Microsoft Azure How Subscription Administrators & Directory Administrators Differ

If you are new to Microsoft Azure you may find that it is somewhat difficult to determine the security boundaries of the administrative roles that are provided, or you may sign up for Azure using a Microsoft Account and find that not all of your administrators can see the Windows Azure Active Directory, or that not all of your administrators are able to access your Microsoft Azure subscription. I hope that this article helps explain the security boundaries of the administrative roles, so that you understand the roles better and can adopt the security implementation that best protects your business.

I have found that some people get confused when working with the Microsoft Azure Account Administrator, Subscription Administrator and Directory Administrator accounts. Each of these areas is fully documented by Microsoft and I will link to that documentation for more in-depth explanations, but I wanted to cover this in what I hope is a simpler approach for those of you who are having issues with missing directories, an inability to log in to your Azure subscription with certain accounts, and so on.

What is the difference between an Azure Account and a Subscription?

An Azure account determines how Azure usage is reported and who the Account Administrator is.

Subscriptions help you organize access to cloud service resources. They also help you control how resource usage is reported, billed, and paid for. Each subscription can have a different billing and payment setup, so you can have different subscriptions and different plans by department, project, regional office, and so on. Every cloud service belongs to a subscription, and the subscription ID may be required for programmatic operations.

Accounts and subscriptions are created at the Azure Account Center. The person who creates the account is the Account Administrator for all subscriptions created in that account. That person is also the default Service Administrator for the subscription.

The following graphic depicts the primary role that the Account Administrator plays in creating and managing Azure subscriptions.

[image: azure_account_subscription]

You can find out more information about this here: https://msdn.microsoft.com/en-us/library/azure/hh531793.aspx

What is the difference between Subscription Administrators and Directory Administrators?

Type                         Role
Subscription Administrators  Service Administrator
                             Co-Administrator
Directory Administrators     Global Administrator
                             Billing Administrator
                             Service Administrator
                             User Administrator
                             Password Administrator

You can find out more information on what administrative rights each role gives the user in the following article: https://technet.microsoft.com/en-us/library/hh852528.aspx (note: this says Office 365, but it is the same for any Windows Azure Active Directory).

  • Subscription Administrators are user accounts that will be either Microsoft Accounts (Live IDs) or Organizational Accounts that exist in the default directory for the subscription.
    • If these subscription administrators are NOT administrators of the directory, they will not see it under the Active Directory node when they log in to Microsoft Azure.
    • If a Microsoft Account is a co-administrator and you want that user to be able to see the directory, you need to add them to the directory as an administrator.
      • You can do this by logging in to the directory within Azure as a subscription administrator that does have access to the directory, selecting Add User and then selecting “User with existing Microsoft Account”.
  • Directory Administrators are user accounts that are homed in the directory and are administrators of that particular directory, but they may not have administrative access to the subscription.
    • If these administrators are NOT added as co-administrators of the subscription, they will receive the error shown below when they attempt to log in to the Microsoft Azure Management Portal.
      • If these administrators need to administer the directory itself, they should browse to portal.microsoftonline.com.
        • This is great if you want someone in your team to be able to administer the directory without having access to the subscription services.

[image: no_subscriptons_were_found]

Note: it is important to be aware that even if a user account is a Global Administrator of a directory, this does not give them access to your Azure subscription, so ensure they are given the appropriate access on the subscription administration side if they require it.

This is how it all fits together, but to place this into a real-life scenario:

Scenario

I find that many of you may have adopted Microsoft Azure for the first time and signed up with your Microsoft Account (Live ID), so this account normally ends up being the Account Administrator and Service Administrator. You then find that you want to add an Organizational Account to your subscription as a Co-Administrator, or even replace the Service Administrator, and in order to do this you create a Windows Azure Active Directory or use the DEFAULT directory that is created when you sign up for Azure for the first time. You then go ahead and add your vanity domain, because you don’t want your organizational accounts to use the onmicrosoft.com domain space, and then you find you have issues verifying it because it is potentially already in use by another directory, for example Office 365.

Resolution

In order to move forward with this, you effectively need to link the Office 365 directory that was created when you adopted Office 365 to your Microsoft Azure subscription. To do this you need to go through the following steps:

  1. Sign in to the Microsoft Azure Management Portal with your Service Administrator account: https://manage.windowsazure.com
  2. Once you are signed in, go to New > App Services > Active Directory > Directory > Custom Create
    1. In the wizard, select “use existing directory” and then select the check box saying ‘I am ready to be signed out now.’
    2. When you are signed out you will be redirected to login.microsoftonline.com; at this point sign in with a Global Administrator account for the Directory/Office 365 service.
    3. Once signed in you will get a prompt saying “Use <insert company> directory with Windows Azure”; click Continue.
      1. This will create a Global Administrator account for your Microsoft Account (Live ID) in the alternative Directory/Office 365.
    4. When this has completed, click ‘sign out now’, which will redirect you to the Azure Management Portal. Log in with your Microsoft Account (Live ID).
  3. You will now find that your alternative directory/Office 365 appears in the Microsoft Azure Management Portal under the Active Directory node.
  4. Now you need to make this directory the Default Directory for the Microsoft Azure subscription.
    1. In the Microsoft Azure Management Portal, go to Settings > Subscriptions > Select Subscription > Edit Directory
      1. Follow the wizard. It will warn you of any administrative account changes, i.e. if you added a co-administrator from the default directory which Azure built when you created the subscription, that account will be removed as a co-administrator.
    2. When this has completed, the portal will reload and you will find the URL at the top changes to manage.windowsazure.com/alternatedirectory.onmicrosoft.com
  5. You will now be able to add your alternate directory/Office 365 organizational accounts as Co-Administrators, or replace the Service Administrator for the subscription.

Notes:

  • It is important, especially from a business perspective, for you to have control of your administrative accounts so that if anyone should leave you are able to remove their access to company services with ease. This is the main reason why you should adopt organizational accounts for access to Microsoft Azure services.
  • It might also be a requirement for you to have the single sign-on experience, just like you do for Microsoft Office 365. Doing this allows your administrators to seamlessly access the Azure Management Portal and also allows your users to seamlessly access 3rd party services that you may later set up to use Azure Active Directory as the identity store.
  • If you signed up for Microsoft Azure using your existing Organizational Account for Office 365, you will find that the Default Directory is already your existing directory (the one created when you signed up for Microsoft Office 365, for example), in which case none of the above is required, but we shall cover some of the things you may want to do later in the article.

Providing you more for your money!

If you have Office 365 currently running in your organization, what you probably do not realise is that you get more than just Office 365 with that service: you also get a bunch of great features within Microsoft Azure. Check out the table at the following URL: https://azure.microsoft.com/en-us/pricing/details/active-directory/ ALL of the ‘Free’ features apply to Office 365 directories; you just need to sign up for a Microsoft Azure subscription, or link your Office 365 directory to an existing subscription, to benefit.

I think this is a great image that shows how all the enterprise cloud services such as Office 365, Intune and Dynamics CRM use Windows Azure Active Directory as their directory service. This is the same directory you get within Azure itself, so you have a lot available to you; that directory is more powerful than you think and can provide you more for your money.

How portals work with Windows Azure AD

You should check out the following information on Windows Azure Active Directory to see how powerful it really is: https://azure.microsoft.com/en-us/services/active-directory/ Be sure to check out the Cloud Applications section; this allows you to use Windows Azure Active Directory as the identity provider for some of the best known products on the market for organizations, such as Salesforce, Office 365, Box and many more.

And don’t forget about Azure AD Premium, which you can find out about here: https://msdn.microsoft.com/library/azure/dn532272.aspx

Appendix:

  • If you already have directory sync set up with what you foresee as your Office 365 directory and you then add this to your Windows Azure subscription, you will not need to make any changes to the way this works.
  • If you already have federated identity set up with what you foresee as your Office 365 directory and you then add this to your Windows Azure subscription, you will not need to make any additional changes to the way this works.
  • If you changed the default directory for your Microsoft Azure subscription, you may wish to delete the directory that was created when you signed up with your Microsoft Account. You can do this by following these instructions: https://www.edutech.me.uk/active-directory/how-to-delete-windows-azure-active-directory-waad/

In general, the more administrators you have, the more you need to be concerned about guidelines and best practices. Even if your services today are small and have few administrators, following best practices in subscription and account management will help you maintain order as your services grow.

  • Use organizational accounts for all administrative roles. This enables you to harness the power of Azure Active Directory for governance. You can use directories to manage users and delegate assignment as appropriate for your business. See Azure Active Directory for more information.
  • Any time you add or change an administrative role assignment, use the same domain name you are logged in with. For example, if you’re an Account Administrator in the contoso.onmicrosoft.com domain, and you re-assign the Service Administrator for a subscription, add them with a User ID in the contoso.onmicrosoft.com domain. Do the same if you’re adding co-administrators in the Azure Management Portal.
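To make the two boundaries above concrete, here is an added example that is not part of the original article and is not Microsoft tooling. It models a directory (with its domains and role members) and a subscription (with its Service Administrator and Co-Administrators) using constructed, hypothetical users and domains, and reports the gaps this article warns about: Global Administrators who would get “No subscriptions were found”, subscription administrators who will not see the directory under the Active Directory node, administrators added from a domain other than the default directory’s, and administrators that are Microsoft Accounts rather than organizational accounts. Role names follow the table earlier in the article; everything else in the data is made up for illustration.

```python
"""Audit of the subscription-side and directory-side administrator boundaries.

All users, domains and subscription details below are constructed sample data
(hypothetical), not taken from any real tenant.
"""
from dataclasses import dataclass, field


@dataclass
class Directory:
    """A Windows Azure AD directory: its domain names and role memberships."""
    name: str
    domains: set                        # onmicrosoft.com domain plus any vanity domains
    role_members: dict = field(default_factory=dict)  # role name -> set of user IDs

    def administrators(self):
        """Every user holding any directory administrator role."""
        members = set()
        for users in self.role_members.values():
            members |= set(users)
        return members


@dataclass
class Subscription:
    """An Azure subscription: its default directory and subscription administrators."""
    name: str
    default_directory: str              # domain of the directory the subscription is linked to
    service_administrator: str
    co_administrators: set = field(default_factory=set)

    def administrators(self):
        """Service Administrator plus all Co-Administrators."""
        return {self.service_administrator} | set(self.co_administrators)


def user_domain(user_id):
    """Domain part of a user ID such as alice@contoso.com, lower-cased."""
    return user_id.rsplit("@", 1)[-1].lower()


def global_admins_without_subscription_access(directory, subscription):
    """Directory Global Administrators who would see 'No subscriptions were found'."""
    global_admins = directory.role_members.get("Global Administrator", set())
    return set(global_admins) - subscription.administrators()


def subscription_admins_not_directory_admins(directory, subscription):
    """Subscription administrators who will not see the directory in the portal."""
    return subscription.administrators() - directory.administrators()


def admins_outside_directory_domains(directory, subscription):
    """Administrators whose user ID is not in one of the default directory's domains."""
    return {u for u in subscription.administrators()
            if user_domain(u) not in directory.domains}


def microsoft_account_admins(subscription, account_types):
    """Administrators that are Microsoft Accounts (Live IDs), not organizational accounts."""
    return {u for u in subscription.administrators()
            if account_types.get(u) == "microsoft"}


def audit(directory, subscription, account_types):
    """Run every check for a subscription against its default directory."""
    if subscription.default_directory.lower() not in directory.domains:
        raise ValueError("subscription %s is not linked to directory %s"
                         % (subscription.name, directory.name))
    return {
        "global_admins_without_subscription_access":
            global_admins_without_subscription_access(directory, subscription),
        "subscription_admins_not_directory_admins":
            subscription_admins_not_directory_admins(directory, subscription),
        "admins_outside_directory_domains":
            admins_outside_directory_domains(directory, subscription),
        "microsoft_account_admins":
            microsoft_account_admins(subscription, account_types),
    }


# Constructed sample data (hypothetical tenant, users and domains).
CONTOSO = Directory(
    name="Contoso",
    domains={"contoso.onmicrosoft.com", "contoso.com"},
    role_members={
        "Global Administrator": {"alice@contoso.com", "erin@contoso.com", "james@outlook.com"},
        "Password Administrator": {"bob@contoso.com"},
    },
)
SUBSCRIPTION = Subscription(
    name="Pay-As-You-Go",
    default_directory="contoso.onmicrosoft.com",
    service_administrator="james@outlook.com",        # the Live ID that signed up for Azure
    co_administrators={"alice@contoso.com", "dave@fabrikam.com"},
)
ACCOUNT_TYPES = {
    "james@outlook.com": "microsoft",
    "alice@contoso.com": "organizational",
    "dave@fabrikam.com": "organizational",
}

if __name__ == "__main__":
    for finding, users in audit(CONTOSO, SUBSCRIPTION, ACCOUNT_TYPES).items():
        print(finding, sorted(users))
```

Running it on the sample data flags erin (a Global Administrator with no subscription role), dave (a co-administrator who is not a directory administrator, so the directory will not appear for him), james and dave as administrators outside the directory's domains, and james as a Microsoft Account that the best practice above would replace with an organizational account.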

I hope that you found this of use, if you have any further questions please be sure to let me know.

Thanks,

James.