Check user permissions across all your Azure subscriptions

Letís be honest.. Even though we have excellent tools to manage permissions for our Azure resources, sometimes we donít know exactly what a given user or group has access to. There is however an easy way of checking this:

Go to Azure Active Directory Ė> Users & Groups Ė> Users Ė> Find the user (in this case an external consultant):

image

Select Azure Resources:

image

As you can see, this user has Owner access to one of my subscriptions. Better get that fixed! Smile 

If you click the role assignment, you get the option to delete it:

image

Quick and easy! And the same thing can be done for groups of users.

0  

What is Azure Active Directory?

Back to basics! This is the first post in a series of posts, where I will dive into Azure Active Directory, and all the features around it. Not because Azure Active Directory (Azure AD or just AAD) is new, but because I think there is a gap in understanding exactly what role AAD plays when it comes to Azure, Office 365, Enterprise Mobility Suite, Dynamics Online etc.

If I was asked to describe Azure AD, with 1 sentence it would be:

Azure AD is an online service, to provide identity management for Microsoftís own services, and 3rd party services.

So Itís an online version of Active Directory?

I hear this all the time. And well, to some point, yes. While itís a very good way to understand Azure AD, itís also a very good way to not understand it. Letís rule out some of the common mistakes I hear:

I can deprovision my domain controllers and just use Azure Active Directory for all my clients and servers!
Nope, Azure AD is not here to replace your domain controllers. There might be some companies who can do this, but the vast majority is not anywhere near that point.

I donít need Azure AD, because I donít want to use Azure!
Well, then donít. Just understand that Azure AD is not only for Azure, despite the name. Itís also used for other Microsoft services, and if you use services that are not Microsoft based, there is a good chance youíll be able to use Azure AD for authentication to these services. More on that later.

I already have Office 365, and now I need another identity service for Azure?

Nope, itís the same identity service, behind both offerings. Actually, you should make sure you donít create a new Azure AD for Azure, if you already have Office 365, and vice versa.

I donít get it, how does Azure Active Directory compare to Active Directory then?

Think about it this was. Your on-premises Active Directory, is made up from a couple of Domain Controllers. But why did you install those to begin with? Because you wanted to introduce a centralized identity solution, for the services you run on your servers.

For example, your email might be based on Microsoft Exchange Server, which uses Active Directory as itís identity service. In the same way, Azure Active Directory is used for Exchange Online.

Do you use Skype for Business (Lync/OCS)? Active Directory provides identities for this service too. And again, the online equivalent of this service, Skype for Business Online, uses Azure Active Directory in the same way.

image

And just like you can install all kinds of other services, and use Active Directory for identity, you can do the same with Azure AD. A good example is ServiceNow, which exists in an on-premises version, and a cloud-based version. The on-premises version can use Active Directory for idenity management, while the cloud-based version can authenticate through Azure AD.

I could keep going, but I think you get the point by now.

Do I have users and groups?

Yes! Just like your on-premises AD, Azure AD has users and groups. Depending on the service you use with Azure AD, you can assign permissions on a group level. There are also all kinds of cool features, like self-service password reset, self-service group membership, multi-factor authentication etc. But Iíll get back to all of that.

Do I Need a subscription for a Microsoft service to get Azure AD?

Nope! You can go ahead right now, and create a new Azure Active Directory tenant.

WAIT! Tenant? Whatís that?

Glad you asked! In the world of Azure AD, a tenant is just a customer. Again, think back to your on-premises AD. You have an Active Directory in your company (you might have multiple, but Iíll keep it simple). Itís the IT departmentís responsibility to keep this service running, while the company is consuming the service. Keeping this service up and running cost some money, which the company has to pay for. So you might say that the company is a customer, to itís very own IT department Ė in fact thatís how many companies run their IT.

Ugh, I canít justify a cost to get an online version of my Active Directory!

No problem, there is a free version of Azure AD for you to consume. Itís of course limited in functionality, but you will get very far with this version.

