I have power platform portal, and i'am using Azure AD for registering.
Only Guest users in Azure AD may register on the portal.
I have two problems/questions:
When I create a guest user on Azure AD, I fill in his company name. But when this guest registers on portal, his company name isn't mentionned on his portal profile.
So, for the workaround, I created an automated flow to get the user data from Azure AD, But the connector did not return the company name. In other words, the company name is not on the returned attributes list.
Ideas?
Thank you for your help
The Power Apps Per app plan and user plan can retrieve Company name as Premium connectors (A connector may provide tables of data or actions) are added. If its Include only with Office, it cannot retrieve.
You must assign your guest the same license that's required for non-guests to run the app. For instance, if the app uses premium connectors, a Power Apps per app plan or a Power Apps per user plan must be assigned to the guest.
Reference Docs:
https://learn.microsoft.com/en-us/powerapps/maker/canvas-apps/share-app-guests
https://learn.microsoft.com/en-us/powerapps/maker/canvas-apps/connections-list
Given situation
I have two Azure AD directories in one Azure portal tenant.
AD_1 - A directory that got automatically created when signed up for Azure cloud the first time
AD_2 - A directory that I have manually created for managing a different set of users.
I also have an office365 account, that got created using the same Azure account. In it first I purchased a subscription.
SUBSCRIPTION_1 - only office apps. The licenses are attached to users in AD_1
Later I purchased another subscription purely for non-office products for different set of users.
SUBSCRIPTION_2 - exchange, yammer etc apps - A new subscription.
Questions
Is it possible to associate SUBSCRIPTION_2 to only users in directory AD_2?
If above is YES, how to do?
Disclaimer: I am a noob to whole Azure AD, Office 365, for that matter Microsoft products. Please forgive my naivety.
No matter the originating subscription access to services or apps only depends on licenses. So just navigate to Office 365 Portal > Administration > Users > Active, there select a user and assign the appropriate license, no matter from which AD user comes from, in fact it is also possible to assign licenses to users created in a local AD that is synchronized to Azure AD (administration privileges are needed for this procedure)
I am struggling to distinguish how an Azure Subscription and an Azure tenant are different? I have tried figuring it out using examples but each time I come to the conclusion that they are the same thing in a way? If a tenant is a dedicated instance of the Azure AD service that an organization receives and owns when it signs up for a Microsoft cloud service, then is that not what a subscription is too?
Basic understanding:
a tenant is associated with a single identity (person, company, or organization) and can own one or several subscriptions
a subscription is linked to a payment setup and each subscription will result in a separate bill
in every subscription, you can add virtual resources (VM, storage, network, ...)
Additionally:
Every tenant is linked to a single Azure AD instance, which is shared with all tenant's subscriptions
Resources from one subscription are isolated from resources in other subscriptions
An owner of a tenant can decide to have multiple subscriptions:
when Subscriptions limits are reached
to use different payment methods
to isolate resources between different departments, projects, regional offices, and so on.
Example 1:
Contoso decides to have a tenant with 2 subscriptions:
one subscription for the Prod department with Credit Card A
one subscription for the Dev department with Credit Card B
(but could also be the same Credit Card as the one of another subscription)
In this example, the two departments share the same Azure AD database.
However, resources are isolated between departments, and budgets can be separated too.
Example 2:
A holding company decides to have 2 tenants:
one tenant for subsidiary Contoso with one subscription for Dev and Prod
one tenant for subsidiary Fabrikam with one subscription for Dev and another subscription for Prod
In this example, both companies have a different Azure AD database.
Example 3:
You have a tenant for your personal training.
In this tenant, you can have:
one free Azure subscription (linked to a credit card but not charged, and can be converted to a Pay-As-You-Go subscription after the free trial)
one or several Pay-As-You-Go subscriptions (linked to different credit cards)
one or several Azure Pass Sponsorship subscriptions, not linked to any credit card because these subscriptions are obtained during Microsoft trainings
one Visual Studio subscription (linked to a credit card) and with different quotas (of free resources) than the free subscription
Despite all those subscriptions have isolated resources (per subscription), and some are free while you have to pay for others, all subscriptions share the same Azure AD database.
Azure tenant is a directory. Azure subscription is an object that represents a "folder" that you can put resources in. Subscriptions are tied to tenants. so 1 tenant can have many subscriptions, but not vice versa.
Link:
https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits
It helps to take a scenario:
Let's say you logged into portal.azure.com for the first time and created a free tier account.
When you login to Azure, you have a single tenant ID associated with your account which will not change unless you ask Microsoft to delete your account(this is not your Azure domain user, this is your Microsoft subscription account - eg. bob#gmail.com).
You will only have 1 subscription unless you've purchased or manage other subscriptions (by using the 'transfer billing ownership' function), then they will all be listed under subscriptions.
You will have FULL access to all "resources" associated with your tenant ID. These resources can be part of your own Azure 'directory' or from another domain that someone has given you access to.
You can create up to 20 directories, and you can belong to up to 500 directories.
