In this post I’ll describe two ways that you can use to manage Azure AD in a CSP subscription using a GUI.
CSP, CSP, CSP – that’s all you can hear these days in the Microsoft channel. In short, CSP is a new channel by which customers can buy Azure or partners can resell Azure, with a post-utilization monthly invoice.
That all sounds good – but the downside with CSP is that it only includes Azure v2 (Azure Resource Manager or ARM), unlike all of the other channels which also support Azure v1 (Service Manager). So we lose lots of features and we also lose the classic portal – no storage imports, no RemoteApp, no Azure AD, etc. We also lose the class Azure management site for managing the Azure in CSP subscription – and there’s the issue for Azure AD.
The lack of a UI for managing Azure AD does cause issues:
- The cries of “use PowerShell” or “use this opensource stuff” suit the 1%-ers but not the rest of us.
- We lose the ability to start doing clever RBAC using resource groups in Azure.
- We lose all the Azure AD features, such as single sign-on.
- We lose the Azure Ad Premium features, sold via CSP too (standalone or in EMS).
Is there a solution? Hmm, there is a workaround which isn’t pretty but it works. There are ways to manage the Azure directory:
- You have also deployed Office 365 via CSP with the same .onmicrosoft.com domain. You can create users and Office 365 groups in the Office Admin portal.
- You can also share the directory of the CSP account into another Azure subscription that does support Azure v1; from there, we can manage the directory.
In my lab, I have the following CSP services with a common .onmicrosoft.com domain (deployed by the reseller – my employers, in this case, because we are a Tier 2 distributor of CSP):
- Office 365
I also have an Azure in Open subscription. I can easily create users in my CSP subscription using Azure AD Connect (from on premises domain) or using the Office 365 admin portal. But what about the other features of Azure AD? I’ll need to share the CSP domain with a subscription that does support the classic management portal.
Here’s what you’ll do:
- Use another Azure subscription that is not in CSP. Maybe you already have one; if not, start a trial and make sure you don’t enable spending – you’ll still need to verify credit card details. You won’t be charged for managing Azure AD, and you’ll still have access to the subscription when the trial ends – you just can’t deploy things that will cost money, e.g. storage, VMs, and so on.
- Sign into https://manage.windowsazure.com using valid Microsoft Account (Live ID) credentials of the non-CSP subscription and browse to Active Directory.
- Click New > Active Directory > Directory > Custom Create
- Select the option to Use Existing Directory. Make sure you check the box to sign out.
- You’ll be signed out and a new login will appear. Sign in with the admin credentials for your CSP domain.
- Verify that you want to share the domain. You’ll be signed out again.
- Sign into the classic management portal again using your non-CSP credentials. If all has worked correctly, you should be able to see and manage the CSP domain.
This is how I enabled multi-factor authentication, created users, groups, and other cool things in an CSP Azure domain.