Azure AD, subscriptions and objects

NndnG 1,111 Reputation points
2021-02-08T20:57:32.737+00:00

Hi,

Previously I did a lab on the Microsoft Azure Free Trial.

During the lab I worked only with resources, like creating a VM, VNet, etc. I didn’t work with objects.

Later on, I went through the link:
https://learn.microsoft.com/en-us/learn/modules/manage-users-and-groups-in-aad/2-create-aad

Moreover, there is an example in the link as below:
[Image: 65460-2-users-subs-and-directories.png]

That’s why I have multiple doubts related to Azure AD, subscriptions and objects. All are related to each other. That’s why I am posting a single question.

  1. In a Microsoft account, how many Azure ADs are possible?
  2. As per the above example, there can be more than one subscription in an Azure AD and one user can be a member of more than one Azure AD. Am I right?
  3. The above link explains that various users and groups can be created under an Azure AD. On the other side, various types of entities can be created under a subscription. Are both different? Do we need to assign roles to various users for managing resources created under a subscription?
  4. What is the need for creating and managing various objects in Azure?
  5. Does creating objects affect billing?

I request you to clarify and elaborate on all doubts. I’ll be thankful for your time.

Best Regards
NndnG

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
Marilee Turscak-MSFT 36,936 Reputation points Microsoft Employee
2021-02-09T00:09:49.397+00:00

  1. 500 is the maximum number of Azure AD tenants that a user can be a member of, and a user is only allowed to create 200 total. https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/directory-service-limits-restrictions#:~:text=A%20single%20user%20can%20belong,a%20member%20or%20a%20guest.
  2. Yes. Multiple subscriptions can trust the same Azure AD directory. Each subscription can only trust a single directory. And users can be members of multiple directories as mentioned.
  3. There are subscription-level roles and tenant/directory-level roles. Account Administrator, Service Administrator, and Co-Administrator are subscription-level roles that manage subscriptions and billing. Azure RBAC roles are directory-level roles intended for managing resources within the tenant. There are 70 built-in roles and four fundamental roles, and you also have the ability to create custom roles.
  4. Having objects in the cloud gives you a lot of flexibility and capabilities for scaling your environment. You can simplify access and authentication, and there are a number of security advantages and cost optimization options. See Why migrate to Azure?
  5. The object limit for the Azure AD Free version is by default 50,000. If you add a custom domain to your Azure AD tenant, this limit is extended to 300,000 automatically. In order to further raise this limit to 500,000, you have to open a support ticket and request an extension.
     https://azure.microsoft.com/en-us/pricing/details/active-directory/
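
The subscription-to-directory trust and the role assignments discussed in points 2 and 3 can be inspected from Azure CLI output. This is an added example, not part of the original answer or any Microsoft code: it groups subscriptions by the directory they trust and lists privileged role assignments made on a whole subscription. The sample data is constructed in the shape of `az account list -o json` and `az role assignment list --all -o json`; all IDs, names, and the choice of which roles count as privileged are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `az account list -o json` (all IDs made up).
ACCOUNTS = json.loads("""[
  {"id": "00000000-0000-0000-0000-0000000000a1", "name": "Prod", "tenantId": "11111111-1111-1111-1111-111111111111"},
  {"id": "00000000-0000-0000-0000-0000000000a2", "name": "Dev",  "tenantId": "11111111-1111-1111-1111-111111111111"},
  {"id": "00000000-0000-0000-0000-0000000000b1", "name": "Lab",  "tenantId": "22222222-2222-2222-2222-222222222222"}
]""")

# Constructed sample in the shape of `az role assignment list --all -o json`.
ASSIGNMENTS = json.loads("""[
  {"principalName": "alice@contoso.example", "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-0000000000a1"},
  {"principalName": "bob_fabrikam.example#EXT#@contoso.example", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-0000000000a2"},
  {"principalName": "carol@contoso.example", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-0000000000a1"},
  {"principalName": "dave@contoso.example", "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-0000000000a2/resourceGroups/rg-web"}
]""")

# Assumption: which built-in roles count as "privileged" is this example's choice.
PRIVILEGED = {"Owner", "Contributor", "User Access Administrator"}

def subscriptions_by_tenant(accounts):
    """Group subscription names under the one directory (tenantId) each trusts."""
    grouped = defaultdict(list)
    for sub in accounts:
        grouped[sub["tenantId"]].append(sub["name"])
    return {tenant: sorted(names) for tenant, names in grouped.items()}

def privileged_at_subscription_scope(assignments):
    """List (principal, role, subscription_id, is_guest) for privileged roles
    granted on a whole subscription rather than a resource group or resource."""
    findings = []
    for a in assignments:
        parts = a["scope"].strip("/").split("/")
        whole_subscription = len(parts) == 2 and parts[0].lower() == "subscriptions"
        if whole_subscription and a["roleDefinitionName"] in PRIVILEGED:
            is_guest = "#EXT#" in a["principalName"]  # guest UPNs carry this marker
            findings.append((a["principalName"], a["roleDefinitionName"], parts[1], is_guest))
    return sorted(findings)

if __name__ == "__main__":
    for tenant, subs in subscriptions_by_tenant(ACCOUNTS).items():
        print(tenant, "<-", ", ".join(subs))
    for finding in privileged_at_subscription_scope(ASSIGNMENTS):
        print(finding)
```

To run it against a real environment, replace the two constructed samples with the JSON saved from the corresponding `az` commands.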
