For users that are assigned only a resource contributor role (such as Storage File Data SMB Share Contributor) the desired outcome is for them to see only the storage resources in Azure to which they are assigned
With this role, users can still see, however, the Subscription ID, a list of devices in Azure Active Directory, can log into Microsoft Intune, etc.
We have tried enabling "Restrict access to Azure Admin Portal" but some details are still visible. https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions#restrict-member-users-default-permissions
I am looking for guidance on how to ensure restricted access for users with a resource contributor role assigned.
Ability to see the existence of an Azure subscription when you have any role assigned to a resource in the subscription is special behavior provided by ARM to allow users to browse to the resources they have access to...
The other items (devices in Azure AD, Intune) are not controlled by Azure RBAC roles. You should find that the users have the same permissions even if you remove their Azure RBAC role assignments.
These systems have independent authorization logic which may be granting some access to all users.
I cannot set Azure Active Directory Admin in Azure SQL Database for myself.
attached pic
To set the as the Azure Active Directory Admin in the Azure SQL Server : You have to have the Owner role or the Contributor:
As, Azure AD is nothing but an identity store in Azure. Here we can
define users, groups, applications, and service principles. These
users can authenticate onto Azure and they can access resources that
are part of Azure subscription.
We can assign Azure AD roles to a user and these permissions are
normally given to manage the various aspects of Azure AD.
Role-based access control (RBAC), on the other hand, is used to authorise a user to use Azure resources.
For example, you might grant a user the ability to create a storage
account or manage resource groups by assigning them a role.
At the management group, subscription, resource group, or resource level, role-based access control can be implemented.
RBAC has three basic roles that apply to all resource types:
Owner: This role has full access to all the resources and can delegate
access to others.
Contributor: This role can create and manage all types of resources,
but can’t grant access to other users and groups.
Reader: This role can view existing Azure resources.
Here, is the way I am able to add, as the assigned role to me is Contributor Role.
Once you have the Owner or Contributor Role you will be able to add the Azure Active Directory Admin for the SQL server:
I am trying to set up octopus to deploy resources to azure.
Under azure active directory I've added a new app registration, and have generated a key and hooked up octopus with the correct Application ID, Tenant ID and key
The organisation has multiple azure subscriptions corresponding to the environments, so I've noticed if I use the Subscription ID of my "Visual Studio Professional MSDN" subscription it works and creates the resources, however if I try to use any of the other organisation Subscription IDs I get the following error:
Login-AzureRmAccount : The provided account c0b2.......76a6 does not
have access to subscription ID "f06.......2aa3". Please try logging in
with different credentials or a different subscription ID.
I have looked through all the settings of the Application Registration and granted it every "Windows Azure Active Directory" permission available, but still no luck.
How do I go about granting permissions to this Application Registration so that it can access the relevant subscriptions?
You need to give the app a role on the subscription/resource group/resource you want it to be able to access.
So for example, you can go to the Access Control (IAM) tab of the subscription, and give the app the Contributor role, which allows the app to read and modify anything in the subscription.
You can also give a more limited role if desired.
Roles can also be applied at a lower scope, like a resource group.
More info in the docs: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
I am struggling to distinguish how an Azure Subscription and an Azure tenant are different? I have tried figuring it out using examples but each time I come to the conclusion that they are the same thing in a way? If a tenant is a dedicated instance of the Azure AD service that an organization receives and owns when it signs up for a Microsoft cloud service, then is that not what a subscription is too?
Basic understanding:
a tenant is associated with a single identity (person, company, or organization) and can own one or several subscriptions
a subscription is linked to a payment setup and each subscription will result in a separate bill
in every subscription, you can add virtual resources (VM, storage, network, ...)
Additionally:
Every tenant is linked to a single Azure AD instance, which is shared with all tenant's subscriptions
Resources from one subscription are isolated from resources in other subscriptions
An owner of a tenant can decide to have multiple subscriptions:
when Subscriptions limits are reached
to use different payment methods
to isolate resources between different departments, projects, regional offices, and so on.
Example 1:
Contoso decides to have a tenant with 2 subscriptions:
one subscription for the Prod department with Credit Card A
one subscription for the Dev department with Credit Card B
(but could also be the same Credit Card as the one of another subscription)
In this example, the two departments share the same Azure AD database.
