Can any Azure Active Directory gurus suggest the best answer to the following...
Currently a very large enterprise already is using Azure AD syncing onsight ADDS with Azure AD (Enterprise Azure AD/ADDS).
Is the best solution to create a new Azure AD Resource to keep seperation of concerns and to ensure that users from 1 Azure AD resource has no way of of accessing the other Azure AD resource (Enterprise Azure AD/ADDS) and is there any extra cost with create 1 to n... (except for premium licenses, which we already pay for)
Does 1 Azure subscription cover 1 to n.... Azure Active Directory Resources?
We want the new Azure AD to only contain out side guests aka #gmail, #yahoo, but this is all B2B.
---1 Overall Azure Tenant
|
----+ (1) Azure AD Enterprise Synce with on premise ADDS (Office 365 and a
lot more) (Currently Exists)
|
----+ (2) Azure AD Contractors with access to specific applications that are
configured
If you have an Azure Subscription you can have multiple Azure AD resources (No Extra Cost), as many as you want. This allows for different Global Administrators to manage different Azure AD resources such as Users, Guests, Apps, Proxy connectors.
However, this does go without saying that you still have to pay for the Premium licenses if needed in each AD Azure Resource should you need them.
https://azure.microsoft.com/en-us/pricing/details/active-directory/
Related
Looking for ideal solution in Azure AD to automatically sync users between two Azure AD Tenants
The scenario i'm looking for is as follows
Corporate and our business project has separate Azure AD Tenants
Want to leverage Corp Azure AD to sync internal users directly to my projects Azure AD to avoid onboarding all new ppl into the company
When some internal employee leaves, sync off-boarding as well so that if Corp removes someone from Azure AD, it gets removed from my Projects AD as well
What are the best options for me ?
Azure B2B sync using external identities
Azure Lighthouse
Others ?
Can users be automatically synced without them requiring to click some activation/invitation link in emails ? Can this be fully automated without "invite link emails " etc ?
Looking for some assistance
AADConnect(AzureAD connect) can synchronize the same users, groups, and contacts from a single Active Directory to multiple Azure AD tenants.
These tenants can be in different Azure environments.
You will need to deploy an AADConnect server for every Azure AD tenant you want to synchronize to.
Note: One AADConnect server can synchronize to not more than one Azure AD tenant.
Reference:sync ad objects to multiple azure ad tenants
Also see use-scim-to-provision-users-and-groups
We have a Visual Studio Enterprise Subscription – MPN subscription. Therefore, we can create several Azure accounts under the same subscription in the same tenet. So, Basically we have an one root Azure account and several Azure accounts which are inherited to the root Azure account In my environment, I have configured Azure ADDS under my root Azure account. I have several VMs in another Azure account under the same subscription as I described above. My requirement is to connect those Azure VMs to the Azure ADDS in the root Azure account. Is there any way to do it? I know how to do it when Azure ADDS and Azure VMs in the same account.
As you aware Azure Active Directory Domain services integrates with your existing Azure AD tenant. This integration lets users sign in to service and applications connected to the managed domain using their existing credentials. Joining the VM hosted in another Tenant is not applicable . You have mentioned different Azure Account if it is a different Tenant then there is no possibility at this time.
I have created a native application in an Azure AD in Azure General region. The application has been granted appropriate permissions (Sign in on user's behalf, execute Service Management API requests etc.). Using this application, I am able to connect to any Azure Subscription in Azure General region using this application.
However when I try to connect to an Azure Subscription in Azure China, after successful login, I am getting the following error:
AADSTS70001: Application with identifier '01234567-890a-bcde-ffff-fcc63fc150ea' was not
found in the directory 'xxx.yyy.onmschina.cn'.
So my questions are:
Is it possible to connect to an Azure Subscription in Azure China (or for that matter to any Azure Subscription in Azure Sovereign Cloud like Germany etc.) using an application created in Azure General region?
Or do I need to create a separate application for each Azure Sovereign region in an Azure AD in that region?
If I indeed need to create a separate application (i.e. answer is yes to above question), is it possible to create an Azure AD tenant in these Sovereign regions without having an Azure Subscription there?
