How Azure subscriptions are associated with Azure AD
Published: March 10, 2014
Updated: January 28, 2015
Applies To: Azure
This topic covers information about signing in to Microsoft Azure and related issues, such as the relationship between an Azure subscription and Azure Active Directory (AD).
Accounts that you can use for sign in
How an Azure subscription is related to Azure AD
How to manage a subscription and directory
Signing in when you used your work email for your Microsoft account
Let’s start with the accounts that you can use to sign in. There are two types: a Microsoft account (formerly known as Microsoft Live ID) and a work or school account, which is an account stored in Azure AD.
Azure AD account
Although Azure originally allowed access only by Microsoft account users, it now allows access by users from both systems. This was done by having all the Azure properties trust Azure AD for authentication, having Azure AD authenticate organizational users, and by creating a federation relationship where Azure AD trusts the Microsoft account consumer identity system to authenticate consumer users. As a result, Azure AD is able to authenticate “guest” Microsoft accounts as well as “native” Azure AD accounts.
For example, here a user with a Microsoft account signs in to the Azure Management Portal.
|To sign in to the Azure Management Portal, firstname.lastname@example.org must have a subscription to Azure. The account must be either a Service administrator or a co-administrator of the subscription.|
Because this Hotmail address is a consumer account, the sign in is authenticated by the Microsoft account consumer identity system. The Azure AD identity system trusts the authentication done by the Microsoft account system and will issue a token to access Azure services.
Every Azure subscription has a trust relationship with an Azure AD instance. This means that it trusts that directory to authenticate users, services, and devices. Multiple subscriptions can trust the same directory, but a subscription trusts only one directory. You can see which directory is trusted by your subscription under the Settings tab. You can edit the subscription settings to change which directory it trusts.
This trust relationship that a subscription has with a directory is unlike the relationship that a subscription has with all other resources in Azure (websites, databases, and so on), which are more like child resources of a subscription. If a subscription expires, then access to those other resources associated with the subscription also stops. But the directory remains in Azure, and you can associate another subscription with that directory and continue to manage the directory users.
Similarly, the Azure AD extension you see in your subscription doesn’t work like the other extensions in the Azure Management Portal. Other extensions in the Management Portal are scoped to the Azure subscription. What you see in the AD extension does not vary based on subscription – it shows only directories based on the signed-in user.
All users have a single home directory which authenticates them, but they can also be guests in other directories. In the AD extension, you will see every directory your user account is a member of. Any directory that your account is not a member of will not appear. A directory can issue tokens for work or school accounts in Azure AD or for Microsoft account users (because Azure AD is federated with the Microsoft account system).
This diagram shows a subscription for Michael Smith after he signed up by using a work account for Contoso.
The administrative roles for an Azure subscription manage resources tied to the Azure subscription. These roles and the best practices for managing your subscription are covered at Manage Accounts, Subscriptions, and Administrative Roles.
By default, you are assigned the Service Administrator role when you sign up. If others need to sign in and access services using the same subscription, you can add them as co-administrators. The Service Administrator and co-administrators can be either Microsoft accounts or work or school accounts from within the Azure AD organization that the Azure subscription trusts.
|In the future, it will be possible to allow users from other Azure AD organizations as co-administrators of a subscription.|
Azure AD has a different set of administrative roles to manage the directory and identity-related features. For example, the global administrator of a directory can add users and groups to the directory, or require multifactor authentication for users. A user who creates a directory is assigned to the global administrator role and they can assign administrator roles to other users.
As with subscription administrators, the Azure AD administrative roles can be either Microsoft accounts or work or school accounts. Azure AD administrative roles are also consumed by other services such as Office 365 and Microsoft Intune. For more information about them, see Assigning administrator roles.
|Azure subscription admins and Azure AD directory admins are two separate concepts. Azure subscription admins can manage resources in Azure and can view the Active Directory extension in the Management Portal (because the Management Portal is an Azure resource). Directory admins can manage properties in the directory. A person can be in both roles but this isn’t required. A user can be assigned to the directory global administrator role but not be assigned as Service administrator or co-administrator of an Azure subscription. Without being an administrator of the subscription, this user cannot sign in to the Azure Management Portal. But the user could perform directory administration tasks using other tools such as Azure AD PowerShell or Office 365 Admin Center.|
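The two administrative scopes described above can be inspected side by side from the command line. The following script is an added example, not part of the original article; it assumes the classic (Service Management) Azure PowerShell module of this article's era, which provides Add-AzureAccount and Get-AzureSubscription, and the MSOnline module that the article refers to as "Azure AD PowerShell", which provides Connect-MsolService, Get-MsolCompanyInformation, Get-MsolRole and Get-MsolRoleMember. It also assumes that the TenantId property on a subscription object and the ObjectId property of the company information both hold the directory's tenant identifier, which is how the script matches a subscription to the directory it trusts.

```powershell
# Added example (not from the original article). Assumes the classic Azure
# PowerShell module and the MSOnline module are installed, and that the
# signed-in account is a Service Administrator or co-administrator.
Add-AzureAccount

# Every subscription trusts exactly one directory; TenantId identifies it.
# This is the same information the Settings tab shows in the portal.
$subscriptions = Get-AzureSubscription
$subscriptions |
    Select-Object SubscriptionName, SubscriptionId, TenantId, DefaultAccount |
    Format-Table -AutoSize

# Now sign in to the directory itself (the directory roles are separate from
# the subscription roles, so this may be a different account).
Connect-MsolService
$company = Get-MsolCompanyInformation
# Assumption: ObjectId of the company information is the directory's tenant ID.
"Directory: $($company.DisplayName)  TenantId: $($company.ObjectId)"

# Which of the subscriptions visible to the signed-in account trust this directory?
$trusting = $subscriptions | Where-Object { $_.TenantId -eq $company.ObjectId }
"Subscriptions trusting this directory: $($trusting.Count)"
$trusting | Select-Object SubscriptionName, SubscriptionId | Format-Table -AutoSize

# Directory global administrators. MSOnline names this role "Company Administrator".
# Membership here grants directory management rights only; it does not make
# the user a Service Administrator or co-administrator of any subscription.
$globalAdminRole = Get-MsolRole -RoleName "Company Administrator"
Get-MsolRoleMember -RoleObjectId $globalAdminRole.ObjectId |
    Select-Object DisplayName, EmailAddress, RoleMemberType |
    Format-Table -AutoSize
```

Review both listings together. A user who appears only in the second list can manage the directory with PowerShell or the Office 365 Admin Center but cannot sign in to the Azure Management Portal for these subscriptions; a user who appears only in the first list can manage Azure resources but not directory users. Because a directory administrator can reset the password of any work or school account in that directory, including the accounts that administer a subscription, the directory administrator list deserves the same scrutiny as the subscription administrator list.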
Sometimes a user from an organization may try to sign in to the Azure Management Portal using a work or school account prior to signing up for an Azure subscription. In this case, the user will receive a message that there is no subscription for that account. The message will include a link to start a free trial subscription.
After signing up for the free trial, the user will see the directory for the organization in the Management Portal but be unable to manage it (that is, be unable to add users, or edit any existing user properties) because the user is not a directory global administrator. The subscription allows the user to use the Azure Management Portal and see the Active Directory extension, but the additional permissions of a global administrator are needed to manage the directory.
As a best practice, you should sign up for Azure as an organization and use a work or school account to manage resources in Azure. Work or school accounts are preferred because they can be centrally managed by the organization that issued them, they have more features than Microsoft accounts, and they are directly authenticated by Azure AD. The same account provides access to other Microsoft online services that are offered to businesses and organizations, such as Office 365 or Microsoft Intune. If you already have an account that you use with those other properties, you likely want to use that same account with Azure. You will also already have an Active Directory instance backing those properties that you will want your Azure subscription to trust.
Work or school accounts can also be managed in more ways than a Microsoft account. For example, an administrator can reset the password of a work or school account, or require multifactor authentication for it.
In some cases, you may want a user from your organization to be able to manage resources that are associated with an Azure subscription for a consumer Microsoft account. For more information about how to transition to have different accounts manage subscriptions or directories, see Manage the directory for your Office 365 subscription in Azure.
If at some point in the past you created a consumer Microsoft account using your work email as the user identifier, you may see a page asking you to choose between the Microsoft Azure Account system and the Microsoft Account system.
You have user accounts with the same name, one in Azure AD and the other in the consumer Microsoft account system. You should pick the account that is associated with the Azure subscription you want to use. If you get an error saying a subscription does not exist for this user, you likely just chose the wrong option. Sign out and try again. For more information about errors that can prevent sign in, see Troubleshooting "We were unable to find any subscriptions associated with your account" errors in Management Portal.
Other Resources
How to manage the directory for an Office 365 subscription