Tag Archives: Azure AD

Understanding Tenants, Subscriptions, Regions and Geographies in Azure

If you are getting started working with Azure you might come across a few key terms that it’s important to have a good understanding of. In this post I’m going to cover what I think are four of the key ones.

Tenant

A Tenant, as it relates to Azure, refers to a single instance of Azure Active Directory, or, as it is often called, “Azure AD”. Azure AD is a key piece of Microsoft’s cloud platform as it provides a single place to manage users, groups and the permissions they hold in relation to applications published in Azure AD.

Key Microsoft applications that Azure AD provides access to include Office 365, Dynamics 365 and Azure. Yes, you read that right, Azure is treated as an ‘application’. You can also use Azure AD to control access to many other third-party applications such as Salesforce and even the AWS admin console. As an application developer you can register your own applications in Azure AD for the purpose of allowing users access.

Azure AD Tenants are globally unique and are scoped using a domain that ends with ‘onmicrosoft.com’ (e.g. myazuread.onmicrosoft.com), and each has a ‘Tenant ID’ in the form of a UUID/GUID. Some customers choose to connect their internal Active Directory environment to Azure AD to allow single or same sign-on for their staff, and will also use a custom domain instead of the default ‘onmicrosoft.com’ one.

When you access the Azure Portal, or leverage one of the command-line tools to manage Azure resources in a Subscription, you will always be authenticated at some point via the Azure AD Tenant associated with the Subscription you want to access. The actions you can take will depend on the Role you have been assigned in the target Subscription.

Finally, Azure AD Tenants can be associated with multiple Subscriptions (typically in larger organisations), but a Subscription can only ever be associated with a single Azure AD Tenant at any time.

Dev Tip: if you want to develop an application that uses Azure AD but don’t have permissions to register applications in your company’s Azure AD Tenant (or you want a ‘developer’ Azure AD Tenant) you can choose to create a new Azure AD Tenant in the Azure Portal. Make sure in your application that you can easily change Azure AD Tenant details to allow you to redeploy as required. Azure AD has a free tier that should be suitable for most development purposes.

IT Pro Tip: you can change the display name for your Tenant – something I strongly recommend, particularly as Azure AD B2B will mean others will see your Directory name if they are invited and may be confused if the display name is something unclear. Note that you are *not* able to change the default onmicrosoft.com domain.

Subscription

A Subscription in Azure is a logical container into which any number of resources (Virtual Machines, Web Apps, Storage Accounts, etc.) can be deployed. It can also be used for coarse-grained access control to these resources, though the correct approach these days is to leverage Role Based Access Control (RBAC) or Management Groups. All incurred costs of the resources contained in the Subscription will also roll up at this level (see a sample below).

Subscription costs view

As noted above, a Subscription is only ever associated with a single Azure AD Tenant at any time, though it is possible to grant users outside of this Tenant access. You can also choose to change the Azure AD Tenant for a Subscription. This feature is useful if you wish to transfer, say, a Pay-As-You-Go (PAYG) Subscription into an existing Enterprise Enrolment. Subscriptions have both a display name (which you can change) and a Subscription ID (UUID/GUID) which you can’t change.

Subscriptions are not tied to an Azure Region and as a result can contain resources from any number of Regions. This doesn’t mean that you will have access to all Regions, as some Geographies and Regions are restricted from use – we’ll talk more about this next.

Resources contained in a Subscription, but deployed to different Regions will still incur cross-Region costs (where applicable) for the resource.

People sometimes use the word ‘Tenant’ instead of ‘Subscription’ or vice-versa. Hopefully you can now see what the difference is between the two.
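The one-to-many relationship between a Tenant and its Subscriptions is easy to check from the command line. The following is an added example, not code from the original post: it parses the JSON shape that `az account list --all -o json` prints (the `id`, `name`, `tenantId`, `state` and `isDefault` fields) and groups Subscriptions by the Azure AD Tenant that owns them, validating that every Tenant ID and Subscription ID is a GUID and that no Subscription is reported under two Tenants. The sample records and all GUIDs in it are constructed for the example.

```python
import json
import re
from collections import defaultdict

# Canonical 8-4-4-4-12 hex layout shared by Tenant IDs and Subscription IDs.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed sample in the shape of `az account list --all -o json`.
# Every ID and name below is made up for this example.
SAMPLE_AZ_ACCOUNT_LIST = json.dumps([
    {"id": "11111111-1111-4111-8111-111111111111", "name": "Dev PAYG",
     "tenantId": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa", "state": "Enabled", "isDefault": True},
    {"id": "22222222-2222-4222-8222-222222222222", "name": "Prod EA",
     "tenantId": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa", "state": "Enabled", "isDefault": False},
    {"id": "33333333-3333-4333-8333-333333333333", "name": "Sandbox (other directory)",
     "tenantId": "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb", "state": "Disabled", "isDefault": False},
])

# A second constructed sample that breaks the rule: one Subscription ID under two Tenants.
INCONSISTENT_AZ_ACCOUNT_LIST = json.dumps([
    {"id": "11111111-1111-4111-8111-111111111111", "name": "Dev PAYG",
     "tenantId": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa", "state": "Enabled", "isDefault": True},
    {"id": "11111111-1111-4111-8111-111111111111", "name": "Dev PAYG (stale login)",
     "tenantId": "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb", "state": "Enabled", "isDefault": False},
])


def is_guid(value):
    """True if value is a string in GUID/UUID layout (the form Azure uses for IDs)."""
    return isinstance(value, str) and GUID_RE.match(value) is not None


def subscriptions_by_tenant(account_list_json):
    """Return {tenantId: [subscription records]} from `az account list` JSON.

    Raises ValueError if an ID is not a GUID, or if one Subscription ID is
    reported under two different Tenants (a Subscription belongs to exactly one).
    """
    accounts = json.loads(account_list_json)
    seen = {}  # subscription id -> tenant id it was first seen under
    grouped = defaultdict(list)
    for acct in accounts:
        sub_id, tenant_id = acct.get("id"), acct.get("tenantId")
        if not is_guid(sub_id) or not is_guid(tenant_id):
            raise ValueError(f"malformed IDs in record {acct.get('name')!r}")
        if seen.setdefault(sub_id, tenant_id) != tenant_id:
            raise ValueError(f"subscription {sub_id} listed under two tenants")
        grouped[tenant_id].append(acct)
    return dict(grouped)


def is_consistent(account_list_json):
    """Convenience wrapper: True if the listing passes the checks above."""
    try:
        subscriptions_by_tenant(account_list_json)
        return True
    except ValueError:
        return False


def summarize(account_list_json):
    """One line per Tenant: tenant id, subscription count, and how many are Enabled."""
    lines = []
    for tenant_id, subs in sorted(subscriptions_by_tenant(account_list_json).items()):
        enabled = sum(1 for s in subs if s.get("state") == "Enabled")
        lines.append(f"{tenant_id}: {len(subs)} subscription(s), {enabled} enabled")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_AZ_ACCOUNT_LIST)))
```

Run it against real output by replacing `SAMPLE_AZ_ACCOUNT_LIST` with the text of `az account list --all -o json`; a listing that fails `is_consistent` usually means cached logins from more than one directory and is worth clearing with `az account clear` before trusting the inventory.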

Regions and Geographies

Azure differs from the other major cloud providers in its approach to providing services close to the customer. As a result, and at time of writing (August 2018), Azure offers 42 operational Regions with 12 more announced or under development.

A Region is a grouping of data centres that together form a deployment location for workloads. Apart from geo-deployed services like Azure AD or Azure Traffic Manager you will always be asked what Region you wish to deploy a workload to.

Regions are named based on a general geography rather than after exactly where the data centres are. So, for example, in Australia we have four Regions – Australia East, Australia Southeast, Australia Central 1 and Australia Central 2.

A Geography, as it relates to Azure, can be used to describe a specific market – typically a country (Australia), though sometimes a geographic region (Asia, Europe). Normally within a Geography you will find two Regions which will be paired to provide customers with high availability options. Can anyone spot the one Region that doesn’t have its pair in the same Geography?

There are a few special Regions that aren’t open to everyone – US Government Regions, the entire German Geography and China. In Australia, in order to access Australia Central 1 and 2 you must undergo a whitelisting process to gain access.

When you replicate data or services between Regions you will pay an increased charge for either data transfer between Regions and / or duplicated hosting costs in the secondary Region. Some services such as Azure Storage and Azure SQL Database provide geo-redundant options where you pay an incremental cost to have your data replicated to the secondary Region. In other cases you will need to design your own replication approach based on your application and its hosting infrastructure.

Once you have deployed a service to a Region you are unable to move it – you have to re-provision it if you need the primary location to be somewhere else.

As a final note, while there is a Regional availability model (replication of services between Regions), Microsoft has also introduced the concept of Availability Zones. Availability Zones are still being rolled out globally, and are more than just a logical overlay over Regions. Interesting times!

So there we have it, a quick overview of some of the key terms you should be familiar with when getting started with Azure. As always, if anything’s unclear or you have any questions feel free to drop a comment below.

😎


Inviting Microsoft Account users to your Azure AD-secured VSTS tenant

I’ve done a lot of external invite management for VSTS over the last few years, and almost without fail we have issues getting everyone on-boarded easily. This blog post is a reference for me (and I guess you too) to understand the invite process and document the experience the invited user has.

There are two sections to this blog post:

1. Admin instructions to invite users.

2. Invited user instructions.

Select whichever one applies to you.

The starting point for this post is that the external user hasn’t yet been invited to your Azure AD tenant. The user doing the inviting is also not an Azure AD Global Admin, but does have rights in an Azure tenant.

The Invite to Azure AD

These steps assume your Azure AD user has the “Guest Inviter” role and that your Azure AD administrators have enabled guest invites for your Directory.

The Short Way

Log into an Azure subscription using your Azure AD account and then browse to the Directory that is tied to your VSTS subscription. At the top of the screen click on the “New guest user” link and enter the email address of the user you are inviting.

quick-invite

The Long Way

Log into an Azure subscription using your Azure AD account and select Subscriptions. Ideally this shouldn’t be a production tenant!

Select Subscription

I am going to start by inviting this user to my Azure tenant as a Reader-level user which means they will receive an Azure AD invite. I will later revoke this access once they have accepted my invite.

Click “Add” on the IAM blade for the Subscription.

Select Add

Ensure you set the role to “Reader” which provides no ability to execute changes.

Set Role

Now enter the user’s email address. Note you can add multiple email addresses if you want. Click the “Save” button to apply the change.

Enter Email

Once I click “Save” the portal will say it is inviting the user. A short while later the invitee will receive an invite email in their inbox. See later in the blog post for their experience.

Add Invited User to VSTS

Now the invited user is in your Azure AD tenant they will show up in the User Search Dialog in VSTS. You must be a VSTS Admin to manage users.

Log into your VSTS tenant and navigate to Users and then search for the newly added user and assign them the license you want them to use.

VSTS invite

Click “Send Invitation” which will be enabled once you select the invitee’s account from the drop-down. Note that VSTS won’t actually send this user an invite.

At this stage the user now has access to your VSTS tenant, but not any projects it contains – make sure you add them to some!

Let’s take a look and see what the invited user sees.

Invited User Experience

If I log in to the invited user’s Outlook.com mailbox I will see an Azure AD invite awaiting.

The invited user should click the “Get Started” button to accept the invite. Unless they complete this process they won’t have access to VSTS.

Invite email

This will open a web browser on the invited tenant’s redemption page that will be branded with any extended branding the Azure AD tenant has.

The user must click ‘Next’ on this screen to accept the invite.

Invite web experience

It will take a few moments to set up the Microsoft Account in the Azure AD tenant.

Adding user to tenant

Once done the user will end up at the default “My Apps” screen but will see nothing at this point, as they have not been granted access to anything.

Empty My Apps screen

Invited User Accesses VSTS

The invited user can now navigate to your VSTS tenant in a browser – https://tenantname.visualstudio.com/

If they aren’t already logged into their Microsoft Account they will be prompted to login and then directed to VSTS.

As this is their first time logging in they will be asked to enter some information, which will be auto-populated but editable.

VSTS Invite

They then get dropped to the home page for VSTS and are ready to work. If you didn’t add them to any existing projects and haven’t granted them additional privileges they might see the screen below.

VSTS Invite

Make sure they bookmark your VSTS tenant and that they use their invited Microsoft Account each time they want to access it.

Login Experience for User

If the user logs out or their session times out they will be directed to your Azure AD tenant login page first, as this is what VSTS is configured to use when you attach an Azure AD tenant to it.

sign-in-01

The invited user should enter their Microsoft Account into the email address box and when the username box loses focus they will be redirected to the Microsoft Account login screen.

sign-in-02

This step quite often catches people out as they aren’t expecting the redirect, particularly if they haven’t used Office 365 or similar systems.

sign-in-03

At the Microsoft Account login page (shown below) they enter their password and they will be directed back to VSTS.

MSA login page

Don’t forget!

If you’re the inviting Admin you can now remove the invited user as a reader from your Azure tenant.

If you want extra security, get the Microsoft Account users to turn on two-step verification, which will require them to enter a code to log in.
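The portal clicks in “The Invite to Azure AD” and the clean-up in “Don’t forget!” map onto three REST calls, which is handy once you are inviting more than a handful of people. The following is an added example, not code from the original post: it builds a Microsoft Graph guest invitation (POST /v1.0/invitations, which needs the Guest Inviter role mentioned above), an Azure Resource Manager assignment of the built-in Reader role at Subscription scope, and the DELETE that revokes that assignment again once the invite has been redeemed. Nothing is sent unless you call `send()` with a bearer token for the matching API. The Subscription ID, principal ID and assignment name used in the sample run are constructed placeholders; the redirect URL uses the `tenantname.visualstudio.com` placeholder from the post; `READER_ROLE_ID` is the published GUID of the built-in Reader role.

```python
import json
import re
import uuid
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
ARM = "https://management.azure.com"
ARM_API_VERSION = "2015-07-01"  # roleAssignments API version used by this example
# Built-in "Reader" role definition GUID (the same in every Azure subscription).
READER_ROLE_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_guid(value):
    return isinstance(value, str) and GUID_RE.match(value) is not None


def is_invite_email(value):
    """Cheap sanity check so a typo doesn't create a guest object for nobody."""
    return isinstance(value, str) and EMAIL_RE.match(value) is not None


def build_invitation(email, redirect_url, display_name=None):
    """Graph request that mails the Azure AD B2B invite ("The Short Way")."""
    if not is_invite_email(email):
        raise ValueError(f"not an email address: {email!r}")
    body = {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,   # where "Get Started" lands the guest
        "sendInvitationMessage": True,       # let Microsoft send the invite email
    }
    if display_name:
        body["invitedUserDisplayName"] = display_name
    return {"method": "POST", "url": f"{GRAPH}/invitations", "body": body}


def build_reader_assignment(subscription_id, principal_id, assignment_name=None):
    """ARM request granting Reader on the Subscription ("The Long Way").

    principal_id is the guest's object id, returned by the invitation call
    as invitedUser.id. assignment_name must be a fresh GUID (generated if omitted).
    """
    if not is_guid(subscription_id) or not is_guid(principal_id):
        raise ValueError("subscription_id and principal_id must be GUIDs")
    name = assignment_name or str(uuid.uuid4())
    scope = f"/subscriptions/{subscription_id}"
    return {
        "method": "PUT",
        "url": (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments/"
                f"{name}?api-version={ARM_API_VERSION}"),
        "body": {"properties": {
            "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/"
                                f"roleDefinitions/{READER_ROLE_ID}",
            "principalId": principal_id,
        }},
    }


def build_assignment_removal(subscription_id, assignment_name):
    """ARM request revoking the temporary Reader grant ("Don't forget!")."""
    if not is_guid(subscription_id) or not is_guid(assignment_name):
        raise ValueError("subscription_id and assignment_name must be GUIDs")
    return {
        "method": "DELETE",
        "url": (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Authorization/"
                f"roleAssignments/{assignment_name}?api-version={ARM_API_VERSION}"),
        "body": None,
    }


def send(request, bearer_token):
    """Execute one built request. Graph and ARM need tokens for their own audience."""
    data = json.dumps(request["body"]).encode() if request["body"] is not None else None
    req = urllib.request.Request(
        request["url"], data=data, method=request["method"],
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


if __name__ == "__main__":
    # Constructed placeholders: not real IDs.
    sub = "11111111-1111-4111-8111-111111111111"
    guest_object_id = "cccccccc-cccc-4ccc-8ccc-cccccccccccc"   # from invitation response
    assignment = str(uuid.uuid4())
    for step in (build_invitation("guest@example.com", "https://tenantname.visualstudio.com/"),
                 build_reader_assignment(sub, guest_object_id, assignment),
                 build_assignment_removal(sub, assignment)):
        print(step["method"], step["url"])
```

Keep the generated `assignment_name` with the ticket or script run that created it: the DELETE in the last step needs that exact name, and the grant only exists to get the guest object into the directory, so revoking it is part of the job rather than an optional tidy-up.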

Happy coding!

Post credit-roll Admin bonus!

If you find out that some of the users you invited didn’t have a mailbox attached to their Microsoft Account and therefore didn’t get the original invite you can resend the invite. Log into your Azure tenant, open Azure Active Directory and then find the invited user.

Open their profile and click on the ‘Resend invitation’ button – it is greyed out but will work just fine :).

Re-invite a user
