How to Manage an Office365 Windows Azure Active Directory When Logged in as a Microsoft Account in Azure Management Portal

If you have an Office365 subscription, but log in to Windows Azure with a Microsoft Account, this post will show you how to add your existing Windows Azure Active Directory from Office365 to your Windows Azure Subscription.

Overview

I have several Azure and Office365 subscriptions for demos, POCs, and production work. When I log into the Azure Management Portal, I like to see all my subscriptions available, and be able to see and manage all of the Windows Azure Active Directory (WAAD) accounts for my Office365 subscriptions as well. This post will show you how you can have one Microsoft Account to rule them all. To begin, I’ll explain how WAAD accounts get created in the first place. If you want to just see the steps, you can skip ahead as well.

How Windows Azure Active Directory Accounts Get Created

While you can create a new WAAD account directly from the Windows Azure Management Portal, the most common way that directories are created is through the Office365 Sign Up process. When you set up an Office365 subscription for the first time, you have to pick a tenant name (the part that goes before *.onmicrosoft.com). When you pick this tenant name, a Windows Azure Active Directory (WAAD) account is created behind the scenes to store your users and groups, using the domain “your-tenant-name.onmicrosoft.com” (you can add custom domain names to this WAAD account later, but it will always have the original .onmicrosoft.com domain associated with it).

This WAAD account is not the same as a Windows Azure Subscription. A Windows Azure Subscription does not get automatically created or associated with your Office365 subscription or with your WAAD account when signing up for Office365 services (this is a common misconception). In fact, if you’ve just created an Office365 tenant, you can try to log in to the Windows Azure Management Portal (https://manage.windowsazure.com) using your new Organizational Account, and you’ll see the message that there are no associated Azure Subscriptions:

No Azure Subscription

No Azure subscription is associated with an Organizational Account by default.

There is also not a strict one-to-one association between an Azure subscription and a WAAD account. They are independent entities that can be linked together. One Azure subscription can display multiple WAAD accounts in the Management Portal, and one WAAD account can be administered from multiple Azure Subscriptions. Below is a screen shot from the Management Portal showing that I have multiple (3) Active Directory accounts associated with my Windows Azure subscription (I am logged in with a Microsoft Account to Windows Azure):

Multiple WAADs in Azure

This screen shot shows the list of those 3 accounts in detail:

List of WAADs

What’s confusing about this screen is the names of the Directories: you can see “Toth”, “Adam Toth”, and “Default Directory”. These aren’t very helpful. They don’t tell me anything about the domains for my WAAD accounts, and so I have no idea by looking at this screen which Office365 tenants these relate to. That’s because these WAAD accounts were created through the Office365 Sign Up process. Office365 created the WAAD accounts for me, but didn’t set up a friendly name, or give me any UI to manage the settings for the WAAD account. So this is an important set of points to note:

  1. Office365 creates WAAD accounts, but doesn’t let you manage their settings effectively. You can only configure users, groups, custom domains, and global administrators from Office365.
  2. Windows Azure lets you manage all the advanced settings of WAAD accounts, including names, premium features, Apps, SSO access, multi-factor authentication, etc.
  3. To properly manage your WAAD accounts, you need to link them to Windows Azure Subscriptions.

I’ll talk about how to change those names to make them more friendly in a moment, but first I want to show you how to get those multiple accounts to show up in Windows Azure in the first place.

Adding Existing Windows Azure Active Directories to your Windows Azure Subscription

The process to add a WAAD account to your Windows Azure subscription used to be pretty painful. You actually had to log in to Windows Azure with an Organizational Account, create a dummy Windows Azure Subscription (Free Trial or Pay as you go), and then add your Microsoft Account as a Global Administrator of the directory. Then you could sign in with your Microsoft Account, and see the Directory.

Now (much kudos to the teams at Microsoft that built this), you can easily do this by adding an Existing WAAD account. The process is as follows:

  1. Log in to the Windows Azure Management Portal with your Microsoft Account.
  2. Click on the Active Directory category on the left, and then click the New button.
  3. Choose New > App Services > Active Directory > Directory > Custom Create.
  4. On the Add Directory dialog, click the Directory dropdown, and choose Use Existing Directory.
  5. The dialog will switch, and inform you that you will be signed out, and need to sign in with a Global Administrator for the existing WAAD account. Check the box and click Sign Out.
  6. Log in with a Global Administrator for the WAAD account. You don’t ever need to have created a Windows Azure subscription for this account!
  7. Once you log in, you’ll be asked to confirm the link. Linking will make the Microsoft Account a Global Administrator in the WAAD account. Proceed through this, and you will be asked to Sign Out.
  8. After Signing Out, and signing back in with your Microsoft Account, you’ll now see the WAAD account in the list of Active Directory accounts in the Windows Azure Management Portal!

Changing the Names of your WAAD Accounts

Changing the names of your WAAD accounts is easy enough to accomplish. Once you have the WAAD accounts showing up in your Windows Azure Management Portal, you can click on the account, and then click the Configure tab:

Changing the Name

The first option is the WAAD Name. I normally change the names to reflect the .onmicrosoft.com domain that is used by the WAAD account. After changing the names, the list looks much more helpful:

After changing the WAAD Names

FAQs?

Q. After you make a Microsoft Account a Global Administrator in WAAD, can you access Office365 Portal Administration features with the Microsoft Account?

A. No. You can only sign into the Office365 Management Portal with an Organizational Account. When you make a Microsoft Account a Global Administrator for WAAD, you will see your Microsoft Account in the list of users in the Office365 Management Portal:

Office365 Admin Screen

The Microsoft account shows in the Office365 portal admin screen.

Notice the format of the Microsoft account: escaped_microsoft_account_email_address#EXT#@tenant-name.onmicrosoft.com

If you enter this funny looking username into the Office365 Sign In screen, it won’t recognize the user. If you enter your Microsoft Account email address, it will let you sign in, but it won’t let you proceed to the management pages. External users cannot administer functions of Office365:

Microsoft accounts fail to access O365 dashboard
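A review step that follows from this answer, as an added example that is not part of the original post: linking leaves the Microsoft Account in the directory as a Global Administrator with the `#EXT#` user name shown above, so an exported list of Global Administrator user names can be checked for external accounts nobody expects. The sample names, the approved list, and the assumption that the "@" of the original address is escaped as "_" are illustrative.

```python
import re
from typing import NamedTuple, Optional

# UPN shape quoted in the post: escaped_email#EXT#@tenant-name.onmicrosoft.com
EXT_UPN = re.compile(
    r"^(?P<escaped>[^@#]+)#EXT#@(?P<tenant>[^@]+\.onmicrosoft\.com)$", re.I
)

class AdminEntry(NamedTuple):
    upn: str
    external: bool
    tenant: Optional[str]
    email: Optional[str]  # best-effort recovery of the original address

def classify(upn: str) -> AdminEntry:
    """Split a user name into internal/external and recover the external address."""
    upn = upn.strip()
    m = EXT_UPN.match(upn)
    if not m:
        return AdminEntry(upn, False, None, None)
    # Assumption: the "@" of the original address was escaped as "_".
    # Host names cannot contain "_", so the last "_" marks the split.
    local, sep, domain = m["escaped"].rpartition("_")
    ok = bool(sep and local and "." in domain)
    email = f"{local}@{domain}".lower() if ok else None
    return AdminEntry(upn, True, m["tenant"].lower(), email)

def unexpected_external_admins(upns, approved_emails):
    """External admins whose recovered address is not approved.
    Entries that cannot be parsed are flagged too (fail closed)."""
    approved = {e.lower() for e in approved_emails}
    entries = (classify(u) for u in upns)
    return [e for e in entries if e.external and e.email not in approved]

# Constructed sample of Global Administrator user names (not real accounts).
SAMPLE_GLOBAL_ADMINS = [
    "admin@contoso-demo.onmicrosoft.com",
    "jane_doe_outlook.com#EXT#@contoso-demo.onmicrosoft.com",
    "old.contractor_example.org#EXT#@contoso-demo.onmicrosoft.com",
    "ops@contoso.example",
]
APPROVED_EXTERNAL = {"jane_doe@outlook.com"}  # hypothetical allow-list

if __name__ == "__main__":
    for e in unexpected_external_admins(SAMPLE_GLOBAL_ADMINS, APPROVED_EXTERNAL):
        print(f"review: {e.upn} (recovered address: {e.email})")
```
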

Q. If my Microsoft Account is now a Global Admin in WAAD, do Organizational Accounts in WAAD automatically have access to manage my Windows Azure Subscription?

A. No. The link you established by making the Microsoft Account a Global Administrator in WAAD goes in one direction only. It did not grant administrative access to the Windows Azure Subscription to any of the Organizational Accounts, not even to other Global Admins of the WAAD account. If an Organizational Account tries to log in to the Azure Management Portal, it will get the same message that no Azure Subscriptions are associated with the account.

To enable an Organizational Account to have access to the Windows Azure Subscription, you can then add the Organizational Account as a Co-Administrator of the Azure Subscription. You add Co-Administrators on the Settings page, under the Administrators tab.

Once you add the co-admin, you can log in to the Azure Management Portal with the Organizational Account, and will have access to the Azure Subscription.

Note that in order to specify an Organizational Account as a Co-Administrator, you have to designate your linked WAAD as the Default Directory. If you try to add an Organizational Account from a non-default directory as a co-admin, you will get an error:

Co-admin error

Q. How do I change the Default Directory associated with my Azure Subscription?

A. To change the Default Directory, log in to Windows Azure with your Microsoft Account. Under Settings, on the Subscriptions tab, select the Azure Subscription that you want to change the Default Directory for (click one of the rows), and then click the Edit Directory button.

Edit Directory

In the Edit Directory dialog, change the default directory. If you have co-admins in your subscription from the currently assigned Default Directory, they will all be removed prior to the switch. You’ll receive a warning about this prior to proceeding, along with a list of affected co-admin accounts.

Affected Co-admins

Summary

In this post, I’ve shown you how you can use a Microsoft Account to log in to Windows Azure, and add/manage existing Windows Azure Active Directory instances within your Azure Subscription. If you have other questions about this process, please leave a comment and I’ll attempt to answer them and add them to the FAQ.

14 comments on “How to Manage an Office365 Windows Azure Active Directory When Logged in as a Microsoft Account in Azure Management Portal”
  2. Hi Adam,
    I don’t have the “Use existing domain” in the dialog so I can’t add my active Office365 tenant id. Is there a reason why I don’t see the option of adding existing?

  3. Waiting for an answer to Jacques’ question. I don’t see “choose existing” either. In fact, that drop down is missing altogether.

  4. “Adding Existing Windows Azure Active Directories to your Windows Azure Subscription”
    I get through all the steps fine, everything seems to work.
    Then when I sign back into Azure I don’t see the Active Directory?
    Have tried multiple times… Any ideas?
    Thanks

  5. Wonderful, works like a charm! When you change your Default Directory, this will kick out any existing co-admins, but this way you can easily manage Office365 and Azure subscription with one set of credentials. Thanks a lot!

  6. @M:

    We were finally able to resolve the issue. The MS account for managing Azure (ab@domain.com) may not exist (login = ab@domain.com) in O365, even if it’s an organization account there.
    After that, add AD worked fine.

    Hope that helps someone,
    Thomas

  7. Hi Thomas/M

    We encounter the same issue. Do you mean that the MS account you use to log in to the Azure portal has to exist in Office 365? If yes, does it need to be an Office 365 Admin user?

    Thanks in advance!

  8. In order to add an existing Directory, do you log into Azure with your Office 365 user or with your Microsoft account that you used to create the Azure subscription with? Before reading your post, I successfully added my target Office 365 AD. I then successfully added a user as a Co-administrator to several subscriptions, but when I log on as my Office 365 user, I don’t see the subscriptions. I can click on the down arrow and see some directories I have access to. When I change to either directory, that doesn’t work either. Any suggestions? The only thing I can figure out is that I need to add the target Azure subscription default directory while logged on as my Office 365 users. Thoughts?

  9. I just followed the steps above exactly again for a new AAD, and it worked, I was able to add an existing AAD to my Azure subscription. For those having problems, ensure that you log in first to your Azure subscription with your Microsoft account. Then you will see the option to add an existing directory.

    You will be logged out, then logged in as a Global Admin of the AAD account, then logged back out and in again as the Microsoft account, at which point you should see the AAD in your management portal.

    Once you have added the existing AAD, you can then set it as the default directory for your subscription, and add your AAD users as co-administrators on your Azure subscription (not necessary, just optional if you want to manage AAD while logged in with an organization account).
