Given situation
I have two Azure AD directories in one Azure portal tenant.
AD_1 - A directory that got automatically created when signed up for Azure cloud the first time
AD_2 - A directory that I have manually created for managing a different set of users.
I also have an office365 account, that got created using the same Azure account. In it first I purchased a subscription.
SUBSCRIPTION_1 - only office apps. The licenses are attached to users in AD_1
Later I purchased another subscription purely for non-office products for different set of users.
SUBSCRIPTION_2 - exchange, yammer etc apps - A new subscription.
Questions
Is it possible to associate SUBSCRIPTION_2 to only users in directory AD_2?
If above is YES, how to do?
Disclaimer: I am a noob to whole Azure AD, Office 365, for that matter Microsoft products. Please forgive my naivety.
No matter the originating subscription access to services or apps only depends on licenses. So just navigate to Office 365 Portal > Administration > Users > Active, there select a user and assign the appropriate license, no matter from which AD user comes from, in fact it is also possible to assign licenses to users created in a local AD that is synchronized to Azure AD (administration privileges are needed for this procedure)
Related
I'm trying to follow this tutorial on developing with Microsofts Graph Data Connect. The tutorial states:
The Azure subscription must be in the same tenant as the Microsoft 365 tenant. Microsoft Graph Data Connect will only export data to an Azure subscription in the same tenant, not across tenants.
Your Microsoft 365 and Azure tenants must be in the same Azure Active Directory (Azure AD) tenancy.
I already have an Azure account with an Azure for Students subscription. I signed up to the Microsoft 365 Developer Program and created a new sandbox. This creates a totally new tenant with a corresponding admin#[MYTENANT].onmicrosoft.com account.
The 365 sandbox has an Azure Directory, but no subscription or ability to create new services. The admin account cannot be used to sign up for a new free subscription, attempting to create an Azure free account results in a "Your current account type is not supported" message.
Is there a way to link these two accounts together so I can create an app in Azure that uses Graph Data Connect to access the dummy data in the 365 Sandbox?
You might be able to change your azure subscription to a new directory. (It might be blocked by policy however)
You'll need a user who exists in both directories, and who is an owner on the subscription. In the portal, click the "Change Directory" button on the ribbon and follow the prompts. Note, the directory change will delete all RBAC role assignments and possible some other configurations, but if this is a learning subscription there's probably not a lot that can't be recreated.
https://learn.microsoft.com/en-us/azure/devtest/offer/how-to-change-directory-tenants-visual-studio-azure
We have a Office365 account that uses Azure Active Directory for our company e-mail accounts. We have a totally separate (different login) Microsoft Azure account that we have been using without touching Azure Active Directory within.
We are looking to implement Azure Active Directory within our apps, and would like to use our existing O365 Active Directory since it already has all the users created. Is there any way for us to somehow link our Azure account to the O365 account so we can use that active directory in our Azure account?
I have found some examples, but they all seem to use the premise that you are logging into both Azure and O365 with the same credentials. That is not how ours is setup unfortunately.
If you are interested in combining the two (usually keeping O365 identities and making that AAD the default for your Azure subscription), you can contact Microsoft directly and they will be able to manually pair the two. As of 6 months ago (last time I did this) there was no way to do this yourself without assistance from MS.
You can open tickets through the Azure portal or the Office 365 web site.
Found a article that got me pointed pointed in the right direction and I was able to get this done:
How to associate or add an Azure subscription to Azure Active Directory
Ultimately I needed to have one Microsoft account that had sufficient permissions on both Active Directory tenants. It was tricky because both accounts were different Microsoft accounts using the same e-mail address, and either directory would not let me add another account with a duplicate e-mail address. I used a separate Microsoft account and added it as a AD guest on both directories. Once that was done, I was able to login with the new account with access to both directories and pick which directory I wanted to use within my Azure account.
Assume there exists and O365 instance where user identities are managed in the cloud - see the Cloud Identity section here: https://support.office.com/en-us/article/Understanding-Office-365-identity-and-Azure-Active-Directory-06a189e7-5ec6-4af2-94bf-a22ea225a7a9
Assume there also exists a separate Azure subscription that maintains it's own Active Directory, as well as an assortment of other resources such as SQL Databases, VMs, Virtual Networks, etc...
Can the two (the O365 instance and the Azure AD) use the same domain? Given it seems like Office 365 uses an Azure AD under the covers, my question is really just asking if two Azure Active Directories can use the same domain. Unfortunately, I can't find much online with regards to answers for this and I can't yet test it.
If you had two Active Directory tenants using the same example.com domain, and you logged into the portal with bob#example.com How would the portal know which tenant was responsible for bob?
An Azure Active Directory tenant much be authorative over the domains that are associated with it.
What you can do is associate the Office 365 Active Directory with an Azure subscription (or as many Azure Subscriptions as you have) and then you will have SSO across all of your subscriptions and Office 365.
This is probably the simplest guide on how to achieve that - it is for RemoteApp, but the underlying concept is the same.
Two Azure Active Directories cannot have same domain.
