Using organizational AD for multiple Azure subscriptions - azure

We have two Azure subscriptions and an Office 365 subscription for our company.
In "Subscription #1", we have a VNET and a bunch of VMs. We have our "organizational AD" in this VNET. We also set our Office 365 subscription to use our organizational AD that is in this Subscription #1.
We then have a second Azure subscription (Subscription #2) in which we have Web Apps, databases and Visual Studio Team Services (VSTS - formerly Visual Studio Online) repositories. We set up our VSTS to use the directory service -- WAAD -- associated with this second subscription.
My question is: can we set it so that this second Azure subscription uses our organizational AD to manage user access? Our primary goal here is to have "single sign-on" in this second Azure subscription. For example, we want our developers to be able to use their organization AD accounts to access the VSTS repositories.
P.S. We do prefer keeping these two Azure subscriptions separate but still have single sign-on.

In short, yes you can. The easiest way to do this is by putting in a support ticket with Azure and asking them to perform this task for you. You should be able to put a ticket in with billing support to avoid costs.
The other way to do this involves having the Service Administrator of the 2nd Azure subscription be a Global Admin on the Azure Active Directory in question. You can then follow the steps found in this link.

Related

Is it possible to merge two DevOps accounts?

I wish to move from my personal Microsoft DevOps account to my O365 account tenant, where I run Azure too.
Is it possible to maintain the benefits too?
What you can do is a transfer: Transfer Azure DevOps to New Azure Account
Add an AAD member that is a Microsoft account to your Azure DevOps organization.
Add this AAD member to the Project Collection Administrators group.
Log into the Azure portal and connect the organization to AAD.
Then you can log in to your Azure DevOps organization with the AAD member.
To merge two Azure DevOps accounts, there is no such feature at the moment.
A related user voice here:
make it possible to move a Team Project between Team Project Collections
https://developercommunity.visualstudio.com/content/idea/365365/make-it-possible-to-move-a-team-project-between-te-1.html
Any other 3rd-party extension or tool will not keep history info. I suggest you use the two organizations separately to keep history, or merge manually without history.

Associate Office 365 AD Tenant with AZURE AD

I have an Office 365 subscription that was created when I created my Dynamics 365 (CRM) trial version.
I also have an MSDN Enterprise Azure subscription.
I'm trying to associate the Office 365 Azure AD with my MSDN Azure subscription.
I'm trying to proceed as described in the below link
https://github.com/uglide/azure-content/blob/master/articles/billing-add-office-365-tenant-to-azure-subscription.md
But the link is for the old Azure management portal, and I'm not able to find a way to add a "New Directory" with the option to choose "Existing Directory".
Awaiting your valuable inputs.
Regards,
Clement
You can refer
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
https://learn.microsoft.com/en-us/azure/billing/billing-use-existing-office-365-account-azure-subscription
to learn how to associate or add an Azure subscription to Azure Active Directory. This should do the trick if you do not have any resources in the Azure subscription that are dependent on the current tenant for the subscription.
So what happens is that if you have anything on the current tenant for the Azure subscription, that would be replicated to the tenant for O365. All of the same would need to be re-created manually.
Only the Subscription Admin of the Azure subscription would retain access to the subscription.
If you have resources and access levels that might be affected by the re-association of the subscription to the O365 tenant, we would suggest you create a Billing & Subscription ticket so that the Microsoft support team can personally assist you through the entire process.
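Both the answer to the first question and this one say the same thing: the subscription keeps working after it is pointed at the organizational directory, but anything that named principals of the old directory (role assignments in particular) has to be re-created, and only the administrator doing the change keeps access. The script below is an added example, not Microsoft's tooling and not code from either answer. It parses JSON in the shape returned by `az account list --all -o json` and `az role assignment list --all -o json`, so the same pre-flight report can be produced for any number of subscriptions; every tenant ID, subscription ID, principal name and function name in it is a constructed placeholder.

```python
"""Pre-flight check before moving an Azure subscription to another directory.

Added example, not Microsoft tooling. Input shapes follow the Azure CLI:
    az account list --all -o json
    az role assignment list --subscription <SUBSCRIPTION_ID> --all -o json
It reports (1) subscriptions not yet backed by the organizational tenant and
(2) role assignments that will not survive re-association because they refer
to principals of the old tenant. All sample data below is constructed.
"""
import json
from collections import defaultdict

# Constructed placeholder tenant IDs.
ORG_TENANT = "aaaaaaaa-0000-0000-0000-000000000001"    # tenant behind Office 365 / Subscription #1
OTHER_TENANT = "bbbbbbbb-0000-0000-0000-000000000002"  # default directory of Subscription #2

# Constructed sample of `az account list --all -o json`, trimmed to relevant keys.
ACCOUNT_LIST = json.dumps([
    {"id": "11111111-0000-0000-0000-000000000001", "name": "Subscription #1",
     "tenantId": ORG_TENANT, "state": "Enabled"},
    {"id": "22222222-0000-0000-0000-000000000002", "name": "Subscription #2",
     "tenantId": OTHER_TENANT, "state": "Enabled"},
])

# Constructed sample of `az role assignment list --all -o json` for Subscription #2.
ROLE_ASSIGNMENTS = json.dumps([
    {"principalName": "admin@sub2default.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/22222222-0000-0000-0000-000000000002"},
    {"principalName": "dev@sub2default.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/22222222-0000-0000-0000-000000000002/resourceGroups/rg-web"},
    {"principalName": "vsts-deploy", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/22222222-0000-0000-0000-000000000002/resourceGroups/rg-web"},
])


def subscriptions_by_tenant(account_list_json):
    """Group subscription names by the tenant that currently backs them."""
    grouped = defaultdict(list)
    for sub in json.loads(account_list_json):
        grouped[sub["tenantId"]].append(sub["name"])
    return dict(grouped)


def subscriptions_outside_tenant(account_list_json, org_tenant_id):
    """Subscriptions still backed by a different directory, i.e. no SSO yet."""
    return [sub["name"] for sub in json.loads(account_list_json)
            if sub["tenantId"] != org_tenant_id]


def assignments_lost_on_move(role_assignments_json, keep_principal):
    """Role assignments that must be re-created after re-association.

    Every assignment names a user, group or service principal of the old
    tenant; the only one that survives is the admin performing the change,
    passed as keep_principal.
    """
    lost = []
    for ra in json.loads(role_assignments_json):
        if ra["principalName"] == keep_principal:
            continue
        lost.append((ra["principalType"], ra["principalName"],
                     ra["roleDefinitionName"], ra["scope"]))
    return lost


def preflight_report(account_list_json, role_assignments_json, org_tenant_id, admin):
    """Plain-text summary to attach to the change ticket or runbook."""
    lines = []
    for tenant, names in subscriptions_by_tenant(account_list_json).items():
        lines.append(f"tenant {tenant}: {', '.join(names)}")
    for name in subscriptions_outside_tenant(account_list_json, org_tenant_id):
        lines.append(f"MOVE NEEDED: {name} is not backed by the organizational tenant")
    for ptype, pname, role, scope in assignments_lost_on_move(role_assignments_json, admin):
        lines.append(f"WILL BE LOST: {role} for {ptype} {pname} at {scope}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(preflight_report(ACCOUNT_LIST, ROLE_ASSIGNMENTS, ORG_TENANT,
                           "admin@sub2default.onmicrosoft.com"))
```

Run it against real CLI output by replacing the two constructed JSON strings with the files those commands write; the "WILL BE LOST" lines are exactly the assignments to re-create against the organizational tenant after the move.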

What is the relationship between Azure and Visual Studio Team Services

We have a Visual Studio Team Services instance that is used by the company I work for.
The company has an Azure instance. As far as I am aware there is no connection to VSTS.
When I was added to VSTS as a Visual Studio Pro level user some months ago, we had to use my Microsoft Account; we couldn't use my work identity because my MSDN subscription is linked to my Microsoft Account and we could not link it to my work identity. Apparently this was because we use Office 365 in the office.
We now have problems adding Basic Users to VSTS. I enter the user's Microsoft Account identity and I am told "No Identities Found".
I looked at VSTS Settings where I can see "This account is backed by the Default Directory Azure Active Directory."
I can also see an "Azure Subscription ID". When I follow the Subscription ID link I end up at my Microsoft Account Azure instance.
I had other users log in to VSTS and they too are seeing my Azure Subscription ID in VSTS Settings.
Why is this happening?
How do Azure instances/accounts relate to VSTS instances/accounts?
Can I break the link between Azure and VSTS?
You can link your VSTS account to Azure from your Azure portal:
Azure - VSTS service
Then, what we do is to add the users to the Azure active directories. As far as I know, these users must be registered in Microsoft.
Once it's done, you can add the users to the VSTS.
Hope it helps you.
Team Services uses an Azure subscription to bill purchases and can control access with Azure AD.
You can unlink your VSTS account from Azure portal. More information, you can refer to this article: Delete or recover Visual Studio Team Services account
I am an idiot.
Turns out the company VSTS was linking to the company Azure.
I became confused when clicking the Manage button in VSTS | Azure Subscription ID.
That took me to the Sign in to Azure page and displayed my login, which takes me to my Azure.
It was only when we checked the Azure Subscription ID in VSTS against my Azure Subscription ID that it became apparent I was following a red herring. The ID matched the company's Azure ID. So I can use that to add users and subsequently add them to VSTS.

Can O365 and Azure AD use the same domain

Assume there exists an O365 instance where user identities are managed in the cloud - see the Cloud Identity section here: https://support.office.com/en-us/article/Understanding-Office-365-identity-and-Azure-Active-Directory-06a189e7-5ec6-4af2-94bf-a22ea225a7a9
Assume there also exists a separate Azure subscription that maintains its own Active Directory, as well as an assortment of other resources such as SQL Databases, VMs, Virtual Networks, etc...
Can the two (the O365 instance and the Azure AD) use the same domain? Given it seems like Office 365 uses an Azure AD under the covers, my question is really just asking if two Azure Active Directories can use the same domain. Unfortunately, I can't find much online with regards to answers for this and I can't yet test it.
If you had two Active Directory tenants using the same example.com domain, and you logged into the portal with bob@example.com, how would the portal know which tenant was responsible for bob?
An Azure Active Directory tenant must be authoritative over the domains that are associated with it.
What you can do is associate the Office 365 Active Directory with an Azure subscription (or as many Azure Subscriptions as you have) and then you will have SSO across all of your subscriptions and Office 365.
This is probably the simplest guide on how to achieve that - it is for RemoteApp, but the underlying concept is the same.
Two Azure Active Directories cannot have the same domain.
Technically an O365 instance with a tenant name (.onmicrosoft.com) is an Azure AD. Office 365 is just a SaaS application attached to every Azure AD. Basically, for Office 365 the identity management backend is Azure AD. If we have a domain abc.com added/verified in tenant A, it means that we can create users in tenant A with user@abc.com. If we were able to add the same domain in tenant B, which is not possible practically but if we consider it theoretically, there would be a user user@abc.com in tenant B too! Hence it's impossible to have the same domain in two Azure ADs.
If you have a domain abc.com under a tenant - contoso.onmicrosoft.com (it does not matter whether it's in Office 365) - and we want to view this directory in the Azure portal (classic), and you know the global administrator of this directory, we can add it to the Azure classic portal with the "use custom directory" option (which comes up for live account service admins).
https://azure.microsoft.com/en-us/documentation/articles/active-directory-how-subscriptions-associated-directory/#manage-the-directory-for-your-office-365-subscription-in-azure
Also, an Office 365 subscription gives you the benefit of a free "Access to Azure Active Directory" subscription for all Office 365 global administrators. This is given to effectively manage the users in Office 365 via Azure AD as well (SSPR, MFA settings, which are not available via the O365 portal).
https://support.office.com/en-us/article/Register-your-free-Azure-Active-Directory-subscription-d104fb44-1c42-4541-89a6-1f67be22e4ad
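Two of the threads above turn on the same mechanism: a sign-in name is routed to the one tenant that has verified its domain (which is why two tenants cannot share abc.com), and a product backed by that tenant, VSTS in the earlier "No Identities Found" question, can only resolve accounts that exist in it as members or invited guests. The model below is an added example, not Microsoft's code and not from any of the answers. It reads verified-domain lists in the shape Microsoft Graph returns for `https://graph.microsoft.com/v1.0/domains` (as fetched with `az rest` while signed in to each tenant) and user lists in the shape of `az ad user list -o json`; all tenant names, domains, users and function names are constructed.

```python
"""Model of sign-in routing: one authoritative tenant per verified domain, then
identity lookup inside that tenant.

Added example, not Microsoft's code. Per-tenant domain data follows the Graph
/domains response; per-tenant user data follows `az ad user list -o json`.
All data is constructed.
"""
import json

# Constructed Graph /domains responses, keyed by tenant. Only the verified
# domains count; fabrikam has added abc.com but never completed verification.
DOMAINS = {
    "contoso.onmicrosoft.com": json.dumps({"value": [
        {"id": "contoso.onmicrosoft.com", "isVerified": True, "isDefault": False},
        {"id": "abc.com", "isVerified": True, "isDefault": True},
    ]}),
    "fabrikam.onmicrosoft.com": json.dumps({"value": [
        {"id": "fabrikam.onmicrosoft.com", "isVerified": True, "isDefault": True},
        {"id": "abc.com", "isVerified": False, "isDefault": False},
    ]}),
}

# Constructed `az ad user list` output per tenant. The guest entry is an
# invited Microsoft account, whose UPN takes the #EXT# form in the directory.
USERS = {
    "contoso.onmicrosoft.com": json.dumps([
        {"userPrincipalName": "bob@abc.com", "mail": "bob@abc.com", "userType": "Member"},
        {"userPrincipalName": "dev_outlook.com#EXT#@contoso.onmicrosoft.com",
         "mail": "dev@outlook.com", "userType": "Guest"},
    ]),
    "fabrikam.onmicrosoft.com": json.dumps([
        {"userPrincipalName": "alice@fabrikam.onmicrosoft.com", "mail": None,
         "userType": "Member"},
    ]),
}


def verified_domains(domains_json):
    """Set of lower-cased domains the tenant has actually verified."""
    return {d["id"].lower() for d in json.loads(domains_json)["value"] if d["isVerified"]}


def authoritative_tenant(sign_in_name, domains_by_tenant):
    """Return the single tenant that has verified the sign-in name's domain.

    Zero claimants means the domain is unknown; more than one is the ambiguity
    the answers describe, which the verification step exists to prevent.
    """
    if "@" not in sign_in_name:
        raise ValueError(f"not a UPN: {sign_in_name!r}")
    domain = sign_in_name.rsplit("@", 1)[1].lower()
    claimants = [t for t, dj in domains_by_tenant.items() if domain in verified_domains(dj)]
    if not claimants:
        raise LookupError(f"no tenant is authoritative for {domain}")
    if len(claimants) > 1:
        raise ValueError(f"{domain} is verified in more than one tenant: {claimants}")
    return claimants[0]


def identity_found(account, users_json):
    """True if the entered account matches a member's UPN or an invited guest's
    mail in the backing directory; anything else yields 'no identities found'."""
    account = account.lower()
    for u in json.loads(users_json):
        if u["userPrincipalName"].lower() == account:
            return True
        if u.get("mail") and u["mail"].lower() == account:
            return True
    return False


def resolve(sign_in_name, domains_by_tenant, users_by_tenant):
    """Route the sign-in to its tenant and report whether the account exists there."""
    tenant = authoritative_tenant(sign_in_name, domains_by_tenant)
    return tenant, identity_found(sign_in_name, users_by_tenant[tenant])


if __name__ == "__main__":
    for name in ("bob@abc.com", "dev@outlook.com", "carol@outlook.com"):
        try:
            print(name, "->", resolve(name, DOMAINS, USERS))
        except LookupError as exc:
            print(name, "->", exc)
```

The third sample name shows the practical fix for the VSTS thread: an outside Microsoft account that has not been invited into the backing directory never resolves, regardless of which Azure subscription the VSTS account is billed to.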

Enable Azure Active Directory Access Control with Office 365 Azure Active Directory tenant

I currently have an Office 365 tenant with around 1,400 users all licensed. We have enabled the Azure AD tenant with the same account and are now using Azure AD Dirsync to have same sign-on to Office 365.
We are now having an external SharePoint site developed and have been offered either ADFS or Azure AD ACS as an authentication method. As we've already got an Azure AD subscription (through Office 365) I thought this would be the easiest method. However, when in my tenant on https://manage.windowsazure.com, I have access to Active Directory, can add a new directory but cannot add a new Access Control service. It's greyed out and says "not available" underneath.
I've tried talking to Office 365 support, who referred me to Azure support, who then said we don't have support so can't help. I've spoken to Azure sales and they've referred me to Azure support, who then guess what, said we don't have support.
Has anyone else managed to implement an Azure Access Control service from an Office 365 tenancy using the free Azure Active Directory subscription? I get the feeling I just need to buy a cheap Azure subscription and the option would become available, but without knowing for sure I'm a bit hesitant about taking the plunge.
Thanks.
I can imagine that you cannot use the free Azure subscription for this purpose because using the Access Control Service brings costs. The free subscription is not tied to any credit card. When you have e.g. a pay-as-you-go subscription you should be able to create an ACS namespace. I just tried in one of my pay-as-you-go subscriptions.
You are (still) able to create a namespace, but I suggest you also take a look into the identity possibilities Azure AD itself has. Azure AD currently only has support for SAML 2.0 (and a lot of other protocols, but they are not directly relevant for SharePoint). I know SharePoint (on-premises) only talks SAML 1.1, so that's where ACS comes in. You can read more about this topic here. Azure AD itself is going to support SAML 1.1. The only question is when. (See one of the comments from the source mentioned below this answer.)
I would also make one remark about Azure AD ACS, because this is going to be replaced by Azure AD. The only question left is when.
ACS Capabilities in Azure AD
As we've mentioned previously, we are adding ACS-like capabilities into Azure AD. In the coming months, as part of a feature preview Azure AD administrators will be able to add federation with social identity providers, and later custom identity providers to Azure AD. This will allow app developers to use Azure AD to simplify the identity implementation in their apps, similar to how developers use ACS today. We look forward to getting your feedback on the preview to improve these experiences.
Migrating ACS Customers to Azure AD
Once these new ACS capabilities of Azure AD are out of preview and generally available, we will start migrating ACS namespaces to use the new Azure AD capabilities.
Source: The future of Azure ACS is Azure Active Directory
Quick solution:
Create an Azure paid account. Add the administrator user of the paid account in the Office 365 directory, and set it as global administrator of this latter directory (you can add users from other directories).
Then switch back to the paid account. The new global administrator will be able to manage the Office 365 directory and add a namespace.