Tuesday, 5 June 2018

Azure AD - Relationships between Azure EA Accounts and Subscriptions

When it comes to the relationship between the Azure Portal, Azure AD and the Azure EA Portal, things can get very confusing and frustrating. It can be hard to understand what you have to do to enable authentication into the Azure Portal and why you have so many Azure ADs flying around. This brief blog post tries to explain the relationship between an Azure EA Portal account, the Azure AD that gets created automatically, and the Azure subscriptions that can be accessed in the Azure Portal.

When you log in to the Azure Enterprise Agreement Portal (Azure EA Portal) you can create "accounts", and under accounts you can create "subscriptions". Subscriptions are where you place your services (this is done in the Azure Portal). Accounts are where you place your subscriptions (this is done in the Azure EA Portal). When you create an account, an Azure AD is automatically created for that account, and all subscriptions under that account link to that Azure AD. Here is the diagram that shows this relationship:

Azure AD, Subscription and Account Relationship Diagram

Let's say you have created an ECorpFraud account in the Azure EA Portal and it belongs to the ECorp Fraud department. That account will automatically get an ECorpFraud Azure AD. This AD will be used to authenticate your users into the Azure Portal and let them see the relevant Azure subscriptions.

Imagine that Alice works in the ECorp Fraud department. Someone will need to add her to the ECorpFraud AD; once she is in there, you will be able to give her permissions to see resources in Subscription A or B. The Azure Portal itself uses Azure AD to enable authentication.

Now, if I create an ECorp Finance account, the same thing will happen: an Azure AD for ECorp Finance will be created. I will then be able to add the relevant users to that AD, in this case Alice and John, and then give them access to the relevant subscriptions.