I believe the answer to the last question is yes considering Azure AD and Azure Subscription are two different things, yet I would very much like to get a confirmation on the same.
No,
it is NOT possible to connect Azure "General" with any sovereign clouds - these are Azure US Government, Azure China, Azure Germany. All these clouds are completely separate deployments with their own Azure AD. You cannot use B2B inter clouds, you cannot use your multi-tenant applications across clouds.
For that case you have to have a subscription in every cloud you would like to support and separate application registration, and separate instructions for your users. Check for example how Azure CLI is handling this. You are always only connected to one cloud with cloud's specific account.
In Azure Germany you can create an Azure AD tenant - just create a free trial subscription and you will also get a tenant. For China and US Gov will be hard - they both have very strict requirements who can create subscriptions there.
I have created a group with some users in my Azure AD.
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-groups-create-azure-portal
(membership i set to assigned)
Now i want to assign these users to a application inside the AD.
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-group-saasapps
In the classic portal (step 4) there is only a users tab at my application not a groups and users.
In the new portal there is users and groups but the groups won't show up.
I tried this also in the
Somehow, when i use the add user/group button, i find all my users from the AD but not the group i created.
Update:
My APP was not created as Enterprise Apllication.Instead i created the APP just as new Application registration (Web app / API).
But it is also listed in the Enterprise Applications list
Question:
What could be the reason for this?
Solution:
It is a license problem, so we didn't get this feature at all.
Using Azure Active Directory (Azure AD) with an Azure AD Premium or
Azure AD Basic license, you can use groups to assign access to a SaaS
application that's integrated with Azure AD.
As the documentation mentioned, Using Azure Active Directory (Azure AD) with an Azure AD Premium or Azure AD Basic license, you can use groups to assign access to a SaaS application that's integrated with Azure AD.
Here the screenshot about the premium Azure AD, please check it:
Under the Azure Active Directory editions documentation it states Group-based access management / provisioning is an Azure AD Basic feature. This is also covered in the Azure AD Premium P1/P2 SKU.
"Group-Based Access Management" is the feature name for having the ability to assign a group to an application.
Azure Active Directory Free is available to configure 10 applications to Azure Active Directory and assign user access based by user assignment - not group assignment.
Here is a chart that outlines FREE, BASIC, PREMIUM P1, PREMIUM P2
I've created some Microsoft Live accounts for managing my Azure subscriptions (I've got five). I can log in using, for example, joe#mycompany.com and manage my web services using the public portal. I think I've got the hang of Azure Active Directory and the Domain Services that go along with it. So now I'm wondering, can I associate my domain ('mycompany.com') with an Azure Active Directory in my corporate portal, add my user 'joe' to it, and use 'joe#mycompany.com' to sign into the portal? That is, will the Azure Portals use Azure Active Directory for logins?
The Azure Portal allows users to sign in with both Azure AD Accounts AND Microsoft accounts (aka MSAs, LiveIDs, #outlook.com).
If you associate your domain with an Azure AD tenant, you'll be able to log in to the Azure portal with your Azure AD account.
It is important to note that if you have a joe#mycompany.com Microsoft account and a joe#mycompany.com Azure AD account (which you get by adding the mycompany.com domain to an Azure AD tenant and then creating joe#mycompany.com that tenant), you effectively have tow DIFFERENT ACCOUNTS. When you type in joe#mycompany.com, you'll see a prompt like this one:
You'll have to make sure you pick the right one since your existing Azure subscriptions will be associated with your MSA and any new ones you create with your Azure AD account will, by default, not be accessible to your MSA.
Your best bet is to setup an Azure AD tenant, migrate your Azure subscriptions from your MSA to your Azure AD tenant by transfering ownership of the subscription and ensure all new subscriptions are created with Azure AD accounts (and not MSAs). At that point, you can always pick Organizational account and not have to worry about which which Azure subscription is linked to which account.
Other relevant info:
Comprehensive explanation of MSAs, Azure AD and Azure Subscriptions
Creating an Azure subscription using an Azure AD tenant