Azure subscription with a new Active Directory - azure

I actually have a subscription linked to my company Azure Active Directory, but for security reasons, we are unable to use the AAD from the company.
So, the IT department told us that we can create our own Azure AD within the subscription, but when I created the new tenant and tried to link it with the subscription, it was not possible for the CSP kind of subscription.
Do you know how to create an AAD within a specific subscription, or if it's not possible?
Regards.

It's not possible with the CSP subscription, but this link should help you a little further on your journey - https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory

Azure Lighthouse onboarding customers not in customers list

Days ago I onboarded a customer using a Service Principal with an ARM template in our blob storage, then the client went to this URL:
https://portal.azure.com/#create/Microsoft.Template/uri/{Blob Url}, accepted us as their resource manager, and we could make connections and go to resources, but via PowerShell; why doesn't it show up for us in our Azure Lighthouse Customers page?
I can work with the resources, make deployments, and such, but it doesn't show in the list. I want to know if it is because we need to be gold competency or an expert MSP, because we don't want to make a public offer in the market; we just want to manage certain customers.
It should be displayed there. No special conditions are required such as the ones you've mentioned. Are you definitely signed in to your own partner/MSP tenant with an account that has delegated access to the customers? Does anything show up under delegations within the Azure Lighthouse section?
If you have access to the customer tenant, does your company show up under Service Providers within Azure Lighthouse on the Azure portal?
Case closed: the Service Principal itself doesn't have the privileges on the service provider's tenant to make your user a reader. So the solution for this was:
Remove the offer in the customer tenant.
Add a new authorization in the ARM template for a user/group with the "Reader" built-in role id. (In our case, we decided to use an AD group because people in the organization are temporary.)
Upload the new ARM template and re-onboard the client.
After a couple of hours, the client's subscription showed in the subscription list in the section Directories + subscriptions; I checked it and saw all the resources from the service provider's tenant.
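For reference, this is a subscription-scope Lighthouse ARM template of the shape the answer above describes, with both the onboarding service principal and an AD group in the authorizations array; it is an added, constructed example and not the template from the question, and the parameter names, the offer name and the Contributor role for the service principal are assumptions (the two role definition IDs are Azure's built-in Reader and Contributor).

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mspOfferName": { "type": "string", "defaultValue": "Example MSP delegated access (constructed)" },
    "managedByTenantId": { "type": "string", "metadata": { "description": "Tenant ID of the service provider (MSP); assumed parameter" } },
    "spnObjectId": { "type": "string", "metadata": { "description": "Object ID of the onboarding service principal in the MSP tenant; assumed parameter" } },
    "engineersGroupObjectId": { "type": "string", "metadata": { "description": "Object ID of the MSP AD group whose members must see the customer in Lighthouse; assumed parameter" } }
  },
  "variables": {
    "mspRegistrationName": "[guid(parameters('mspOfferName'))]",
    "mspAssignmentName": "[guid(parameters('mspOfferName'))]",
    "contributorRoleId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "readerRoleId": "acdd72a7-3385-48ef-bd42-f606fba81ae7"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedServices/registrationDefinitions",
      "apiVersion": "2019-09-01",
      "name": "[variables('mspRegistrationName')]",
      "properties": {
        "registrationDefinitionName": "[parameters('mspOfferName')]",
        "description": "Delegated access for the MSP (constructed example)",
        "managedByTenantId": "[parameters('managedByTenantId')]",
        "authorizations": [
          {
            "principalId": "[parameters('spnObjectId')]",
            "principalIdDisplayName": "Onboarding service principal (automation only)",
            "roleDefinitionId": "[variables('contributorRoleId')]"
          },
          {
            "principalId": "[parameters('engineersGroupObjectId')]",
            "principalIdDisplayName": "MSP engineers group (read-only visibility)",
            "roleDefinitionId": "[variables('readerRoleId')]"
          }
        ]
      }
    },
    {
      "type": "Microsoft.ManagedServices/registrationAssignments",
      "apiVersion": "2019-09-01",
      "name": "[variables('mspAssignmentName')]",
      "dependsOn": [ "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('mspRegistrationName'))]" ],
      "properties": {
        "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('mspRegistrationName'))]"
      }
    }
  ]
}
```

The group receives only Reader, so its members can see the delegated subscription under Azure Lighthouse without being able to change the customer's resources; anything that needs write access stays with the service principal.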
I found a solution for this issue.
The Azure Lighthouse -> My customers list on the Azure portal only shows subscriptions activated in the global directories and subscriptions filter.
Please go to the global directories and subscriptions filter (in the portal top navigation), open the drop-downs for directories and for subscriptions, and check if your customer subscription appears there.
If yes, select all entries in both drop-downs.
After that, go back to Azure Lighthouse -> My customers and check if the customer subscription appears now.

Azure subscription tied to a directory?

I have an MSDN subscription from my work account; when I log in, I can see there is already an Azure Active Directory associated (which is the company's one, to which I have read-only access). I need to provision another AAD directory for development purposes; however, when I 'switch' the directory I can see it has no Azure subscription, which I need for the credit.
Question: how do I change this behavior? I am thinking either a) change the default directory for my MSDN subscription or b) transfer the subscription over to the new directory?
Please help!
Based on the current implementation, an Azure Subscription only trusts users from a single Azure AD.
From How Azure subscriptions are associated with Azure Active Directory:
Every Azure subscription has a trust relationship with an Azure AD instance. This means that it trusts that directory to authenticate users, services, and devices. Multiple subscriptions can trust the same directory, but a subscription trusts only one directory. You can see which directory is trusted by your subscription under the Settings tab. You can edit the subscription settings to change which directory it trusts.
To answer your questions specifically, please see this link on how you can change the trust relationship between an Azure AD and an Azure Subscription.

how to create an ad-b2c tenant under existing subscription

I am trying out ad-b2c and boy even the first step is turning out to be extremely frustrating. Anyway here's my problem:
I have an existing subscription with a default directory which has its own mydefaultdirectory.onmicrosoft.com domain
According to instructions here: I should be able to create an ad-b2c tenant, and then go into the portal B2C features blade.
I created the tenant, which included me creating a custom ad-b2c directory. I had to choose another domain such as myadb2ctest.onmicrosoft.com.
I go to the portal under b2c blade, but now I have no subscription. This is because now I am logged in to the myadb2ctest directory rather than mydefaultdirectory which has my subscription.
I DO NOT want to create a new subscription. I just want this directory associated with my already existing subscription so I can try this thing out.
An Azure AD (and B2C) is a higher level object than a subscription in the portal user interface. That's why you lose your subscription view when selecting B2C.
Internally this will be linked to your subscription, otherwise Microsoft couldn't send you a bill. If you go to the B2C dashboard, there is text containing the linked subscription:
Subscription status
If there is no subscription linked, there is a warning in the B2C Dashboard:
No Subscription linked to this B2C tenant or the Subscription needs your attention.
And then you will need to take these actions:
This B2C tenant must be linked to an active Azure subscription for communication, support and billing.
If your Subscription status is No Subscription, please link this B2C tenant to an Azure subscription:
Switch Directories to the location of your target Azure subscription
Under Marketplace, search for and select 'B2C'
Select Create to link this B2C Tenant to a subscription
Unfortunately today B2C features cannot be turned on in an existing tenant.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-faqs
Please make your B2C directory a default directory for an Azure Subscription. You could think of a B2C directory as a normal AAD during this process.
This process of switching the default directory can only be done through Azure Classic Portal using Service Admin (live account ONLY) for the subscription.
You could refer to this article for further steps:
https://ballance.in/default-directory-of-an-azure-subscription/

Change my Azure subscription Tenant ID

The following article describes how to move resources between Azure subscriptions.
https://azure.microsoft.com/en-us/documentation/articles/resource-group-move-resources/
However it says that both subscriptions must exist within the same tenant. Apparently that is not the case with my 2 Azure accounts and I didn't know until now that behind the scenes I have a Tenant ID linked to these accounts.
I'm now wondering how to get some of my accounts that I'm using for my company to be linked to a common Tenant ID.
Any ideas?
Updated answer for the new portal (early 2018).
Follow this link: How to associate or add an Azure subscription to Azure Active Directory to associate your subscription with the new tenant (directory).
Once you've done it, you can transfer between subscriptions.
Tenant here refers to the Azure Active Directory (AAD) associated with your Azure subscription.
The steps to change the associated AAD for an Azure subscription are described here.
The service admin of the Azure subscription, who is already a member of the current associated AAD, should also be member in AAD you want to associate.
Typically, the existing AAD belongs to a Microsoft account. This account needs to be added to the target AAD.

Need help setting up B2B Authentication in Azure AD

I've set up Azure AD authentication on an existing web app and that works ok.
I then want to add "Users in partner companies" via CSV upload. But the account I use to administer Azure is my company account, so the option is not available.
So I then created an APPNAME.onmicrosoft.com account.
But when I log in to the portal with that, it's not linked to any subscriptions so obviously it can't add any users to the AD.
And I can't add the user to the subscription as they are not recognised.
I appreciate I'm probably missing/misunderstanding something fundamental but can anyone explain what I need to do to be able to enable B2B collaboration?
If you look at your list of subscriptions, is APPNAME.onmicrosoft.com the default directory for any subscription? You currently can't do B2B invites unless it is the default directory for some Azure subscription and unless you pick APPNAME.onmicrosoft.com from the drop-down in the top right of the portal. We have had to create a new empty Azure subscription with APPNAME.onmicrosoft.com as the default directory and make the B2B a subscription admin.
Now, in order to switch the default directory of the subscription, my recollection is that you have to be logged in with a Microsoft account (LiveID) rather than an organizational account.
