Creating and Managing Multiple Windows Azure Active Directories


Howdy folks,

One of the big requests we've had from developers and administrators is for an option to create multiple Windows Azure Active Directories, either for development and test purposes or because they want separate directories to synchronize with their local Windows Server AD forests.

I'm happy to let you know that we heard this feedback, and we've recently added features that simplify creating and managing additional directories. To start you on the right path with these features, Jeff Staiman, a Senior Program Manager on the AD team, has written a blog post showing how they work.

To try out the new features, sign in to the Windows Azure Management Portal, and click on Active Directory in the left navigation bar.

Regards,

Alex Simons (twitter: @Alex_A_Simons)

Director of Program Management

Active Directory Team.

Hi there –

I'm Jeff Staiman, Senior PM on the AD team, writing to introduce you to features we've added recently to improve the directory management experience from within the Windows Azure Management Portal.

With our recent release, you can:

  • Add a new directory from within the management portal. Now you can have another directory that you can use for testing or other non-production usage, or for managing data synced from another AD forest. Even better, you can manage all your directories from the management portal while signed into your existing user account.
  • Manage an existing Windows Azure AD using your Microsoft account. If you use a Microsoft account to access Windows Azure, and you also manage another Windows Azure AD such as one you created when you signed up for Office 365, now there's an easy way for you to manage that directory from the management portal using your Microsoft account.
  • Change the name of a directory. Now you can change the name of your directory to be descriptive of your organization, such as 'Litware Corp.' or to be descriptive of the non-production environment which the directory serves, such as 'Litware PreProduction.'
  • Add users to a new Windows Azure AD from an existing directory. This helps you collaborate in another directory with users who already exist in your production directory. This is useful for collaborating in a test environment with users who need to manage directory resources such as applications, without requiring those users to sign in with new accounts and credentials.

Adding a new directory

To add a directory, sign in to the management portal, and select New > Application Services > Active Directory > Directory > Custom Create.

Fig 1: Adding a new directory

In the Add directory dialog, configure the basic properties for your new directory: its name, default domain name, and the country or region.

  • Name. Choose a name for the directory that will help distinguish it from your other directories. If the directory you're creating is to be used in production, choose a name for the directory which your users will recognize as the name of your organization. You can change the name later if you want.
  • Domain name. Choose a default domain name (e.g., 'contosostage1.onmicrosoft.com') which you can use to bootstrap usage of this directory. The default domain cannot be changed, but later you can add a custom domain owned by your organization (e.g., 'contosostage.com') to give users a better sign-on experience for that directory and for working with AD-integrated applications.
  • Country or region. Choose a country or region for your directory. This setting is used by Active Directory to determine the datacenter region(s) for your directory. It cannot be changed later.

Fig 2: Configuring the basic properties for a new directory

Then, click the checkmark in the lower right of the dialog, and in a few seconds you'll see that your new directory has been created and is available for use.

Fig 3: A new directory has been successfully created

Right now, once you create a directory, it cannot be deleted. We're working to add the ability to delete directories, and we are being careful to get it exactly right so that we protect against accidental deletion of a directory that users rely on for business-critical services such as Office 365. Until then, treat directory creation as permanent: a test directory created by any user of your directory (see 'Administrative independence' below) stays in that user's list of directories.

Using an existing directory

If you access Windows Azure with a Microsoft account, and you also administer a Windows Azure AD that's used for Office 365 or another service, we've added a feature to streamline your directory management experience. Now, even if your Microsoft account already manages a Windows Azure AD, you can also configure it to manage an existing directory that you administer for your organization.

Fig 4: Microsoft account user with one directory

To configure a Microsoft account to manage an existing directory, you'll add your Microsoft account as a global administrator of that directory. The first steps are the same as adding a new directory: in the management portal, select New > Application Services > Active Directory > Directory > Custom Create.

Then, in the Add Directory dialog, change the Directory dropdown from the default Create new directory to Use existing directory.

Fig 5: Using an existing directory

From there, you'll see instructions in the dialog to sign out of your Microsoft account, which you will do by ticking the box, and then clicking the checkmark in the lower right of the dialog.

Fig 6: Preparing to sign out of the Microsoft account

Upon signing out, you'll see the sign in screen for Windows Azure Active Directory. Enter your user name and password for the global administrator account in the directory that you want to manage using your Microsoft account.

Fig 7: Signing in as the global administrator of the existing directory

Once signed in, you'll see the dialog below. Click the green continue button to add your Microsoft account as a global administrator of the existing directory.

Fig 8: Adding the Microsoft account as a global administrator of the existing directory.

Once that's completed, click the link to sign out of your organizational account. Then, you can sign in to the Windows Azure Management Portal as your Microsoft account user, and can manage the directory to which you added the Microsoft account.

Fig 9: List of directories with red box to indicate the directory which was just added

You can now manage this directory like other directories for which you're a global administrator. For example, you can open the directory by clicking on the name in the list of directories, click on the USERS tab, and see your Microsoft account as a user in this directory.

Managing multiple directories

You can manage each Windows Azure AD as a fully independent resource: each directory is a peer, fully-featured, and logically independent of other directories that you manage; there is no parent-child relationship between directories. This independence between directories includes resource independence, administrative independence, and synchronization independence.

Resource independence. If you create or delete a resource in one directory, it has no impact on any resource in another directory, with the partial exception of external users, described below. If you use a custom domain 'contoso.com' with one directory, it cannot be used with any other directory.

Administrative independence. If a non-administrative user of directory 'Foo' creates a test directory 'Bar', then:

  • By default, the user who creates a directory is added as an external user in that new directory (more on that below), and assigned the global administrator role in that directory.
  • The administrators of directory 'Foo' have no direct administrative privileges in directory 'Bar' unless an administrator of 'Bar' specifically grants them. They do, however, control access to 'Bar' indirectly, because they control the user account that created 'Bar': that account still authenticates against 'Foo', so whoever can reset its password or disable it in 'Foo' controls its global administrator access to 'Bar'.

And if you add or remove an administrator role from one directory, this has no impact on any administration privileges in any other directory.

Synchronization independence. You can configure each Windows Azure AD independently to get data synchronized from a single instance of either:

  • The directory sync tool, to synchronize data with a single AD forest
  • The Windows Azure Active Directory Connector for Forefront Identity Manager, to synchronize data with one or more AD forests, and/or non-AD data sources

Also note that, unlike other Windows Azure resources, directories are not child resources of a Windows Azure subscription. So if you cancel your Windows Azure subscription or let it expire, you can still access your directory data using PowerShell, the Windows Azure Graph API, or other interfaces such as the Office 365 administration console.

Adding a user from another directory

You'll notice that when you create a directory, your user account is included in that new directory, and you're assigned to the global administrator role. This enables you to manage the directory you created without signing in as a different user of that directory.

As an administrator of a directory, now you can also add users from another directory of which you're a member. This is useful, for example, where there are users in your production directory who will need to collaborate on an application that is under development or testing in a non-production environment. A user can be a member of up to 20 directories.

To add a member of another directory, first find the user name of the user you want to add. You can find the user name for a particular user by opening the source directory that the user's account is in ('Contoso Corp' in the example below). Click on the USERS tab, and find the value in the USER NAME column.

Fig 10: Finding the user name for a user in a directory

Then, open the directory in which you want to add the user ('Contoso Staging' in the example below) by clicking the name of the directory in the list.

Fig 11: Users in the target directory before adding another user

Click ADD USER in the command bar, and in the TYPE OF USER dropdown, choose User in another Windows Azure AD directory.

Fig 12: Adding a user from another Windows Azure AD directory

Then, enter the user name of the user that you want to add to this target directory. Once you've entered the name, a green check mark to the right of it indicates that the user was found; the source can be any directory to which you have access. Using the ROLE dropdown, assign the role that the user needs in the target directory. If the user needs to manage directory data, such as when collaborating on an application that integrates with Windows Azure AD, you must assign the user the Global Administrator role in the target directory. Keep in mind that this role gives full control of the target directory, which is one more reason to keep such collaboration in a non-production directory.

Fig 13: Adding a user from another directory as a global administrator in the target directory

To add the user into the target directory, click the checkmark on the lower right of the dialog, and you'll see the user has been successfully added to the target directory.

Fig 14: User successfully added to the target directory

Fig 15: A Microsoft account user in the directory

Using and managing external users

When you add a user from one directory into another, that user is an "external user" in the target directory. Initially, the display name and user name are copied from the user's "home directory" and stamped onto the external user object in the other directory. From then on, those and the other properties of the external user object are entirely independent: if you change the user in the home directory (rename the user, add a job title, and so on), those changes are not propagated to the external user object in the other directory.

The only linkage between the two objects is that the user always authenticates against the home directory. That's why you don't see an option to reset the password or enable multi-factor authentication for an external user account: currently, the authentication policy of the home directory is the only one evaluated when the user signs in. In practice this means a directory inherits the credential strength of every home directory its external administrators come from.

If a user is deleted in their home directory, the user object still exists in the other directory, but the user can no longer access resources there, since there is no home directory left to authenticate against. The stale object remains until an administrator of that directory removes it.
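To make the rules above, and the 'Administrative independence' point from the previous section, checkable rather than just stated, here is an added example. It is not code from the original post or from Windows Azure AD; it is a small model that reproduces exactly the rules this page states (an external user is an independent copy stamped with its home directory, only the home directory evaluates authentication, a deletion in the home directory leaves a stale object elsewhere) so that their consequences can be computed. The directory names, user names, the 'live.com#' form used for the Microsoft account user, and every function name are constructed for illustration.

```python
"""Model of the cross-directory trust described on this page (constructed data).

Not Windows Azure AD code: it encodes the rules the post states so that
questions such as "who can effectively administer my staging directory?"
and "which of its admins are stale?" can be answered from a snapshot.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

GLOBAL_ADMIN = "Global Administrator"


@dataclass
class User:
    user_name: str          # value of the USER NAME column in the portal
    home: Optional[str]     # directory that authenticates the user; None = Microsoft account (assumed)
    enabled: bool = True


@dataclass
class Directory:
    name: str
    users: Dict[str, User] = field(default_factory=dict)   # user_name -> object held by this directory
    roles: Dict[str, str] = field(default_factory=dict)    # user_name -> role held in this directory


def new_user(directory: Directory, user_name: str, home: Optional[str], role: Optional[str] = None) -> User:
    """Create a user object in `directory` whose credentials live in `home`."""
    user = User(user_name, home)
    directory.users[user_name] = user
    if role:
        directory.roles[user_name] = role
    return user


def add_user_from_directory(target: Directory, source: Directory, user_name: str, role: str) -> User:
    """The 'User in another Windows Azure AD directory' dialog: copy the name, keep the
    home directory, assign a role in the target. The copy is independent from here on."""
    if user_name not in source.users:
        raise LookupError(f"{user_name} was not found in {source.name}")
    return new_user(target, user_name, source.users[user_name].home, role)


def can_sign_in(dirs: Dict[str, Directory], target: str, user_name: str) -> bool:
    """Only the home directory's state is evaluated; the target's copy is just a pointer."""
    member = dirs[target].users.get(user_name)
    if member is None:
        return False
    if member.home is None:          # Microsoft account: credential policy lives outside any directory here
        return member.enabled
    home = dirs.get(member.home)
    home_user = home.users.get(user_name) if home else None
    return home_user is not None and home_user.enabled


def stale_global_admins(dirs: Dict[str, Directory], target: str) -> Set[str]:
    """Global administrators whose object survives in `target` but who can no longer sign in."""
    return {u for u, r in dirs[target].roles.items()
            if r == GLOBAL_ADMIN and not can_sign_in(dirs, target, u)}


def effective_controllers(dirs: Dict[str, Directory], target: str) -> Set[str]:
    """Everyone who can administer `target`, directly or through control of an external
    admin's home account: the live global admins of `target`, then the live global admins
    of each external admin's home directory, and so on transitively."""
    controllers: Set[str] = set()
    pending, visited = [target], set()
    while pending:
        name = pending.pop()
        if name in visited:
            continue
        visited.add(name)
        for user_name, role in dirs[name].roles.items():
            if role != GLOBAL_ADMIN or not can_sign_in(dirs, name, user_name):
                continue                       # a stale admin grants nobody anything
            controllers.add(user_name)
            home = dirs[name].users[user_name].home
            if home is not None and home != name and home in dirs:
                pending.append(home)           # whoever controls the home account controls this admin
    return controllers


def build_sample() -> Dict[str, Directory]:
    """Constructed scenario in the spirit of the post's figures: production plus staging."""
    prod = Directory("Contoso Corp")
    new_user(prod, "alice@contoso.onmicrosoft.com", prod.name, GLOBAL_ADMIN)
    new_user(prod, "bob@contoso.onmicrosoft.com", prod.name)
    new_user(prod, "carol@contoso.onmicrosoft.com", prod.name)
    staging = Directory("Contoso Staging")
    # bob (not an admin of production) created staging, so he is an external global admin there
    add_user_from_directory(staging, prod, "bob@contoso.onmicrosoft.com", GLOBAL_ADMIN)
    add_user_from_directory(staging, prod, "carol@contoso.onmicrosoft.com", GLOBAL_ADMIN)
    new_user(staging, "live.com#jeff@outlook.com", None, GLOBAL_ADMIN)   # Microsoft account admin (name format assumed)
    new_user(staging, "dave@contosostage.onmicrosoft.com", staging.name, "User")
    return {prod.name: prod, staging.name: staging}


if __name__ == "__main__":
    dirs = build_sample()
    print("controls staging:", sorted(effective_controllers(dirs, "Contoso Staging")))
    del dirs["Contoso Corp"].users["carol@contoso.onmicrosoft.com"]    # deleted in her home directory
    print("stale staging admins:", stale_global_admins(dirs, "Contoso Staging"))
```

Run on the sample, `effective_controllers` for 'Contoso Staging' includes alice, who holds no role there at all: she administers the production directory that bob and carol authenticate against. Delete carol in production and her object is still listed in staging, but `stale_global_admins` reports her and she drops out of the controller set; disable bob as well and the only live controller left is the Microsoft account. Since the target directory offers no password reset or MFA for external objects, removing the stale copy there is the available cleanup.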

A user who is an administrator of multiple directories can manage each of those directories in the management portal. However, other applications such as Office 365 do not currently provide experiences for assigning and accessing services as an external user in another directory. Going forward, we'll provide guidance to developers on how their apps can work with users who are members of multiple directories.

Currently, an administrator can grant consent to a multi-tenant application only in their home directory, and can be provisioned for SaaS apps and SSO via the Access Panel only in their home directory. Microsoft account users have the same limitations: they cannot currently grant consent to a multi-tenant application or use the Access Panel.

Renaming a directory

We have also added the ability to change the name of a directory. It's useful to have the name of the production directory be meaningful to users in the directory. For non-production directories, it's often useful to have the name of the directory identify the environment to which the directory corresponds, such as 'development', 'test' or 'staging.'

Fig 16: User with two directories, one of which is not descriptively named

To change the name of a directory, open the management portal, click on Active Directory in the left navigation bar, and click on the name of the directory that you want to rename.

Then, click on the CONFIGURE tab, and enter the new name for the directory in the directory properties section, and click the SAVE button in the command bar at the bottom of the screen.

Fig 17: Changing the name of a directory

Then, return to the list of directories, refresh the page in the browser, and you'll see the directory with its new name.

Fig 18: User with two directories after renaming 'Default directory' to 'Proseware Staging'

It is not currently possible to change the default domain of a directory, i.e., the domain with the suffix '.onmicrosoft.com'. If the default domain for your directory doesn't meet your requirements, the best approach is often to add and verify a domain such as 'contoso.com' that your organization already owns and uses. You can add a domain that your organization owns by clicking on the DOMAINS tab of the directory, and clicking 'add'. Alternatively, you can create another directory and choose a default domain name for the new directory which meets your organization's requirements.

Next steps

We hope you like these enhancements to the experience for managing Windows Azure Active Directories. And by all means, tell us what you think! If there are aspects of these experiences that you think are great, or things that drive you crazy – let us know by posting in our forum on TechNet.
