We may assign Roles, Policies, ARM templates and Resource groups to users via Azure Blueprints during deployments at organization's scope or to one or more subscriptions. But can we do the vice-versa. I mean can a VNET or VM be assigned to interact with some other user via Azure Blueprints.
This is a deployment question raised by my management. We currently are searching for an answer.
Each Published Version of an Azure Blueprint can be assigned only to an existing management group or subscription.
For more information read here.
Currently i am trying to dig deeper into the organizational/entity structure of ms azure. All I find online in discussions and official ms documentation only shows parts of the bigger picture but never the underlying relationships between them.
I try to formulate statements which I ask you to correct in case they are wrong:
I log in to the azure portal using an email adress witch is called account
In the azure portal I am acting in the context of a directory
The account i use to log in is associated with an identity in the directory
A directory belongs to a tenant
Signing up for MS Azure using my Microsoft Account will create a Tenant
A Subscription I create is assoiciated with but not created/stored within a directory (not with a tenant)
A Subscription I create is associated with the Account I am currently logged in, called Azure Account
A Management Group will be created within the directory per default, called Root Management Group
When no other Management Group is created, all Subscriptions I create are associated with this Root Management Group
Any thoughts on that?
Thanks TGY for your question. The terms "tenant" and "directory" are for the most part interchangeable and are used in Azure.
A tenant is an instance of an Azure Active Directory. The tenant is an account in Azure that comes with a subdomain and an associated Azure Active Directory. In order to use an Azure Active Directory you need to become a tenant within the system. So a tenant is basically securing a .onmicrosoft.com subdomain. At that point you would have one account registered in your Azure AD.
An Azure subscription is a logical container used to provision resources in Azure.It serves as a single billing unit for Azure resources in that services used in Azure are billed to a subscription. An Azure subscription is linked to a single account, but you can add multiple subscriptions to the same directory.
Please see this DOC if it helps you.
Root Management>>Management Group>>Subscription>>Resources Group>>Resources. So for IAM(Identity & Access Management) purpose, management Group is higher level than Subscription. Subscription is higher than Resource Group and Resource Group is higher than a particular resource level.
Please find below Architectural structure for more understanding and pictorial representation --
I have two web apps in different Resource Groups. I want to use a shared App Service Plan. Please guide how this can be done, When I try to use "Change Service Plan" I can not see another resource group service plan. Both Resource groups are in same region. When I try to create a App Service Plan I can not see option as a shared resource.
I am too late for the show, but still - it's possible to at least CREATE an App Service with App Service Plan from another resource group (not geographical region though).
You can pick up some details from here:
https://praveenkumarsreeram.com/2019/09/11/share-azure-app-service-plan-across-resource-groups/
It is not possible to move App Service to App Service plan in another resource group.
You can move an app to another App Service plan, as long as the source
plan and the target plan are in the same resource group and
geographical region.
Additional Info:
Azure deploys each new App Service plan into a deployment unit,
internally called a webspace. Each region can have many webspaces, but
your app can only move between plans that are created in the same
webspace. An App Service Environment is an isolated webspace, so apps
can be moved between plans in the same App Service Environment, but
not between plans in different App Service Environments.
You can’t specify the webspace you want when creating a plan, but it’s
possible to ensure that a plan is created in the same webspace as an
existing plan. In brief, all plans created with the same resource
group and region combination are deployed into the same webspace. For
example, if you created a plan in resource group A and region B, then
any plan you subsequently create in resource group A and region B is
deployed into the same webspace. Note that plans can’t move webspaces
after they’re created, so you can’t move a plan into “the same
webspace” as another plan by moving it to another resource group.
Ref: https://learn.microsoft.com/en-us/azure/app-service/app-service-plan-manage#move-an-app-to-another-app-service-plan
I am struggling to distinguish how an Azure Subscription and an Azure tenant are different? I have tried figuring it out using examples but each time I come to the conclusion that they are the same thing in a way? If a tenant is a dedicated instance of the Azure AD service that an organization receives and owns when it signs up for a Microsoft cloud service, then is that not what a subscription is too?
