User access from Azure AD to Azure AD

  • Question

  • I am trying to give access to a user from one Azure AD to another Azure AD. I think I am just missing a small step here, because I have read in a dozen places that this is really simple. I just keep getting an error that the account is not in active directory.

    I have two different Azure instances, neither have AD synced to an on-premises AD. Each only has a handful of users (say 5 years each).

    Org 1) I have an organizational Azure instance with Azure AD set up, and a new user set up; call this User1@ABC.com.
    Org 2) I have an organizational Azure instance with Azure AD set up, call it XYZ-Client.com. I have a Global Admin account that was created in XYC.com

    I want to add User1@ABC.com to the domain XYC-Client.com. Azure AD support documents say that Azure AD has a trust with Azure AD, you can do this by adding them as an external user. Going to Azure AD > Domain > Users > Add User > User in another Windows Azure AD directory. When I add User1@ABC.com, I get the error that no user exists in a directory I have access to. That error makes sense to me, because I would assume ABC.com has to allow an AD query request. I just cannot figure out how to grant that access. The support documents don't seem to cover that step, or if they do, I completely missed it.

    Other posts from 2013/2014 indicate that you can't do it, but that doesn't fit with the documentation on Azure's website right now.

    Reason for use:
    VSO is linked to Azure AD at XYZ-client.com. If User1@ABC.com is not listed in Azure AD, they cannot access VSO. The only option is to create a new account, or use a MSA/Live account...which sucks because the third option to add a current Azure AD account is right there, it just won't work.

    Any help would be appreciated. Thanks!



    • Edited by jmsilles Wednesday, May 13, 2015 5:32 AM clarity
    Wednesday, May 13, 2015 5:17 AM

Answers

  • Hi,

    In order for this to work as of now, you need to add the other directory to the Azure Subscription so you see both in the management portal.

    You can do this by following the link as below:

    https://msdn.microsoft.com/en-us/library/azure/dn629580.aspx?f=255&MSPPError=-2147217396

    Basically, you create a "new" AAD - but instead of creating a new one you add an existing one and then log in with an account that has proper access to the other directory. With that done, you should be able to add the user to the other directory. This should of course only work if the organizations are trusted, but I guess that is the case.

    Hope this helps!

    Johan Dahlbom


    Microsoft Certified Trainer
    MCSE: Desktop, Server, Private Cloud, Messaging
    Blog: http://365lab.net

    Wednesday, May 13, 2015 5:23 AM

All replies

  • Nice! I'll try that right now...I knew there had to be something silly/small I was missing.
    Wednesday, May 13, 2015 5:33 AM
  • Didn't work, but the reason is in the post:

    These steps can only be completed while a user is signed in with a Microsoft account. If the user is signed in with a work or school account, the option to Use existing directory is not available because a work or school account can be authenticated only by its home directory (that is, the directory where the work or school account is stored, and which is owned by the work or school).

    Both of these are "work" accounts. According to MS...

    Although Azure originally allowed access only by Microsoft account users, it now allows access by users from both systems. This was done by having all the Azure properties trust Azure AD for authentication, having Azure AD authenticate organizational users, and by creating a federation relationship where Azure AD trusts the Microsoft account consumer identity system to authenticate consumer users. As a result, Azure AD is able to authenticate “guest” Microsoft accounts as well as “native” Azure AD accounts.

    ...more...

    All users have a single home directory which authenticates them, but they can also be guests in other directories. In the AD extension, you will see every directory your user account is a member of. Any directory that your account is not a member of will not appear. A directory can issue tokens for work or school accounts in Azure AD or for Microsoft account users (because Azure AD is federated with the Microsoft account system).

    That part about issuing tokens and having one home directory is what led me to the idea that it was possible now.

    Wednesday, May 13, 2015 5:45 AM
  • Oh - sorry. I might have read too fast this early morning :) We might just have to wait for Azure AD Business to Business for that.

    Microsoft Certified Trainer
    MCSE: Desktop, Server, Private Cloud, Messaging
    Blog: http://365lab.net

    Wednesday, May 13, 2015 5:55 AM
  • No apologies necessary :) I think it's just still too soon for Azure AD. From the link you sent I did try something different that almost worked...

    I have an old MSA/Live account. I added it as a service admin, so it could read AD on one side, and as a Global Admin on the other side. I then logged in as the MSA/Live account and I could see BOTH Directories in Azure. I went to XYZ-client.com and added User1@ABC.com and it makes it past the first part, gives a green checkbox too; but it errors out in the process with a blank error in the system tray/notification tray.

    Based on what I saw in the documentation, if you added an account that could at least read the directory in both directories, you can authenticate. But since I couldn't add a work account from one directory to the other, there was no way I could get the first read. A MSA/Live account can be a member of up to 20 domains...so I thought that might be worth a shot to treat that account as the "trust" between the domains.

    I think I'm stuck creating additional accounts at XYZ-Client.com until Azure AD supports trusts.

    Thanks again for the help, I appreciate it!

    Wednesday, May 13, 2015 6:21 AM