant, simply tenant or an organization, etc. They all mean the same. Therefore:
Organization == Tenant == Azure Active Directory
If you require logical separation of billing for users of your Azure account then you need multiple subscriptions. You get one subscription by default when you create a new Azure account. Subscription can be of four types as per below list:
Free
Pay-as-you-go
Enterprise agreement
Cloud Solution Provider
If you want to enable the users to do things then you issue license(s) e.g. license to be able to create VM or Azure app service. Also remember that license and Role Based Access Control (RBAC) are not same although both enable you to do things in Azure portal. But they've different nuances which you can explore on your own.
Below image summarizes the above explanation. I've taken it from the same documentation that I referred at the starting of this answer - Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings
Quoting from the User accounts section in the documentation:
So, all the user accounts and devices of an organization reside in a common Azure AD tenant/instance.
Adding more to existing answers
Tenant is a domain, If these are email addresses of a certain company,
user#exampledomain.com
admin#exampledomain.com
The tenant can be recognized as "exampledomain", in a practical scenario you create a tenant against a company or a client.
Subscriptions are like another logical high-level grouping. For example, you can create a subscription for each environment you work with in the same tenant.
as an example, exampledomain.com tenant can have Development, QA, and Production subscriptions. Those will be billed separately according to the plans you take in
Below are succinct descriptions of key terms and the relationship between them.
They are all sourced from official Microsoft documentation.
Account
Tenant
Identity
Subscription
Resource
Resource Group
Account
To create and use Azure services, you first need to sign up [for an
Azure account].
Source:
Learning Path: Manage identity and access in Azure Active Directory
Module: Create an Azure account
Exercise: Create an Azure account
Tenant
An Azure tenant is a single dedicated and trusted instance of Azure
AD. Each tenant (also called a directory) represents a single
organization. When your organization signs up for a Microsoft cloud
service subscription, a new tenant is automatically created. Because
each tenant is a dedicated and trusted instance of Azure AD, you can
create multiple tenants or instances.
Identity
An identity is an object that can be authenticated. The identity can
be a user with a username and password. Identities can also be
applications or other servers that require authentication by using
secret keys or certificates. Azure AD is the underlying product that
provides the identity service.
Source:
Learning Path: AZ-104: Manage identities and governance in Azure
Module: Configure Azure Active Directory
Exercise: Describe Azure Active Directory concepts
Subscription
To create and use Azure services, you need an Azure
subscription...you're free to create additional subscriptions. For
example, your company might use a single Azure account for your
business and separate subscriptions for development, marketing, and
sales departments. After you've created an Azure subscription, you can start
creating Azure resources within each subscription.
Source:
Learning Path: Azure Fundamentals: Describe Azure architecture and services
Module: Get started with Azure accounts
In Azure, subscriptions are a unit of management, billing, and scale.
Similar to how resource groups are a way to logically organize
resources, subscriptions allow you to logically organize your resource
groups and facilitate billing...An account can have multiple
subscriptions, but it’s only required to have one. In a
multi-subscription account, you can use the subscriptions to configure
different billing models and apply different access-management
policies. You can use Azure subscriptions to define boundaries around
Azure products, services, and resources.
Source:
Learning Path: Azure Fundamentals: Describe Azure architecture and services
Module: Describe Azure management infrastructure
Resource
A resource is the basic building block of Azure. Anything you create,
provision, deploy, etc. is a resource. Virtual Machines (VMs), virtual
networks, databases, cognitive services, etc. are all considered
resources within Azure.
Resource Group
Resource groups are simply groupings of resources. When you create a
resource, you’re required to place it into a resource group. While a
resource group can contain many resources, a single resource can only
be in one resource group at a time. Some resources may be moved
between resource groups, but when you move a resource to a new group,
it will no longer be associated with the former group. Additionally,
resource groups can't be nested, meaning you can’t put resource group
B inside of resource group A.
Resource groups provide a convenient way to group resources together.
When you apply an action to a resource group, that action will apply
to all the resources within the resource group. If you delete a
resource group, all the resources will be deleted. If you grant or
deny access to a resource group, you’ve granted or denied access to
all the resources within the resource group.
When you’re provisioning resources, it’s good to think about the
resource group structure that best suits your needs.
For example, if you’re setting up a temporary dev environment,
grouping all the resources together means you can deprovision all of
the associated resources at once by deleting the resource group. If
you’re provisioning compute resources that will need three different
access schemas, it may be best to group resources based on the access
schema, and then assign access at the resource group level.
There aren’t hard rules about how you use resource groups, so consider
how to set up your resource groups to maximize their usefulness for
you.
Source:
Learning Path: Azure Fundamentals: Describe Azure architecture and services
Module: Describe Azure management infrastructure
Simply put, an instance of Azure AD is what an organization receives when the organization creates a relationship with Microsoft such as signing up for Azure, Microsoft Intune, or Microsoft 365.
A tenant is similar to a forest in an on-premise environment.
An Active Directory forest (AD forest) is the topmost logical container in an Active Directory configuration that contains domains, users, computers, and group policies
Think of a tenant as a user/domain entity that is registered in Azure. Tenants are Azure 'customer' - a unique entity that will be registered in Azure directories.
Subscription is an operational level of grouping resources. Tenants have subscriptions.
Tenant is quite a useful approach, which, in my opinion, is missing in AWS.