I am failing to understand the difference and use of Azure Active Directory and Tenant. Subscriptions are services running under a tenant. But I can't understand the relationship between multi-tenant subscriptions or how directories are related to tenants Please help.
A tenant is a dedicated instance of an Azure AD directory that your organization receives when it signs up for a Microsoft cloud service such as Azure or Office 365. https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis
Each Azure tenant has a dedicated and trusted Azure AD directory. The Azure AD directory includes the tenant's users, groups, and apps and is used to perform identity and access management functions for tenant resources.
Related
We are running Azure AD B2C to authenticate users in our application. We also managed to codify almost everything with Terraform and are pretty happy with it. Now we are attempting to move these manifests under Azure Devops Pipelines and are stuck with access problems.
Azure Pipelines use a dedicated service principal in the main (non B2C) Active Directory to perform its operations. We granted this SP enough permissions within the target subscription to handle Terraform resources. But I cannot find any way to grant this SP any permissions on the B2C directory. I can invite users from the primary directory to the B2C, and it works fine, but SP is an application, not a user.
Is there any way to "invite" an application from the primary directory into the B2C directory?
Is there any way to "invite" an application from the primary directory
into the B2C directory?
If your app registration support account types is Accounts in any organizational directory (Any Azure AD directory - Multitenant), you would be able to add the same service principal in your Azure AD B2C Tenant
As you want to use the service principal in Azure Pipelines to handle Terraform resources, it is suggested to use separate service principals for Azure AD and Azure AD B2C as Authentication will be different for the service principal with multi-tenant account support type
I want to deploy an application on Azure. I want users to be able to authenticate in my app without a Microsoft account. This guided me to use the AAD-B2C service. I followed the tutorial shown here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant expecting that this will create a new AAD-B2C Directory in my existing Directory and tenant. I had in my mind something like the following tree:
Subscription: Pay-As-You-Go
Directory: Default
Resource Group: Default-EU
Tenants: Default, Application
User Pools: Default(Internal Users), Application(External Users)
I'm not sure I understand how this works and I'm very confused. Is it possible to use external sign-ins from users that don't have a Microsoft account without creating 2 tenants and 2 directories under my subscription?
When you create a B2C tenant, there are two completely different entities that get created - B2C Tenant Resource and B2C Tenant/Directory itself.
The B2C Tenant Resource gets created in the subscription linked to your standard Azure AD tenant (Default Directory e.g., contosocorp.onmicrosoft.com) you used to create the B2C tenant from. This resource is primarily used to change your Azure AD B2C tenant's pricing tier.
A separate tenant for your B2C directory gets created (e.g. contosob2c.onmicrosoft.com). This is an independent tenant/directory than your Default Directory and is not stored in the default tenant.
The way subscription is linked to standard Azure AD tenant is different than the B2C tenant. A subscription in B2C is required for Support, Billing, Custom Policies, and using the Identity Experience Framework. You cannot create resources for Static Web App or Function App, or Cosmos DB in the B2C tenant and you will have to use your Default Directory for this purpose.
Azure AD B2C is different from Azure AD. So, when you create Azure AD B2C, it creates another tenant
You need to create Azure AD B2C Tenant in the same subscription in which your application is deployed
Create an App Registration in your Azure AD B2C Tenant
Go to your web application and select Authentication. You can add your app registration details in the identity provider
Reference: Azure App Service Authentication (Ez Auth) with Azure AD B2C - DEV Community
I started learning Microsoft Azure but I'm stuck
Can anyone tell me what is the difference between Microsoft account vs tenant vs Subscription in detail?
When you say "Microsoft account", this usually refers to personal Microsoft accounts (outlook.com/live.com/hotmail.com).
But it could also refer to organizational Azure Active Directory accounts.
They are both kinds of user accounts, both types can exist as members in an Azure Active Directory "tenant".
This tenant is basically an instance of Azure AD for your users, in your control.
When you log in to Azure, you are logging in to Azure AD.
An Azure subscription is where you deploy your services, create resources like databases etc.
A subscription is always linked to an Azure AD tenant.
