What do you mean by Microsoft Account, Tenant, Subscription? - azure

I started learning Microsoft Azure but I'm stuck.
Can anyone tell me what is the difference between Microsoft account vs tenant vs Subscription in detail?

When you say "Microsoft account", this usually refers to personal Microsoft accounts (outlook.com/live.com/hotmail.com).
But it could also refer to organizational Azure Active Directory accounts.
They are both kinds of user accounts, both types can exist as members in an Azure Active Directory "tenant".
This tenant is basically an instance of Azure AD for your users, in your control.
When you log in to Azure, you are logging in to Azure AD.
An Azure subscription is where you deploy your services, create resources like databases etc.
A subscription is always linked to an Azure AD tenant.
The users in this linked tenant can be given roles in the subscription to access/modify resources.
If anyone wants access to the subscription, they need to be added to the Azure AD tenant first.
This can be done by creating them an account there, or by inviting them by their email as a "guest".

Microsoft account: the one used to log in
tenant: your Azure Active Directory (usually the default is [account].onmicrosoft.com)
subscription: your Microsoft Azure subscription, the one used to create services/deploy your applications

Related

How can I link a Microsoft 365 Developer Sandbox to an Azure Student account so that they share a tenancy?

I'm trying to follow this tutorial on developing with Microsoft's Graph Data Connect. The tutorial states:
The Azure subscription must be in the same tenant as the Microsoft 365 tenant. Microsoft Graph Data Connect will only export data to an Azure subscription in the same tenant, not across tenants.
Your Microsoft 365 and Azure tenants must be in the same Azure Active Directory (Azure AD) tenancy.
I already have an Azure account with an Azure for Students subscription. I signed up to the Microsoft 365 Developer Program and created a new sandbox. This creates a totally new tenant with a corresponding admin@[MYTENANT].onmicrosoft.com account.
The 365 sandbox has an Azure Directory, but no subscription or ability to create new services. The admin account cannot be used to sign up for a new free subscription, attempting to create an Azure free account results in a "Your current account type is not supported" message.
Is there a way to link these two accounts together so I can create an app in Azure that uses Graph Data Connect to access the dummy data in the 365 Sandbox?
You might be able to change your Azure subscription to a new directory. (It might be blocked by policy, however.)
You'll need a user who exists in both directories, and who is an owner on the subscription. In the portal, click the "Change Directory" button on the ribbon and follow the prompts. Note, the directory change will delete all RBAC role assignments and possibly some other configurations, but if this is a learning subscription there's probably not a lot that can't be recreated.
https://learn.microsoft.com/en-us/azure/devtest/offer/how-to-change-directory-tenants-visual-studio-azure

What Is The Difference Between An Azure Tenant, Azure Directory and Azure Active Directory?

Following on from this question, I don't understand what the difference is between an Azure Tenant, Azure Directory and Azure Active Directory.
When I log in to Azure and click my profile it lets me Switch Directory.
In my case I can switch to my company directory and also to the directory of another company where I have guest credits.
Does Directory in this context mean the same as Azure Active Directory?
The documentation says a tenant is:
Azure tenant: A dedicated and trusted instance of Azure AD that's
automatically created when your organization signs up for a Microsoft
cloud service subscription, such as Microsoft Azure, Microsoft Intune,
or Office 365. An Azure tenant represents a single organization.
So is Tenant the same as Directory in this case as well?
Yes, in this case the tenant is the same as an Azure AD. In the Azure portal you are changing Azure Active Directories when you use the Switch Directory feature. You can currently only be in the context of a single directory at a time; however, as the previous question you pointed to indicates, multiple subscriptions can be tied to a tenant/directory. So when you are in the context of a directory you'll see all the subscriptions under that tenant to which you have access to one or more resources based on security.
To be fair, I use Azure AD Tenant/Azure AD Directory interchangeably. The Portal UI calls them directories; however, the properties on resources, REST APIs, CLI commands, etc. all refer to it as a tenant.
Directory == Tenant.
When you utilize Azure services, the TenantId will be requested. The TenantId is none other than the DirectoryId, which can be found in the Properties tab within Azure Active Directory.
Furthermore, as answered in the link you provided:
"Subscriptions are tied to tenants. so 1 tenant can have many subscriptions, but not vice versa."
Azure Active Directory is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources.
Tenant is a digital representation of the organization.
Azure Active Directory creates directory objects in the form of a tenant name. Azure Active Directory and tenants are interrelated.
In total, the Azure AD Tenant provides identity and access management (IAM) capabilities to applications and resources. 
Link : https://learn.microsoft.com/en-us/microsoft-365/education/deploy/intro-azure-active-directory#what-is-an-azure-ad-tenant

Linked existing b2c tenant to my azure subscription but not able to create resource?

Getting error You are currently signed into the 'Azure AD B2C tenant' directory which does not have any subscriptions. when I try to create a resource in Azure AD B2C.
Please help, I am new to Azure.
Switch back to the directory where you have your subscription and create the resources there.
Don't take my answer as definitive, since I'm still a newbie, but at this point my understanding is this: B2C needs a new tenant because of the way it is designed (it isn't just an add-on for AD) and you link it to your subscription for billing purposes. But that's it. You don't need to create the resources for your app there, although I guess you could do it if you get a new subscription or transfer another one.
I already created a mobile app in my default tenant and successfully used the linked B2C tenant for authentication and I guess you've done that already. But since this was one of the few results that I got when I googled the message you quoted, I think it's worth sharing.
Have you done this?
The Azure subscription has a trust relationship with Azure Active
Directory (Azure AD), which means that the subscription trusts Azure
AD to authenticate users, services, and devices. Multiple
subscriptions can trust the same Azure AD directory, but each
subscription can only trust a single directory.
Following link might help (check To associate an existing subscription to your Azure AD directory)
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
Azure AD B2C needs a Microsoft Azure Subscription for billing purposes. You're going to need 3 things to make that message go away:
Azure AD Tenant
MS Azure Subscription
Associate your Azure AD B2C tenant to the MS Azure Subscription
It's a bit strange as Azure AD B2C tenants feel very similar to Azure AD (and run on a lot of the same infrastructure behind the scenes) ... but from a billing standpoint, they are almost treated like MS Azure resources (e.g. VM, App Service, etc.)
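Added example, not part of any post above: a Python sketch of why the "directory ... does not have any subscriptions" message appears, given that a sign-in token carries the issuing tenant in its `tid` claim and each subscription trusts exactly one tenant. All GUIDs, the unsigned sample token and the function names are constructed for illustration; the subscription records use only the `id`, `name` and `tenantId` fields that `az account list` returns.

```python
import base64
import json
from collections import defaultdict

# Constructed tenant (directory) IDs: not real values.
MAIN_TENANT = "aaaaaaaa-0000-0000-0000-000000000001"
B2C_TENANT = "bbbbbbbb-0000-0000-0000-000000000002"

# Constructed records shaped like entries of `az account list --output json`.
SUBSCRIPTIONS = [
    {"id": "11111111-0000-0000-0000-000000000001", "name": "Dev", "tenantId": MAIN_TENANT},
    {"id": "22222222-0000-0000-0000-000000000002", "name": "Prod", "tenantId": MAIN_TENANT},
]


def make_sample_token(tid: str) -> str:
    """Build an unsigned, JWT-shaped sample string (constructed input only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'tid': tid})}."


def tenant_of_token(token: str) -> str:
    """Read the `tid` claim. Inspection only: this does not validate the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))["tid"]


def subscriptions_by_tenant(subs):
    """One tenant can have many subscriptions; each subscription has one tenantId."""
    grouped = defaultdict(list)
    for sub in subs:
        grouped[sub["tenantId"]].append(sub["name"])
    return dict(grouped)


def visible_subscriptions(token: str, subs):
    """Subscriptions that trust the directory the token was issued by."""
    return subscriptions_by_tenant(subs).get(tenant_of_token(token), [])


def subscriptions_outside(subs, expected_tenants):
    """Audit check: subscriptions linked to a directory not on the allow-list."""
    return [s["name"] for s in subs if s["tenantId"] not in expected_tenants]
```

A token issued by the B2C tenant yields an empty list from `visible_subscriptions`, which is the condition behind the portal message; switching to the main directory yields both subscriptions.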

Can you use an Azure AD identity to log into the Azure Portal?

I've created some Microsoft Live accounts for managing my Azure subscriptions (I've got five). I can log in using, for example, joe@mycompany.com and manage my web services using the public portal. I think I've got the hang of Azure Active Directory and the Domain Services that go along with it. So now I'm wondering, can I associate my domain ('mycompany.com') with an Azure Active Directory in my corporate portal, add my user 'joe' to it, and use 'joe@mycompany.com' to sign into the portal?  That is, will the Azure Portals use Azure Active Directory for logins?
The Azure Portal allows users to sign in with both Azure AD Accounts AND Microsoft accounts (aka MSAs, LiveIDs, @outlook.com).
If you associate your domain with an Azure AD tenant, you'll be able to log in to the Azure portal with your Azure AD account.
It is important to note that if you have a joe@mycompany.com Microsoft account and a joe@mycompany.com Azure AD account (which you get by adding the mycompany.com domain to an Azure AD tenant and then creating joe@mycompany.com in that tenant), you effectively have two DIFFERENT ACCOUNTS. When you type in joe@mycompany.com, you'll see a prompt like this one:
You'll have to make sure you pick the right one since your existing Azure subscriptions will be associated with your MSA and any new ones you create with your Azure AD account will, by default, not be accessible to your MSA.
Your best bet is to set up an Azure AD tenant, migrate your Azure subscriptions from your MSA to your Azure AD tenant by transferring ownership of the subscription and ensure all new subscriptions are created with Azure AD accounts (and not MSAs). At that point, you can always pick Organizational account and not have to worry about which Azure subscription is linked to which account.
Other relevant info:
Comprehensive explanation of MSAs, Azure AD and Azure Subscriptions
Creating an Azure subscription using an Azure AD tenant

Azure AD Tenant = Organizational Account?

I'm reading through various articles on how a headless app can authenticate with Azure. I'm a little confused with the terminologies. In this sample code, it says it needs an Azure AD Tenant account.
My understanding is an Azure account can be a Microsoft account or an Organizational account. Is Azure AD Tenant either of the two or is it just an Organizational account? Can someone show me where this is clarified in the documentation?
From the definition here: https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx (See section What is an Azure Tenant):
With the identity platform provided by Microsoft Azure, a tenant is
simply a dedicated instance of Azure Active Directory (Azure AD) that
your organization receives and owns when it signs up for a Microsoft
cloud service such as Azure or Office 365.
An Azure AD will have one or more users. These users could be native to that Azure AD, sourced from other Azure ADs (or even local AD) or could be Microsoft Accounts. AFAIK, as of today if a user account is not a Microsoft Account that means it is an organization account.
An Azure tenant can be either of the two... an organizational account (often based on Office 365) or one based off a Microsoft Account (which is really just a user in a directory you don't control).
I'm a big fan of the "start from scratch" method - where you create a tenant not tied to Office 365 - https://azure.microsoft.com/en-us/documentation/articles/active-directory-howto-tenant/
