Administering your Windows Azure AD tenant


Published: April 16, 2012

Updated: June 3, 2013

Applies To: Office 365, Windows Azure, Windows Intune

Note
This topic provides online help content for cloud services, such as Windows Intune and Office 365, which rely on Windows Azure Active Directory for identity and directory services.

Windows Azure Active Directory provides the core directory and identity management capabilities behind most of Microsoft’s cloud services. These services include, but are not limited to:

  • Microsoft Office 365
  • Microsoft Dynamics CRM Online
  • Windows Azure
  • Windows Intune

Similarities between Active Directory and Windows Azure AD

Much like how Active Directory serves as the data store for identities in your on-premises environment, Windows Azure AD provides a repository for all of your organization’s directory data in the cloud so that it can be readily available to all of the services you have subscribed to with your tenant.

Similar to how a line-of-business (LOB) application might use LDAP to access data in your local Active Directory, third-party cloud applications can interact with your data in Windows Azure AD through the Graph API. For more information about the Graph API, see Windows Azure Active Directory Graph Overview.

The following diagram illustrates how various applications, whether they are hosted locally or in the cloud, use a similar methodology to access identity data stored in the most applicable directory store available to them. 

Why integrate Active Directory with Windows Azure AD?

Directory integration provides several benefits to streamline identity management such as syncing user data between your local directory and Windows Azure AD.

You only need to integrate once!

One of the primary benefits of setting up directory integration capabilities such as directory sync or single sign-on is that once you’ve configured it, all of the cloud services you have subscribed to in your Windows Azure AD tenant can use the data that is now provisioned and updated in your cloud store. In other words, you only need to set up your Directory Integration components once, and every service can use them.

For example, after you have set up directory sync initially to continuously sync users and contacts for use with Exchange Online, that same directory integration configuration and infrastructure will also be available to all current and future services that you subscribe to with your tenant. This means that you will not need to configure a different instance of directory sync in order to use another service, like the Windows Intune service.

Or, in another example, let’s say you set up Directory Sync with Password Sync for use with SharePoint Online. In this case you wouldn’t need to set up Directory Sync or Password Sync again when you start subscribing to Lync Online. For more information, see Directory integration.

Managing your tenant data

As an administrator of one or more Microsoft cloud service subscriptions, you can use the Windows Azure Management Portal, the Windows Azure Active Directory (Windows Azure AD) portal, the Windows Intune account portal, or the Office 365 account portal to manage your organization’s tenant data. You can also use the downloadable Windows Azure Active Directory Module for Windows PowerShell cmdlets to help you manage your tenant data stored in Windows Azure AD. For more information about your tenant, see What is a Windows Azure AD tenant?.

From any of these portals (or cmdlets), you can:

  • Create and manage accounts
  • Manage the cloud service(s) your organization subscribes to
  • Set up on-premises integration with your directory service

The Windows Azure Management Portal, the Windows Azure AD portal, the Office 365 account portal, the Windows Intune account portal, and the cmdlets all read from and write to a single shared instance of Windows Azure AD that is associated with your organization’s tenant, as shown in the following illustration. In this way, the portals (or cmdlets) act as a front-end interface that pulls in and/or modifies your tenant data.

The account portals listed above, and the associated Windows PowerShell cmdlets for Windows Azure AD that are used to manage users and your subscription, are built on top of the Windows Azure AD platform.

Caution
When you make a change to your organization’s data using any of the portals (or cmdlets) shown in the illustration above while signed in under the context of one of these services, it is important to understand that this change will also be shown in any of the other portals the next time you sign in under the context of that service, because this data is shared across the services you are subscribed to in your tenant.

For example, if you used the Office 365 account portal to block a user from signing in, that action will block the user from signing in to any other service that your organization is currently subscribed to. If you were to then pull up that same user’s account under the context of the Windows Intune account portal, you would see that the user is blocked.

Using the Windows Azure Management Portal

The Windows Azure Management Portal is typically used to manage the services associated with your Windows Azure subscription. One of the newer Windows Azure services that you can use for identity management and directory tenant capabilities is the Active Directory service. If you are an administrator, you can manage these capabilities by clicking on Active Directory in the left-nav of the Management Portal.

If you have an existing Windows Azure subscription using your Microsoft account, you can also use the Management Portal to create, and later manage, your new directory tenant. To create a new directory tenant associated with your Microsoft account by using the Management Portal, click Active Directory, click Create, and then specify the Domain Name, Country, and Organization Name that you want to use.

If you don’t have an existing Windows Azure subscription, you can Sign up for Windows Azure as an organization, so that you can begin using the Windows Azure Management Portal to create, distribute and manage user accounts and other identity management capabilities for use by your organization. When you sign up for Windows Azure as an organization, a directory tenant is created for you automatically based on the value of the Organization Name field used during sign up.

Using the Windows Azure AD portal

You can use the Windows Azure AD portal to perform most of the functions available in the other portals, with the added benefit of having a single place to see all of the users, groups, domains, and licenses associated with all of the cloud services that your organization subscribes to in your Windows Azure AD tenant.

Using the Office 365 or Windows Intune account portals

You can use an account portal to manage your Office 365 or Windows Intune subscription and specify the users who can access its various services. From the account portal, you can perform tasks such as manually adding user accounts and security groups, setting up and managing service settings, checking service status, and accessing online Help.

Windows Azure AD currently supports front-end access to your organization’s subscription data using one or more of the following account portals, depending on whether you are subscribed to their corresponding service:

  • Office 365 account portal
  • Windows Intune account portal

Users can also access these account portals, but only to change their password or to access the various services for which they have been assigned licenses.

Using the Windows Azure AD PowerShell cmdlets

You can use the Windows Azure Active Directory Module for Windows PowerShell cmdlets to accomplish many Windows Azure AD tenant-based administrative tasks. For more information, see Manage Windows Azure AD using Windows PowerShell.

What are tenant administrator responsibilities?

Regardless of which method you use to manage your tenant, you can assign different types of administrators to perform various tasks such as creating and editing users, managing billing operations, and resetting passwords. Global administrators grant permissions to different administrators within your organization based on the administrator role. For more information, see Assigning administrator roles.
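The following script is an added example, not part of the original topic: it uses the Windows Azure Active Directory Module for Windows PowerShell to audit who holds each administrator role and whether those accounts are blocked from signing in. It assumes the module is installed and that you sign in with an account allowed to read role membership; the report column names are chosen here for illustration.

```powershell
# Added example: audit administrator role assignments in a Windows Azure AD tenant.
# Read-only; nothing in the tenant is changed.
Import-Module MSOnline
Connect-MsolService   # prompts for tenant administrator credentials

$report = foreach ($role in Get-MsolRole) {
    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        # Role members are not always users; only user objects carry a sign-in block state.
        $upn     = $null
        $blocked = $null
        if ($member.RoleMemberType -eq 'User') {
            $user    = Get-MsolUser -ObjectId $member.ObjectId
            $upn     = $user.UserPrincipalName
            $blocked = $user.BlockCredential
        }
        New-Object PSObject -Property @{
            Role          = $role.Name
            Member        = $member.DisplayName
            MemberType    = $member.RoleMemberType
            UserPrincipal = $upn
            SignInBlocked = $blocked
        }
    }
}

# 1. Full role-to-member listing for review.
$report | Sort-Object Role, Member |
    Format-Table Role, Member, MemberType, UserPrincipal, SignInBlocked -AutoSize

# 2. Global administrators (the module lists this role as "Company Administrator").
#    Keep this group small; it can grant every other role.
$globalAdmins = @($report | Where-Object { $_.Role -eq 'Company Administrator' })
"Global administrators: {0}" -f $globalAdmins.Count

# 3. Accounts holding more than one administrator role.
$report | Where-Object { $_.UserPrincipal } | Group-Object UserPrincipal |
    Where-Object { $_.Count -gt 1 } |
    Select-Object Name, @{ n = 'Roles'; e = { ($_.Group | ForEach-Object { $_.Role }) -join ', ' } }

# 4. Blocked accounts that still hold a role. The block applies to every service
#    in the tenant, but the role assignment stays until it is removed.
$report | Where-Object { $_.SignInBlocked -eq $true } |
    Format-Table Role, UserPrincipal -AutoSize
```

Because every portal and the cmdlets read the same directory, the sign-in state reported here is the one each subscribed service sees.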

In addition to performing specific tasks related to their role, we recommend that all administrators have experience in the following areas:

  • Knowledge of the organization’s IT environment, network, and Internet connectivity
  • Experience supporting and administering operating systems and applications for personal computers
  • Experience providing user assistance or training
  • Ability to troubleshoot user issues

The following are examples of potential administrator responsibilities:

  • Create, change, or delete user accounts
  • Monitor service licenses and service health
  • Manage passwords
  • Resolve user issues with email and other services
  • Manage sites and site collections
  • Pay subscription fees
  • Migrate from the organization’s existing environment to the cloud
  • Train and support workers on how to use cloud services
  • Escalate issues to Microsoft Support