However, resources are isolated between departments, and budgets can be separated too.
Example 2:
A holding company decides to have 2 tenants:
one tenant for subsidiary Contoso with one subscription for Dev and Prod
one tenant for subsidiary Fabrikam with one subscription for Dev and another subscription for Prod
In this example, both companies have a different Azure AD database.
Example 3:
You have a tenant for your personal training.
In this tenant, you can have:
one free Azure subscription (linked to a credit card but not charged, and can be converted to a Pay-As-You-Go subscription after the free trial)
one or several Pay-As-You-Go subscriptions (linked to different credit cards)
one or several Azure Pass Sponsorship subscriptions, not linked to any credit card because these subscriptions are obtained during Microsoft trainings
one Visual Studio subscription (linked to a credit card) and with different quotas (of free resources) than the free subscription
Despite all those subscriptions have isolated resources (per subscription), and some are free while you have to pay for others, all subscriptions share the same Azure AD database.
Azure tenant is a directory. Azure subscription is an object that represents a "folder" that you can put resources in. Subscriptions are tied to tenants. so 1 tenant can have many subscriptions, but not vice versa.
Link:
https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits
It helps to take a scenario:
Let's say you logged into portal.azure.com for the first time and created a free tier account.
When you login to Azure, you have a single tenant ID associated with your account which will not change unless you ask Microsoft to delete your account(this is not your Azure domain user, this is your Microsoft subscription account - eg. bob#gmail.com).
You will only have 1 subscription unless you've purchased or manage other subscriptions (by using the 'transfer billing ownership' function), then they will all be listed under subscriptions.
You will have FULL access to all "resources" associated with your tenant ID. These resources can be part of your own Azure 'directory' or from another domain that someone has given you access to.
You can create up to 20 directories, and you can belong to up to 500 directories.
When you own the subscription (eg. a free account) you'll have full rights up to the 'root' of the subscription - eg. if you click on your name in the top right corner and select "... > your permissions" you see something like:
Your account 'YOURACCOUNT#gmail.com' has been assigned the role 'User Access Administrator' (type BuiltInRole) and has access to scope /.
Your resources have Role Based Access controls that you, the subscription owner, can assign to other users in your Azure Active Directory (or other trusted directories).
By default, for a new subscription, the Account Administrator is assigned the "Service Administrator" privilege. This is 'above' the RBAC roles - there can only be one service administrator per subscription. In RBAC terms this is an 'owner'.
More points:
A single tenant can have multiple AD directories, but a single directory can only have 1 tenant.
*It is recommended to maintain only a single tenant and manage all of your AD domains from that single tenant, otherwise the user experience between domains will not be a seamless.
*A tenant is directly associated with an AD resource - if you mouse over your username in the top right corner you'll see the AD domain you're connected to and a long alphanumeric string - that's the same string in AD > properties.
*If you switch to another directory (assuming you have one) your subscription name (bob#gmail.com) doesn't change, but the tenant ID will be different.
References:
https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
https://marckean.com/2016/06/01/azure-vs-azure-ad-accounts-tenants-subscriptions/
https://blogit.create.pt/miguelisidoro/2019/01/07/pros-and-cons-of-single-tenant-vs-multiple-tenants-in-office-365/
This MS doc has explained everything very nicely - Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings
Quoting from the Summary of the hierarchy section in the documentation:
Here is a quick recap:
An organization can have multiple subscriptions
A subscription can have multiple licenses
Licenses can be assigned to individual user accounts
User accounts are stored in an Azure AD tenant
Later in the same section it says:
Multiple Microsoft cloud offering subscriptions can use the same Azure
AD tenant that acts as a common identity provider. A central Azure AD
tenant that contains the synchronized accounts of your on-premises AD
DS provides cloud-based Identity as a Service (IDaaS) for your
organization.
Let us try to understand all this with the help of a real-life example. Let's assume that I'm the owner of a company named FooBar which manufactures software products. Now here is what I'll do to setup Azure infrastructure for my company:
I'll crete an Azure account using my email id.
