This was a question from an education customer in the southwest. They had been using Azure for about two years in production and now were standing up Office 365 and Azure AD with AAD Connect associated to an existing EOP Azure AD tenant. The customer question became how can you join an existing Azure subscription to another parallel Azure AD instance (EOP, Office 365)?
Azure AD and Azure
Every Azure subscription comes with a default Azure Active Directory (AAD with a .onmicrosoft.com address). It is recommended to use Azure AD credentials over your Microsoft Account/LiveID for managing Azure subscriptions since you have more control and flexibility. In my customer’s case, they had an Azure AD they had been using with their Azure subscription but now they wanted to integrate with their on premises AD which was integrated in another Azure AD instance.
The problem they ran into is they were not able to validate production domains, such as contoso.edu, from their local AD because the domains were already in use in another Office 365/EOP default Azure AD instance.
How then do you associate an existing Azure subscription with another existing Office 365 Azure AD instance rather than the default Azure AD instance?
I put together steps to change your default Azure AD in your Azure subscription to another existing Azure AD:
Associating existing Azure ADs to your Azure subscriptions
1. Log into the Azure classic portal using an Azure subscription owner role for a Microsoft Account/LiveID See here (note: it cannot be an Azure AD login since ‘Use existing directory’ option below will not appear)
2. Click New > Active Directory > Directory > Custom Create
3. Click Use existing directory
4. Click I am ready to be signed out now. note: if this option isn’t visible see step 1 note
5. Sign in with your Office 365 Global Admin credentials which tied to the target Azure AD instance
6. Click the Identity in the upper right corner of the Azure portal and verify it is associated:
You see the new Office 365 Azure AD directory associated under the login like ‘Contoso School District’ below:
7. In the classic Azure portal go to ‘Settings’ > ‘Subscriptions’ tab and then click ‘Edit Directory’ and change the directory to the Office 365 Azure AD:
8. From the main Azure portal, elevate new Azure AD users (e.g. firstname.lastname@example.org) from the newly associated Office 365 Azure AD to be co-administrator in the existing Azure subscription under ‘Subscriptions’ > Access Control (IAM) > Add and add in any co-admins from the new Azure AD:
See more on adding elevated permissions here.
9. Log into the Azure portal with your Office 365 Azure AD credentials to validate all worked:
One important piece to understand is you should now log in to the Azure subscription using the newly associated Azure AD credentials and avoid using the Microsoft Account/LiveID. This keeps the identity context within the Azure subscription using the new Azure AD association.
See more on Azure AD and Subscriptions here.