The users in this linked tenant can be given roles in the subscription to access/modify resources.
If anyone wants access to the subscription, they need to be added to the Azure AD tenant first.
This can be done by creating them an account there, or by inviting them by their email as a "guest".
microsoft account: the one used to log in
tenant: your azure active directory (usually the default is [account].onmicrosoft.com
subscription: your microsoft azure subscription, the one used to create services/ deploy your applications
Following on from this question, I don't understand what the difference between an Azure Tenant, Azure Directory and Azure Active Directory.
When I log in to Azure and click my profile it lets me Switch Directory.
In my case I can switch to my company directory and also to the directory of another company where I have guest credits.
Does Directory in this context mean the same as Azure Active Directory?
The documentation says a tenant is:
Azure tenant: A dedicated and trusted instance of Azure AD that's
automatically created when your organization signs up for a Microsoft
cloud service subscription, such as Microsoft Azure, Microsoft Intune,
or Office 365. An Azure tenant represents a single organization.
So is Tenant the same as Directory in this case as well?
Yes, in this case the tenant is the same as an Azure AD. In the Azure portal you are changing Azure Active Directories when you use the Switch Directory feature. You can currently only be in the context of a single directory at a time; however, as the previous question you pointed to indicates, multiple subscriptions can be tied to a tenant/directory. So when you are in the context of a directory you'll see all the subscriptions under that tenant to which you have access to one or more resources based on security.
To be fair, I use Azure AD Tenant/Azure AD Directory interchangeably. The Portal UI calls them directories; however, the properties on resources, REST APIs, CLI commands, etc. all refer to it as a tenant.
Directory == Tenant.
When you utilize azure services, the TenantId will be requested. The TenantId is non other than the DirectoryId which can be found in the Properties tab within Azure Active Directory.
Furthermore, as answered in the link you provided:
"Subscriptions are tied to tenants. so 1 tenant can have many subscriptions, but not vice versa."
Azure Active Directory is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources
Tenant is a digital representation of the organization.
Azure Active Directory creating a directory objects in the form of tenant name. Azure Active Directory and tenants are interrelated.
In total, the Azure AD Tenant provides identity and access management (IAM) capabilities to applications and resources.
Link : https://learn.microsoft.com/en-us/microsoft-365/education/deploy/intro-azure-active-directory#what-is-an-azure-ad-tenant
I've created some Microsoft Live accounts for managing my Azure subscriptions (I've got five). I can log in using, for example, joe#mycompany.com and manage my web services using the public portal. I think I've got the hang of Azure Active Directory and the Domain Services that go along with it. So now I'm wondering, can I associate my domain ('mycompany.com') with an Azure Active Directory in my corporate portal, add my user 'joe' to it, and use 'joe#mycompany.com' to sign into the portal? That is, will the Azure Portals use Azure Active Directory for logins?
The Azure Portal allows users to sign in with both Azure AD Accounts AND Microsoft accounts (aka MSAs, LiveIDs, #outlook.com).
If you associate your domain with an Azure AD tenant, you'll be able to log in to the Azure portal with your Azure AD account.
It is important to note that if you have a joe#mycompany.com Microsoft account and a joe#mycompany.com Azure AD account (which you get by adding the mycompany.com domain to an Azure AD tenant and then creating joe#mycompany.com that tenant), you effectively have tow DIFFERENT ACCOUNTS. When you type in joe#mycompany.com, you'll see a prompt like this one:
You'll have to make sure you pick the right one since your existing Azure subscriptions will be associated with your MSA and any new ones you create with your Azure AD account will, by default, not be accessible to your MSA.
Your best bet is to setup an Azure AD tenant, migrate your Azure subscriptions from your MSA to your Azure AD tenant by transfering ownership of the subscription and ensure all new subscriptions are created with Azure AD accounts (and not MSAs). At that point, you can always pick Organizational account and not have to worry about which which Azure subscription is linked to which account.
Other relevant info:
Comprehensive explanation of MSAs, Azure AD and Azure Subscriptions
Creating an Azure subscription using an Azure AD tenant