Azure Enterprise Agreement Guidance - using your existing work accounts (AAD) as oppose to Microsoft Accounts (MSA)...
As Microsoft Azure grows I am sure there are many of you out there whom may have already or are in the process of signing a new Microsoft Enterprise Agreement! I am sure most of you out there have gone through the normal motions have just gone ahead and used Microsoft Accounts (Live ID) as oppose to maybe using your existing Work Accounts (Azure AD). If you are new to signing an agreement I recommend that you consider setting things up using work accounts from the start, as oppose to using Microsoft Accounts or/ if you have already set everything up then maybe look at re-aligning your account and subscription set-up before you head in too deep!
I hope the below guidance will be of some use, and if you have any questions please be sure to reach out to me.
when you receive the e-mail to sign your new agreement (today) you will be asked to sign the agreement using a Microsoft Account and then once this has been done, this account will be the first Enterprise Admin on your Enterprise Agreement.
Once you have signed your agreement and login to https://ea.azure.com for the first time using that account, this is where you should ensure that you think about how you proceed before just going in and creating new account administrators and subscriptions.
If you are already using one of Microsoft's 1st party services such as Office 365, Dynamics CRM etc. then you will already no doubt have work accounts (AAD) and so it is recommended that you look at using these for your Enterprise Agreement. The first thing you should do is add your work account as an Enterprise Administrator (if your MSA uses the same domain namespace as your work account it will auto merge the 2 accounts together and use the work account (AAD)). If you are not overlapping the namespaces then you will need first ensure that your Enrollment Authentication Level is set to Mixed Account.
Once this has been done, select add administrator and then add your work account as an administrator, you will receive an e-mail once you click on the URL contained within it will then confirm your account and you will be added as an enterprise administrator.
Moving forward, ensure that when you add new Enterprise Administrators or/ Account Administrators you add your employees 'work accounts'. The purpose behind doing this is to give your employees a consistent experience across all the administration portals but the most important reason is because when you create an account administrator, this person can create subscriptions... when new subscriptions are created by using the work account this will ensure that the subscriptions automatically get linked to the existing azure active directory and doesn't create a new directory.
I see the following as the fundamental best practices, obvious every enterprise company is different but hopefully understanding these concepts will help..
- An Account Administrator will become the Account Administrator of each subscription they create and be the initial Service Administrator.
- It is good practice to ensure that your Account Administrators are 'Service Accounts' as oppose to Individuals so I would recommend you creating 3 service accounts
UserPrincipalName | Role | Purpose |
aa_azure@contoso.com | Account Administrator | Individual Account Administrator for each subscription |
sa_azure@contoso.com | Service Administrator | Individual Service Administrator for Each Subscription |
ea_azure@contoso.com | Enterprise Administrator | EA Top Level Administrator |
You can change the Service Administrator of the Subscription when it has been created to be the sa_azure@contoso.com account. to ensure that finance teams whom may have access to the account administrator role do not have administrator privileges over your resources hosted within the subscriptions.
If I was to draw this in to rough picture, it would look something like the following:
This in essence shows that your synchronize your on-premise identities to Azure Active Directory and you use this directory service for Office 365 and you also use the same directory service for your Azure Enterprise Agreement which in turn also means that for each of the subscriptions you create under the EA you will also sign-in to these using your work account. This ensures that you have a consistent, secure and manageable identity across all of your Microsoft Services.
If you are not currently a customer of any of the 1st party services, you can still create a azure active directory to ensure that you start off on the right path you can sign-up to Azure AD using https://account.windowsazure.com/organization and then you can manage that directory service using https://portal.office.com and then once you can use the directory and the accounts with-in it to structure your EA as per above. later, if you plan to use Office 365 or any of other Microsoft Online Services you can use the directory service you have already setup. you just add the subscription via purchase services in the portal.office.com.
I hope that this helps, of course every enterprise is different and so this is to give you a example. the only rule i would take away is to ensure no matter how you setup the EA ensure that you use work accounts NOT Microsoft Accounts. Microsoft Accounts aka Live IDs are consumer identities and you should avoid using these if possible in the Enterprise unless the service your attempting to use does not support work accounts.
Thanks,
James.
Comments
- Anonymous
December 09, 2017
In an Azure EA agreement, can the admin create a new Azure AD directory for the purposes of using it against web applications (e.g. sharepoint) to support external user. Also try Azure AD B2C. Probably not ideal practice, but just wondering if it is allowed in EA.