When you own the subscription (eg. a free account) you'll have full rights up to the 'root' of the subscription - eg. if you click on your name in the top right corner and select "... > your permissions" you see something like:
Your account 'YOURACCOUNT#gmail.com' has been assigned the role 'User Access Administrator' (type BuiltInRole) and has access to scope /.
Your resources have Role Based Access controls that you, the subscription owner, can assign to other users in your Azure Active Directory (or other trusted directories).
By default, for a new subscription, the Account Administrator is assigned the "Service Administrator" privilege. This is 'above' the RBAC roles - there can only be one service administrator per subscription. In RBAC terms this is an 'owner'.
More points:
A single tenant can have multiple AD directories, but a single directory can only have 1 tenant.
*It is recommended to maintain only a single tenant and manage all of your AD domains from that single tenant, otherwise the user experience between domains will not be a seamless.
*A tenant is directly associated with an AD resource - if you mouse over your username in the top right corner you'll see the AD domain you're connected to and a long alphanumeric string - that's the same string in AD > properties.
*If you switch to another directory (assuming you have one) your subscription name (bob#gmail.com) doesn't change, but the tenant ID will be different.
References:
https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
https://marckean.com/2016/06/01/azure-vs-azure-ad-accounts-tenants-subscriptions/
https://blogit.create.pt/miguelisidoro/2019/01/07/pros-and-cons-of-single-tenant-vs-multiple-tenants-in-office-365/
This MS doc has explained everything very nicely - Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings
Quoting from the Summary of the hierarchy section in the documentation:
Here is a quick recap:
An organization can have multiple subscriptions
A subscription can have multiple licenses
Licenses can be assigned to individual user accounts
User accounts are stored in an Azure AD tenant
Later in the same section it says:
Multiple Microsoft cloud offering subscriptions can use the same Azure
AD tenant that acts as a common identity provider. A central Azure AD
tenant that contains the synchronized accounts of your on-premises AD
DS provides cloud-based Identity as a Service (IDaaS) for your
organization.
Let us try to understand all this with the help of a real-life example. Let's assume that I'm the owner of a company named FooBar which manufactures software products. Now here is what I'll do to setup Azure infrastructure for my company:
I'll crete an Azure account using my email id.
Then for managing the employees of the company, I created below mentioned Azure Active Directories (AAD aka tenant) in my Azure account:
PermanentAad
AdhocAad
User account of all full-time employees (FTEs) will be added into PermanentAad AAD and all temporary or contractual employees will be added into AdhocAad AAD.
Similarly, I would like to manage the billing of adhoc employees and FTEs separately. So I creates two subscriptions namely PermanenetSub and AdhocSub. I'll setup a trust relationship between PermanentAad and PermanentSub. Similarly for AdhocAad and AdhocSub. So when any FTE creates an Azure resource e.g. a virtual machine(VM) then the cost of that VM will get added to total bill in PermanentSub subscription.
Now comes the licensing part. Licenses empower a user to do things in Azure e.g. creating resources, VMs etc. I can give Enterprise Mobility + Security E5 license to an FTE so that he can create VMs for testing any stuff.
To summarize:
If you want to work in Azure you need an Azure account. To create an Azure account you need an active email id.
If you want to add people/employees or machines/devices who would be part of your IT infrastructure you need a tenant/AAD. You get one tenant/AAD by default when you create an Azure account. You can create more if you require for any kind of logical separation. AAD service is a global service spanning across all locations in Azure which manages all of our AAD instances. AAD is also known as Azure Active Directory, AAD, an Azure AD instance, an AAD Instance, an Azure AD Tenant, an AAD tenant, simply tenant or an organization, etc. They all mean the same. Therefore:
Organization == Tenant == Azure Active Directory
If you require logical separation of billing for users of your Azure account then you need multiple subscriptions. You get one subscription by default when you create a new Azure account. Subscription can be of four types as per below list:
Free
Pay-as-you-go
Enterprise agreement
Cloud Solution Provider
If you want to enable the users to do things then you issue license(s) e.g. license to be able to create VM or Azure app service. Also remember that license and Role Based Access Control (RBAC) are not same although both enable you to do things in Azure portal. But they've different nuances which you can explore on your own.
Below image summarizes the above explanation. I've taken it from the same documentation that I referred at the starting of this answer - Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings
Quoting from the User accounts section in the documentation:
So, all the user accounts and devices of an organization reside in a common Azure AD tenant/instance.
Adding more to existing answers
Tenant is a domain, If these are email addresses of a certain company,
user#exampledomain.com
admin#exampledomain.com
The tenant can be recognized as "exampledomain", in a practical scenario you create a tenant against a company or a client.
Subscriptions are like another logical high-level grouping. For example, you can create a subscription for each environment you work with in the same tenant.
as an example, exampledomain.com tenant can have Development, QA, and Production subscriptions. Those will be billed separately according to the plans you take in
Below are succinct descriptions of key terms and the relationship between them.
They are all sourced from official Microsoft documentation.
Account
Tenant
Identity
Subscription
Resource
Resource Group
Account
To create and use Azure services, you first need to sign up [for an
Azure account].
