Overview of Azure Active Directory, Subscriptions, Accounts & Role based access control

So in the beginning there was nothing!

Venturing into Azure these days, you might lose the overview you once had. With the introduction of Azure RBAC, multiple subscriptions, often several Azure Active Directories, and a mix of Microsoft and Work accounts, it can be confusing how it all fits together. I therefore decided to write this post to clear up any confusion people might have.

Before I describe the different scenarios, there are some key roles and terms you should be aware of:

Microsoft Account: An account associated with Microsoft. This can for instance be an Outlook, Hotmail, Xbox Live or MSDN account, or any other account created with Microsoft for a particular purpose.

Work Account: A user account associated with an Azure Active Directory object. This can for instance be an account sourced from Office 365 or Intune, or a user account synchronized from an on-premises Active Directory. A user who signs in with a work account is authenticated either directly by Azure Active Directory or, with federated access, by an on-premises Active Directory.

Azure subscription: An active agreement with Microsoft, which is needed to provision resources in Microsoft Azure. Every subscription also has a trust relationship with an Azure AD instance: it trusts that directory to authenticate users, services and devices. A subscription trusts only one directory, but multiple subscriptions can trust the same directory.

Every resource provisioned in Azure is a child resource of an Azure subscription. If the subscription expires or is stopped, those child resources also stop.

Account Owner: The Account Owner is the Microsoft Account or Azure Active Directory (AAD) account that is financially responsible for the Microsoft Azure subscription. There can be only one account owner for a subscription.

Service Administrator: The Service Administrator is a property of each Azure subscription; it represents a user account that can log in to the portal and deploy to it or create new resources.
Typically, an Account Administrator purchases an Azure subscription and makes his or her developer the Service Administrator, and the developer can then log in to the Developer Portal. The Service Administrator can only be changed in the Billing Portal.

Azure Active Directory: A web-based identity service running on Azure. It is automatically created when you set up a subscription, using a default domain like company.onmicrosoft.com, and the user who created the subscription is automatically added as a Global Administrator of that new directory.

Azure Active Directory Domain Services: A web-based implementation of Active Directory which provides services such as domain join, group policy, LDAP and Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory.

AAD Connect: A tool used to synchronize an on-premises Active Directory to an Azure Active Directory catalog.

Resource Group: A logical grouping of a set of resources, which can for instance be virtual machines, virtual networks, SQL databases and so on. All resource groups are attached to a subscription.

Diagram overview: This diagram shows an overview of an example user with a Microsoft Account, [email protected]. When he logs into the Azure portal he has access to two Azure Active Directories.

One Azure Active Directory is used with Office 365 (where it has an active subscription) and also has another subscription used for various IaaS resources in Azure. This Azure AD catalog is also set up with federated access to an on-premises Active Directory, where user objects are synchronized across using AAD Connect; authentication happens against the local Active Directory because federated access is configured.

The other Azure Active Directory catalog is set up with two linked accounts: one sourced from another Azure AD catalog and a Microsoft Account.
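As an added example (not code from the original post), here is a PowerShell function that produces the kind of picture the diagram describes: which directory each subscription trusts, and which principals hold Owner or the classic Account/Service Administrator roles on it. It runs on constructed sample objects shaped like the output of the Az module's Get-AzSubscription and Get-AzRoleAssignment; all ids and sign-in names are placeholders.

```powershell
# Added example, not code from the original post. Object shapes follow what the Az
# module's Get-AzSubscription and Get-AzRoleAssignment return; all ids and sign-in
# names below are constructed placeholders.
function Get-SubscriptionTrustReport {
    param(
        [Parameter(Mandatory)] [object[]] $Subscriptions,   # Name, Id, TenantId, State
        [Parameter(Mandatory)] [object[]] $RoleAssignments  # Scope, RoleDefinitionName, SignInName
    )
    # A subscription trusts exactly one directory (TenantId), but several
    # subscriptions may trust the same one, so group on TenantId.
    foreach ($tenant in ($Subscriptions | Group-Object -Property TenantId)) {
        foreach ($sub in $tenant.Group) {
            $scope = "/subscriptions/$($sub.Id)"
            # Subscription-scoped Owner assignments plus the classic Account/Service
            # Administrator entries that -IncludeClassicAdministrators reports
            # (e.g. 'ServiceAdministrator;AccountAdministrator'); RG-scoped ones are ignored.
            $privileged = $RoleAssignments | Where-Object {
                $_.Scope -eq $scope -and
                ($_.RoleDefinitionName -eq 'Owner' -or $_.RoleDefinitionName -match 'Administrator')
            }
            [pscustomobject]@{
                TenantId     = $tenant.Name
                Subscription = $sub.Name
                State        = $sub.State
                Privileged   = ($privileged | ForEach-Object {
                    "$($_.SignInName) [$($_.RoleDefinitionName)]" }) -join '; '
            }
        }
    }
}

# Constructed sample: two subscriptions trust directory A, one trusts directory B.
$subs = @(
    [pscustomobject]@{ Name = 'O365-Sub'; Id = 'sub-0001'; TenantId = 'dir-A'; State = 'Enabled' }
    [pscustomobject]@{ Name = 'IaaS-Sub'; Id = 'sub-0002'; TenantId = 'dir-A'; State = 'Enabled' }
    [pscustomobject]@{ Name = 'Lab-Sub';  Id = 'sub-0003'; TenantId = 'dir-B'; State = 'Disabled' }
)
$assignments = @(
    [pscustomobject]@{ Scope = '/subscriptions/sub-0001'; RoleDefinitionName = 'ServiceAdministrator;AccountAdministrator'; SignInName = 'owner@contoso.onmicrosoft.com' }
    [pscustomobject]@{ Scope = '/subscriptions/sub-0002'; RoleDefinitionName = 'Owner'; SignInName = 'dev@contoso.onmicrosoft.com' }
    [pscustomobject]@{ Scope = '/subscriptions/sub-0002/resourceGroups/rg1'; RoleDefinitionName = 'Owner'; SignInName = 'rg-admin@contoso.onmicrosoft.com' }
)
Get-SubscriptionTrustReport -Subscriptions $subs -RoleAssignments $assignments | Format-Table -AutoSize

# Live use after Connect-AzAccount: gather assignments per subscription, then run the report.
# $subs = Get-AzSubscription
# $assignments = $subs | ForEach-Object {
#     Set-AzContext -SubscriptionId $_.Id | Out-Null; Get-AzRoleAssignment -IncludeClassicAdministrators }
```

On the sample data the report lists O365-Sub and IaaS-Sub under dir-A and Lab-Sub under dir-B, with the resource-group-scoped Owner left out so that only subscription-wide privilege is shown.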

