If you have an Office365 subscription, but login to Windows Azure with a Microsoft Account, this post will show you how to add your existing Windows Azure Active Directory from Office365 to your Windows Azure Subscription.
I have several Azure and Office365 subscriptions for demos, POCs, and production work. When I log into the Azure Management Portal, I like to see all my subscriptions available, and be able to see and manage all of the Windows Azure Active Directory (WAAD) accounts for my Office365 subscriptions as well. This post will show you how you can have one Microsoft Account to rule them all. To begin, I’ll explain how WAAD accounts get created in the first place. If you want to just see the steps, you can skip ahead as well.
How Windows Azure Active Directory Accounts Get Created
While you can create a new WAAD account directly from the Windows Azure Management Portal, the most common way that directories are created is through the Office365 Sign Up process. When you setup an Office365 subscription for the first time, you have to pick a tenant name (the part that goes before *.onmicrosoft.com). When you pick this tenant name, a Windows Azure Active Directory (WAAD) account is created behind-the-scenes to store your users and groups, using the domain “your-tenant-name.onmicrosoft.com” (you can add custom domain names to this WAAD account later, but it will always have the original .onmicrosoft.com domain associated with it).
This WAAD account is not the same as a Windows Azure Subscription. A Windows Azure Subscription does not get automatically created or associated to your Office365 subscription or to your WAAD account when signing up for Office365 services (this is a common misconception). In fact, if you’ve just created an Office365 tenant, you can try to login to the Windows Azure Management Portal (https://manage.windowsazure.com) using your new Organizational Account, and you’ll see the message that there are no associated Azure Subscriptions:
There is also not a strict one-to-one association between an Azure subscription and a WAAD account. They are independent entities that can be linked together. One Azure subscription can display multiple WAAD accounts in the Management Portal, and one WAAD account can be administered from multiple Azure Subscriptions. Below is a screen shot from the Management Portal showing that I have multiple (3) Active Directory accounts associated with my Windows Azure subscription (I am logged in with a Microsoft Account to Windows Azure):
This screen shot shows the list of those 3 accounts in detail:
What’s confusing with this screen is the names of the Directories: you can see “Toth”, “Adam Toth”, and “Default Directory”. These aren’t very helpful. They don’t tell me anything about the domains for my WAAD accounts, and so I have no idea by looking at this screen which Office365 tenants these relate to. That’s because these WAAD accounts were created through the Office365 Sign Up process. Office365 created the WAAD accounts for me, but didn’t setup a friendly name, or give me any UI to manage the settings for the WAAD account. So this is an important set of points to note:
- Office365 creates WAAD accounts, but doesn’t let you manage their settings effectively. You can only configure users, groups, custom domains, and global administrators from Office365.
- Windows Azure lets you manage all the advanced settings of WAAD accounts, including names, premium features, Apps, SSO access, multi-factor authentication, etc.
- To properly manage your WAAD accounts, you need to link them to Windows Azure Subscriptions.
I’ll talk about how to change those names to make them more friendly in a moment, but first I want to show you how to get those multiple accounts to show up in Windows Azure in the first place.
Adding Existing Windows Azure Active Directories to your Windows Azure Subscription
The process to add a WAAD account to your Windows Azure subscription used to be pretty painful. You actually had to login to Windows Azure with an Organizational Account, create a dummy Windows Azure Subscription (Free Trial or Pay as you go), and then add your Microsoft Account as a Global Administrator of the directory. Then you could sign in with your Microsoft Account, and see the Directory.
Now (much kudos to the teams at Microsoft that built this), you can easily do this by adding an Existing WAAD account. The process is as follows:
- Login to Windows Azure Management Portal with your Microsoft Account.
- Click on the Active Directory category on the left, and then click the New button.
- Choose New > App Services > Active Directory > Directory > Custom Create.
- On the Add Directory dialog, click the Directory dropdown, and choose Use Existing Directory.
- The dialog will switch, and inform you that you will be signed out, and need to sign in with a Global Administrator for the existing WAAD account. Check the box and click Sign Out.
- Login with a Global Administrator for the WAAD account. You don’t ever need to have created a Windows Azure subscription for this account!
- Once you login, you’ll be asked to confirm the link. Linking will make the Microsoft Account a Global Administrator in the WAAD account. Proceed through this, and you will be asked to Sign Out.
- After Signing Out, and signing back in with your Microsoft Account, you’ll now see the WAAD account in the list of Active Directory accounts in the Windows Azure Management Portal!
Changing the Names of your WAAD Accounts
Changing the names of your WAAD accounts is easy enough to accomplish. Once you have the WAAD accounts showing up in your Windows Azure Management Portal, you can click on the account, and then click the Configure tab:
The first option is the WAAD Name. I normally change the names to reflect the .onmicrosoft.com domain that is used by the WAAD account. After changing the names, the list looks much more helpful:
Q. After you make a Microsoft Account a Global Administrator in WAAD, can you access Office365 Portal Administration features with the Microsoft Account?
A. No. You can only sign into the Office365 Management Portal with an Organizational Account. When you make a Microsoft Account a Global Administrator for WAAD, you will see your Microsoft Account in the list of users in the Office365 Management Portal:
Notice the format of the Microsoft account: escaped_microsoft_account_email_address#EXTfirstname.lastname@example.org
If you enter this funny looking username into the Office365 Sign In screen, it won’t recognize the user. If you enter your Microsoft Account email address, it will let you sign in, but it won’t let you proceed to the management pages. External users cannot administer functions of Office365:
Q. If my Microsoft Account is now a Global Admin in WAAD, do Organizational Accounts in WAAD automatically have access to manage my Windows Azure Subscription?
A. No. The link you established by making the Microsoft Account a Global Administrator in WAAD was only one direction. It did not grant administrative access to the Windows Azure Subscription to any of the Organizational Accounts, not even to other Global Admins of the WAAD account. If an Organizational Account tried to login to the Azure Management Portal, they’ll get the same message that no Azure Subscriptions are associated with their account.
To enable an Organizational Account to have access to the Windows Azure Subscription, you can then add the Organizational Account as a Co-Administrator of the Azure Subscription. You add Co-Administrators on the Settings page, under the Administrators tab.
Once you add the co-admin, you can now login to the Azure Management Portal with the Organizational Account, and will have access to the Azure Subscription.
Note that in order to specify an Organizational Account as a Co-Administrator, you have to designate your linked WAAD as the Default Directory. If you try to add an Organizational Account from a non-default directory as a co-admin, you will get an error:
Q. How do I change the Default Directory associated with my Azure Subscription?
A. To change the Default Directory, login to Windows Azure with your Microsoft Account. Under Settings, on the Subscriptions tab, select the Azure Subscription that you want to change the Default Directory for (click one of the rows), and then click the Edit Directory button.
In the Edit Directory dialog, change the default directory. If you have co-admins in your subscription from the currently assigned Default Directory, they will all be removed prior to the switch. You’ll receive a warning about this prior to proceeding, along with a list of affected co-admin accounts.
In this post, I’ve shown you how to can use a Microsoft Account to login to Windows Azure, and add/manage existing Windows Azure Active Directory instances within your Azure Subscription. If you have other questions about this process, please leave a comment and I’ll attempt to answer them and add them to the FAQ.