Basic understanding:
a tenant is associated with a single identity (person, company, or organization) and can own one or several subscriptions
a subscription is linked to a payment setup and each subscription will result in a separate bill
in every subscription, you can add virtual resources (VM, storage, network, ...)
Additionally:
Every tenant is linked to a single Azure AD instance, which is shared with all tenant's subscriptions
Resources from one subscription are isolated from resources in other subscriptions
An owner of a tenant can decide to have multiple subscriptions:
when Subscriptions limits are reached
to use different payment methods
to isolate resources between different departments, projects, regional offices, and so on.
Example 1:
Contoso decides to have a tenant with 2 subscriptions:
one subscription for the Prod department with Credit Card A
one subscription for the Dev department with Credit Card B
(but could also be the same Credit Card as the one of another subscription)
In this example, the two departments share the same Azure AD database.
However, resources are isolated between departments, and budgets can be separated too.
Example 2:
A holding company decides to have 2 tenants:
one tenant for subsidiary Contoso with one subscription for Dev and Prod
one tenant for subsidiary Fabrikam with one subscription for Dev and another subscription for Prod
In this example, both companies have a different Azure AD database.
Example 3:
You have a tenant for your personal training.
In this tenant, you can have:
one free Azure subscription (linked to a credit card but not charged, and can be converted to a Pay-As-You-Go subscription after the free trial)
one or several Pay-As-You-Go subscriptions (linked to different credit cards)
one or several Azure Pass Sponsorship subscriptions, not linked to any credit card because these subscriptions are obtained during Microsoft trainings
one Visual Studio subscription (linked to a credit card) and with different quotas (of free resources) than the free subscription
Despite all those subscriptions have isolated resources (per subscription), and some are free while you have to pay for others, all subscriptions share the same Azure AD database.
Azure tenant is a directory. Azure subscription is an object that represents a "folder" that you can put resources in. Subscriptions are tied to tenants. so 1 tenant can have many subscriptions, but not vice versa.
Link:
https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits
It helps to take a scenario:
Let's say you logged into portal.azure.com for the first time and created a free tier account.
When you login to Azure, you have a single tenant ID associated with your account which will not change unless you ask Microsoft to delete your account(this is not your Azure domain user, this is your Microsoft subscription account - eg. bob#gmail.com).
You will only have 1 subscription unless you've purchased or manage other subscriptions (by using the 'transfer billing ownership' function), then they will all be listed under subscriptions.
You will have FULL access to all "resources" associated with your tenant ID. These resources can be part of your own Azure 'directory' or from another domain that someone has given you access to.
You can create up to 20 directories, and you can belong to up to 500 directories.
When you own the subscription (eg. a free account) you'll have full rights up to the 'root' of the subscription - eg. if you click on your name in the top right corner and select "... > your permissions" you see something like:
Your account 'YOURACCOUNT#gmail.com' has been assigned the role 'User Access Administrator' (type BuiltInRole) and has access to scope /.
Your resources have Role Based Access controls that you, the subscription owner, can assign to other users in your Azure Active Directory (or other trusted directories).
By default, for a new subscription, the Account Administrator is assigned the "Service Administrator" privilege. This is 'above' the RBAC roles - there can only be one service administrator per subscription. In RBAC terms this is an 'owner'.
More points:
A single tenant can have multiple AD directories, but a single directory can only have 1 tenant.
*It is recommended to maintain only a single tenant and manage all of your AD domains from that single tenant, otherwise the user experience between domains will not be a seamless.
*A tenant is directly associated with an AD resource - if you mouse over your username in the top right corner you'll see the AD domain you're connected to and a long alphanumeric string - that's the same string in AD > properties.
*If you switch to another directory (assuming you have one) your subscription name (bob#gmail.com) doesn't change, but the tenant ID will be different.
