Strategy for Windows Azure Accounts Management - azure

From web search it appears that to be able to manage Windows Azure services, you need an account with one of the admin roles (service administrator, co-administrator etc).
From project management point-of-view, what is a good strategy to manage accounts for your company if you have several developers working on Azure?
Examples
A simple strategy could be to have a few designated administrators (e.g. team leaders) who upload the code while other developers use Azure Emulator on their machines.
Another example would be to have a shared Azure account used by many developers (not sure about licence implications for this one!).
These are just off the top of my head and have their drawbacks. What strategies do you use?

At two places I've worked we've done the following.
Single Common A/C
Create a common email distribution group (myteamonazure@mycompany.com)
Register this mail address as an MSN Passport
Use it to sign up with Azure.
Pros: Everyone on the team gets mails regarding the account.
Cons: If someone leaves the team, we need to change the account password.
Individual accounts
Let each person sign up with their own account. (Mandate that it must be their company email, not a personal MSN Passport.)
Make one person the super-admin, and the rest co-admins
Pros: If someone leaves, it's far easier to just revoke their credentials/privs.
Cons: Lots more accounts to keep track of depending on the size of your team, particularly if your company has a single Azure Account with lots of different apps/projects hosted on it.
Personally, I prefer the second option as it's more secure/easier to revoke access to individuals.
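The second option, one account per developer with access that can be granted and revoked individually, looks like this in current Azure, where the classic "service administrator + co-administrators" model has been replaced by RBAC role assignments. This is an added example, not code from the answer above; it assumes the Az PowerShell module is installed, that you have run Connect-AzAccount as a subscription Owner (or User Access Administrator), and that the subscription id, resource group and user names (all constructed placeholders) are replaced with your own. The role names and cmdlets are real.

```powershell
# Added example: per-developer access with Azure RBAC instead of a shared account.
# Assumes Az module + Connect-AzAccount already done by an Owner of the subscription.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'                         # placeholder
$TeamScope      = "/subscriptions/$SubscriptionId/resourceGroups/rg-myteam-dev"  # constructed

# Constructed work accounts: two developers who deploy to the team's resource group,
# one lead who also manages access there.
$Developers = @('alice@mycompany.example', 'bob@mycompany.example')
$TeamLead   = 'carol@mycompany.example'

function Grant-TeamAccess {
    param([string]$SignInName, [string]$Role, [string]$Scope)
    # Idempotent: only create the assignment if it does not already exist.
    $existing = Get-AzRoleAssignment -SignInName $SignInName -RoleDefinitionName $Role `
                                     -Scope $Scope -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-AzRoleAssignment -SignInName $SignInName -RoleDefinitionName $Role -Scope $Scope | Out-Null
    }
}

function Revoke-AllTeamAccess {
    param([string]$SignInName)
    # Offboarding: drop every assignment this person holds in the subscription.
    # Nothing shared (no group-mailbox password) has to be rotated afterwards.
    Get-AzRoleAssignment -SignInName $SignInName |
        ForEach-Object { Remove-AzRoleAssignment -InputObject $_ }
}

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Least privilege: developers get Contributor on the team's resource group only,
# the lead gets Owner there (not on the whole subscription).
foreach ($dev in $Developers) { Grant-TeamAccess -SignInName $dev -Role 'Contributor' -Scope $TeamScope }
Grant-TeamAccess -SignInName $TeamLead -Role 'Owner' -Scope $TeamScope

# Periodic check: who holds Owner anywhere in the subscription? Keep this list short.
Get-AzRoleAssignment -Scope "/subscriptions/$SubscriptionId" |
    Where-Object { $_.RoleDefinitionName -eq 'Owner' } |
    Select-Object DisplayName, SignInName, Scope |
    Format-Table -AutoSize

# When Bob leaves the team: one call, no shared secret to change.
Revoke-AllTeamAccess -SignInName 'bob@mycompany.example'
```

The Owner audit at the end is the part worth scheduling: the answer's "Cons" for individual accounts is that there are many of them to keep track of, and a periodic listing of who holds the highest role is how that is kept honest.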

Related

Per Company Sign-in Providers / Options with Azure B2C

I’m currently working on a POC to use Azure AD B2C in a multi-tenant architecture where we have a single database of users tied to companies. Presently we have around 1000 different companies. The question I couldn’t determine from documentation and Azure support is whether I can do the following:
Allow company admins to choose the sign in providers they want for their users.
Provide per company branding to the user flows.
Of course, my main consideration is doing this in a configurable and scalable way. Right now we only have a single B2C tenant set up, and it is unclear whether we need one per company or can manage it all together.
Finally, is this even the right product for these outcomes?

How to create new Microsoft organization?

I'm completely new to the MS world and trying to access an API under my personal account:
https://learn.microsoft.com/en-us/graph/api/group-list?view=graph-rest-beta&tabs=http
However this API says that it can only be accessed using Delegated (work or school account).
Can anyone explain how to set up a new organization account (taking into account that we have no organization yet), which MS service to use and which plan to subscribe to, if needed? They have so many services and it looks so confusing to assemble all this together, so please help.
As I said in the comments, first you need to have a tenant. If you have not bought an Azure subscription yet, you can also use a free account.
Then you can create a new work account or invite guest users in the tenant.

Can I use Azure Active Directory (AAD) as IAM for a multi-tenant SAAS product?

We are building an enterprise product, and expect a lot of customers not to have an Active Directory of their own.
We plan to use AAD as our IAM provider.
We plan to create a master AAD for the product, and then invite users of each customer (tenant) as external users to the master AAD, using their business email id. Each set of users for a given customer, will be added to an external group for manageability.
Would this be the right approach, for supporting multi-tenanted IAM for a product hosted in Azure?
It's a pretty hard question. AAD's multi-tenancy basically requires the org to have an AAD to have proper separation etc.
But in the case of an org not having an AAD, this is one option.
One crucial thing you must not forget with this path is to turn on the option in the AAD tenant to restrict Guest user permissions. This makes it so that the invited users can't just go to portal.azure.com and get a full list of all users in the tenant. At least usually this is a desired thing when multiple clients are in the same tenant.
Other options could be:
- Setting up an AAD tenant for each customer
  - Good separation for customers
  - There might be a limit on how many you can create
  - I'm not aware of an API you could use for this (but hey, Selenium works :D)
- Set up your own identity provider with e.g. IdentityServer
  - Maximum customizability
  - Lot of work for you to develop and maintain
Everything would of course be easier if they just had an AAD :)
It would depend on some details of the approach you want to follow. If you are expecting them to use their business email, then you may consider having Single Sign-On (many organizations expect not to need duplicate accounts, and you may want to delegate the hassle of resetting passwords to your customers).
Also, you need to determine what kind of isolation you need (do you want to have a single set of users or a clear separation by tenant?) and the budget you have for this (AAD cost is measured on a per-user basis). Azure AD B2C could also be an option, or, as @juunas mentioned, implementing your own solution with something like IdentityServer.
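The setting the first answer insists on, restricting what guest users can see in the shared tenant, can be read and tightened from PowerShell. This is an added example, not code from either answer; it assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and a Global Administrator or Privileged Role Administrator signing in. The three role ids are the values Microsoft documents for the guest-permission levels; check them against the current documentation for your cloud before applying.

```powershell
# Added example: check and tighten the tenant's guest user permission level
# (the "restrict Guest user permissions" option the answer refers to) via Microsoft Graph.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' | Out-Null

# Documented guest role ids for the three levels; verify against current docs.
$GuestRoleIds = @{
    SameAsMembers   = 'a0b1b346-4d3e-4e8b-98f8-753987be4970'  # guests see what members see
    Limited         = '10dae51f-b6af-4016-8d66-8c2a99b929b3'  # default: limited directory read
    MostRestrictive = '2af84b1e-32c8-42b7-82bc-daa82404023b'  # guests see only their own objects
}

function Get-GuestAccessLevel {
    # The authorization policy is a tenant-wide singleton; GuestUserRoleId selects the level.
    $policy = Get-MgPolicyAuthorizationPolicy
    ($GuestRoleIds.GetEnumerator() | Where-Object { $_.Value -eq $policy.GuestUserRoleId }).Key
}

$before = Get-GuestAccessLevel
Write-Host "Current guest access level: $before"

# With several customers invited as guests into one tenant, 'MostRestrictive' is the
# level that stops one customer's users enumerating another customer's users and groups.
if ($before -ne 'MostRestrictive') {
    Update-MgPolicyAuthorizationPolicy -GuestUserRoleId $GuestRoleIds.MostRestrictive
    Write-Host "Guest access level is now: $(Get-GuestAccessLevel)"
}
```

Run the read part alone first: on a tenant that was created some time ago, the value is often still 'Limited' (the default), which is exactly the state the answer warns about, where an invited guest can list the whole directory.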

Software development start-up: Signing into Microsoft services

We are a start-up software company with around 15 developers. We are almost entirely using Microsoft's technology stack.
A problem that we have at this point is the confusion between signing into Microsoft's online services.
Each developer has two accounts: an Office 365 account and a Windows Live account. The Live account is created from the Office 365 account's email address. So, essentially, we have one email address but two accounts (and thus two passwords).
When logging into an online service, we are often greeted with the following:
For many, this becomes a hit and miss with their various passwords until access is granted. From what I understand:
Work or school account: An Office 365 account OR an account set up in Active Directory?
Microsoft account: A Windows Live account?
Next, can Azure Active Directory help us in any way here?
Are we able to somehow unify our accounts so to have a "single sign-in" for Microsoft's online services?
EDIT:
Further comments on Dushyant Gill answer below.
If we don't need to register our Office365 accounts as Live accounts, then how would I typically add a user to the Azure Active Directory?
When creating a new user, I only have three options:
I guess the last option would be the correct approach if we wanted to move away from Live accounts. I want to add a user to my Azure AD from my Office365 AD?
When I try to do this, I get the following error:
Do I have to link the directories somehow?
davenewza, yes you can take action to improve the experience here (it won't be simple - but given the number of users in your company - it shouldn't be that difficult).
First, your company already has an Azure Active Directory - it is the directory behind your Office 365 subscription. Azure AD authenticates your company's users when they sign in to Office 365 services.
Second, you should use your Azure AD accounts (work or school account) to sign up for and access other Microsoft services that are meant for businesses: Microsoft Azure, Visual Studio Online, Microsoft Dynamics etc. The disambiguation screen that you see (pasted in your question) only shows up when you're signing in to a service that supports both Azure AD as well as Live accounts. So, move your Azure and other business services subscriptions to use Azure AD accounts and, as a rule of thumb, your company's users will always select the 'work or school account' option (if ever they see that screen).
Finally, let's get rid of that screen altogether: do you really need the Live accounts to run your business? (What Microsoft services are you using that need Live accounts?) If none, great - once you've moved your subscriptions to Azure AD accounts - get rid of the Live accounts. If you indeed need them - change their emails (add an _live suffix to them) - you already have two passwords anyway; different user names will reduce confusion.
Note that the second step will require you to call Microsoft support (or file online tickets) to move subscriptions for some services - however the risk of downtime is low because you already have Azure AD accounts - you might need to reconfigure permissions once the subscriptions are migrated.
I am with the Azure AD team - get in touch with me if you're stuck - contact me on http://www.dushyantgill.com
Best of luck.
ps: we are working to improve this experience - such that folks like you don't end up in this position in the first place. Stay tuned.

Adding developers to Nest account

Can I add other developers to my Nest account? I would like each member of my team to have their own Nest user account but share the same client and test devices.
Unfortunately not at this time.
The best practice with the current setup would be to create a group Nest Account for development (using a group email address, most IT departments have self-service for this) and a separate account for production (which you should do anyways)
If you would like to suggest better account management features, the best place to do so is on the Product Suggestions board in the Nest Community.
