Azure data gateway account permissions - azure

When installing an Azure data gateway, the installer requires an email address of an organizational account, which it then uses to sign in to Azure.
For testing, I have been using my own account, but for a live system, should a dedicated "service" account be created for the data gateway?

During gateway installation, you sign in with your Azure account, which links your gateway installation to your Azure account and only that account. Later, in the Azure portal, you must use the same Azure account and Azure AD tenant when you create an Azure gateway resource that registers and claims your gateway installation. In Azure Logic Apps, on-premises triggers and actions then use the gateway resource for connecting to on-premises data sources.
You need to sign in with either a work account or school account, also known as an organization account, which looks like username@contoso.com. You can't use Azure B2B (guest) accounts or personal Microsoft accounts, such as @hotmail.com or @outlook.com.
For more details, you could refer to this article.

Related

Can I log into Azure Portal using Service Account Certificate?

Stuff in Azure are secured with Service Accounts. In order for me to see stuff I need to download the Service Account certificate and then log in via the Azure CLI using the extracted certificate and the Service Account Application Id. So now I can see everything the Service Account can see, great. But it is a pain in the neck and slow. So my question: Can I use the same certificate and credentials to log into the Azure Portal website so I can browse around using the web browser instead?
Using a Service Principal for interactive logins to the Azure Portal is not possible - which is by design. In order to be able to see the same resources as the Service Principal through the Azure Portal, you would require a user account that holds the Azure RBAC Reader role against those resources that are in scope of the Service Principal role assignments.
As you mentioned performance being an issue with using the Service Principal login, you could try Azure Resource Graph queries. These are supported by Azure CLI, Azure PowerShell as well as all the major Azure SDKs. Obviously, this won't bring you the visual experience of the Azure Portal, but it might resolve the performance piece.
However, requesting/creating a user account that has the corresponding RBAC roles assigned would be the only way to allow you to see the resources through the Azure Portal.
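The answer's two suggestions (a user with Reader scoped to the same resources as the Service Principal, and Resource Graph instead of crawling subscriptions) can be scripted. This is an added Azure PowerShell example, not code from the original answer; it assumes the Az.Accounts, Az.Resources and Az.ResourceGraph modules, an existing `Connect-AzAccount` session with rights to read and create role assignments, and the placeholder values `$spAppId` and `$userUpn`.

```powershell
# Hypothetical placeholders: replace with the real application (client) id and user UPN.
$spAppId = '00000000-0000-0000-0000-000000000000'
$userUpn = 'reader.user@contoso.com'

# 1. Enumerate the scopes on which the service principal holds role assignments.
#    Assumes the current subscription context covers those assignments.
$sp = Get-AzADServicePrincipal -ApplicationId $spAppId
$spAssignments = Get-AzRoleAssignment -ObjectId $sp.Id
$scopes = $spAssignments.Scope | Sort-Object -Unique

# 2. Grant the user Reader only (not the SP's possibly broader role) on exactly those scopes,
#    skipping scopes where an identical assignment already exists.
$user = Get-AzADUser -UserPrincipalName $userUpn
foreach ($scope in $scopes) {
    $existing = Get-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName 'Reader' -Scope $scope |
        Where-Object { $_.Scope -eq $scope }
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName 'Reader' -Scope $scope | Out-Null
        Write-Output "Granted Reader to $userUpn on $scope"
    }
}

# 3. Resource Graph: one query across all subscriptions the SP can reach, instead of
#    enumerating resource by resource with the CLI (the slow path the question describes).
#    Management-group or root scopes are skipped here; only subscription-level scopes are parsed.
$subIds = $scopes |
    Where-Object { $_ -like '/subscriptions/*' } |
    ForEach-Object { ($_ -split '/')[2] } |
    Sort-Object -Unique
$query = 'Resources | project name, type, resourceGroup, subscriptionId | order by type asc'
Search-AzGraph -Query $query -Subscription $subIds -First 100
```

Review the emitted "Granted Reader" lines before relying on the new user: each one is a new, persistent RBAC assignment that should be tracked like any other access grant.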

How to configure one Azure ADDS for all inherit Azure accounts under the same subscription?

We have a Visual Studio Enterprise Subscription – MPN subscription. Therefore, we can create several Azure accounts under the same subscription in the same tenant. So, basically we have one root Azure account and several Azure accounts which are inherited from the root Azure account. In my environment, I have configured Azure ADDS under my root Azure account. I have several VMs in another Azure account under the same subscription as I described above. My requirement is to connect those Azure VMs to the Azure ADDS in the root Azure account. Is there any way to do it? I know how to do it when Azure ADDS and the Azure VMs are in the same account.
As you are aware, Azure Active Directory Domain Services integrates with your existing Azure AD tenant. This integration lets users sign in to services and applications connected to the managed domain using their existing credentials. Joining a VM hosted in another tenant is not applicable. You have mentioned a different Azure account; if it is a different tenant then there is no possibility at this time.

How to register Azure Onpremise Data Gateway in a specific subscription

When Installing Azure Data Gateway, I need to sign-in with an account to register the Azure Data Gateway within the Azure Subscription. Normally, this works great. But now I have access to multiple subscriptions (multiple customers). When I sign in, I cannot choose a specific tenant/subscription. It always registers the gateway in my own tenant.
Any ideas on how to get this done?
I've tried:
Deleting Chrome sign-in information
Deleting accounts in Credential Manager
First logging in with az login + az set-subscription
More information about the Azure Onpremise Data Gateway
https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-gateway-install#install-data-gateway
It's written in the prerequisites that your account must belong to a single AD or directory.
From a long-term perspective, I would suggest asking your client to create a service account and registering the data gateway with that service account.

Azure Active Directory tenant for a stand-alone Azure Installation with Domain Services

We have an infrastructure for one customer in Azure which requires many configurations like MFA with VPN and Remote Desktop (this one is the reason why I'm confused with Azure AD).
The installation should be only in Azure, which means there is no local AD which could be synced to it.
I've created a separate Azure Directory for them and configured an AD DS inside it so I can join the Azure VMs to it.
My problem here is I was asked to configure MFA for remote desktop users along with the VPN connection. The requirement for the MFA is that I should install a local NPS with the MFA Extension and the local AD users should be synced with Azure AD. In my case it's not possible to do this since there is no local network for this customer.
This problem, as I understood it, is because we don't have permissions to administrate the Azure AD DS Active Directory and so we can't register the NPS with MFA Extension with it. Here are some links related to this topic:
Request to Support NPS/RADIUS for Azure AD Domain Services
Integrate Remote Desktop Gateway with Azure MFA
Integrate VPN with Azure MFA
My question here is:
1) Is the separate Azure AD for this tenant a good idea? Is it not better to just create an Azure AD Domain Services inside our company Azure AD and sync the required groups to it? What is the best practice for this situation?
2) In order to use Azure MFA here, what should I do? Is there any other option in Azure to implement such a scenario?
I will be glad for any help or explanation.

Can you use an Azure AD identity to log into the Azure Portal?

I've created some Microsoft Live accounts for managing my Azure subscriptions (I've got five). I can log in using, for example, joe@mycompany.com and manage my web services using the public portal. I think I've got the hang of Azure Active Directory and the Domain Services that go along with it. So now I'm wondering, can I associate my domain ('mycompany.com') with an Azure Active Directory in my corporate portal, add my user 'joe' to it, and use 'joe@mycompany.com' to sign into the portal? That is, will the Azure Portals use Azure Active Directory for logins?
The Azure Portal allows users to sign in with both Azure AD Accounts AND Microsoft accounts (aka MSAs, LiveIDs, @outlook.com).
If you associate your domain with an Azure AD tenant, you'll be able to log in to the Azure portal with your Azure AD account.
It is important to note that if you have a joe@mycompany.com Microsoft account and a joe@mycompany.com Azure AD account (which you get by adding the mycompany.com domain to an Azure AD tenant and then creating joe@mycompany.com in that tenant), you effectively have two DIFFERENT ACCOUNTS. When you type in joe@mycompany.com, you'll see a prompt like this one:
You'll have to make sure you pick the right one, since your existing Azure subscriptions will be associated with your MSA and any new ones you create with your Azure AD account will, by default, not be accessible to your MSA.
Your best bet is to set up an Azure AD tenant, migrate your Azure subscriptions from your MSA to your Azure AD tenant by transferring ownership of the subscription, and ensure all new subscriptions are created with Azure AD accounts (and not MSAs). At that point, you can always pick Organizational account and not have to worry about which Azure subscription is linked to which account.
Other relevant info:
Comprehensive explanation of MSAs, Azure AD and Azure Subscriptions
Creating an Azure subscription using an Azure AD tenant