References:
https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
https://marckean.com/2016/06/01/azure-vs-azure-ad-accounts-tenants-subscriptions/
https://blogit.create.pt/miguelisidoro/2019/01/07/pros-and-cons-of-single-tenant-vs-multiple-tenants-in-office-365/
This MS doc has explained everything very nicely - Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings
Quoting from the Summary of the hierarchy section in the documentation:
Here is a quick recap:
An organization can have multiple subscriptions
A subscription can have multiple licenses
Licenses can be assigned to individual user accounts
User accounts are stored in an Azure AD tenant
Later in the same section it says:
Multiple Microsoft cloud offering subscriptions can use the same Azure
AD tenant that acts as a common identity provider. A central Azure AD
tenant that contains the synchronized accounts of your on-premises AD
DS provides cloud-based Identity as a Service (IDaaS) for your
organization.
Let us try to understand all this with the help of a real-life example. Let's assume that I'm the owner of a company named FooBar which manufactures software products. Now here is what I'll do to setup Azure infrastructure for my company:
I'll crete an Azure account using my email id.
Then for managing the employees of the company, I created below mentioned Azure Active Directories (AAD aka tenant) in my Azure account:
PermanentAad
AdhocAad
User account of all full-time employees (FTEs) will be added into PermanentAad AAD and all temporary or contractual employees will be added into AdhocAad AAD.
Similarly, I would like to manage the billing of adhoc employees and FTEs separately. So I creates two subscriptions namely PermanenetSub and AdhocSub. I'll setup a trust relationship between PermanentAad and PermanentSub. Similarly for AdhocAad and AdhocSub. So when any FTE creates an Azure resource e.g. a virtual machine(VM) then the cost of that VM will get added to total bill in PermanentSub subscription.
Now comes the licensing part. Licenses empower a user to do things in Azure e.g. creating resources, VMs etc. I can give Enterprise Mobility + Security E5 license to an FTE so that he can create VMs for testing any stuff.
To summarize:
If you want to work in Azure you need an Azure account. To create an Azure account you need an active email id.
If you want to add people/employees or machines/devices who would be part of your IT infrastructure you need a tenant/AAD. You get one tenant/AAD by default when you create an Azure account. You can create more if you require for any kind of logical separation. AAD service is a global service spanning across all locations in Azure which manages all of our AAD instances. AAD is also known as Azure Active Directory, AAD, an Azure AD instance, an AAD Instance, an Azure AD Tenant, an AAD tenant, simply tenant or an organization, etc. They all mean the same. Therefore:
Organization == Tenant == Azure Active Directory
If you require logical separation of billing for users of your Azure account then you need multiple subscriptions. You get one subscription by default when you create a new Azure account. Subscription can be of four types as per below list:
Free
Pay-as-you-go
Enterprise agreement
Cloud Solution Provider
If you want to enable the users to do things then you issue license(s) e.g. license to be able to create VM or Azure app service. Also remember that license and Role Based Access Control (RBAC) are not same although both enable you to do things in Azure portal. But they've different nuances which you can explore on your own.
Below image summarizes the above explanation. I've taken it from the same documentation that I referred at the starting of this answer - Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings
Quoting from the User accounts section in the documentation:
So, all the user accounts and devices of an organization reside in a common Azure AD tenant/instance.
Adding more to existing answers
Tenant is a domain, If these are email addresses of a certain company,
user#exampledomain.com
admin#exampledomain.com
The tenant can be recognized as "exampledomain", in a practical scenario you create a tenant against a company or a client.
Subscriptions are like another logical high-level grouping. For example, you can create a subscription for each environment you work with in the same tenant.
as an example, exampledomain.com tenant can have Development, QA, and Production subscriptions. Those will be billed separately according to the plans you take in
Below are succinct descriptions of key terms and the relationship between them.
They are all sourced from official Microsoft documentation.
Account
Tenant
Identity
Subscription
Resource
Resource Group
Account
To create and use Azure services, you first need to sign up [for an
Azure account].
Source:
Learning Path: Manage identity and access in Azure Active Directory
Module: Create an Azure account
Exercise: Create an Azure account
Tenant
An Azure tenant is a single dedicated and trusted instance of Azure
AD. Each tenant (also called a directory) represents a single
organization. When your organization signs up for a Microsoft cloud
service subscription, a new tenant is automatically created. Because
each tenant is a dedicated and trusted instance of Azure AD, you can
create multiple tenants or instances.
