Let's say I have two Microsoft accounts:
And I log into the Azure Account Center and create two subscriptions for each account:
- [email protected]
  - Subscription1a
  - Subscription1b
- [email protected]
  - Subscription2a
  - Subscription2b
Each account has an account administrator and a service administrator, and the account administrator can change the service administrator. So I could, for example, give control of all subscriptions to one service administrator, and in the Management Portal, it would LOOK like that account owns all the subscriptions:
- [email protected]
- [email protected]
  - Subscription1a
  - Subscription1b
  - Subscription2a
  - Subscription2b
But the account administrator didn't change, so really, each account still owns its original two subscriptions. The account administrator can always take back control of a subscription by changing its service administrator back to himself.
Then I log into the Azure Management Portal and create some storage accounts, web apps, SQL databases, and other Azure resources. Each resource belongs to one subscription, and each subscription is owned by one account:
- [email protected]
  - Subscription1a
    - storage accounts
    - web apps
    - SQL databases
  - Subscription1b
    - storage accounts
    - web apps
    - SQL databases
- [email protected]
  - Subscription2a
    - storage accounts
    - web apps
    - SQL databases
  - Subscription2b
    - storage accounts
    - web apps
    - SQL databases
So I could say that, ultimately, each Azure resource is owned by its subscription's account administrator.
Azure also created an active directory for each account, which is shared by both subscriptions. When I look at the management portal, the active directory LOOKS like it's just another Azure resource, except that it belongs to both subscriptions:
- [email protected]
  - Subscription1a
    - storage accounts
    - web apps
    - SQL databases
    - MicrosoftAccount1outlook.onmicrosoft.com (shared)
  - Subscription1b
    - storage accounts
    - web apps
    - SQL databases
    - MicrosoftAccount1outlook.onmicrosoft.com (shared)
- [email protected]
  - Subscription2a
    - storage accounts
    - web apps
    - SQL databases
    - MicrosoftAccount2outlook.onmicrosoft.com (shared)
  - Subscription2b
    - storage accounts
    - web apps
    - SQL databases
    - MicrosoftAccount2outlook.onmicrosoft.com (shared)
I can even create more active directories in the management portal, which is where I created the storage accounts, web apps, and SQL databases, so it REALLY looks like an active directory is just another Azure resource that can belong to multiple subscriptions:
- [email protected]
  - Subscription1a
    - storage accounts
    - web apps
    - SQL databases
    - MicrosoftAccount1outlook.onmicrosoft.com (shared)
    - MicrosoftAccount1outlook2.onmicrosoft.com (shared)
  - Subscription1b
    - storage accounts
    - web apps
    - SQL databases
    - MicrosoftAccount1outlook.onmicrosoft.com (shared)
    - MicrosoftAccount1outlook2.onmicrosoft.com (shared)
- [email protected]
  - Subscription2a
    - storage accounts
    - web apps
    - SQL databases
    - MicrosoftAccount2outlook.onmicrosoft.com (shared)
    - MicrosoftAccount2outlook2.onmicrosoft.com (shared)
  - Subscription2b
    - storage accounts
    - web apps
    - SQL databases
    - MicrosoftAccount2outlook.onmicrosoft.com (shared)
    - MicrosoftAccount2outlook2.onmicrosoft.com (shared)
However, I play with it some more, and I realize that I've got it backwards. The active directories don't belong to the subscriptions; the subscriptions belong to the active directories. I can change which subscriptions are assigned to which directories. Then, in the Management Portal, I select a directory, and it shows me that directory's subscriptions and their resources:
- [email protected]
  - MicrosoftAccount1outlook.onmicrosoft.com
    - Subscription1a
      - storage accounts
      - web apps
      - SQL databases
  - MicrosoftAccount1outlook2.onmicrosoft.com
    - Subscription1b
      - storage accounts
      - web apps
      - SQL databases
- [email protected]
  - MicrosoftAccount2outlook.onmicrosoft.com
  - MicrosoftAccount2outlook2.onmicrosoft.com
    - Subscription2a
      - storage accounts
      - web apps
      - SQL databases
    - Subscription2b
      - storage accounts
      - web apps
      - SQL databases
So now it looks like the account administrator owns the active directories, and the active directories own the subscriptions. However, I play with it some more, and I don't think that's right, either. I can make the first account the service administrator for all four subscriptions. The second account can add the first account as a user in each directory and make him a Global Admin. Then the first account can remove the second account from each directory. So now, the first account can manage the subscriptions for all four directories and is the one and only user and global admin in all four directories, and the second account can't even log into the management portal anymore, so it looks like the first account owns everything:
- [email protected]
  - MicrosoftAccount1outlook.onmicrosoft.com
    - Subscription1a
      - storage accounts
      - web apps
      - SQL databases
  - MicrosoftAccount1outlook2.onmicrosoft.com
    - Subscription1b
      - storage accounts
      - web apps
      - SQL databases
  - MicrosoftAccount2outlook.onmicrosoft.com
  - MicrosoftAccount2outlook2.onmicrosoft.com
    - Subscription2a
      - storage accounts
      - web apps
      - SQL databases
    - Subscription2b
      - storage accounts
      - web apps
      - SQL databases
- [email protected]
The second account still really owns two of the subscriptions because he's the account administrator, but there's nothing anymore that says that he owns two of the directories. The second account administrator can take back control of his two subscriptions, but I don't see how he can take back control of his two directories. Furthermore, as long as he's not a member of any active directory, he can't even create any more subscriptions; Azure won't create another directory like it created the first one. So, at this point, who owns the active directories MicrosoftAccount2outlook.onmicrosoft.com and MicrosoftAccount2outlook2.onmicrosoft.com?
I can even make one directory own subscriptions that belong to different account administrators:
- [email protected]
  - MicrosoftAccount1outlook.onmicrosoft.com
    - Subscription1a
      - storage accounts
      - web apps
      - SQL databases
    - Subscription1b
      - storage accounts
      - web apps
      - SQL databases
    - Subscription2a
      - storage accounts
      - web apps
      - SQL databases
    - Subscription2b
      - storage accounts
      - web apps
      - SQL databases
  - MicrosoftAccount1outlook2.onmicrosoft.com
  - MicrosoftAccount2outlook.onmicrosoft.com
  - MicrosoftAccount2outlook2.onmicrosoft.com
- [email protected]
To make things even more fun, I can create a user in a directory that is not a Microsoft account; it's just a directory account. Then I can log into the Management Portal as the directory account AND CREATE ANOTHER DIRECTORY. The only user and global admin in the new directory is the directory account that created it; it doesn't have a Microsoft account owner. Who owns THAT directory?
It could even be argued that the active directories own the original Microsoft accounts, because the Microsoft accounts are users in the active directories. So if the active directory owns the Microsoft account, and the Microsoft account owns the subscription, then who owns the active directory? (EDIT: On second thought, it doesn't make sense for the directory to own the Microsoft account, because one Microsoft account can be a user in multiple directories, and that would mean the account has multiple owners. Scratch that. A HUMAN owns the Microsoft account. Either the Microsoft account owns the subscription, or the active directory owns the subscription. Who owns the active directory?)
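The relationship the question keeps circling is visible in the data Azure itself returns: every subscription carries exactly one `tenantId`, naming the directory it trusts, while the account administrator (billing owner) is tracked separately. The following is an added example, not code from the question or from Microsoft. It parses a constructed sample in the shape of `az account list -o json` (the real output has the `id`, `name`, `tenantId` and `user` fields used here, plus others), groups subscriptions by directory, and flags the exact situation described above: a subscription whose account administrator holds no Global Administrator role in the subscription's directory, so that owner can reclaim the subscription but not the directory. The tenant and subscription IDs, the `example.com` addresses standing in for the two Microsoft accounts, and the per-directory admin lists are all constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample (not real output): the shape of `az account list -o json`,
# trimmed to the fields used here. Subscription names follow the question; the
# tenant IDs, subscription IDs and e-mail addresses are placeholders.
SAMPLE_AZ_ACCOUNT_LIST = """
[
  {"id": "sub-1a-placeholder", "name": "Subscription1a",
   "tenantId": "tenant-1-placeholder",
   "user": {"name": "account1@example.com", "type": "user"}},
  {"id": "sub-1b-placeholder", "name": "Subscription1b",
   "tenantId": "tenant-1b-placeholder",
   "user": {"name": "account1@example.com", "type": "user"}},
  {"id": "sub-2a-placeholder", "name": "Subscription2a",
   "tenantId": "tenant-2b-placeholder",
   "user": {"name": "account1@example.com", "type": "user"}},
  {"id": "sub-2b-placeholder", "name": "Subscription2b",
   "tenantId": "tenant-2b-placeholder",
   "user": {"name": "account1@example.com", "type": "user"}}
]
"""

# Constructed: the account administrator (billing owner) of each subscription.
ACCOUNT_ADMINS = {
    "Subscription1a": "account1@example.com",
    "Subscription1b": "account1@example.com",
    "Subscription2a": "account2@example.com",
    "Subscription2b": "account2@example.com",
}

# Constructed: Global Administrators per directory, as collected from each
# directory's role assignments, after the second account has been removed
# from every directory (the end state the question describes).
GLOBAL_ADMINS_BY_TENANT = {
    "tenant-1-placeholder": {"account1@example.com"},
    "tenant-1b-placeholder": {"account1@example.com"},
    "tenant-2-placeholder": {"account1@example.com"},
    "tenant-2b-placeholder": {"account1@example.com"},
}


def load_accounts(raw_json):
    """Parse the JSON that `az account list` prints."""
    return json.loads(raw_json)


def group_by_tenant(accounts):
    """Map each directory (tenantId) to the subscriptions that trust it.
    A subscription has exactly one tenantId: directories own subscriptions,
    not the other way round."""
    by_tenant = defaultdict(list)
    for sub in accounts:
        by_tenant[sub["tenantId"]].append(sub["name"])
    return {tenant: sorted(names) for tenant, names in by_tenant.items()}


def orphaned_subscriptions(accounts, account_admins, global_admins_by_tenant):
    """Subscriptions whose account administrator holds no Global Administrator
    role in the directory the subscription trusts. That owner can still take
    the subscription back (change its service administrator) but has no way
    back into the directory. Returns (subscription, tenantId, owner) tuples."""
    orphaned = []
    for sub in accounts:
        owner = account_admins.get(sub["name"])
        admins = global_admins_by_tenant.get(sub["tenantId"], set())
        if owner not in admins:
            orphaned.append((sub["name"], sub["tenantId"], owner))
    return sorted(orphaned)


def directories_with_single_admin(global_admins_by_tenant):
    """Directories that would be left with no administrator at all if their
    one remaining Global Administrator were lost or removed."""
    return sorted(t for t, admins in global_admins_by_tenant.items()
                  if len(admins) <= 1)


if __name__ == "__main__":
    accounts = load_accounts(SAMPLE_AZ_ACCOUNT_LIST)
    for tenant, subs in group_by_tenant(accounts).items():
        print(f"{tenant}: {', '.join(subs)}")
    for name, tenant, owner in orphaned_subscriptions(
            accounts, ACCOUNT_ADMINS, GLOBAL_ADMINS_BY_TENANT):
        print(f"{name}: account admin {owner} is not a Global Admin of {tenant}")
    print("single-admin directories:",
          directories_with_single_admin(GLOBAL_ADMINS_BY_TENANT))
```

Against real data you would feed `load_accounts` the output of `az account list -o json` and build the admin map from each directory's role assignments; the two checks then answer the practical form of the question: which subscriptions a billing owner could recover without ever regaining the directory they live in, and which directories hang on a single account.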