During the past year I’ve worked a lot with Cloud Solution Providers (CSP). A lot of them understand the concepts, but 1 thing seems to confuse people a lot: Azure AD Tenants
What is a tenant? And why is it important for me as a CSP? Well, to understand things, let’s start from the beginning: A customer signs up to an Azure subscription. At that moment, they also get an Azure Active Directory (Azure AD) tenant, named <tenantname>.onmicrosoft.com. If the customer already has Office 365, they will also have an Azure AD tenant. The same goes for other Microsoft bloud services, so be aware of this.
After creating their tenant, the customer will most likely start synchronizing users from their on-premises Active Directory to Azure AD. That way they get a single username, and they can login to Microsoft cloud services with their email address.
Take me for example. I have cloudpuzzles.onmicrosoft.com as my Azure AD tenant. In this tenant, I have added cloudpuzzles.net as my domain, and synced user accounts from my Active Directory. That way I can login to Azure, Office 365 etc. using firstname.lastname@example.org, which is my on-premises login too. I’ve also configured password hash synchronization, so I can use the same password. To get single sign-on, I could also configure ADFS, but that’s another topic.
I have my tenant configured, with users and groups:
Many people think, that an Azure subscription is the top-level of Azure resources. That’s not the case though. If I sign up for a subscription, this is linked to my Azure AD, thus making my Azure AD tenant the top-level. The same goes for Office 365 etc. Let’s have a look:
I’ve now added Office 365 and Azure susbcriptions – both using my credit card on a Pay-As-You-Go model. The subscriptions are managed by the users I have in my Azure AD tenant. I can control access to those subscriptions on a user or group level, but only from the users & groups within my tenant.
When we use CSP, it’s very similar, but still different. Let’s say I wanted an Azure subscription from a CSP. This CSP needs to add me as a customer in their system. If I do not have any Azure AD tenant yet, it’s straight forward for them to do:
Notice the “Primary domain name” field, with .onmicrosoft.com after it. That’s where CSPs create a new tenant. But in this case I already have a tenant, so what if I enter that:
Nope, no cookie. And this is where some CSPs just enter “cloudpuzzles2” or something like that, because they don’t understand the importance of this. If they create a new tenant for my subscription, I as the customer, will not be able to manage this subscription, using my existing tenant. That’s a mess! Instead, the CSP needs to go and get a link, to establish a reseller relationship with you as the tenant. Unfortunately I can’t show this, as my demo CSP environment don’t have that option. Anyways, when you get the link, you sign in as an admin, and accept the relationship with this particular CSP. Now they can create subscriptions for you, and sell you whatever service you need.
What happens after you have approved the reseller relationship, is the CSP get Admin-on-Behalf-of (AOBO) access to the subscriptions they provision in your tenant. This means only they have access, you can’t even access the resources, until given permission to do so. And how would you do that, if the CSP created a new tenant for you? Correct, a management nightmare. What AOBO does not give the CSP, is access to you existing resources. Nor will they have access to resources provisioned from other CSPs.
The way AOBO in an Azure subscription is: In the CSP’s environment, they have a role, Admin Agent. That role, or group of users, is assigned ownership permissions on the subscriptions they provision. From the CSP portal, they can then access the subscription, using their own credential – not credentials from your tenant. This is because of our reseller relationship we just created:
In the same way, when CSPs sell O365, Intune etc., they’re added to your Azure AD Tenant Admin Role, and can manage the licenses for you. You can of course manage those licenses too, but by default, only the CSP has access. If you were to buy Azure from multiple CSPs – which is a very likely scenario, given the change in the market where a lot of companies just offer a service built on Azure – this is supported too. In this case, each CSP will request a reseller relationship with you, and they will provision their own subscriptions for you too:
TL;DR: Make sure you don’t have multiple Azure AD tenants within your organization (unless you have very good reason to do so, for example regional control etc). And make sure your CSP partner knows what they’re doing – if they don’t send them this link ;-)