One of the big requests we've had from developers and administrator is to have an option to create multiple Windows Azure Active Directories that they can use for development and test purposes, or because they want to have separate directories to synchronize with their local Windows Server AD forests.
I'm happy to let you know that we heard this feedback, and with we've recently added features to simplify the experience for creating and managing additional directories. To start you on the right path using these features, Jeff Staiman, a Senior Program Manager in the AD team has written a blog post to show you how these features work.
To try out the new features, sign in to the Windows Azure Management Portal, and click on Active Directory in the left navigation bar.
Alex Simons (twitter: @Alex_A_Simons)
Director of Program Management
Active Directory Team.
Hi there –
I'm Jeff Staiman, Senior PM on the AD team, writing to introduce you to features we've added recently to improve the directory management experience from within the Windows Azure Management Portal.
With our recent release, you can:
Adding a new directory
To add a directory, sign in to the management portal, and select New
Fig 1: Adding a new directory
In the Add directory dialog, configure the basic properties for your new directory: its name, default domain name, and the country or region.
Fig 2: Configuring the basic properties for a new directory
Then, click the checkbox in the lower right of the dialog, and in a few seconds you'll see that your new directory has been created and is available for use.
Fig 3: A new directory has been successfully created
Right now, once you create a directory, it cannot be deleted. We're working to add the ability to delete directories, and we are being careful to get it exactly right to make sure we are protecting against accidental deletion of a directory that users are relying on for business critical services such as Office 365.
Using an existing directory
If you access Windows Azure with a Microsoft account, and you also administer a Windows Azure AD that's used for Office 365 or another service, we've added a feature to streamline your directory management experience. Now, even if your Microsoft account already manages a Windows Azure AD, you can configure your Microsoft account to manage an existing Windows Azure AD that you manage for your organization.
Fig 4: Microsoft account user with one directory
To configure a Microsoft account to manage an existing directory, you'll add your Microsoft account as a global administrator of that directory. The first steps are the same as adding a new directory: in the management portal, select New
Then, in the Add Directory dialog, change the Directory dropdown from the default Create new directory to Use existing directory.
Fig 5: Using an existing directory
From there, you'll see instructions in the dialog to sign out of your Microsoft account, which you will do by ticking the box, and then clicking the checkmark in the lower right of the dialog.
Fig 6: Preparing to sign out of the Microsoft account
Upon signing out, you'll see the sign in screen for Windows Azure Active Directory. Enter your user name and password for the global administrator account in the directory that you want to manage using your Microsoft account.
Fig 7: Signing in as the global administrator of the existing directory
Once signed in, you'll see the dialog below. Click the green continue button to add your Microsoft account as a global administrator of the existing directory.
Fig 8: Adding the Microsoft account as a global administrator of the existing directory.
Once that's completed, click the link to sign out of your organizational account. Then, you can sign in to the Windows Azure Management Portal
as your Microsoft account user, and can manage the directory to which you added the Microsoft account.
Fig 9: List of directories with red box to indicate the directory which was just added
You can now manage this directory like other directories for which you're a global administrator. For example, you can open the directory by clicking on the name in the list of directories, click on the USERS tab, and see your Microsoft account as a user in this directory.
Managing multiple directories
You can manage each Windows Azure AD as a fully independent resource: each directory is a peer, fully-featured, and logically independent of other directories that you manage; there is no parent-child relationship between directories. This independence between directories includes resource independence, administrative independence, and synchronization independence.
Resource independence. If you create or delete a resource in one directory, it has no impact on any resource in another directory, with the partial exception of external users, described below. If you use a custom domain 'contoso.com' with one directory, it cannot be used with any other directory.
Administrative independence. If a non-administrative user of directory 'Foo', creates a test directory 'Bar' then:
And if you add or remove an administrator role from one directory, this has no impact on any administration privileges in any other directory.
Synchronization independence. You can configure each Windows Azure AD independently to get data synchronized from a single instance of either:
Also note that unlike other Windows Azure resources, your directories are not child resources of a Windows Azure subscription. So if you cancel or allow your Windows Azure subscription to expire, you can still access your directory data using PowerShell, the Windows Azure Graph API, or other interfaces such as the Office 365 administration console.
Adding a user from another directory
You'll notice that when you create a directory, your user account is included in that new directory, and you're assigned to the global administrator role. This enables you to manage the directory you created without signing in as a different user of that directory.
