Can you use an Azure AD identity to log into the Azure Portal? - azure

I've created some Microsoft Live accounts for managing my Azure subscriptions (I've got five).  I can log in using, for example, joe@mycompany.com and manage my web services using the public portal. I think I've got the hang of Azure Active Directory and the Domain Services that go along with it. So now I'm wondering, can I associate my domain ('mycompany.com') with an Azure Active Directory in my corporate portal, add my user 'joe' to it, and use 'joe@mycompany.com' to sign into the portal?  That is, will the Azure Portals use Azure Active Directory for logins?

The Azure Portal allows users to sign in with both Azure AD Accounts AND Microsoft accounts (aka MSAs, LiveIDs, @outlook.com).
If you associate your domain with an Azure AD tenant, you'll be able to log in to the Azure portal with your Azure AD account.
It is important to note that if you have a joe@mycompany.com Microsoft account and a joe@mycompany.com Azure AD account (which you get by adding the mycompany.com domain to an Azure AD tenant and then creating joe@mycompany.com in that tenant), you effectively have two DIFFERENT ACCOUNTS. When you type in joe@mycompany.com, you'll see a prompt like this one:
You'll have to make sure you pick the right one since your existing Azure subscriptions will be associated with your MSA and any new ones you create with your Azure AD account will, by default, not be accessible to your MSA.
Your best bet is to set up an Azure AD tenant, migrate your Azure subscriptions from your MSA to your Azure AD tenant by transferring ownership of the subscription, and ensure all new subscriptions are created with Azure AD accounts (and not MSAs). At that point, you can always pick Organizational account and not have to worry about which Azure subscription is linked to which account.
Other relevant info:
Comprehensive explanation of MSAs, Azure AD and Azure Subscriptions
Creating an Azure subscription using an Azure AD tenant
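One way to confirm which of the two identities you actually signed in with is to look at the claims in the id_token that the sign-in returned. This is an added example, not code from the answer above: it decodes a token's payload without verifying the signature and classifies it. The MSA tenant id and the live.com idp value are the Microsoft identity platform's documented values; the organizational tenant GUID and the tokens themselves are constructed placeholders.

```python
import base64
import json

# Well-known tenant id that Microsoft identity platform tokens carry in "tid"
# when the signed-in identity is a personal Microsoft account (MSA).
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT
    verified here: this is an inspection aid, never an authentication step."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def classify_identity(claims: dict) -> str:
    """A direct MSA sign-in carries the fixed MSA tenant id in 'tid'; an MSA
    invited as a guest carries the organization's 'tid' but 'idp' = live.com;
    anything else is a native Azure AD user of tenant 'tid'."""
    tid = claims.get("tid", "")
    if tid == MSA_TENANT_ID:
        return "personal Microsoft account (MSA)"
    if claims.get("idp") == "live.com":
        return f"MSA guest in Azure AD tenant {tid}"
    return f"Azure AD account in tenant {tid}"

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the demo (alg 'none', empty
    signature); real tokens from login.microsoftonline.com are RS256-signed."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    return f"{header}.{enc(claims)}."

# Constructed samples: the same sign-in name, two different identities.
ORG_TENANT = "00000000-0000-0000-0000-00000000beef"  # placeholder tenant id
MSA_TOKEN = make_unsigned_token({"preferred_username": "joe@mycompany.com",
                                 "tid": MSA_TENANT_ID})
AAD_TOKEN = make_unsigned_token({"preferred_username": "joe@mycompany.com",
                                 "tid": ORG_TENANT})
```

Run `classify_identity(token_claims(tok))` on each constructed token to see the two identities behind one sign-in name.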

Related

How to configure one Azure ADDS for all inherited Azure accounts under the same subscription?

We have a Visual Studio Enterprise Subscription – MPN subscription. Therefore, we can create several Azure accounts under the same subscription in the same tenant. So, basically we have one root Azure account and several Azure accounts which are inherited from the root Azure account. In my environment, I have configured Azure ADDS under my root Azure account. I have several VMs in another Azure account under the same subscription as I described above. My requirement is to connect those Azure VMs to the Azure ADDS in the root Azure account. Is there any way to do it? I know how to do it when Azure ADDS and Azure VMs are in the same account.
As you are aware, Azure Active Directory Domain Services integrates with your existing Azure AD tenant. This integration lets users sign in to services and applications connected to the managed domain using their existing credentials. Joining a VM hosted in another tenant is not applicable. You have mentioned a different Azure account; if it is a different tenant, then there is no possibility at this time.

Azure AD Account vs Active Directory vs Tenant

I am failing to understand the difference and use of Azure Active Directory and Tenant. Subscriptions are services running under a tenant. But I can't understand the relationship between multi-tenant subscriptions or how directories are related to tenants. Please help.
A tenant is a dedicated instance of an Azure AD directory that your organization receives when it signs up for a Microsoft cloud service such as Azure or Office 365. https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis
Each Azure tenant has a dedicated and trusted Azure AD directory. The Azure AD directory includes the tenant's users, groups, and apps and is used to perform identity and access management functions for tenant resources.

What do you mean by Microsoft Account, Tenant, Subscription?

I started learning Microsoft Azure but I'm stuck
Can anyone tell me what is the difference between Microsoft account vs tenant vs Subscription in detail?
When you say "Microsoft account", this usually refers to personal Microsoft accounts (outlook.com/live.com/hotmail.com).
But it could also refer to organizational Azure Active Directory accounts.
They are both kinds of user accounts, both types can exist as members in an Azure Active Directory "tenant".
This tenant is basically an instance of Azure AD for your users, in your control.
When you log in to Azure, you are logging in to Azure AD.
An Azure subscription is where you deploy your services, create resources like databases etc.
A subscription is always linked to an Azure AD tenant.
The users in this linked tenant can be given roles in the subscription to access/modify resources.
If anyone wants access to the subscription, they need to be added to the Azure AD tenant first.
This can be done by creating them an account there, or by inviting them by their email as a "guest".
microsoft account: the one used to log in
tenant: your azure active directory (usually the default is [account].onmicrosoft.com)
subscription: your microsoft azure subscription, the one used to create services / deploy your applications

Linked existing b2c tenant to my azure subscription but not able to create resource?

Getting the error "You are currently signed into the 'Azure AD B2C tenant' directory which does not have any subscriptions." when I try to create a resource in Azure AD B2C.
Please help I am new to Azure
Switch back to the directory where you have your subscription and create the resources there.
Don't take my answer as definitive, since I'm still a newbie, but at this point my understanding is this: B2C needs a new tenant because of the way it is designed (it isn't just an add-on for AD) and you link it to your subscription for billing purposes. But that's it. You don't need to create the resources for your app there, although I guess you could do it if you get a new subscription or transfer another one.
I already created a mobile app in my default tenant and successfully used the linked B2C tenant for authentication and I guess you've done that already. But since this was one of the few results that I got when I googled the message you quoted, I think it's worth sharing.
Have you done this?
The Azure subscription has a trust relationship with Azure Active Directory (Azure AD), which means that the subscription trusts Azure AD to authenticate users, services, and devices. Multiple subscriptions can trust the same Azure AD directory, but each subscription can only trust a single directory.
The following link might help (check "To associate an existing subscription to your Azure AD directory"):
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
Azure AD B2C needs a Microsoft Azure Subscription for billing purposes. You're going to need 3 things to make that message go away:
Azure AD Tenant
MS Azure Subscription
Associate your Azure AD B2C tenant to the MS Azure Subscription
It's a bit strange as Azure AD B2C tenants feel very similar to Azure AD (and run on a lot of the same infrastructure behind the scenes) ... but from a billing standpoint, they are almost treated like MS Azure resources (e.g. VM, App Service, etc.)
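The trust model quoted above (many subscriptions can trust one directory, each subscription trusts exactly one) can be checked from the Azure CLI. This added example, not from either answer, groups the JSON that `az account list --all -o json` emits by tenantId and reports which directory to switch to when the one you are signed into, such as a B2C tenant, holds no subscriptions. The JSON is a constructed sample with placeholder ids.

```python
import json

# Constructed sample of `az account list --all -o json` output (field names as
# the Azure CLI emits them); ids are placeholders, not real subscriptions.
AZ_ACCOUNT_LIST = json.dumps([
    {"id": "11111111-1111-1111-1111-111111111111", "name": "Pay-As-You-Go",
     "state": "Enabled", "isDefault": True,
     "tenantId": "aaaaaaaa-0000-0000-0000-000000000001",
     "user": {"name": "joe@mycompany.com", "type": "user"}},
    {"id": "22222222-2222-2222-2222-222222222222", "name": "Prod",
     "state": "Enabled", "isDefault": False,
     "tenantId": "aaaaaaaa-0000-0000-0000-000000000001",
     "user": {"name": "joe@mycompany.com", "type": "user"}},
    {"id": "33333333-3333-3333-3333-333333333333", "name": "Old-Dev",
     "state": "Disabled", "isDefault": False,
     "tenantId": "bbbbbbbb-0000-0000-0000-000000000002",
     "user": {"name": "joe@mycompany.com", "type": "user"}},
])


def subscriptions_by_tenant(az_json: str) -> dict:
    """Map each tenantId to the names of the enabled subscriptions that trust
    it. A subscription trusts exactly one directory, so each appears once."""
    result = {}
    for sub in json.loads(az_json):
        if sub["state"] != "Enabled":
            continue
        result.setdefault(sub["tenantId"], []).append(sub["name"])
    return result


def where_to_switch(az_json: str, current_tenant: str):
    """Given the tenant currently signed in (e.g. a B2C tenant that holds no
    subscriptions), return the tenant ids that do hold enabled subscriptions,
    or None when the current directory already has one."""
    by_tenant = subscriptions_by_tenant(az_json)
    if current_tenant in by_tenant:
        return None
    return sorted(by_tenant)


if __name__ == "__main__":
    b2c_tenant = "cccccccc-0000-0000-0000-000000000003"  # placeholder B2C tenant
    for tenant in where_to_switch(AZ_ACCOUNT_LIST, b2c_tenant) or []:
        # Sign in to the directory that owns the subscription, then select it.
        print(f"az login --tenant {tenant} && az account set --subscription <name>")
```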

Azure AD create user group for Application

I have created a group with some users in my Azure AD.
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-groups-create-azure-portal
(membership I set to assigned)
Now I want to assign these users to an application inside the AD.
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-group-saasapps
In the classic portal (step 4) there is only a Users tab at my application, not Users and groups.
In the new portal there is users and groups but the groups won't show up.
I tried this also in the
Somehow, when I use the add user/group button, I find all my users from the AD but not the group I created.
Update:
My APP was not created as an Enterprise Application. Instead I created the APP just as a new Application registration (Web app / API).
But it is also listed in the Enterprise Applications list
Question:
What could be the reason for this?
Solution:
It is a license problem, so we didn't get this feature at all.
Using Azure Active Directory (Azure AD) with an Azure AD Premium or Azure AD Basic license, you can use groups to assign access to a SaaS application that's integrated with Azure AD.
As the documentation mentioned, Using Azure Active Directory (Azure AD) with an Azure AD Premium or Azure AD Basic license, you can use groups to assign access to a SaaS application that's integrated with Azure AD.
Here is the screenshot about the premium Azure AD, please check it:
Under the Azure Active Directory editions documentation it states Group-based access management / provisioning is an Azure AD Basic feature. This is also covered in the Azure AD Premium P1/P2 SKU.
"Group-Based Access Management" is the feature name for having the ability to assign a group to an application.
Azure Active Directory Free is available to configure 10 applications to Azure Active Directory and assign user access based on user assignment - not group assignment.
Here is a chart that outlines FREE, BASIC, PREMIUM P1, PREMIUM P2
