Azure Portal account creation, use @xyz.onmicrosoft.com or @xyz.com? - azure

I have a SharePoint Office 365 Developer account and initially it was created using an @xyz.onmicrosoft.com account.
Now I have added @xyz.com. All the billing management happens using admin@xyz.onmicrosoft.com and application access happens using user@xyz.com.
Now I am planning to add an Azure Pay-As-You-Go subscription, but I am confused: should I create the Azure portal account using admin@xyz.onmicrosoft.com or user@xyz.com?
Is there any best practice or general recommendation available?

This is completely up to your organization; there are no major advantages of using one or the other.
Nevertheless, a "user@xyz.com" account will be friendlier than "user@xyz.onmicrosoft.com".

Related

Using organizational AD for multiple Azure subscriptions

We have two Azure subscriptions and an Office 365 subscription for our company.
In "Subscription #1", we have a VNET and a bunch of VMs. We have our "organizational AD" in this VNET. We also set our Office 365 subscription to use our organizational AD that is in this Subscription #1.
We then have a second Azure subscription (Subscription #2) in which we have WebApps, databases and Visual Studio Team Services (VSTS - formerly Visual Studio Online) repositories. We set up our VSTS to use the directory service -- WAAD -- associated with this second subscription.
My question is: can we set it so that this second Azure subscription uses our organizational AD to manage user access? Our primary goal here is to have "single sign-on" in this second Azure subscription. For example, we want our developers to be able to use their organization AD accounts to access the VSTS repositories.
P.S. We do prefer keeping these two Azure subscriptions separate but still have single sign-on.
In short, yes you can. The easiest way to do this is by putting in a support ticket with Azure and asking them to perform this task for you. You should be able to put a ticket in with billing support to avoid costs.
The other way to do this involves having the Service Administrator of the 2nd Azure subscription be a Global Admin on the Azure Active Directory in question. You can then follow the steps found in this link.

Azure - Manage Billing, User Access & Usage Calculation

I have a business requirement where the Azure Subscription owner will provision User Groups like Infrastructure Admin, Billing Admin, Enterprise Users. Infra Admin people should log in to this Portal and can only see options related to Infra provisioning. Billing Admin people should have access to Azure usage Enterprise wide, and they should be able to generate bills for respective teams (which are part of the organization). Enterprise Users are those who want to procure Azure storage, VMs etc. and they want an estimated cost for the required infra.
I am looking for a solution/approach for this requirement. If the Azure Portal already provides this feature then please provide me reference material. If I should build a new custom Web application which internally uses Azure APIs then let me know about that option as well.
If there are any products which are already doing this, I am open to that as well.
Deeply appreciating your help. Thanks a lot :)
Vishal.
Let me answer by breaking your question in 2 parts:
Managing Users - This is something you can do today in Azure. Some time ago, Azure announced Role-based access control (RBAC) and that fits the bill nicely for you as far as managing users and granting them permissions to do things. So in your scenario, the owner will create users and groups in Azure Active Directory and then put these users and groups in appropriate roles. When a user or a group member tries to manage the resources (either by logging into the portal or using other tools like Azure PowerShell Cmdlets), they will only be able to do things the role they are in allows.
Managing Billing - Though Azure Portal exposes the billing functionality (and there's a billing/usage REST API), it does not have the capability you're looking for. What you would need to do is look for ITFM (IT Financial Management) Systems that have support for Azure. Off the top of my head, two tools come to my mind - Cloudyn & Cloud Cruiser. You can learn more about it here: https://azure.microsoft.com/en-in/documentation/articles/billing-usage-rate-card-overview/. You could always consume the Billing/Usage REST API to create a solution of your own. If you're writing your own solution, you may want to check out Billing Samples on GitHub.
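The group-to-role mapping described in the "Managing Users" part of the answer above, as an added example that is not part of the original answer. It uses the Az PowerShell module; the group names, the resource group `rg-infra`, the choice of built-in roles for each group and the subscription ID are assumptions for illustration.

```powershell
#Requires -Modules Az.Resources
# Added example. Group names, scopes and role choices are hypothetical.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SubscriptionId = '00000000-0000-0000-0000-000000000000'  # placeholder
)

$subScope = "/subscriptions/$SubscriptionId"

# Each Azure AD group gets one built-in role at the narrowest scope that works.
$assignments = @(
    @{ Group = 'Infrastructure Admins'; Role = 'Contributor';    Scope = "$subScope/resourceGroups/rg-infra" }
    @{ Group = 'Billing Admins';        Role = 'Billing Reader'; Scope = $subScope }
    @{ Group = 'Enterprise Users';      Role = 'Reader';         Scope = $subScope }
)

foreach ($a in $assignments) {
    $group = @(Get-AzADGroup -DisplayName $a.Group)
    if ($group.Count -ne 1) {
        # Zero or several matches: do not guess which principal to grant rights to.
        Write-Warning "Expected exactly one group named '$($a.Group)', found $($group.Count); skipping."
        continue
    }

    # Get-AzRoleAssignment also returns assignments inherited from parent scopes,
    # so compare the scope exactly before deciding the assignment already exists.
    $existing = Get-AzRoleAssignment -ObjectId $group[0].Id -Scope $a.Scope -RoleDefinitionName $a.Role |
        Where-Object { $_.Scope -eq $a.Scope }
    if ($existing) {
        Write-Verbose "'$($a.Group)' already has '$($a.Role)' at $($a.Scope)."
        continue
    }

    if ($PSCmdlet.ShouldProcess($a.Scope, "Assign '$($a.Role)' to '$($a.Group)'")) {
        New-AzRoleAssignment -ObjectId $group[0].Id -RoleDefinitionName $a.Role -Scope $a.Scope | Out-Null
    }
}

# Review step: list every principal that still holds Owner on the subscription,
# so broad rights granted before the groups existed can be removed.
Get-AzRoleAssignment -Scope $subScope |
    Where-Object { $_.RoleDefinitionName -eq 'Owner' -and $_.Scope -eq $subScope } |
    Select-Object DisplayName, ObjectType, Scope
```

Run it with `-WhatIf` first to see which assignments would be created without changing anything.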

manage.windowsazure.com vs. portal.azure.com

What is the difference between these two portals and why? And when should I use which of them?
For example:
When I want to configure if/which Java version I want to use in a WebApp, in the "manage"-portal I only can choose between off and v1.7.0_51. In the "portal"-portal I can choose between off, v7 and v8.
Or, if I want to create a new Ubuntu-VM, in the "manage"-portal I can choose between v12.04, v14.04 and v15.04. In the "portal"-portal there is only v14.04.
As commented by Mike, manage.windowsazure.com is the current production Azure Portal while portal.azure.com is the preview portal which will eventually replace the production portal.
From an underlying technology perspective, there's one big difference between the production and preview portal. Production portal makes use of Azure Service Management API while the Preview portal makes use of Azure Resource Manager (ARM). Along with ARM API, you get Role-based access control (RBAC) that enables you to grant granular permissions on your Azure resources to your team members. In the production portal, there's only a concept of Subscription Administrator and Subscription Co-Administrator.
Not all services in Azure have been ported to make use of ARM API as of today and that's why you see only a few services in the preview portal. Services that make use of ARM API (all the new services) will only show up in the preview portal.
As to when to use what portal, just see the Azure services you need to manage. Based on how they can be managed, you will choose between production and preview portal. Also please note that functionality for a service may differ between portals even though it is present in both portals. That may be another criterion for choosing the portal.
More information can be found on the Microsoft site:
Azure Resource Manager vs. classic deployment: Understand deployment models and the state of your resources

Enable Azure Active Directory Access Control with Office 365 Azure Active Directory tenant

I currently have an Office 365 tenant with around 1,400 users all licensed. We have enabled the Azure AD tenant with the same account and are now using Azure AD Dirsync to have same sign-on to Office 365.
We are now having an external SharePoint site developed and have been offered either ADFS or Azure AD ACS as an authentication method. As we've already got an Azure AD subscription (through Office 365) I thought this would be the easiest method. However, when in my tenant on https://manage.windowsazure.com, I have access to Active Directory, can add a new directory but cannot add a new Access Control service. It's greyed out and says "not available" underneath.
I've tried talking to Office 365 support, who referred me to Azure support, who then said we don't have support so can't help. I've spoken to Azure sales and they've referred me to Azure support, who then guess what, said we don't have support.
Has anyone else managed to implement an Azure Access Control service from an Office 365 tenancy using the free Azure Active Directory subscription? I get the feeling I just need to buy a cheap Azure subscription and the option would become available, but without knowing for sure I'm a bit hesitant about taking the plunge.
Thanks.
I can imagine that you cannot use the free Azure subscription for this purpose because using the Access Control Service brings costs. The free subscription is not tied to any credit card. When you have e.g. a pay-as-you-go subscription you should be able to create an ACS namespace. I just tried in one of my pay-as-you-go subscriptions.
You are (still) able to create a namespace but I suggest you also take a look into the identity possibilities Azure AD itself has. Azure AD currently only has support for SAML 2.0 (and a lot of other protocols but they are not directly relevant for SharePoint). I know SharePoint (on-premises) only talks SAML 1.1 so that's where ACS comes in. You can read more about this topic here. Azure AD itself is going to support SAML 1.1. The only question is when. (See one of the comments from the source mentioned below this answer.)
I also would make one remark about Azure AD ACS because this is going to be replaced by Azure AD. The only question left is when.
ACS Capabilities in Azure AD
As we've mentioned previously, we are adding ACS-like capabilities into Azure AD. In the coming months, as part of a feature preview Azure AD administrators will be able to add federation with social identity providers, and later custom identity providers to Azure AD. This will allow app developers to use Azure AD to simplify the identity implementation in their apps, similar to how developers use ACS today. We look forward to getting your feedback on the preview to improve these experiences.
Migrating ACS Customers to Azure AD
Once these new ACS capabilities of Azure AD are out of preview and generally available, we will start migrating ACS namespaces to use the new Azure AD capabilities.
Source: The future of Azure ACS is Azure Active Directory
Quick solution:
Create an Azure paid account. Add the administrator user of the paid account in the Office 365 directory, and set it as global administrator of this latter directory (you can add users from other directories).
Then switch back to the paid account. The new global administrator will be able to manage the Office 365 directory and add a namespace.

Should I be using "Organization Accounts" when beginning the adoption of Azure?

We are spinning up a development against Microsoft Azure and will be making use of Visual Studio Online in conjunction with Microsoft Azure capabilities (PaaS, and IaaS). The majority of our developers will have MSDN subscriptions.
To get started I have set up the Azure Portal with what is being called a "Microsoft Account" (definition based on the FAQ below). I did this in order to establish a POC and demonstration but now I am wondering if this account needs to be an "Organizational Account." My company does use Office365/Outlook so I think it is possible to establish "Organizational Accounts" but I have not been able to determine with our Operations resources what would be necessary.
The question then is should I be using strictly Organizational Accounts for all Azure and Visual Studio Online accounts? If an account has already been set up as a Microsoft account can it be transitioned to an Organizational account? Are there any implications to be aware of?
One of the problems I am currently experiencing is that I cannot be logged into Outlook and Azure at the same time (assume Chrome for this example) unless I use Incognito mode for one of the sites. I am using the same email account for both but for Outlook it is being treated as an organizational account but for Azure it is a Microsoft account.
http://msdn.microsoft.com/en-us/library/dn531048.aspx
I would suggest using Org Accounts only once you have your domain synced to WAAD. This is what we have concluded is the best way to move forward and now are waiting on the Infrastructure gods to approve syncing our AD with WAAD. ...be prepared for resistance in this area.
The link to the FAQ says to contact MS to transition MS to Org account.
We have found this to be a very messy area with little direction from Microsoft to be found. We are not yet adopting VSO until we can use Org\WAAD accounts. They say new VSO accounts now support Org\WAAD accounts but if you have already created a VSO account you currently cannot switch over to Org\WAAD.