Then for managing the employees of the company, I created below mentioned Azure Active Directories (AAD aka tenant) in my Azure account:
PermanentAad
AdhocAad
User account of all full-time employees (FTEs) will be added into PermanentAad AAD and all temporary or contractual employees will be added into AdhocAad AAD.
Similarly, I would like to manage the billing of adhoc employees and FTEs separately. So I creates two subscriptions namely PermanenetSub and AdhocSub. I'll setup a trust relationship between PermanentAad and PermanentSub. Similarly for AdhocAad and AdhocSub. So when any FTE creates an Azure resource e.g. a virtual machine(VM) then the cost of that VM will get added to total bill in PermanentSub subscription.
Now comes the licensing part. Licenses empower a user to do things in Azure e.g. creating resources, VMs etc. I can give Enterprise Mobility + Security E5 license to an FTE so that he can create VMs for testing any stuff.
To summarize:
If you want to work in Azure you need an Azure account. To create an Azure account you need an active email id.
If you want to add people/employees or machines/devices who would be part of your IT infrastructure you need a tenant/AAD. You get one tenant/AAD by default when you create an Azure account. You can create more if you require for any kind of logical separation. AAD service is a global service spanning across all locations in Azure which manages all of our AAD instances. AAD is also known as Azure Active Directory, AAD, an Azure AD instance, an AAD Instance, an Azure AD Tenant, an AAD tenant, simply tenant or an organization, etc. They all mean the same. Therefore:
Organization == Tenant == Azure Active Directory
If you require logical separation of billing for users of your Azure account then you need multiple subscriptions. You get one subscription by default when you create a new Azure account. Subscription can be of four types as per below list:
Free
Pay-as-you-go
Enterprise agreement
Cloud Solution Provider
If you want to enable the users to do things then you issue license(s) e.g. license to be able to create VM or Azure app service. Also remember that license and Role Based Access Control (RBAC) are not same although both enable you to do things in Azure portal. But they've different nuances which you can explore on your own.
Below image summarizes the above explanation. I've taken it from the same documentation that I referred at the starting of this answer - Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings
Quoting from the User accounts section in the documentation:
So, all the user accounts and devices of an organization reside in a common Azure AD tenant/instance.
Adding more to existing answers
Tenant is a domain, If these are email addresses of a certain company,
user#exampledomain.com
admin#exampledomain.com
The tenant can be recognized as "exampledomain", in a practical scenario you create a tenant against a company or a client.
Subscriptions are like another logical high-level grouping. For example, you can create a subscription for each environment you work with in the same tenant.
as an example, exampledomain.com tenant can have Development, QA, and Production subscriptions. Those will be billed separately according to the plans you take in
Below are succinct descriptions of key terms and the relationship between them.
They are all sourced from official Microsoft documentation.
Account
Tenant
Identity
Subscription
Resource
Resource Group
Account
To create and use Azure services, you first need to sign up [for an
Azure account].
Source:
Learning Path: Manage identity and access in Azure Active Directory
Module: Create an Azure account
Exercise: Create an Azure account
Tenant
An Azure tenant is a single dedicated and trusted instance of Azure
AD. Each tenant (also called a directory) represents a single
organization. When your organization signs up for a Microsoft cloud
service subscription, a new tenant is automatically created. Because
each tenant is a dedicated and trusted instance of Azure AD, you can
create multiple tenants or instances.
Identity
An identity is an object that can be authenticated. The identity can
be a user with a username and password. Identities can also be
applications or other servers that require authentication by using
secret keys or certificates. Azure AD is the underlying product that
provides the identity service.
Source:
Learning Path: AZ-104: Manage identities and governance in Azure
Module: Configure Azure Active Directory
Exercise: Describe Azure Active Directory concepts
Subscription
To create and use Azure services, you need an Azure
subscription...you're free to create additional subscriptions. For
example, your company might use a single Azure account for your
business and separate subscriptions for development, marketing, and
sales departments. After you've created an Azure subscription, you can start
creating Azure resources within each subscription.
Source:
Learning Path: Azure Fundamentals: Describe Azure architecture and services
Module: Get started with Azure accounts
In Azure, subscriptions are a unit of management, billing, and scale.