Identity
An identity is an object that can be authenticated. The identity can
be a user with a username and password. Identities can also be
applications or other servers that require authentication by using
secret keys or certificates. Azure AD is the underlying product that
provides the identity service.
Source:
Learning Path: AZ-104: Manage identities and governance in Azure
Module: Configure Azure Active Directory
Exercise: Describe Azure Active Directory concepts
Subscription
To create and use Azure services, you need an Azure
subscription...you're free to create additional subscriptions. For
example, your company might use a single Azure account for your
business and separate subscriptions for development, marketing, and
sales departments. After you've created an Azure subscription, you can start
creating Azure resources within each subscription.
Source:
Learning Path: Azure Fundamentals: Describe Azure architecture and services
Module: Get started with Azure accounts
In Azure, subscriptions are a unit of management, billing, and scale.
Similar to how resource groups are a way to logically organize
resources, subscriptions allow you to logically organize your resource
groups and facilitate billing...An account can have multiple
subscriptions, but it’s only required to have one. In a
multi-subscription account, you can use the subscriptions to configure
different billing models and apply different access-management
policies. You can use Azure subscriptions to define boundaries around
Azure products, services, and resources.
Source:
Learning Path: Azure Fundamentals: Describe Azure architecture and services
Module: Describe Azure management infrastructure
Resource
A resource is the basic building block of Azure. Anything you create,
provision, deploy, etc. is a resource. Virtual Machines (VMs), virtual
networks, databases, cognitive services, etc. are all considered
resources within Azure.
Resource Group
Resource groups are simply groupings of resources. When you create a
resource, you’re required to place it into a resource group. While a
resource group can contain many resources, a single resource can only
be in one resource group at a time. Some resources may be moved
between resource groups, but when you move a resource to a new group,
it will no longer be associated with the former group. Additionally,
resource groups can't be nested, meaning you can’t put resource group
B inside of resource group A.
Resource groups provide a convenient way to group resources together.
When you apply an action to a resource group, that action will apply
to all the resources within the resource group. If you delete a
resource group, all the resources will be deleted. If you grant or
deny access to a resource group, you’ve granted or denied access to
all the resources within the resource group.
When you’re provisioning resources, it’s good to think about the
resource group structure that best suits your needs.
For example, if you’re setting up a temporary dev environment,
grouping all the resources together means you can deprovision all of
the associated resources at once by deleting the resource group. If
you’re provisioning compute resources that will need three different
access schemas, it may be best to group resources based on the access
schema, and then assign access at the resource group level.
There aren’t hard rules about how you use resource groups, so consider
how to set up your resource groups to maximize their usefulness for
you.
Source:
Learning Path: Azure Fundamentals: Describe Azure architecture and services
Module: Describe Azure management infrastructure
Simply put, an instance of Azure AD is what an organization receives when the organization creates a relationship with Microsoft such as signing up for Azure, Microsoft Intune, or Microsoft 365.
A tenant is similar to a forest in an on-premise environment.
An Active Directory forest (AD forest) is the topmost logical container in an Active Directory configuration that contains domains, users, computers, and group policies
Think of a tenant as a user/domain entity that is registered in Azure. Tenants are Azure 'customer' - a unique entity that will be registered in Azure directories.
Subscription is an operational level of grouping resources. Tenants have subscriptions.
Tenant is quite a useful approach, which, in my opinion, is missing in AWS.
I have several App Services, and storage accounts set up in Azure. We have a Resource Group, which is a handy way to bundle together all the services and storage - for example, for tracking billing (other teams use the same subscription).
Now, I want to add a new Cloud Service, and have it included in the Resource Group. But then I see the Cloud Service listed at the same level as Resource Groups, which makes no sense.
Is it possible to include Cloud Services inside a Resource Groups, along with our App Services - and if not, what's the rationale?
Currently azure cloud services( web roles and worker roles) are not part of the Azure resource manager feature. Hence you cannot add a cloud service to a resource group. This is a requested feature in the azure feedback portal. You can go add your comments and cast your vote.
https://feedback.azure.com/forums/169386-cloud-services-web-and-worker-role/suggestions/7899432-add-cloud-services-as-an-available-resource-when-w