Technically O365 instance with a tenant name (.onmicrosoft.com) is an Azure AD. Office 365 is just a SaaS application attached to every Azure AD. Basically for Office 365, Identity Management backend is Azure AD. Basically if we have a domain abc.com added/verified in tenant A , it means that we can create users in tenant A with user#abc.com. If we were able to add the same domain in tenant B, which is not possible practically but if we consider theoretically, there would be a user user#abc.com in tenant B too! Hence its impossible to have same domain with two Azure AD.
If you have a domain abc.com under a tenant - contoso.onmicrosoft.com (does not matter whether its in Office 365). If we want to view this directory in azure portal (classic) and if you know the global administrator of this directory, we can add it to the Azure Classic portal (use custom directory) option (comes up for live account service admin).
https://azure.microsoft.com/en-us/documentation/articles/active-directory-how-subscriptions-associated-directory/#manage-the-directory-for-your-office-365-subscription-in-azure
Also, Office 365 subscription gives you benefit of free "Access to Azure Active
Directory" subscription to all office 365 Global administrators. This is given to effectively manage the users in office 365 via Azure AD as well (SSPR, MFA settings- which is not available via O365 portal).
https://support.office.com/en-us/article/Register-your-free-Azure-Active-Directory-subscription-d104fb44-1c42-4541-89a6-1f67be22e4ad
I added for testing purposes Access to Azure Active Directory in Windows Azure. Now I realize there is no button to cancel the subscription:
As discussed here "the underlying directory for Office 365 is Azure Active Directory (AAD). This means that if you have an Office 365 account, you already have a directory -or "tenant"- in AAD."
1) Does this mean that this particular subscription has always been there - just not visible?
2) Can you cancel it?
3) According to the pricing list adding objects is free (Free up to 500,000 objects), Application Enhancements (Preview) and Access Control. At which point would I be billed? (I know Azure generally bills for usage, the question is what counts as the usage in this particular situation)
1) The Azure AD was created when you signed up for Office365. This Azure subscription however was created when you signed up for Azure. Azure subscription is required to manage the many aspects of Azure AD that aren't available in the O365 portal.
2) you can create a support ticket (type billing) to have the subscription cancelled. If it's a free trial subscription it will automatically get cancelled. If it's a pay-as-you-go - it won't cost you anything until you use paid services. Which takes us to your last question ...
3) general Azure AD usage is free. If you need paid services of Azure AD like multi-factor auth for users, application access, self-service password reset you will need to but Azure AD licenses. As a thumb rule - if you haven't turned on multi-factor auth for users and you haven't bought AAD basic or AAD premium licenses - you won't spend any money on Azure AD. The object limit is a cap.
Hope that helps
In my company, we are using Office365 for our emails.
In addition to this, we are using Windows Azure Active Directory to secure some applications.
Now I've been asked to create some kind of link between our users in Office 365 and Windows Azure Active Directory.
The point would be to have some admin applications deployed and secured with WAAD but for which the users are the ones from Office365.
I've found lots of documentation on the web on how to sync directories but not really anything stating clearly that this is possible.
I'd like to insist on the fact that it is our own application that we'd like to secure like this.
Thanks
(Edit 2018-03-23: This answer was updated to reflect changes in the new Azure portal.)
The underlying directory for Office 365 is Azure Active Directory (Azure AD). This means that if you have an Office 365 account, you already have a directory -or "tenant"- in Azure AD.
In your case, I think what you want to do is move from securing your application with a different Azure AD tenant (under a different domain), to securing your applications with the tenant you got when you started using Office 365. The key here is to be able to get access to your Office 365 tenant from the Azure portal.
All you need to do is sign in to the Azure portal (https://portal.azure.com) with you Office 365 account (which, remember, is an Azure AD account), and head over to the "Azure Active Directory" blade. (Note: You do not need an Azure subscription in order to manage your Azure AD tenant in the Azure portal.)
Now you can go about adding and configuring apps to the Office 365 tenant so that you can use that tenant to secure your apps.
Extra: Since you've already started doing things with another Azure subscription (presumably your Microsoft Account, MSA --formerly LiveID--), you might be interested in transferring that Azure subscription to be owned by an account in your primary Azure AD tenant: https://learn.microsoft.com/en-us/azure/billing/billing-subscription-transfer
If the aim is to make the Office 365 directory available inside the Azure portal, this currently works:
In the Azure portal, under Active Directory, click the New button, then Directory, then Custom Create. In the Directory pull-down, select 'Use existing directory' and follow the instructions to sign out and sign in using your Office 365 admin user. This will make your Office 365 directory available inside your Azure portal (in addition to any other Azure directories you have access to.)
When you setup your Azure Subcription did you use the same account you used when you setup your Office 365 Subscription? If so you should be able to see an existing WAAD instance when you log into Azure that has your #*.onmicrosoft.com domain registered against it. If you don't see that you may be able to add the domain to Azure subscription assuming of you are the domain admin. See here: http://blogs.msdn.com/b/bspann/archive/2013/10/20/adding-existing-o365-directory-to-azure-msdn-subscription.aspx
For the sake of completion, I hope the OP would come back and accept the answer provided by Philippe.
I found this that was quite helpful: http://blogs.technet.com/b/ad/archive/2013/04/29/using-a-existing-windows-azure-ad-tenant-with-windows-azure.aspx