why have multiple directories bound to an azure subscription?

Answers


  • Hello Peter,

    Good question.  Here is a good MSDN article on this topic - http://msdn.microsoft.com/en-us/library/azure/dn629581.aspx. I am pasting an excerpt from it that addresses your question about the mental model for subscriptions and directories.

    "Azure subscription admins and Azure AD directory admins are two separate concepts. Azure subscription admins can manage resources in Azure and can view the Active Directory extension in the Management Portal (because the Management Portal is an Azure resource). Directory admins can manage properties in the directory. A person can be in both roles but this isn’t required. A user can be assigned to the directory global administrator role but not be assigned as Service administrator or co-administrator of an Azure subscription. Without being an administrator of the subscription, this user cannot sign in to the Azure Management Portal. But the user could perform directory administration tasks using other tools such as Azure AD PowerShell or Office 365 Admin Center."

    Your example can have a couple of variations, depending on whether your user ID is a Microsoft account or an organizational account in Directory#1 (contoso.onmicrosoft.com).
    1. If the user ID is a Microsoft account (bob@hotmail.com) which has the Azure subscription and is listed as a Global Administrator in Directory#1 (contoso.onmicrosoft.com) and in Directory#2 (fabrikam.onmicrosoft.com), you will be able to view/manage both directories. If the Administrator of Directory#2 decides to revoke your GA role in that directory, you will only be able to view Directory#1. If another Global Administrator removes your ID as an administrator, you will lose Directory#1 as well.

    2. If your user ID is an organizational account in Directory#1 (bob@contoso.onmicrosoft.com) which has an Azure subscription that is now tied to Directory#1, then you won't be able to add Directory#2. However, it can be added to Directory#2 by someone who is a Global Administrator in both directories (Microsoft account). Bob's ID will show up as a Guest account in the Azure interface. The Office 365 portal will show it as an External User with a naming format similar to Bob_contoso_com#EXT#@fabrikam.com

    Regarding the ability to remove Directory#1, previously the Azure interface did not allow you to delete it. However, we released this capability last month, where a user (bob@hotmail.com or bob@fabrikam.com) who is a Global Administrator in contoso.onmicrosoft.com can delete the tenant "contoso.onmicrosoft.com" after clearing the objects in the directory and the subscriptions associated with the directory. You can read more about this here - http://msdn.microsoft.com/en-us/library/azure/jj573650.aspx.

    Hope this response helps.

    Regards,
    Shravan

    Saturday, June 14, 2014 6:25 PM
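The answer above describes a model in which each subscription is bound to exactly one directory, while a single signed-in account can be a member in one tenant and a guest (the `#EXT#` UPN form) in another. A practical way to audit that model for your own account is to enumerate every directory the account can reach, the subscriptions bound to each one, and how each directory classifies the account. The script below is an added example, not code from the original thread or from Microsoft; it assumes the current Az PowerShell module (`Az.Accounts` and `Az.Resources`) rather than the 2014-era tooling the answer refers to, and it treats a `#EXT#` in the user principal name as the guest indicator the answer describes.

```powershell
# Added example (not part of the original forum answer).
# Assumes the Az PowerShell module (Az.Accounts, Az.Resources) is installed
# and that the account can sign in interactively.
Connect-AzAccount | Out-Null

# Get-AzTenant lists every directory (tenant) the signed-in account can reach,
# whether as a member or as a guest.
foreach ($tenant in Get-AzTenant) {
    Write-Host "Directory: $($tenant.DefaultDomain) ($($tenant.Id))"

    # Switch the session into this directory. Each subscription belongs to
    # exactly one tenant, so subscriptions are listed per tenant below.
    Set-AzContext -Tenant $tenant.Id | Out-Null

    # How does this directory know the signed-in account? A guest (external)
    # user carries the '#EXT#' marker in its user principal name, as in
    # Bob_contoso_com#EXT#@fabrikam.com from the answer above.
    $me = Get-AzADUser -SignedIn
    $kind = if ($me.UserPrincipalName -like '*#EXT#*') { 'guest' } else { 'member' }
    Write-Host "  signed-in account is a $kind here ($($me.UserPrincipalName))"

    # Subscriptions bound to this directory. A directory with no subscriptions
    # can still be administered (via PowerShell or the Office 365 admin center),
    # but it will not appear as a subscription scope in the Azure portal.
    $subs = Get-AzSubscription -TenantId $tenant.Id
    if (-not $subs) {
        Write-Host "  no subscriptions bound to this directory"
        continue
    }
    foreach ($sub in $subs) {
        Write-Host "  subscription $($sub.Name) [$($sub.Id)] state=$($sub.State)"
    }
}
```

Run it once per account you administer with; a directory where the account shows up as `guest` but still lists subscriptions is exactly the situation the answer describes, where an administrator of that other directory can revoke your access independently of your own tenant.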