This is part 1 of a 2 part series on the synergy between O365 Organizational IDs, Microsoft Accounts, and Azure Active Directory. In this first post we lay the groundwork with terms and key points. In the second part we show how to use and leverage these concepts in unison with each other.
A Microsoft account is the new name for what was previously called a “Windows Live ID.” Your Microsoft account is the combination of an email address and a password that you use to sign in to services like Hotmail, Messenger, SkyDrive, Windows Phone, Xbox LIVE, or Outlook.com. If you use an email address and password to sign in to these or other Microsoft services, you already have a Microsoft account. Examples of a Microsoft account may be firstname.lastname@example.org or email@example.com and can be managed here: https://account.live.com/. Once you log in you can manage your personal account information including security, billing, notifications, etc.
An Organizational Identity (aka OrgID) is a user’s identity stored in Azure Active Directory (AAD). O365 users automatically have an OrgID as AAD is the underlying directory service for O365. An example of an organizational account might be
Why Two Different Identities?
A person’s Microsoft account is used by services generally considered consumer oriented. The user of a Microsoft account is responsible of the management (i.e. password resets) of the account.
A person’s Organizational Identity is managed by their organization in that organization’s AAD tenant. The identities in the AAD tenant be synchronized with the identities maintained in the organization’s on-premise identity store (i.e. on-premise Active Directory). If an organization subscribes to Office 365, CRM Online, or Intune, user organizational accounts for these services are maintained in AAD.
Tenants and Subscriptions
AAD tenants are cloud-based directory service instances and are only indirectly related to Azure subscriptions through identities. That is identities can belong to an AAD tenant and identities can be co-administrator(s) of Azure subscription. There is no direct relationship between the Azure subscription and the AAD tenant except the fact that they might share user identities. An example of an AAD tenant may be contoso.onmicrosoft.com. An identity in this AAD tenant the same as a user’s OrgID.
Azure subscriptions are different than AAD tenants. Azure subscriptions have co-administrator(s) whose permissions are not related to permissions in an AAD tenant. An Azure subscription can include a number of Azure services and are managed using the Azure Portal. An AAD tenant can be one of those services managed using the Azure Portal.
Many Types of Administrators
Once you understand the types of accounts, tenants, and subscriptions, it makes sense to discuss the many types of administrators within AAD and Azure.
Admins in AAD
An AAD Global Administrator is an administrator role for an AAD tenant.
- If integration of duties across Azure and AAD is desired an AAD Global Administrator will require assignment as a co-administrator to an Azure subscription to manage. This allows that Global Admin to manage their Azure subscription as well as the AAD tenant.
- If the desire is separation of duties those that manage the organization’s production Azure subscription are separate from those that manage the AAD tenant. Create a new Azure subscription and only add AAD Global Administrators as Azure co-administrators. This will provide an AAD management portal while separating the two different administration functions – Azure production versus AAD production. In the near future the Azure Portal will provide more granular management capabilities eliminating the need for an additional Azure subscription for separation of duties.
Admins in Azure
Depending upon the subscription model there are many types of Admins in Azure.
Azure co-administrator is an administrator role for an Azure subscription(s). An Azure co-administrator will require Global Administrator privileges (granted in their AAD’s organizational account) to manage the AAD tenant as well as the Azure subscription.
Azure Service administrator is a special administrator role for an Azure subscription(s) who is assigned the subscription. This user cannot be removed as an Azure administrator until they are unassigned from the Azure subscription.
Azure account administrator/owner monitors usage and manages billings through the Windows Azure Account Center. A Windows Azure subscription has two aspects:
- The Windows Azure account, through which resource usage is reported and services are billed. Each account is identified by a Windows Live ID or corporate email account, and is associated with at least one subscription.
- The subscription itself, which governs access to and use of Windows Azure subscribed service. The subscription holder uses the Management Portal to manage services.
The account and the subscription can be managed by the same individual or by different individuals or groups. In a corporate enrollment, an account owner might create multiple subscriptions to give members of the technical staff access to services. Because resource usage within an account billing is reported for each subscription, an organization can use subscriptions to track expenses for projects, departments, regional offices, and so forth. In this scenario, the account owner uses the Windows Live ID associated with the account to log into the Windows Azure Account Center, but does not have access to the Management Portal unless they create a subscription for themselves.
Further information about Azure administrator roles can be found here:
In Part 2 of this post (upcoming) we will examine the different use cases for AAD and Azure with respect to administrative access and the ability to authenticate and provide permissions to your directory and Cloud resources.