Connecting to an Azure Subscription in Azure China using an application created in Azure General region gives "AADSTS70001" error - azure

I have created a native application in an Azure AD in Azure General region. The application has been granted appropriate permissions (Sign in on user's behalf, execute Service Management API requests etc.). Using this application, I am able to connect to any Azure Subscription in Azure General region.
However when I try to connect to an Azure Subscription in Azure China, after successful login, I am getting the following error:
AADSTS70001: Application with identifier '01234567-890a-bcde-ffff-fcc63fc150ea' was not
found in the directory 'xxx.yyy.onmschina.cn'.
So my questions are:
Is it possible to connect to an Azure Subscription in Azure China (or for that matter to any Azure Subscription in Azure Sovereign Cloud like Germany etc.) using an application created in Azure General region?
Or do I need to create a separate application for each Azure Sovereign region in an Azure AD in that region?
If I indeed need to create a separate application (i.e. answer is yes to above question), is it possible to create an Azure AD tenant in these Sovereign regions without having an Azure Subscription there?
I believe the answer to the last question is yes considering Azure AD and Azure Subscription are two different things, yet I would very much like to get a confirmation on the same.

No, it is NOT possible to connect Azure "General" with any sovereign clouds - these are Azure US Government, Azure China, Azure Germany. All these clouds are completely separate deployments with their own Azure AD. You cannot use B2B between clouds, you cannot use your multi-tenant applications across clouds.
For that case you have to have a subscription in every cloud you would like to support, a separate application registration, and separate instructions for your users. Check for example how Azure CLI is handling this. You are always only connected to one cloud with the cloud's specific account.
In Azure Germany you can create an Azure AD tenant - just create a free trial subscription and you will also get a tenant. For China and US Gov it will be hard - they both have very strict requirements on who can create subscriptions there.
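As an added illustration (not code from the question or the answer), the following Python models the per-cloud split the answer describes: each sovereign cloud has its own login authority and ARM endpoint, and an app registered in one cloud's directory must not be used against another's. The cloud names, tenant domains and client IDs below are constructed placeholders; the endpoint hosts are the documented ones.

```python
"""Per-cloud app registrations: why a Public-cloud client_id fails in Azure China."""
from dataclasses import dataclass
from urllib.parse import urlencode

# Login authority and ARM audience differ per cloud (documented endpoint hosts).
CLOUDS = {
    "AzureCloud": ("https://login.microsoftonline.com", "https://management.azure.com/"),
    "AzureChinaCloud": ("https://login.chinacloudapi.cn", "https://management.chinacloudapi.cn/"),
    "AzureUSGovernment": ("https://login.microsoftonline.us", "https://management.usgovcloudapi.net/"),
}


@dataclass(frozen=True)
class AppRegistration:
    cloud: str      # cloud whose Azure AD holds this registration
    tenant: str     # tenant domain in that cloud (constructed in the test)
    client_id: str  # app id issued by that cloud's directory


class CloudMismatch(Exception):
    """Raised instead of letting AAD answer AADSTS70001 ('Application ... was not found')."""


def pick_registration(registry, target_cloud):
    """Select the registration that lives in the cloud the user is signing in to."""
    for reg in registry:
        if reg.cloud == target_cloud:
            return reg
    raise CloudMismatch(f"no app registration for {target_cloud}; register one there")


def token_request(reg, target_cloud, code, redirect_uri):
    """Build the v1 token endpoint URL and POST body for an authorization-code grant.

    The check up front is the point: a client_id from another cloud's directory is
    unknown here, so the request can only fail and must not be sent.
    """
    if reg.cloud != target_cloud:
        raise CloudMismatch(
            f"app {reg.client_id} is registered in {reg.cloud}; "
            f"directories in {target_cloud} cannot see it")
    authority, arm = CLOUDS[target_cloud]
    url = f"{authority}/{reg.tenant}/oauth2/token"
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": reg.client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "resource": arm,  # the ARM audience is cloud-specific as well
    })
    return url, body
```

The same per-cloud keying applies to any settings you cache (authority, ARM, Graph, storage suffixes); keep them together with the registration rather than deriving them from the Public-cloud defaults.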

Related

Can I log into Azure Portal using Service Account Certificate?

Stuff in Azure is secured with Service Accounts. In order for me to see stuff I need to download the Service Account certificate and then log in via the Azure CLI using the extracted certificate and the Service Account Application Id. So now I can see everything the Service Account can see, great. But it is a pain in the neck and slow. So my question: Can I use the same certificate and credentials to log into the Azure Portal website so I can browse around using the web browser instead?
Using a Service Principal for interactive logins to the Azure Portal is not possible - which is by design. In order to be able to see the same resources as the Service Principal through the Azure Portal, you would require a user account that holds the Azure RBAC Reader role against those resources that are in scope of the Service Principal role assignments.
As you mentioned performance being an issue with using the Service Principal login, you could try Azure Resource Graph queries. These are supported by Azure CLI, Azure PowerShell as well as all the major Azure SDKs. Obviously, this won't bring you the visual experience like the Azure Portal but might resolve the performance piece.
However, requesting/creating a user account that has the corresponding RBAC roles assigned would be the only way to allow you to see the resources through the Azure Portal.

How to configure one Azure ADDS for all inherit Azure accounts under the same subscription?

We have a Visual Studio Enterprise Subscription – MPN subscription. Therefore, we can create several Azure accounts under the same subscription in the same tenant. So, basically we have one root Azure account and several Azure accounts which are inherited from the root Azure account. In my environment, I have configured Azure ADDS under my root Azure account. I have several VMs in another Azure account under the same subscription as I described above. My requirement is to connect those Azure VMs to the Azure ADDS in the root Azure account. Is there any way to do it? I know how to do it when Azure ADDS and Azure VMs are in the same account.
As you are aware, Azure Active Directory Domain Services integrates with your existing Azure AD tenant. This integration lets users sign in to services and applications connected to the managed domain using their existing credentials. Joining a VM hosted in another Tenant is not applicable. You have mentioned a different Azure Account; if it is a different Tenant, then there is no possibility at this time.

Azure Active Directory - (Azure Resources) to separate concerns

Can any Azure Active Directory gurus suggest the best answer to the following...
Currently a very large enterprise is already using Azure AD, syncing on-site ADDS with Azure AD (Enterprise Azure AD/ADDS).
Is the best solution to create a new Azure AD Resource to keep separation of concerns and to ensure that users from 1 Azure AD resource have no way of accessing the other Azure AD resource (Enterprise Azure AD/ADDS), and is there any extra cost with creating 1 to n... (except for premium licenses, which we already pay for)
Does 1 Azure subscription cover 1 to n.... Azure Active Directory Resources?
We want the new Azure AD to only contain out side guests aka #gmail, #yahoo, but this is all B2B.
---1 Overall Azure Tenant
|
----+ (1) Azure AD Enterprise Synced with on premise ADDS (Office 365 and a lot more) (Currently Exists)
|
----+ (2) Azure AD Contractors with access to specific applications that are configured
If you have an Azure Subscription you can have multiple Azure AD resources (No Extra Cost), as many as you want. This allows for different Global Administrators to manage different Azure AD resources such as Users, Guests, Apps, Proxy connectors.
However, this does go without saying that you still have to pay for the Premium licenses if needed in each Azure AD Resource should you need them.
https://azure.microsoft.com/en-us/pricing/details/active-directory/

How to move resources from subscriptions in different directories in Azure

In my Azure account I have 2 directories, let's call them directory A and B.
With some recent changes I need to switch an app service from a subscription in directory A to a subscription that is on directory B.
Is this possible to achieve, and if it is how?
EDIT 1
As directory I mean the directory that you can see in the image below:
EDIT 2
Since it seems that I have misled people, I will try to explain what I want to achieve with images.
I want to move the App Service from the App Service Plan in the directory A as you can see in here:
to the App Service Plan in the directory B that you can see in here:
It looks like you want to move resources between subscriptions. It is possible to do this but there are a few restrictions and rules around what you can do.
You can definitely move an App Service between subscriptions. However, in your case, as the subscriptions in question exist in different AD tenants, you will need to change the tenant of one of the subscriptions. You can only do this if you are a Service Administrator and signed in using a Microsoft (i.e. non-organizational) account.
Check this reference document from Microsoft, it explains in detail how the transfer process works.
I think we might need some additional information, since it seems that the terms we're using are sometimes equivocal. Microsoft Azure subscriptions are not associated to Azure Active Directories, but to a Service Account. You can add as many Azure ADs as you want to an Azure subscription, but the Azure subscription itself will be managed by the service account (which is not necessarily a member of a certain Azure AD).
Further, only the service administrator can manage Azure resources, like VMs, App Services and so on. Azure AD admins can only manage identity aspects that define identity life cycles within that specific Azure AD. The service admin could add a user from the default Azure AD as a co-admin and that user would then also be able to manage Azure resources, like App Services and so on.
So the Azure App Service is tied to an Azure subscription that is managed by a service account, not by the Azure AD. Please check the official documentation on this topic. Also please clarify exactly what you would like to do.

Azure using enterprise Active Directory

Before I am going to describe my questions, I would like to tell you that I am a web developer and not a security/Active Directory or Azure specialist, so please be gentle :-)
I work for a large international financial services company. We have a global IT department that provides member firms with services that we use (Active Directory 2012).
In my member firm, we are currently considering migrating custom-built websites to Azure. All the custom-built websites are implemented with Kerberos and Single Sign-On using Active Directory. Some of these websites read & write information in Active Directory.
The challenge that we are facing is how we can migrate these websites to Azure whilst using the enterprise's Active Directory. I searched for detailed information about solutions available but haven't found anything that answered my questions. My questions:
What solutions are there for connecting Azure with an enterprise's Active Directory?
What are the advantages and disadvantages for these solutions?
What are the requirements for these solutions?
Perhaps there is a book/blog/whitepaper that answers my questions?
AFAIK you cannot use the corp AD directly from Azure. You must use Azure Active Directory. However, there are solutions to keep the corp AD and the Azure AD in sync. For example read Connecting AD and Azure AD: Only 4 clicks with Azure AD Connect, which shows how to use Azure AD Connect to link the Azure AD with your corp AD. It will basically mirror one corporate AD forest with an Azure AD account, and keep it up to date by periodic re-sync. The net effect is that you develop your cloud apps to authenticate and authorize based on the Azure AD, but the Azure AD will mirror the corp AD. There will be a delay in propagating changes to Azure AD, e.g. an employee added to the "domain\sales" group will not be allowed to access the "Sales" app for some hours until the Azure AD sync catches up with the corp AD change.