My name is Kanna Ramasubramanian and I am a Program Manager in Azure Active Directory on the Customer Success Team like Ryen, Mark, Sean and Chad. This is another post in our mailbag series that we’ve been trying to do each Friday and we have one we think you’ll really enjoy.
One area that causes significant confusion is the link between Azure subscriptions and Azure AD. In this post, I will try to address some of your top concerns and hopefully, smooth the adoption and integration of Azure AD within your own environment.
If you find these answers helpful please feel free to share this post on social media. If you have additional questions, please let us know in the comments section below or Tweet @AzureAD, @MarkMorow and @Alex_A_Simons. Now let’s get to this mega mailbag.
Question 1: Aarrgghhh! I’m a Global Administrator for my Azure AD, so why am I getting this error and how can I make it go away?
Answer: I have to say that this is one of the most frequently asked questions about Microsoft Azure. Let me guess – you’ve tried logging in to the Azure admin portal (http://manage.windowsazure.com) with your Azure AD account and you’re wondering why it won’t let you.
It’s because you need to be an administrator (or co-administrator) of an Azure subscription to enter the Azure admin portal at http://manage.windowsazure.com. The Azure AD account you logged in with does not have admin rights to any Azure subscription, which is why you’re seeing this screen. If you already are a paying (not trial) user of any of the Microsoft online services (e.g. Office 365, Intune or Azure AD), you can get yourself an Azure subscription by navigating to http://aka.ms/AccessAAD, as described further down below (Question 7). If not, you can also sign up for a trial subscription to Azure.
Once you’ve got an Azure subscription, you can manage your Azure AD directory through the admin portal without any further annoying prompts. Job done.
Note: An Azure subscription itself is free; however, when you sign up for a trial, you are asked to provide details of a valid credit card. A trial subscription is good for a month and gives you $200 credit towards Azure services during that period. You only pay for any Azure services that you consume in excess of that initial amount and you can cancel any time you like.
Question 2: Tenant, directory, subscription, account… lots of new terms here. Can you explain Microsoft Azure more simply for me?
Answer: Ok, do not attempt this at home. We’re highly trained professionals in the art of analogies, and even we shudder, but since you asked, here goes…
Imagine this. You run a company called Adatum Corp. and your organization has just leased a floor of a commercial high-rise building called “Contoso Towers”, a building in downtown Bellevue owned by soup-to-nuts conglomerate Contoso Inc. Everyone is looking forward to working in this brand-new shiny building, as it has a health club with an on-site pool and fully-equipped gym.
You and your employees have all been issued identity cards that give you all access to the main door of the building and then let you onto the floor where your company works. Within your floor, each employee’s access card provides entry to different rooms and enables them to use resources that you determine (well, they are your resources). You maintain a list of all your resources along with the names of the employees who can access them in a ledger that the Contoso Towers management provides. If an employee quits your company, all you need to do is to strike them off the ledger, and their access rights to the building, your floor and any of your resources are immediately revoked.
At the top of the tower is the “Contoso Towers Club House”, which is where the pool and gym are located.
Contoso Inc runs a promotion so that you get to use the facilities for free during your first month, as long as you don’t exceed 10 hours in the pool and the same in the gym. Afterwards, whenever you use these services, Contoso Towers bills you at the end of each month for the time that you have used.
What you need to remember is that your company access card doesn’t automatically include access to the Club House. If you want access to the facilities on that floor, you need to go to the reception desk of the tower lobby and present your company access card for registration. The receptionist then records your credit card information for monthly billing purposes and enables access to the club house floor.
Assuming you don’t go over your time limit in the gym or the pool, your first month sampling the delights of the gym and pool is entirely free. After that, when you use the facilities, you get a bill at the end of the month for the services you used. There’s no subscription charge for the right to access the Club House though – you can go in there any time you like and not pay a penny as long as you don’t actually use the facilities.
Contoso Inc even allows the general public to use the Club House. To gain access, individuals have to register themselves at the “Contoso Towers Registration Center” which is located in a separate building in the central courtyard. This Registration Center is responsible for handling registrations from the general public for other Contoso Inc facilities in the Bellevue, Redmond and Seattle areas.
Having registered, these individuals are given an access card that lets them inside Contoso Towers. To get to the Club House, they also go to the reception desk, where they present valid credit card details just as an employee does. The external user can now access their free month in the gym and pool, and then pays for any usage in excess of that month. Contoso also maintains a ledger of these outside users but this register is separate from the ones that Contoso uses for its tenants.
Let’s explain this analogy and I hope you will then understand what is going on with Microsoft Azure and Azure AD. You’ve probably guessed that Contoso Inc represents Microsoft Corp. Contoso Towers is the suite of Microsoft online services. Your company, Adatum Corp., is a tenant in Microsoft online services and the leased floor represents Microsoft online licensable services such as Azure AD, Office 365 etc.
Each of your employees has an access card, also known as a “Work or school account” for when you log on. The ledger that you control is your company’s directory in Azure AD, which holds details on your employees and the resources they can access on your floor.
The Contoso Tower Club House is the Microsoft Azure management portal and the pool and gym are Azure services, such as virtual machines, storage, cloud services and so on. The reception desk that controls access to those facilities is the Azure subscription sign-up process, where you present your credit card details. When someone from the general public (as in, outside the context of a Contoso tenant) registers to use the clubhouse, that individual relies on a Microsoft account (aka MSA, LiveID, Hotmail etc.) to identify themselves. As a part of signing up to the clubhouse they are given a tenant, named “default directory”. Their personal account and clubhouse registration are recorded in this “default directory”. They can invite others to use their registration by adding them to their “default directory” and giving them permissions on the subscription. They can also decide to move their clubhouse registration to another Contoso tenant context, but more about this later.
Note: If you revisit the reception desk and register with another Microsoft account you will end up with an additional “default directory”.
What happened when you hit the frustrating error at the start of this answer is as follows: you tried accessing the Club House (Azure management portal) with your company-provided access card (Azure AD account) without first registering with reception at the bottom of the building. It is irrelevant that your tenant account might be an admin on your floor – that status still doesn’t give you access to the Club House.
Of course, you could go and sign up at the Registration Center for a new MSA, then come to the reception, present your credit card details and get access to the Club House that way (along with your free month in the gym and pool), but you wouldn’t then be able to use that card to gain access to the floor on which you work and neither would you be able to use any Adatum resources. In addition, you’d be needlessly carrying around two cards – your company (tenant) card and your MSA (private) one.
I hope that the reasons for the error are now clearer. Let’s move on to review other aspects of this relationship.
Question 3: What is the relationship between Azure services and Azure AD?
Answer: In simple terms, Azure AD controls access to Azure services.
In general, when you log in to the Azure management portal, the resources you see are derived from your list of subscriptions; the one exception is the list of directories. As suggested above, that relationship is actually reversed: an Azure subscription is created within an Azure AD directory, whereas Azure resources are created within the context of an Azure subscription. In other words, Azure AD directories (with the exception of Azure AD B2C) are NOT Azure resources; rather they are the containers in which Azure subscriptions are recorded and in which you manage permissions to those subscriptions and their related resources. As a result, the directories you see are those of which your currently logged-in account is a member, and this directory list is therefore independent of the list of subscriptions you have. Your permissions within each directory are recorded and evaluated separately for the different resources represented in the directory. Permissions to manage the directory itself (e.g. create users, view reports, manage access to applications) are defined by the directory role assigned to you in each directory. These are separate from any permissions you may have on your Azure subscriptions. The following diagram depicts a typical scenario with relationships across Azure AD directories and Azure subscriptions:
Creating a new Azure subscription requires an account in an Azure AD directory. As indicated above, this could be an Azure AD account (aka “Work or School” account) or an MSA account. If you already have an Azure AD account, you can log in and create the subscription in the same directory. Otherwise when you create a new Azure subscription, a new directory is created in the process. If you do this with an MSA, the resulting directory will be “default directory” whereas with an Azure AD account you can create a directory with a name of your choice. If you want to administer your Azure subscription, then the account that you use to authenticate needs to be present in the Azure AD directory where that subscription was created and have permissions to that subscription.
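The two-sided nature of this relationship is easy to see from PowerShell. The script below is an added example and not part of the original post or of any Microsoft sample: it walks every directory the signed-in account belongs to, lists the subscriptions recorded in each, and shows the account’s subscription-side permissions (Azure RBAC plus the classic Service Administrator / Co-Administrator roles) separately from its directory-side roles. It assumes the Az module (Connect-AzAccount, Get-AzTenant, Get-AzSubscription, Get-AzRoleAssignment) and the MSOnline module (Connect-MsolService, Get-MsolUserRole) are installed; the post’s own era used the AzureRM and MSOnline cmdlets, of which these are the successors.

```powershell
# Added example (not from the original post): inventory directories,
# subscriptions and permissions for the signed-in account.
# Assumes the Az module and the MSOnline module are installed.

Connect-AzAccount | Out-Null
$me = (Get-AzContext).Account.Id   # UPN of a work/school account, or MSA e-mail
Write-Host "Signed in as $me"

# 1. Directories come from directory membership, not from subscriptions.
foreach ($tenant in Get-AzTenant) {
    Write-Host "`nDirectory: $($tenant.Name) ($($tenant.Id))"

    # 2. Subscriptions recorded in this directory. A directory with none
    #    visible to you is exactly the "No subscriptions found" situation.
    $subs = Get-AzSubscription -TenantId $tenant.Id -ErrorAction SilentlyContinue
    if (-not $subs) {
        Write-Host "  (no subscriptions visible to $me in this directory)"
        continue
    }

    foreach ($sub in $subs) {
        Set-AzContext -Subscription $sub.Id -Tenant $tenant.Id | Out-Null
        Write-Host "  Subscription: $($sub.Name) [$($sub.State)]"

        # 3. Subscription-side permissions: RBAC assignments plus the classic
        #    Service Administrator / Co-Administrator roles that gate access
        #    to the old manage.windowsazure.com portal.
        Get-AzRoleAssignment -IncludeClassicAdministrators |
            Where-Object { $_.SignInName -eq $me } |
            ForEach-Object {
                Write-Host "    $($_.RoleDefinitionName) at $($_.Scope)"
            }
    }
}

# 4. Directory-side permissions are a separate matter. Being Global
#    Administrator here says nothing about any subscription, and vice versa.
#    MSOnline connects to the account's home directory only, and the UPN
#    lookup below is for work/school accounts (a guest MSA has a #EXT# UPN).
Connect-MsolService
$roles = Get-MsolUserRole -UserPrincipalName $me
if ($roles) {
    Write-Host "`nDirectory roles for $me in the home directory:"
    $roles | ForEach-Object { Write-Host "  $($_.Name)" }
} else {
    Write-Host "`n$me holds no directory roles in the home directory."
}
```

Run this as the account that hits the grey box and the two halves of the output explain it: the account appears in step 1 because it is a directory member, but step 3 prints nothing (or step 2 reports no subscriptions), and a Global Administrator role in step 4 does not change that.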
Question 4: How do MSA and Office 365 subscriptions figure in that explanation?
Answer: The following diagram shows the interrelation between Office 365, Azure, and CRM subscriptions, and how they link to MSA and Azure Active Directory instances.
In this example, there are two separate Azure AD directories (Azure AD 1 and Azure AD 2) and one consumer directory (MSA). Each Azure AD directory instance contains a list of users and a number of different types of subscriptions associated with it. Notice that subscriptions can only be accessed by users in the same directory.
Authentication can occur through any of the user accounts in each respective directory instance. In the above picture, Users 1, 2, 3 or MSA 2 can authenticate to Azure AD 1, or through Azure AD 1 to subscriptions and resources within it, and Users 4, 5, 6 or MSA 1 can do the same with Azure AD 2.
The blue dashed lines indicate the relationships between subscriptions – in these cases representing licensable products – and user accounts connected to those subscriptions. In other words, the blue dashed lines represent assigned licenses. Hence, User 1 and User 2 can access O365 1, User 2 and User 3 can access CRM 1, whereas Users 4, 5, and 6 can access O365 2.
The red dashed lines indicate which accounts have permissions on the corresponding subscriptions. Supported permissions for Azure subscriptions are the admin or co-admin roles in the http://manage.windowsazure.com portal, or any role assigned through Azure Role-Based Access Control (RBAC), the newer access model. Both the admin and co-admin roles grant full read/write permissions on all resources included in a subscription, as well as the ability to create new resources through the subscription. So User 1 is admin/co-admin for Azure 1, both User 3 and MSA 2 are admins/co-admins for Azure 2, and both User 4 and MSA 1 are admins/co-admins for Azure 3.
You should note that the “owner” relationship applies only to Azure subscriptions and not to any other subscription type (hence the special orange color of the Azure subscription box); it maps to the admin role on the subscription. An owner can also change the subscription’s directory and modify owner permissions. For all other subscription types, the “owner” (or, to use the more common term, “admin”) is an attribute of the user account. In the above example, User 1 could be an admin user of O365 1, whereas User 2 could be a standard user.
To be an admin of an Azure subscription, the account must be present in the Azure AD directory associated with that subscription (you might notice that you can add an MSA as an admin to an Azure subscription without first adding it to the directory; that works because the account is automatically added to the directory as part of the assignment). Taking the previous diagram, you should be able to work out the following results:
| Rights | Assigned to accounts | Reasons |
|---|---|---|
| Can log onto the admin portal http://manage.windowsazure.com | User 1, User 3, User 4, MSA 1, MSA 2 | They are Azure subscription owners (admins or co-admins). |
| May be allowed to become admins of Azure 1 and Azure 2 | User 1, User 2, User 3, any MSA account | Azure AD accounts must be present in the same Azure AD directory instance. MSA accounts will be added automatically if not already present. |
| May be allowed to become admins of Azure 3 | User 4, User 5, User 6, any MSA account | Azure AD accounts must be present in the same Azure AD directory instance. MSA accounts will be added automatically if not already present. |
| Can use O365 1 services | User 1, User 2 | These accounts have user rights (assigned licenses) on that subscription. |
| Can use O365 2 services | User 4, User 5, User 6 | These accounts have user rights (assigned licenses) on that subscription. |
| Can use CRM 1 services | User 2, User 3 | These accounts have user rights (assigned licenses) on that subscription. |
In consequence, when User 1 logs in to the admin portal, they will see Azure 1 in their list of subscriptions and Azure AD 1 in their list of directories. However, they can manage Azure AD 1 only if they are assigned admin rights for that directory, e.g. global or user admin roles.
However, when User 2, User 5, User 6 or MSA 3 try to log in to the admin portal… yes, you guessed right – they see the frustrating grey box that says “No subscriptions found”!
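The rule in this answer (the account has to exist in the subscription’s directory before it can be given rights on the subscription) is worth enforcing explicitly when you grant access by Azure RBAC, because unlike the classic co-admin flow, an RBAC assignment does not add a missing account to the directory for you. The function below is an added example, not code from the original post or from Microsoft; it assumes the Az module, and the subscription ID and sign-in names in the example call are placeholders.

```powershell
# Added example (not from the original post): make an account Owner of a
# subscription through Azure RBAC, checking directory membership first.
# Assumes the Az module. Subscription ID and UPN below are placeholders.

function Grant-SubscriptionOwner {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $SignInName   # UPN or MSA e-mail
    )

    # Switching context to the subscription also selects the directory
    # that subscription was created in.
    $ctx      = Set-AzContext -Subscription $SubscriptionId
    $tenantId = $ctx.Tenant.Id
    $scope    = "/subscriptions/$SubscriptionId"

    # Resolve the account *inside that directory*. A work/school account
    # from another directory will not be found. An MSA that was added as a
    # guest carries a mangled UPN (user_outlook.com#EXT#@tenant...), so fall
    # back to matching on the mail attribute.
    $user = Get-AzADUser -UserPrincipalName $SignInName -ErrorAction SilentlyContinue
    if (-not $user) {
        $user = Get-AzADUser -Filter "mail eq '$SignInName'" -ErrorAction SilentlyContinue
    }
    if (-not $user) {
        Write-Warning ("{0} is not present in directory {1}; add it to the directory " +
                       "first. RBAC does not auto-add accounts the way the classic " +
                       "co-admin assignment did.") -f $SignInName, $tenantId
        return $null
    }

    # Idempotent: do nothing if the assignment is already there.
    $existing = Get-AzRoleAssignment -ObjectId $user.Id -Scope $scope -RoleDefinitionName Owner
    if ($existing) {
        Write-Host "$SignInName is already Owner on $scope"
        return $existing
    }

    New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName Owner -Scope $scope
}

# Example calls with placeholder values. In the diagram's terms, the first
# succeeds (User 3 lives in Azure AD 1, where Azure 1 is recorded); the second
# is refused because User 4 lives in Azure AD 2.
# Grant-SubscriptionOwner -SubscriptionId '00000000-0000-0000-0000-000000000000' -SignInName 'user3@adatum.com'
# Grant-SubscriptionOwner -SubscriptionId '00000000-0000-0000-0000-000000000000' -SignInName 'user4@fabrikam.com'
```

Owner at subscription scope is the RBAC equivalent of the classic admin/co-admin rights described above; if the account only needs to manage existing resources, Contributor is the less privileged choice.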
Question 5: Can I view or edit the list of Azure subscriptions to which I have administrative access, along with the corresponding Azure AD directory with which each of those subscriptions is associated?
Answer: Yes, you can. Click on the “Settings” tab of the Azure admin portal – you can see all the Azure subscriptions for which you are either a service administrator (where you used that account to create the Azure subscription) or a co-administrator (any subsequent accounts where you were granted permissions).
In cases where you are the service administrator (as opposed to co-administrator), selecting a subscription and clicking on the “Edit directory” button enables you to choose a different Azure AD directory (that you have an account in) to associate the subscription with. Taking the previous diagram, this action is the equivalent of moving an orange Azure subscription box to a different Azure AD instance, for example, moving Azure 1 from Azure AD 1 to Azure AD 2. If other people in the current directory had co-administrator permissions on this subscription, their permissions may be revoked as a part of the move. The UI will tell you exactly which users will be affected.
Note: You can change subscription ownership by going to https://account.windowsazure.com/Subscriptions or via Azure billing support.
Question 6: Why can I not see the “Edit directory” button on some or all of the subscriptions on this list?
Answer: The “Edit directory” button will not be available if you are logged into the portal with an Azure AD account. Taking the previous example again, if you are logged in to the admin portal as User 1, you will not be able to move the Azure 1 subscription to Azure AD 2, even though you are an owner of Azure 1.
If you sign in to the portal with a Microsoft Account (MSA), then you will see the “Edit directory” button appear on any subscriptions for which you are an administrator. You can also move that subscription to any other Azure AD directory where your MSA account exists.
Question 7: I have an active paid O365 subscription. However, when I log into the Azure management portal, I get the frustrating gray box error (“No subscriptions found”). How is that fair?
Answer: Your user account does not have access to the Azure Management portal since that account does not have admin rights on an existing Azure subscription. To access the Azure management portal, you need to get an Azure subscription. But fear not – there is no cost involved, neither will you need to provide any credit card information. Every paid customer of Office 365 can get an “Access to Azure Active Directory” Azure subscription by following these steps.
Log in to the Office admin portal at (https://portal.office.com).
On the admin page, click Azure AD.
You should now see the sign-up page, as shown below.
Fill out the “About you” section, verify your mobile number and click on “sign up” to prepare your new Azure subscription.
After you have completed these steps, you will be signed into the management portal.
Question 8: I don’t have a paid O365 subscription, but I have paid for EMS, Azure AD Premium, Intune or some other Microsoft online service. However, when I log into the Azure Management Portal, I get the dreaded gray box error (“No subscriptions found”). How is that fair?
Answer: You can still use the Office admin portal or go to http://aka.ms/accessaad and log in with your Azure AD account that has global admin rights. You can then create the Azure subscription called “Access to Azure Active Directory” exactly as described in the steps in Question 7 above, with no credit card required.
Question 9: I have an Azure AD directory that I manage using an Azure AD account that is a global admin of that directory. I later created an Azure subscription with my MSA. Is there any way I can manage both my Azure AD directory and the subscription’s default directory using the same MSA login?
Answer: It is highly recommended that you only use Azure AD accounts and not MSA to manage Azure AD directories. That said, if you absolutely must, then yes, you can manage multiple Azure AD directories using a single MSA login. You can do this either by adding your MSA identity as a global admin in your Azure AD directory, or alternatively, while logged in to the Azure management portal with your MSA credentials, click the +New button at the bottom left and click App Services, then Active Directory, then Directory, then click Custom Create and select Use existing directory. Log out, and when you log back in as a global admin, you should answer Yes to the question on whether to use the directory with Azure.
Question 10: I have multiple Azure subscriptions. How do I move them under a single Enterprise Agreement (EA)?
Answer: You can perform migration of non-EA subscriptions by requesting a “Concierge Session” at http://aka.ms/AzureEntSupport. Select “Support Top Portal” followed by the sub-topic “Scheduling and an onboarding or concierge session”. You can also get support on other topics, such as creating new subscriptions in your EA or obtaining guidance on billing and reporting questions with your EA.
NOTE: In addition to using the Azure management portal, you can also perform all the administrative functions using PowerShell.
NOTE: Access to the Azure management portal at http://manage.windowsAzure.com is restricted by a user’s access to an Azure subscription as noted in this post. However, this gating does NOT apply to the new Azure portal at http://portal.azure.com, as subscription sign-up happens automatically when you attempt to use an Azure resource in the new portal.
NOTE: While an Azure subscription uses a “pay as you go” model as described above, other subscriptions, such as Azure AD Basic/Premium and EMS (Enterprise Mobility Suite), implement a user-based subscription model. In this model, licenses must be purchased for and assigned to each user. So if you want to offer the functionality that those licenses include (for example, Self-Service Password Reset in Azure AD Basic and Azure AD Premium), you need to purchase licenses for those services and assign one to each user who should get the feature.
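What the user-based model means in practice, as an added example that is not part of the original post: a seat has to exist in the tenant and be assigned to the individual user before that user gets the feature. The script below does that with the MSOnline module (Connect-MsolService, Get-MsolAccountSku, Set-MsolUser, Set-MsolUserLicense). The SKU part number AAD_PREMIUM, the UPN and the usage location are assumptions; confirm the part number against the Get-MsolAccountSku output in your own tenant.

```powershell
# Added example (not from the original post): assign a per-user Azure AD
# Premium license with the MSOnline module.
# Assumptions: SKU part number AAD_PREMIUM, the UPN and the usage location.

Connect-MsolService

$upn       = 'user2@adatum.com'   # placeholder
$wantedSku = 'AAD_PREMIUM'        # Azure AD Premium P1; verify in your tenant

# 1. Find the tenant-prefixed SKU id and make sure a seat is actually free.
#    Every user who should get the feature consumes one purchased seat.
$sku = Get-MsolAccountSku | Where-Object { $_.SkuPartNumber -eq $wantedSku }
if (-not $sku) {
    throw "No $wantedSku SKU has been purchased in this tenant."
}
$free = $sku.ActiveUnits - $sku.ConsumedUnits
if ($free -le 0) {
    throw "All $($sku.ActiveUnits) $wantedSku seats are consumed; buy more before assigning."
}

# 2. A usage location must be set on the user before any license can be assigned.
$user = Get-MsolUser -UserPrincipalName $upn
if (-not $user.UsageLocation) {
    Set-MsolUser -UserPrincipalName $upn -UsageLocation 'US'   # placeholder country code
}

# 3. Assign the license unless the user already holds it.
if ($user.Licenses.AccountSkuId -contains $sku.AccountSkuId) {
    Write-Host "$upn already holds $($sku.AccountSkuId)"
} else {
    Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $sku.AccountSkuId
}

# 4. Verify: the list should now include the tenant-prefixed SKU id.
(Get-MsolUser -UserPrincipalName $upn).Licenses.AccountSkuId
```

Contrast this with the Azure subscription itself: no license is assigned to anyone for it, and the only thing that gates a user’s access to Azure resources is the subscription-level permission (admin, co-admin or an RBAC role) discussed in the answers above.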
-Kanna Ramasubramanian, Eran Dvir, Tarek Dawoud and Mark Morowczynski