IT:AD:O365:HowTo:Link Your O365 Directory With Your Subscription
Summary
The primary reasons why you should adopt Organisational Accounts (as opposed to Personal Microsoft Accounts) for access to your organisation's IT:AD:Azure Services are:
* being able to control and remove access when users leave.
* providing administrators a seamless IT:AD:SSO experience when accessing the Azure management portal.
* providing end users a seamless IT:AD:SSO experience when accessing both IT:AD:Office 365 (O365) and 3rd party services provisioned in your IT:AD:Azure:Subscription.
To do the above, you effectively need to link the Office 365 directory that was created when you adopted Office 365 to your Microsoft Azure Subscription.
Process
Preparation
To minimize downtime and unexpected outcomes, some preparation is needed:
- The IT:AD:Azure:Subscription's IT:AD:Azure:Security:Role:Administration:Account Administrator (AA) and IT:AD:Azure:Security:Role:Administration:Service Administrator (SA) will have to be set to an IT:AD:Microsoft Account.
- It certainly has to be any account other than one that belongs to the IT:AD:Azure:Subscription's Default Domain whose trust is about to be broken (or you could brick the whole Subscription).
- Any service accounts running under a Domain Account from the Azure Subscription's Default Domain will have to be transferred over to Organisation accounts that have been invited in (they should continue to work without downtime, but this is not confirmed).
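Added pre-flight check for the preparation steps above (example code, not part of the original how-to). It assumes the AzureRM PowerShell module is installed, that you are already signed in with a Microsoft Account that administers the subscription, and that the old default domain name shown is a placeholder to be replaced with your own; it lists every classic administrator and RBAC assignee whose sign-in name belongs to the directory you are about to unlink, since those accounts lose access once the default directory changes.

```powershell
# Added example, not the original page's procedure. Assumes the AzureRM module
# (Get-AzureRmRoleAssignment, Select-AzureRmSubscription) and an existing session
# created with Login-AzureRmAccount.
param(
    # Placeholder: the default domain of the directory you are about to leave,
    # e.g. "contoso.onmicrosoft.com". Replace with your own value.
    [string]$OldDefaultDomain = "olddirectory.onmicrosoft.com",
    # Optional: pin the check to one subscription.
    [string]$SubscriptionId
)

if ($SubscriptionId) {
    Select-AzureRmSubscription -SubscriptionId $SubscriptionId | Out-Null
}

# -IncludeClassicAdministrators returns the classic Service Administrator,
# Account Administrator and co-administrators alongside RBAC role assignments.
$assignments = Get-AzureRmRoleAssignment -IncludeClassicAdministrators

# Any identity signing in from the old default domain is at risk: its directory
# will no longer be the subscription's directory after "Edit Directory" runs.
$suffix = "@" + $OldDefaultDomain.ToLower()
$atRisk = $assignments | Where-Object {
    $_.SignInName -and $_.SignInName.ToLower().EndsWith($suffix)
}

if ($atRisk) {
    Write-Warning "These principals sign in from $OldDefaultDomain and will lose access when the default directory changes:"
    $atRisk | Select-Object SignInName, RoleDefinitionName, Scope | Format-Table -AutoSize
    # Stop here: move the AA/SA to a Microsoft Account and re-home service
    # accounts (see Preparation) before changing the Subscription's Default Domain.
    exit 1
}

Write-Output "No administrator or role assignee depends on $OldDefaultDomain; safe to proceed."
```

Run it once before the directory change and again after cleanup: the second run confirms that every surviving assignment points at a Microsoft Account or an invited Organisation Account.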
Changing the Subscription's Default Domain
In order to change the Subscription's Default Domain to an Office 365 one, you need to go through the following steps:
- Using the IT:AD:Microsoft Account (not an Organisational Account, as it's not yet set up, and the “Use existing directory” option will not show up if you don't):
- Sign-in to the IT:AD:Azure:Portal:Classic Portal with your IT:AD:Azure:Security:Role:Administration:Service Administrator (SA) account:
- In your Subscription, create a New AD Directory that is linked to your Office 365 Directory:
- Action New → App Services → Active Directory → Directory → Custom Create
- …but don't create a new one – instead:
- Action “use existing directory”, then
- Action “I am ready to be signed out now.”
- You will be signed out, then be redirected to sign in to IT:AD:Office 365 (O365):
* Sign in to the IT:AD:Office 365 (O365) site with an (Organisational?) Account that is an IT:AD:Azure AD:Roles:Administration:Global Administrator in the Office 365's AD Directory Service.
- As you signed in with an Organisation Account, it can infer which Organisation you are connecting to.
- You will be prompted with “Use <companyname> directory with Windows Azure”
- Action Continue.
- This will add the original IT:AD:Microsoft Account (the one you used to sign in to Azure in the first place) as an IT:AD:Azure AD:Roles:Administration:Global Administrator in the IT:AD:Office 365 (O365) AD Directory.
- When this has been completed,
- Action “Sign out now”
- You will be redirected back to the IT:AD:Azure:Portal:Classic Portal.
* Sign in to the IT:AD:Azure:Portal:Classic Portal with your original IT:AD:Microsoft Account.
- You will now see the newly linked Office 365 AD Directory listed under the Active Directory.
- It's listed, but it's not your default, so make this directory the Default Directory for the IT:AD:Azure:Subscription:
- Action Settings → Subscriptions → Select Subscription → Select Edit Directory
- Follow the wizard; it will warn you of any administrative account changes,
- i.e. if you added a co-administrator from the default directory which Azure built when you created the subscription, this account will be removed as a co-administrator.
- When completed, the portal will reload and the URL will have changed.
- Cleanup:
- Assign to the newly available Organisation Accounts (from O365's Directory) to
- It is suggested that you continue to keep the IT:AD:Azure:Security:Role:Administration:Account Administrator (AA) an IT:AD:Microsoft Account in order to not brick your whole organisation.
- As your subscription has just changed Directory, all the Users who were members of the old one no longer have access.
- They all have to be invited back in and assigned.
- This could be disruptive for Service Accounts, so don't wait too long.