How to test Azure AD in Azure government?

I want to test some Azure AD features on Azure US Government, but I don't know how. For normal Azure Active Directory, I would go to demo.microsoft.com and create a tenant.
There, the only government-related option is "World Wide Government", but there is nothing suggesting that it is actually on the Azure Government cloud.
Also, after creating the tenant it says that it is in North America with the "World Wide Government" content pack, which to me means that it is on normal Azure.
So basically, the question is where to create a demo account and how to log in to the portal (is it still portal.azure.com)?

Go here and set up a free trial for Azure Government: https://azure.microsoft.com/en-us/global-infrastructure/government/request/

Related

We have purchased "AZURE AD PREMIUM P2" but we are not able to use this subscription

We have purchased "AZURE AD PREMIUM P2" but we are not able to use this subscription, as when I access the Azure portal, I get this message to purchase a subscription:
Any advice?
Thanks
You are looking at the default home screen, and the message on the left is a trial offer referring to an Azure subscription for resources such as virtual machines, SQL databases, function apps, etc. which is separate from an Azure AD tenant/subscription.
You can see your Azure AD license by:
Opening the Azure Active Directory blade
See your Azure AD license level from the basic information on the overview page

Is it possible to create Dev/Test subscription in Azure Government cloud (EA)

Can we create a Dev/Test subscription in Azure Government cloud as part of an Enterprise Agreement (EA)? I am unable to test it as my organization has not given me enough permissions to test it under the Azure Gov tenant. Has anyone been able to create a Dev/Test subscription in Azure Gov Cloud?
Provided your organization has a government enterprise agreement, you should be able to create subscriptions for whatever purposes your organization allows in Azure Government. Do you know your enterprise agreement administrator? They should be able to ensure you're assigned access to create subscriptions that are billed to the right department within your organization.

Connecting to an Azure Subscription in Azure China using an application created in Azure General region gives "AADSTS70001" error

I have created a native application in an Azure AD in Azure General region. The application has been granted appropriate permissions (Sign in on user's behalf, execute Service Management API requests etc.). Using this application, I am able to connect to any Azure Subscription in Azure General region using this application.
However when I try to connect to an Azure Subscription in Azure China, after successful login, I am getting the following error:
AADSTS70001: Application with identifier '01234567-890a-bcde-ffff-fcc63fc150ea' was not
found in the directory 'xxx.yyy.onmschina.cn'.
So my questions are:
Is it possible to connect to an Azure Subscription in Azure China (or for that matter to any Azure Subscription in Azure Sovereign Cloud like Germany etc.) using an application created in Azure General region?
Or do I need to create a separate application for each Azure Sovereign region in an Azure AD in that region?
If I indeed need to create a separate application (i.e. answer is yes to above question), is it possible to create an Azure AD tenant in these Sovereign regions without having an Azure Subscription there?
I believe the answer to the last question is yes considering Azure AD and Azure Subscription are two different things, yet I would very much like to get a confirmation on the same.
No, it is NOT possible to connect Azure "General" with any sovereign clouds - these are Azure US Government, Azure China, Azure Germany. All these clouds are completely separate deployments with their own Azure AD. You cannot use B2B inter clouds, you cannot use your multi-tenant applications across clouds.
For that case you have to have a subscription in every cloud you would like to support, a separate application registration, and separate instructions for your users. Check for example how Azure CLI is handling this. You are always only connected to one cloud with that cloud's specific account.
In Azure Germany you can create an Azure AD tenant - just create a free trial subscription and you will also get a tenant. For China and US Gov it will be hard - they both have very strict requirements on who can create subscriptions there.
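The per-cloud separation described in this answer can be enforced in client code before any sign-in is attempted. The following is an added example, not code from the post or from Azure CLI: it keeps one app registration per cloud and refuses to send a client ID to a cloud whose Azure AD does not hold it, which is the situation behind the AADSTS70001 error above. The class and function names, tenants, client IDs and redirect URI are hypothetical, constructed values.

```python
from dataclasses import dataclass
from urllib.parse import urlencode

# Azure AD authority and Resource Manager endpoint for each separate deployment,
# keyed by the cloud names Azure CLI uses.
CLOUDS = {
    "AzureCloud": ("https://login.microsoftonline.com", "https://management.azure.com/"),
    "AzureUSGovernment": ("https://login.microsoftonline.us", "https://management.usgovcloudapi.net/"),
    "AzureChinaCloud": ("https://login.chinacloudapi.cn", "https://management.chinacloudapi.cn/"),
}

@dataclass(frozen=True)
class AppRegistration:      # hypothetical record of one app registration
    cloud: str              # cloud whose Azure AD holds the registration
    tenant: str
    client_id: str

class CloudMismatch(ValueError):
    """The client ID is not registered in the target cloud's Azure AD."""

# Constructed sample values: one registration per supported cloud.
REGISTRATIONS = [
    AppRegistration("AzureCloud", "contoso.onmicrosoft.com", "00000000-0000-0000-0000-0000000000a1"),
    AppRegistration("AzureChinaCloud", "contoso.onmschina.cn", "00000000-0000-0000-0000-0000000000c2"),
]

def registration_for(cloud, registrations=REGISTRATIONS):
    """Return the registration that lives in `cloud`, or fail before any sign-in."""
    if cloud not in CLOUDS:
        raise KeyError(f"unknown cloud: {cloud}")
    for reg in registrations:
        if reg.cloud == cloud:
            return reg
    raise CloudMismatch(f"no app registration in {cloud}; register the app there first")

def authorize_url(reg, target_cloud, redirect_uri="http://localhost:8400"):
    """Build the authorization request against the target cloud's own authority."""
    if reg.cloud != target_cloud:
        raise CloudMismatch(f"client {reg.client_id} is registered in {reg.cloud}, not {target_cloud}")
    authority, arm = CLOUDS[target_cloud]
    query = urlencode({"client_id": reg.client_id, "response_type": "code",
                       "redirect_uri": redirect_uri, "scope": arm + ".default"})
    return f"{authority}/{reg.tenant}/oauth2/v2.0/authorize?{query}"
```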

Classic storage "The selected pricing tier is not supported in this location" Europe West

I have an Azure account and some services created on it (web app, database and server, web service and storage account), and noticed that some accounts are created on Europe North and others on Europe West farms. I wanted to move everything, or recreate on Europe West, but ran into a problem when creating a classic storage account. When I want to create a classic storage account in the Europe West location, I get the message "The selected pricing tier is not supported in this location". I have a B1 Basic service plan (tried to switch it to S1 but it didn't help). The thing that is bothering me is that my colleague tried to create the same thing from his Azure account and he was able to do it. Also, I tried doing the same from my private account (the account that it's not working for is the company's account), and was also able to do it. I have a Pay-as-you-go pricing plan on the company's account. I seem to be missing something here and I'm simply not experienced enough in configuring Azure, and couldn't find the solution by googling. I appreciate your help.
Please create a ticket with Billing Support via Azure Portal. They should be able to help you with this.
So I finally got the solution. b0rg was on the right track. So when I posted the problem here, I was in contact with an MS partner company, and they told me that for some reason, when my account was created, options for some locations weren't enabled by default, and I should create a free billing support ticket through the Azure portal. So I did that. Told them what the MS partner told me, and within 2 working days they just enabled the options and now I can create the storage in the Europe West location. Microsoft.... :/

Azure using enterprise Active Directory

Before I describe my questions, I would like to tell you that I am a web developer and not a security/Active Directory or Azure specialist, so please be gentle :-)
I work for a large international financial services company. We have a global IT department that provides member firms with services that we use (Active Directory 2012).
In my member firm, we are currently considering migrating custom-built websites to Azure. All the custom-built websites are implemented with Kerberos and Single Sign-On using Active Directory. Some of these websites read & write information in Active Directory.
The challenge that we are facing is how we can migrate these websites to Azure whilst using the enterprise's Active Directory. I searched for detailed information about solutions available but haven't found anything that answered my questions. My questions:
What solutions are there for connecting Azure with an enterprise's Active Directory?
What are the advantages and disadvantages for these solutions?
What are the requirements for these solutions?
Perhaps there is a book/blog/whitepaper that answers my questions?
AFAIK you cannot directly use the corp AD from Azure. You must use Azure Active Directory. However, there are solutions to keep the corp AD and the Azure AD in sync. For example, read Connecting AD and Azure AD: Only 4 clicks with Azure AD Connect, which shows how to use Azure AD Connect to link the Azure AD with your corp AD. It will basically mirror one corporate AD forest with an Azure AD account, and keep it up to date by periodic re-sync. The net effect is that you develop your cloud apps to authenticate and authorize based on the Azure AD, but the Azure AD will mirror the corp AD. There will be a delay in propagating changes to Azure AD, e.g. an employee added to the "domain\sales" group will not be allowed to access the "Sales" app for some hours until the Azure AD sync catches up with the corp AD change.