As an administrator of a directory, now you can also add users from another directory of which you're a member. This is useful, for example, where there are users in your production directory who will need to collaborate on an application that is under development or testing in a non-production environment. A user can be a member of up to 20 directories.
To add a member of another directory, first find the user name of the user you want to add. You can the find the user name for a particular user by opening the source directory the user's account is in ('Contoso Corp' in the example below). Click on the USERS tab, and find the value in the user name column.
Fig 10: Finding the user name for a user in a directory
Then, open the directory in which you want to add the user ('Contoso Staging' in the example below) by clicking the name of the directory in the list.
Fig 11: Users in the target directory before adding another user
Click ADD USER in the command bar, and in the TYPE OF USER dropdown, choose User in another Windows Azure AD directory.
Fig 12: Adding a user from another Windows Azure AD directory
Then, enter the user name of the user that you want to add to this target directory. Once you've entered the name, a green check mark to the right of the name indicates the user was found in the source directory, which can be from any directory to which you have access. Using the ROLE dropdown, assign the role that the user needs in the target directory. If the user needs to manage directory data, such as when collaborating on an application that integrates with Windows Azure AD, you must assign the user to the Global Administrator role in the target directory.
Fig 13: Adding a user from another directory as a global administrator in the target directory
To add the user into the target directory, click the checkmark on the lower right of the dialog, and you'll see the user has been successfully added to the target directory.
Fig 14: User successfully added to the target directory
Fig 15: A Microsoft account user in the directory
Using and managing external users
When you add a user from one directory into a new directory, that user is an "external user" in the new directory. Initially, the display name and user name are copied from the user's "home directory" and stamped onto the "external user" resource in the other directory. From then on, those and other properties of the external user object are entirely independent: if you make a change to the user in the home directory, such as changing the user's name, adding a job title, etc. those changes are not propagated to the external user account in the other directory.
The only linkage between the two objects is that the user always authenticates against the home directory. That's why you don't see an option to reset the password or enable multi factor authentication for an external user account: currently the authentication policy of the home directory is the only one that's evaluated when the user signs in.
If a user is deleted in their home directory, the user resource still exists in the other directory. However, the user can't access resources in the other directory since the user can't authenticate to that directory.
A user who is an administrator of multiple directories can manage each of those directories in the management portal. However, other applications such as Office 365 do not currently provide experiences to assign and access services as an external user in another directory. Going forward, we'll provide guidance to developers how their apps can work with users who are members of multiple directories.
There are currently limitations in that an administrator can only grant consent to a multi-tenant application in their home directory, and can only be provisioned for SaaS apps and SSO via the Access Panel in their home directory. Microsoft account users have the same limitations in that they cannot currently grant consent to a multi-tenant application, or use the Access Panel.
Renaming a directory
We have also added the ability to change the name of a directory. It's useful to have the name of the production directory be meaningful to users in the directory. For non-production directories, it's often useful to have the name of the directory identify the environment to which the directory corresponds, such as 'development', 'test' or 'staging.'
Fig 16: User with two directories, one of which is not descriptively named
To change the name of a directory, open the management portal, click on Active Directory in the left navigation bar, and click on the name of the directory that you want to rename.
Then, click on the CONFIGURE tab, and enter the new name for the directory in the directory properties section, and click the SAVE button in the command bar at the bottom of the screen.
Fig 17: Changing the name of a directory
Then, return to the list of directories, refresh the page in the browser, and you'll see the directory with its new name.
Fig 18: User with two directories after renaming 'Default directory' to 'Proseware Staging'
It is not currently possible to change the default domain of a directory, i.e., the domain with the suffix '.onmicrosoft.com'. If the default domain for your directory doesn't meet your requirements, the best approach is often to add and verify a domain such as 'contoso.com' that your organization already owns and uses. You can add a domain that your organization owns by clicking on the DOMAINS tab of the directory, and clicking 'add'. Alternatively, you can create another directory and choose a default domain name for the new directory which meets your organization's requirements.
We hope you like these enhancements to the experience for managing Windows Azure Active Directories. And by all means, tell us what you think! If there are aspects of these experiences that you think are great, or things that drive you crazy – let us know by posting in our forum on TechNet.
Thanks a lot for this information!
Can I ask as for help?
Maby you would like write an article(s) about "How can I use Azure AD for authentication in ASP.NET app?"
It'll be very useful.
Hi Tommy - To get started, check out Vitorrio's blog here:
Hope that helps!
Can we new Directory ( Azure AD ) via API ?.. Any automation?