Azure Active Directory - (Multiple Azure AD Resources) for separation of concerns

  • Question

  • Can any Azure Active Directory gurus suggest the best answer to the following...  

    Currently a very large enterprise already is using Azure AD syncing on-site ADDS with Azure AD (Enterprise Azure AD/ADDS).

    Is the best solution to create a new Azure AD Resource to keep separation of concerns and to ensure that users from 1 Azure AD resource have no way of accessing the other Azure AD resource (Enterprise Azure AD/ADDS) and is there any extra cost with creating 1 to n...

    Does 1 subscription cover 1 to n....  Azure Active Directory Resources?

    We want the new Azure AD to only contain outside guests aka @gmail, @yahoo, but this is all B2B.

    Moojjoo MCP, MCTS



    Wednesday, June 27, 2018 5:47 PM

Answers

  • we will be requiring the Azure AD Premium Licenses for MFA, can we still just create another Azure AD Resource? My initial thought would be yes, because it is separated, but can you confirm this for me.

    Yes - You can create a separate Azure AD Tenant and enable the required licenses for that tenant only.

    We have premium licensing for the 1st already and would be willing to pay for the 2nd, but would it need a second Azure Tenant Subscription?

    That would depend entirely on your requirements.
    If you only wish to use the Azure AD resources and not any Azure Services (Virtual Machines, VNet, Storage, etc.) - No, you can only have the separate Tenant with the 2nd License and not require an Azure Subscription to go with it.
    However, say suppose you need to maybe implement Azure AD Domain Services, which also requires certain Azure Services to go with - in this case you have to have a Subscription as well associated with the second tenant.

     


    Thursday, June 28, 2018 9:23 PM

All replies

  • Yes, you can always create a new Azure AD Tenant without extra cost being involved as long as you do not require the Basic/Premium Licenses to go with the new tenant.

    You can create a new Azure AD Tenant using the directory creation experience in the Azure portal. The process will take about a minute, and in the end you'll be prompted to navigate to your newly created tenant.

     


    Wednesday, June 27, 2018 7:55 PM
  • Neelesh, ty for the quick reply, we will be requiring the Azure AD Premium Licenses for MFA, can we still just create another Azure AD Resource? My initial thought would be yes, because it is separated, but can you confirm this for me.

    Moojjoo


    Moojjoo MCP, MCTS



    Wednesday, June 27, 2018 8:11 PM
  • More Details...

    The cloud architectural design I imagine is two Azure Active Directories Resources in 1 Azure Tenant. So, there is "NO" way a user from 2nd Azure AD (Contains Enterprise Sync with internal ADDS) and hosts Applications and other resources can in any way access anything in the 2nd Azure AD and vice versa. We are wanting only outside contractors to reside in the 2nd Azure AD (w/ Premium Licensing for MFA), and this could also allow our team Global Admin rights as we are not touching the enterprise 1st Azure AD.

    We have premium licensing for the 1st already and would be willing to pay for the 2nd, but would it need a second Azure Tenant Subscription?  <---  This is the real question.

    ---1 Overall Azure Tenant
    |
    |
    ----+ (1) Azure AD Enterprise Sync with on premise ADDS (Office 365 and a lot more) (Currently Exists)
    |
    |
    ----+ (2) Azure AD Contractors with access to specific applications that are configured



    Moojjoo MCP, MCTS


    Thursday, June 28, 2018 2:58 PM