Day: January 4, 2020

This post aims to add some sense to the whole Azure account, subscription, tenant, directory layout as well as Azure AD (Azure Active Directory) across both ASM (Classic) and ARM. I will discuss the different administrator roles from an ASM (Azure Service Management) perspective and then take a look at the new changed/updated administrator roles with ARM (Azure Resource Manager).

Access control in Azure starts from a billing perspective. The actual owner of an Azure account – accessed by visiting the Azure Accounts Center – is the Account Administrator (AA). Subscriptions are a container for billing, but they also act as a security boundary. No matter ASM or ARM, every Azure subscription has a trust relationship with at least one Azure AD instance. This means that a subscription trusts that directory to authenticate users, services, and devices. Multiple Azure subscriptions can trust the same directory, but a subscription trusts only one directory.

As for the directory, the directory that Azure uses is Azure AD. Azure AD is a separate service on its own which sits by itself and is used by all of Azure (ASM & ARM) and also Office 365. Even though there is one Azure AD, there are two subscription/authentication modes of Azure.

If you signed up to Azure using a Microsoft account, then you will get Azure with a Default Directory which you can see in the classic portal.

This Default Directory is just like normal Azure AD, however you can’t add anyone to any ASM/ARM Azure administrator role picked from this Default Directory itself, you can only add people to ASM/ARM Azure administrator roles using their Microsoft Accounts.

The opposite to this, if you signed up to Azure using the alternative methods then you can add people to ASM/ARM Azure administrator roles using both their Microsoft Accounts and/or Organisational Accounts. Until recently, you could only sign up for a new Microsoft Azure subscription using your Microsoft account (Windows Live ID). Azure now supports using either of the following two account methods to sign up: Microsoft Accounts or Work or school accounts, see https://azure.microsoft.com/en-us/documentation/articles/sign-up-organization/

However if you do have the limited Default Directory, you can create a new Azure AD directory under the subscription, then you can change the default directory in which the Azure subscription uses. This will then allow you to add both Work/School and Microsoft Accounts. How? See https://support.microsoft.com/en-au/kb/2969548

There are separate roles for Azure AD as follows, remember these have nothing to do with Azure itself. The following are the different Directory Administrator roles.

• Global Administrator
• Billing Administrator
• Service Administrator
• User Administrator
• Password Administrator

Then there’s Azure itself. With Azure there’s the subscription to Azure itself which is more of a billing thing, this is where Azure based roles come in.

The Azure based roles are slightly different considering what Azure platform you are using, whether ASM(Azure Service Management (Classic)) or ARM (Azure Resource Management).

ASM (Azure Service Management (Classic))

Remember, depending on how you signed up with Azure, you can add both Organisational Accounts to these roles as well as Microsoft Accounts, or just Microsoft Accounts.

• Account Administrator
• Service Administrator
• Co-Administrator

Each subscription has a Service Administrator (SA) who can add, remove, and modify Azure resources in that subscription. The default SA of a new subscription is the AA, but the AA can change the SA in the Azure Accounts Center.

Subscriptions have an association with a directory. The directory defines a set of users. These can be users from the work or school that created the directory or they can be external users e.g. Microsoft Accounts. Subscriptions are accessible by a subset of those directory users who have been assigned as either Service Administrator (SA) or Co-Administrator (CA); the only exception is that, for legacy reasons, Microsoft Accounts (formerly Windows Live ID) can be assigned as SA or CA without being present in the directory.

This diagram takes a step above the Azure Account / Tenant level into the Enterprise EA level just so you can see the overall perspective from the entire hierarchy. However, many of you would be setup with Azure in the middle (account) level by possibly using a credit card or other type of licensing. Or some might be setup with the bottom level only in the case of CSP licensing.

Here’s the reference URLs I got the information from:

How Azure subscriptions are associated with Azure Active Directory
Understanding resource access in Azure

ARM (Azure Resource Management)

How does the above ASM based Classic roles tie in with Azure Resource Manager roles? Remember, Azure AD remains the same with the same Directory Administrator roles, the difference being the different administrator roles on the Azure ARM platform.