Similar to how resource groups are a way to logically organize
resources, subscriptions allow you to logically organize your resource
groups and facilitate billing...An account can have multiple
subscriptions, but it’s only required to have one. In a
multi-subscription account, you can use the subscriptions to configure
different billing models and apply different access-management
policies. You can use Azure subscriptions to define boundaries around
Azure products, services, and resources.
Source:
Learning Path: Azure Fundamentals: Describe Azure architecture and services
Module: Describe Azure management infrastructure
Resource
A resource is the basic building block of Azure. Anything you create,
provision, deploy, etc. is a resource. Virtual Machines (VMs), virtual
networks, databases, cognitive services, etc. are all considered
resources within Azure.
Resource Group
Resource groups are simply groupings of resources. When you create a
resource, you’re required to place it into a resource group. While a
resource group can contain many resources, a single resource can only
be in one resource group at a time. Some resources may be moved
between resource groups, but when you move a resource to a new group,
it will no longer be associated with the former group. Additionally,
resource groups can't be nested, meaning you can’t put resource group
B inside of resource group A.
Resource groups provide a convenient way to group resources together.
When you apply an action to a resource group, that action will apply
to all the resources within the resource group. If you delete a
resource group, all the resources will be deleted. If you grant or
deny access to a resource group, you’ve granted or denied access to
all the resources within the resource group.
When you’re provisioning resources, it’s good to think about the
resource group structure that best suits your needs.
For example, if you’re setting up a temporary dev environment,
grouping all the resources together means you can deprovision all of
the associated resources at once by deleting the resource group. If
you’re provisioning compute resources that will need three different
access schemas, it may be best to group resources based on the access
schema, and then assign access at the resource group level.
There aren’t hard rules about how you use resource groups, so consider
how to set up your resource groups to maximize their usefulness for
you.
Source:
Learning Path: Azure Fundamentals: Describe Azure architecture and services
Module: Describe Azure management infrastructure
Simply put, an instance of Azure AD is what an organization receives when the organization creates a relationship with Microsoft such as signing up for Azure, Microsoft Intune, or Microsoft 365.
A tenant is similar to a forest in an on-premise environment.
An Active Directory forest (AD forest) is the topmost logical container in an Active Directory configuration that contains domains, users, computers, and group policies
Think of a tenant as a user/domain entity that is registered in Azure. Tenants are Azure 'customer' - a unique entity that will be registered in Azure directories.
Subscription is an operational level of grouping resources. Tenants have subscriptions.
Tenant is quite a useful approach, which, in my opinion, is missing in AWS.
What is the difference between IAM and Azure AD on the azure cloud?
They don't make it clear.
Identity Access Management is what they call the Role-Based Access Control system in Azure subscriptions. Basically, it allows you to give users certain roles on subscriptions, resource groups, or individual resources.
Azure AD is a more general identity management solution. It allows you to manage users and applications, users' access to those applications and more. Calling it the "same as on-prem AD" is not really quite right, since their features differ quite a lot. The general purpose is similar to on-prem AD of course.
Logically Azure subscriptions exist within one Azure AD (they are linked to one). But having your user account in Azure AD does not give you access to Azure subscriptions! In addition to a user having to be a member (or invited guest user) of the AAD assigned to the subscription, you also have to use the RBAC (IAM) system to assign roles for users.
Azure AD is for Authentiction - User must prove who they are using a Username and Password
IAM (RBAC) is for Authorization - a User is assigned a role or permissions to use a specific resource.
What is the difference between IAM and Azure AD on the azure cloud?
Azure IAM is Azure Role-Based Access control (RBAC). Work for Azure subscription, to manage Azure resources.
Using RBAC, you can segregate duties within your team and grant only
the amount of access to users that they need to perform their jobs.
Instead of giving everybody unrestricted permissions in your Azure
subscription or resources, you can allow only certain actions. For
example, use RBAC to let one employee manage virtual machines in a
subscription, while another can manage SQL databases within the same
subscription.
Azure AD same as on-prem AD, create users to access or manage some applications.
Azure IAM same as Active directory group(have some permissions), Azure AD users in this group will have those permissions.
Identify and access management (IAM) is called RBAC (Role-Based Access Control). This is used to grant level of access such as reader , contributor , owner to Azure resources and hence perform role assignment.
Azure AD is identity management solution for Azure. It is a live directory or a database that stores the user accounts and their password.