Setting up Azure – Blog No 3
Who should read this blog?
Anyone who wants to understand the different cloud offerings from Microsoft and how they can be assigned to a single tenant for common identity use cases.
An organization may use different types of cloud services from Microsoft, each with its own subscription plan. These subscriptions can all be managed from a single Azure AD tenant, which then works as the common identity provider.
Microsoft Cloud offerings
Microsoft provides three types of cloud offerings:
- Microsoft 365 and Microsoft Office 365 (SaaS offering)
- Microsoft Azure (PaaS and IaaS offering)
- Microsoft Dynamics 365 (SaaS offering)
An organization may approach Microsoft for any of its cloud offerings as per its business needs.
An organization on the internet is identified by its public DNS name. For example, if I approach Microsoft to subscribe to any of its cloud offerings, I would be known to Microsoft by the organization name thecloudblogger.com and its email address.
As you now understand, all three cloud offerings are different and hence have different subscription types and different tenants.
Microsoft Office 365 and Dynamics 365 are SaaS offerings that follow a per-user, license-based subscription model.
Microsoft Azure offers PaaS and IaaS resources and charges each subscription based on the cloud resources it consumes.
If a company has 50 users, it would order:
- A Microsoft Office 365 subscription of 50 E3 or E5 user licenses.
- A Microsoft Dynamics 365 subscription of 50 user licenses.
- One or many Azure subscriptions.
Each of these subscription types also includes a free Azure AD account, known as a tenant. This tenant is created automatically to manage the user permissions for that subscription.
Note: The tenant created with a Microsoft Office 365 or Microsoft Dynamics 365 free or paid subscription is not the same as the tenant created with an Azure free or paid subscription. All three tenants are different. The tenant created with Microsoft Office 365 or Microsoft Dynamics 365 does not include the services created under the Azure free/paid tenant.
However, the best approach for an organization is to use one common Azure AD tenant, which can hold different users or groups with different administrative roles for each subscription type. Multiple Microsoft cloud offering subscriptions can use the same Azure AD tenant, which acts as the common identity provider.
What is a tenant in the Microsoft cloud?
Azure AD tenant providing IDaaS
A central Azure AD tenant can also be connected to your on-premises Active Directory Domain Services through Azure AD Connect, and can then provide cloud-based Identity as a Service (IDaaS) for your whole organization.
Combining the O365, Dynamics 365, and Azure AD tenants
It is possible to manage the Azure AD tenant, Office 365 tenant, and Dynamics 365 tenant under one common tenant. This provides several benefits, such as streamlined management, centralized billing, and easier access to resources across multiple tenants.
Steps for configuring a common tenant for managing the Azure AD tenant, Office 365 tenant, and Dynamics 365 tenant:
- Sign up for a Microsoft 365 subscription:
Go to https://www.microsoft.com/microsoft-365/business and sign up for a Microsoft 365 Business subscription. This will create an Office 365 tenant and an Azure AD tenant for you. Follow the steps to create your account, and select the subscription that best suits your needs.
- Add Dynamics 365 to the Microsoft 365 subscription:
To add Dynamics 365 to your Microsoft 365 subscription, go to the Microsoft 365 admin center and click on the “Billing” tab. Select “Purchase services” and choose the Dynamics 365 plan that you want to add. Follow the steps to complete the purchase and add Dynamics 365 to your subscription. This will create a Dynamics 365 tenant and associate it with the same Azure AD tenant as your Office 365 tenant.
- Configure the tenants to use a common domain name:
By default, each tenant will have its own domain name, such as “yourcompany.onmicrosoft.com”. To use a common domain name, you can add a custom domain name to each tenant and then configure them to use the same domain name.
a. Add a custom domain to your Office 365 tenant: Go to the Microsoft 365 admin center and click on “Settings” > “Domains”. Click on “Add domain” and follow the prompts to add your custom domain. Verify your domain ownership by adding the provided TXT record to your domain’s DNS settings. After verification is complete, set your custom domain as the default domain.
b. Add the same custom domain to your Azure AD tenant: In the Azure portal, go to “Azure Active Directory” > “Custom domain names”. Click on “Add a custom domain” and follow the prompts to add your custom domain. Verify your domain ownership by adding the provided TXT record to your domain’s DNS settings. After verification is complete, set your custom domain as the primary domain.
c. Add the same custom domain to your Dynamics 365 tenant: In the Dynamics 365 admin center, go to “Settings” > “Domains”. Click on “Add domain” and follow the prompts to add your custom domain. Verify your domain ownership by adding the provided TXT record to your domain’s DNS settings. After verification is complete, set your custom domain as the default domain.
- Set up cross-tenant collaboration:
To set up cross-tenant collaboration, you need to configure each tenant to trust the other tenants.
a. Configure your Office 365 tenant to trust your Azure AD tenant: In the Microsoft 365 admin center, go to “Settings” > “Services & add-ins” > “Microsoft Azure AD”. Click on “Set up” and follow the prompts to establish the trust relationship. You will need to provide the credentials for a global administrator account in your Azure AD tenant.
b. Configure your Azure AD tenant to trust your Office 365 tenant: In the Azure portal, go to “Azure Active Directory” > “External identities” > “Azure AD trusts”. Click on “New trust” and follow the prompts to establish the trust relationship. You will need to provide the credentials for a global administrator account in your Office 365 tenant.
c. Configure your Dynamics 365 tenant to trust your Office 365 and Azure AD tenants: In the Dynamics 365 admin center, go to “Settings” > “Security” > “External authentication providers”. Click on “Add” and follow the prompts to establish trust relationships with your Office 365 and Azure AD tenants. You will need to provide the credentials for a global administrator account in each tenant.
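As an added example (not code from the original post), the custom-domain step above done through Microsoft Graph instead of the portal: the domain is registered, the TXT token is read back, and /verify is only called once that token is actually seen in public DNS. The session object, the example.com domain and the StubSession responses are assumptions; a real run needs a Graph session with domain permissions and a resolve_txt function that queries DNS.

```python
"""Add a custom domain to the Azure AD tenant and verify it only once its TXT
record is live. Added example, not code from the original post. Assumes an HTTP
session (e.g. requests.Session with a bearer token holding Domain permissions)
whose get/post return responses exposing .json(); StubSession is a constructed
offline stand-in for Microsoft Graph."""
import re

GRAPH = "https://graph.microsoft.com/v1.0"
TOKEN_RE = re.compile(r"^MS=ms\d+$")  # shape of Microsoft's TXT verification token

def add_domain(session, domain):
    """POST /domains registers the domain in the tenant in an unverified state."""
    return session.post(f"{GRAPH}/domains", json={"id": domain}).json()

def verification_txt(session, domain):
    """Return the TXT value Microsoft expects at the domain apex (GET is idempotent)."""
    records = session.get(f"{GRAPH}/domains/{domain}/verificationDnsRecords").json()
    for rec in records["value"]:
        if rec.get("recordType", "").lower() == "txt":
            return rec["text"]
    raise LookupError(f"no TXT verification record offered for {domain}")

def dns_has_token(txt_records, token):
    """True if the TXT strings published at the domain apex contain the token."""
    return any(r.strip().strip('"') == token for r in txt_records)

def verify_domain(session, domain, resolve_txt):
    """resolve_txt(domain) must return the TXT strings currently in public DNS."""
    token = verification_txt(session, domain)
    if not TOKEN_RE.match(token):
        raise ValueError(f"unexpected verification token format: {token!r}")
    if not dns_has_token(resolve_txt(domain), token):
        # Do not call /verify yet: it would fail and the domain would stay unverified.
        return {"domain": domain, "verified": False, "pending_txt": token}
    result = session.post(f"{GRAPH}/domains/{domain}/verify").json()
    return {"domain": domain, "verified": bool(result.get("isVerified"))}

class StubSession:
    """Constructed offline stand-in for Graph: records calls, returns canned JSON."""
    def __init__(self, token="MS=ms12345678"):
        self.token, self.calls = token, []

    def get(self, url, **kwargs):
        self.calls.append(("GET", url))
        body = {"value": [{"recordType": "Txt", "label": "@", "text": self.token}]}
        return type("Resp", (), {"json": lambda self: body})()

    def post(self, url, **kwargs):
        self.calls.append(("POST", url))
        body = {"id": "example.com", "isVerified": url.endswith("/verify")}
        return type("Resp", (), {"json": lambda self: body})()
```

Against a real tenant, loop on verify_domain until it reports verified, since DNS propagation of the TXT record can take a while.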
Configure access and permissions for a common tenant
- Define user roles and permissions: Decide which users will have access to which services and what permissions they will have. Consider creating role-based access control (RBAC) roles to help you manage access and permissions more efficiently.
- Assign licenses: Make sure that users have the appropriate licenses assigned to them to access the services they need. For example, to access Dynamics 365, users need to be assigned Dynamics 365 licenses.
- Configure group membership: Create security groups or distribution groups to manage access to resources in each tenant. Assign users to these groups based on their roles and permissions.
- Set up conditional access: Conditional access policies help you control access to your organization’s resources based on certain conditions, such as user location, device type, and application used. Configure conditional access policies to enforce security policies across all tenants.
- Configure single sign-on (SSO): SSO allows users to sign in once and access multiple applications without having to enter their credentials multiple times. Set up SSO for your tenants using Azure AD, and configure authentication policies to allow access to all applications.
- Configure federation: Federation enables users from one tenant to access resources in another tenant without having to sign in again. Configure federation between your tenants to allow cross-tenant access to resources.
- Monitor access: Regularly review access and permissions to ensure that they are still appropriate for each user’s role and responsibilities. Use Azure AD reports and logs to monitor access and identify any potential security issues.
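A small review script for the monitoring step above, added here and not part of the original post: it runs over constructed entries in the shape of the Azure AD sign-in log and flags successful sign-ins that no Conditional Access policy evaluated, sign-ins by identities from another tenant, and many distinct users failing from one IP. The tenant ids, user names and addresses are assumed sample values.

```python
"""Review Azure AD sign-in log entries for successful sign-ins that no Conditional
Access policy evaluated, identities from other tenants reaching our resources,
and many distinct users failing from one IP. Added example, not code from the
original post; events are constructed in the shape of the Graph signIn resource
and the tenant ids are assumed placeholders."""
from collections import defaultdict

OUR_TENANT = "11111111-1111-1111-1111-111111111111"      # assumed home tenant id
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"  # assumed B2B partner tenant
SPRAY_THRESHOLD = 3  # distinct users failing from one IP; tune per environment

def _ev(user, ip, app, code=0, ca="success", home=OUR_TENANT):
    """Build one constructed sign-in event; errorCode 0 means success."""
    return {"userPrincipalName": user, "ipAddress": ip, "appDisplayName": app,
            "status": {"errorCode": code}, "conditionalAccessStatus": ca,
            "homeTenantId": home, "resourceTenantId": OUR_TENANT}

# Constructed sample events (not real data); 50126 = invalid username or password.
SAMPLE_SIGNINS = [
    _ev("alice@example.com", "203.0.113.5", "Dynamics 365"),
    _ev("bob@example.com", "203.0.113.5", "Azure Portal", ca="notApplied"),
    _ev("guest@partner.example", "198.51.100.9", "SharePoint Online", home=PARTNER_TENANT),
] + [_ev(f"user{i}@example.com", "192.0.2.77", "Exchange Online", code=50126,
         ca="notApplied") for i in range(4)]

def review_signins(events, our_tenant=OUR_TENANT, spray_threshold=SPRAY_THRESHOLD):
    """Return findings per category as lists of short descriptions."""
    findings = {"no_conditional_access": [], "cross_tenant": [], "possible_spray": []}
    failed_users_by_ip = defaultdict(set)
    for e in events:
        user, ip = e["userPrincipalName"], e["ipAddress"]
        ok = e["status"]["errorCode"] == 0
        # Successful sign-in that no Conditional Access policy covered.
        if ok and e["conditionalAccessStatus"] == "notApplied":
            findings["no_conditional_access"].append(f"{user} -> {e['appDisplayName']}")
        # Identity homed in another tenant using our resources (B2B/federation).
        if e["homeTenantId"] != our_tenant and e["resourceTenantId"] == our_tenant:
            findings["cross_tenant"].append(f"{user} from tenant {e['homeTenantId']}")
        if not ok:
            failed_users_by_ip[ip].add(user)
    # One source failing against many accounts is the password-spray pattern to review.
    for ip, users in sorted(failed_users_by_ip.items()):
        if len(users) >= spray_threshold:
            findings["possible_spray"].append(f"{ip}: {len(users)} distinct users failed")
    return findings
```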
The tenant's role in Azure, Office 365, and Dynamics 365 is critical to providing organizations with a secure and scalable cloud infrastructure that supports their business needs.