blog.atwork.at

news and know-how about microsoft, technology, cloud and more.

How to associate an Azure subscription owned by an MSA to your organization's AAD

If you created new Azure subscriptions with a Microsoft Account (MSA), each subscription is managed in its own Azure Active Directory (AAD). This article shows how to integrate such an "external" Azure subscription into your organization's AAD.

There are various reasons for having Azure subscriptions owned by an MSA: historically, with older Azure subscriptions, or if you are a member of the Microsoft Partner Network (MPN), where MSDN subscriptions still work only with MSAs... (this is a different story and worth grey hair...). Anyway, if you are in this situation, here is how the process works.

So, in my case, I had an MSA named dev18@myorg.at holding an MSDN license for Visual Studio Enterprise from the MPN. This MSA was created at a time when it was possible to use custom domains for outlook.com accounts while also using the same domain for Office 365, sometime before 2016.

Open the Azure portal as the subscription owner, navigate to Subscriptions, Overview and click Change directory (well, that's easy, isn't it?).


Unfortunately, you need an extra step for accomplishing that mission...


Technically, that's clear: you need to have access to the target AAD. We need a user in the "new" AAD who has the permissions to add an Azure subscription. Usually that's a Global Admin in the new AAD. So, let's invite that user from the other AAD into the subscription as owner. In this sample, the Admin is NestorW (a demo tenant).


The new user (owner) receives an email from invites@microsoft.com. Click the "Get started" button. Behind that button is a link similar to this one: https://invitations.microsoft.com/redeem/?tenant=24eab914... This link leads to the Azure portal.


Signed in as the new owner, we see the subscription in the "old" AAD and can retry the Change directory operation.


Now that we see the source AAD and the target AAD, we can switch the subscription to the new one. In this sample the new AAD is named "Contoso".


As a result (and after a minute and a CTRL+F5 reload, or a logoff and logon), you should see the subscription assigned to the new AAD. You can switch between the AADs (and the subscriptions) with the Filter icon in the Azure portal menu.


Done! The existing Azure subscription can be managed and accessed by members of the target AAD (our organization).

Just to mention: the Azure subscription keeps all its properties and its subscription type. It's just living in the new AAD.



Now it's a good idea to add permissions for the subscription or Resource Groups to allow developers and Admins to use the new subscription.
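
The following is an added example, not part of the original article: a PowerShell sketch (Az module) that confirms the subscription now lives in the target AAD, lists who holds Owner directly on it, and grants a developer group access on one Resource Group. All IDs and names are placeholders, and choosing Contributor at Resource Group scope is an assumption made here, not a recommendation from the article.

```powershell
# Added example. Every ID and name below is a placeholder, not a value from the article.
# Requires the Az PowerShell module and an account that can sign in to the target AAD.
$SubscriptionId   = '00000000-0000-0000-0000-000000000000'  # placeholder: the moved subscription
$ExpectedTenantId = '11111111-1111-1111-1111-111111111111'  # placeholder: target AAD ("Contoso" in the article)
$ResourceGroup    = 'rg-dev'                                # placeholder: Resource Group for developers
$DevGroupObjectId = '22222222-2222-2222-2222-222222222222'  # placeholder: object ID of an AAD group

Connect-AzAccount -Tenant $ExpectedTenantId | Out-Null

# 1. Confirm the subscription is visible in the target directory.
#    This fails if the directory change has not taken effect yet.
$sub = Get-AzSubscription -SubscriptionId $SubscriptionId -TenantId $ExpectedTenantId -ErrorAction Stop
if ($sub.TenantId -ne $ExpectedTenantId) {
    throw "Subscription $SubscriptionId is in tenant $($sub.TenantId), expected $ExpectedTenantId."
}
Set-AzContext -Subscription $SubscriptionId -Tenant $ExpectedTenantId | Out-Null

# 2. List Owner assignments made directly at subscription scope,
#    so accounts that no longer need that level of access can be reviewed.
$scope  = "/subscriptions/$SubscriptionId"
$owners = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName 'Owner' |
    Where-Object { $_.Scope -eq $scope }
$owners | Select-Object DisplayName, SignInName, ObjectType | Format-Table -AutoSize

# 3. Grant the developer group Contributor on one Resource Group
#    (assumption: Resource Group scope is enough for their work),
#    skipping the call if the assignment already exists.
$existing = Get-AzRoleAssignment -ObjectId $DevGroupObjectId `
    -ResourceGroupName $ResourceGroup -RoleDefinitionName 'Contributor'
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $DevGroupObjectId `
        -RoleDefinitionName 'Contributor' -ResourceGroupName $ResourceGroup | Out-Null
}
```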

I hope this article helps Admins to organize and merge multiple Azure subscriptions into one organization tenant.

Comments (2) -

  • Brett

    9/29/2019 4:23:01 PM |

    How do you associate user@aad1.com with aad2.com so user@aad1.com can sign in to local machines joined to aad2.com and have administrative privileges on the machine and the aad2.com domain if appropriate?

  • Toni Pohl

    9/29/2019 8:27:00 PM |

    Hi Brett,
    well, AFAIS, this is a Windows management story and I am not an IT Admin for such scenarios. I hope the following article can help:
    docs.microsoft.com/.../assign-local-admin
    br, Toni