Letís try to sign up for an Azure Active Directory tenant.. Go to: https://account.azure.com/organization

Here you will see the following page. Before you fill out everything and sign up, read the next paragraph below the picture.

image

See the ďDOMAIN NAMEĒ field? This is important. Very important! Iíve had a few customer who signed up, started consuming services, and then wanted to change that specific part. You canít. Itís a ďstart-from-scratch” operation, and you do not want to do this if you started using SharePoint Online or something like that, trust me.
Usually I recommend my customers to use their company name (or Organization Name, as Microsoft says). For my own purpose, I got cloudpuzzles.onmicrosoft.com for all my personal stuff.

What if my company name is taken?
Well, if itís a generic name and lotís of companies around the world use it, you should probably just add your country code or something like that. If you have a special name, and you are pretty sure no one else would be using it, it might mean someone in your company already signed up for an Azure AD. This could be part of an Office 365 trial for example. Thatís not unusual.. What makes it worse it, itís also not unusual that no one knows about this trial, so no one has access to the tenant. You *might* be able to talk to Microsoft folks, and have them check the owner of the tenant, but there is no official process of doing this. If you donít know who to ask, try reaching out to your favorite Microsoft partner, they might be able to push some buttons.

Besides the domain name, you also need to create a new user ID. This is the first account in the Azure AD (just like the administrator account in on-premises Active Directory). Personally I prefer to not make this personal, like ďjesper@awesomecloud.onmicrosoft.comĒ. This is because the account will exist, even if I quit the company. No one wantís that. Instead, I treat this account as a ďbreak glassĒ user, for emergencies only, and name it something like ďcloudadminĒ. Iíll talk more about securing this account, in a later post.

You fooled me! Iíve signed up, and now it wantís me to create an Azure susbcription!!!

After signing up, you are forwarded to a login page. If you login with the account you just created, you will see this:

image

Donít worry. This is just a cheap trick from Microsoft Smile Instead, go to https://portal.azure.com or https://aad.portal.azure.com. From there you are able to play with your Azure AD, with no requirements to sign up and enter a credit card.

Okay, Iím ready to learn this!

As mentioned above, you now have access to two portals:

https://portal.azure.com Ė this is everything Azure related; Azure AD, Virtual Machines, web apps, databases, automation.. you name it!

https://aad.portal.azure.com Ė this is the things that are related to Azure AD. Same UI as above but without all the extra things, you might not be tempted by.. Yet Winking smile

Besides the portals, you can also use PowerShell to interact with your directory. More info on that here: https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0

Where does the users come from?

When working with Azure AD, users can be sourced from multiple locations.

First of is the ďAzure Active DirectoryĒ sourced users. These are users that you create in your Azure AD. Everything on these users, are controlled through your Azure AD; Username, properties, password, email address Ė anything you can imagine.

Second source is Windows Server AD. This is where things gets interesting, in my opinion Ė at least if you have a Windows Server AD (or on-premises AD, if you will). By using Azure AD Connect (a tool from Microsoft), you can synchronize user accounts from on-premises AD to Azure AD. This way your users will have the same username, and password, to use with online services, as they use on-premises through Windows Server AD.

If you are using ADFS, you can also integrate this with Azure AD, to provide Single Sign-On. But again, this post is the basics, so Iíll cover that later on.

Another source of users, is guest users from other Azure Active Directories. If for example you need to give an external user access to an application in your organization, you can invite them to your Azure AD and assign permissions. For me as a consultant, this makes it very easy to help customers, as I can use my own company account to access their environments. And often we (my workplace) has better security on our accounts, so itís a win for us too.

Can I get rid of the *.onmicrosoft.com domain?

Yes. As long as itís a public domain, like cloudpuzzles.net, you can add it to your Azure Active Directory. You will need to validate ownership through DNS records though, so make sure you have access to this. If you synchronize users from your on-premises AD, you will need to add the domain as a UPN suffix there too. I will go into much more details about this in a later post too.

 

Whatís Next?

In the next post, I will guide you through the portal, and the different versions of Azure Active Directory.

0