Source:
Learning Path: Manage identity and access in Azure Active Directory
Module: Create an Azure account
Exercise: Create an Azure account
Tenant
An Azure tenant is a single dedicated and trusted instance of Azure
AD. Each tenant (also called a directory) represents a single
organization. When your organization signs up for a Microsoft cloud
service subscription, a new tenant is automatically created. Because
each tenant is a dedicated and trusted instance of Azure AD, you can
create multiple tenants or instances.
Identity
An identity is an object that can be authenticated. The identity can
be a user with a username and password. Identities can also be
applications or other servers that require authentication by using
secret keys or certificates. Azure AD is the underlying product that
provides the identity service.
Source:
Learning Path: AZ-104: Manage identities and governance in Azure
Module: Configure Azure Active Directory
Exercise: Describe Azure Active Directory concepts
Subscription
To create and use Azure services, you need an Azure
subscription...you're free to create additional subscriptions. For
example, your company might use a single Azure account for your
business and separate subscriptions for development, marketing, and
sales departments. After you've created an Azure subscription, you can start
creating Azure resources within each subscription.
Source:
Learning Path: Azure Fundamentals: Describe Azure architecture and services
Module: Get started with Azure accounts
In Azure, subscriptions are a unit of management, billing, and scale.
Similar to how resource groups are a way to logically organize
resources, subscriptions allow you to logically organize your resource
groups and facilitate billing...An account can have multiple
subscriptions, but it’s only required to have one. In a
multi-subscription account, you can use the subscriptions to configure
different billing models and apply different access-management
policies. You can use Azure subscriptions to define boundaries around
Azure products, services, and resources.
Source:
Learning Path: Azure Fundamentals: Describe Azure architecture and services
Module: Describe Azure management infrastructure
Resource
A resource is the basic building block of Azure. Anything you create,
provision, deploy, etc. is a resource. Virtual Machines (VMs), virtual
networks, databases, cognitive services, etc. are all considered
resources within Azure.
Resource Group
Resource groups are simply groupings of resources. When you create a
resource, you’re required to place it into a resource group. While a
resource group can contain many resources, a single resource can only
be in one resource group at a time. Some resources may be moved
between resource groups, but when you move a resource to a new group,
it will no longer be associated with the former group. Additionally,
resource groups can't be nested, meaning you can’t put resource group
B inside of resource group A.
Resource groups provide a convenient way to group resources together.
When you apply an action to a resource group, that action will apply
to all the resources within the resource group. If you delete a
resource group, all the resources will be deleted. If you grant or
deny access to a resource group, you’ve granted or denied access to
all the resources within the resource group.
When you’re provisioning resources, it’s good to think about the
resource group structure that best suits your needs.
For example, if you’re setting up a temporary dev environment,
grouping all the resources together means you can deprovision all of
the associated resources at once by deleting the resource group. If
you’re provisioning compute resources that will need three different
access schemas, it may be best to group resources based on the access
schema, and then assign access at the resource group level.
There aren’t hard rules about how you use resource groups, so consider
how to set up your resource groups to maximize their usefulness for
you.
Source:
Learning Path: Azure Fundamentals: Describe Azure architecture and services
Module: Describe Azure management infrastructure
Simply put, an instance of Azure AD is what an organization receives when the organization creates a relationship with Microsoft such as signing up for Azure, Microsoft Intune, or Microsoft 365.
A tenant is similar to a forest in an on-premise environment.
An Active Directory forest (AD forest) is the topmost logical container in an Active Directory configuration that contains domains, users, computers, and group policies
Think of a tenant as a user/domain entity that is registered in Azure. Tenants are Azure 'customer' - a unique entity that will be registered in Azure directories.
Subscription is an operational level of grouping resources. Tenants have subscriptions.
Tenant is quite a useful approach, which, in my opinion, is missing in AWS.
I added for testing purposes Access to Azure Active Directory in Windows Azure. Now I realize there is no button to cancel the subscription:
As discussed here "the underlying directory for Office 365 is Azure Active Directory (AAD). This means that if you have an Office 365 account, you already have a directory -or "tenant"- in AAD."
1) Does this mean that this particular subscription has always been there - just not visible?
2) Can you cancel it?
3) According to the pricing list adding objects is free (Free up to 500,000 objects), Application Enhancements (Preview) and Access Control. At which point would I be billed? (I know Azure generally bills for usage, the question is what counts as the usage in this particular situation)
1) The Azure AD was created when you signed up for Office365. This Azure subscription however was created when you signed up for Azure. Azure subscription is required to manage the many aspects of Azure AD that aren't available in the O365 portal.
2) you can create a support ticket (type billing) to have the subscription cancelled. If it's a free trial subscription it will automatically get cancelled. If it's a pay-as-you-go - it won't cost you anything until you use paid services. Which takes us to your last question ...
3) general Azure AD usage is free. If you need paid services of Azure AD like multi-factor auth for users, application access, self-service password reset you will need to but Azure AD licenses. As a thumb rule - if you haven't turned on multi-factor auth for users and you haven't bought AAD basic or AAD premium licenses - you won't spend any money on Azure AD. The object limit is a cap.
Hope that helps