The built-in core roles are as follows and have no affiliation or access to ASM:

Owner: Let’s you manage everything, including access to resources

• Closest ASM match: Service Administrator

Contributor: Let’s you manage everything except access to resources

• Closest ASM match: Co-Administrator

Reader: Let’s you view everything, but not make any changes

The Enrolment

Managed using http://ea.azure.com

At the very top-level from a licensing perspective, you can have multiple Azure Enrolments, here you can select the enrolment you want to work with. You need to be an Enterprise Administrator to access this. There can be an unlimited number of Enterprise Administrators.

The other thing you need to do is change the Enrollment Authentication Level to ‘Mixed Account‘ so that you have the ability to add both Microsoft Accounts and/or Work or School accounts as Account Administrators.

The Department

Also managed using http://ea.azure.com

Once you select the Enrolment you are working with, you then select ‘Department‘ at the top. This is where you can see all the departments in which you are the Department Administrator for and you can setup more departments which can be setup as a logical segmentation of a company or application.

The Account

To save some confusion, this part is not a generic account (like what a department and subscription is), but more so an individual account for a person, who will ultimately become the Azure Account Administrator. The AA can manage and setup Azure subscriptions, at which point will also become – by default – the Service Administrator for the subscription as well at the time of subscription creation.

Notice, this part is managed using two portals.

You will use http://ea.azure.com only to first setup the Account Administrator under the relevant department, whether it be a Microsoft Account or a Work/School (Organisational) account, this is where you do it.

At this stage, once you add in the account, it can take up to 24 hours for it to actually add itself in and will sit at ‘pending‘ for a while.

Once it goes through and gets setup, the email you used when adding the Azure account administrator, that person will get an email to acknowledge being added as an Azure account administrator with a link to logon to the Azure Account portal.

You can speed up the process, if you get the new Azure account administrator to logon to http://ea.azure.com with their account, it will ask them to confirm – with a warning. If the new Azure account administrator has other subscriptions anywhere else e.g. Pay-As-You-Go, then these will all get transferred to under the EA at this time including all billing for the Azure subscription, so be careful!!! If the new Azure account administrator doesn’t manage any Azure subscriptions, then you don’t really need to worry about the warning.

Please note: at this point, even through that adding a work/school account from an Azure AD directory is an option, the ‘directory‘ doesn’t have to have any affiliation with the EA, nor does the Microsoft Account. In saying this, you can use an account from a new Azure AD directory, or an existing Azure AD directory, e.g. if you are using Office 365 and AD Connect to sync on-prem accounts to Azure AD, you can use any of these accounts.

Once the account has been completed being setup, the Account Administrator will get an email.

The Subscription

All Azure subscriptions can then be created and managed by the Account Administrator and this is all done by using the Azure Account portal  http://account.windowsazure.com  then by clicking on ‘Account‘ at the top.

From here you will notice you have the option of adding a new subscription.

Or, you can edit an existing subscription. If you click on an existing subscription, by default all Azure Enterprise based subscriptions are named ‘Microsoft Azure Enterprise‘. You have the option to ‘Edit Subscription Details‘.

Here you can rename the Azure subscription or rename the Azure subscription in the Azure portal. Also under ‘Edit Subscription Details‘ you change the Service Administrator to someone else. Remember that with all new Azure subscriptions which are created by the Account Administrator, Azure stamps the Account Administrator as the Service Administrator by default, this is where you change that.

The Azure Hierarchy

And this is the whole thing visually.

A few pointers:

As long as you remember that an Azure directory (also referred to as AAD/Tenant) is totally separate to the Azure subscription.

Imagine you wanted to transfer an Azure Subscription from PAYG to an EA while keeping the existing directory.

• You would follow this article, tick Retain this subscription within my Azure AD – however the account owner you are transferring it to, this person would need to exist in the current tenant attached to the incoming subscription otherwise they would get another error The requester has specified that the subscription be retained within their organization. Please contact the requester and ask them to either update their request or add you to their organisation….

Imagine you had your EA set to Microsoft Account mode and you wanted to add a new Accountwhich was a Work or School account.

• You would get an error like this: The login information provided is not a valid user. If you believe you have received this message in error, please contact customer support. Simply change the EA to be set for Work or School Account Cross Tenant authentication. If you have Microsoft accounts already setup as other account owners, this won’t break these accounts.