Azure Stack Identity: Choosing the right Azure Stack Identity Model



AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at (hosted at Please bear with us while we are still under construction!

We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either as you do today, or at our new site Please feel free to update your bookmarks accordingly!

Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.

If you have never visited the TechCommunity site, it can be found at On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.

NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at!

As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!


Hello Everyone, my name is Zoheb Shaikh and I’m a Premier Field Engineer with Microsoft India. I am back again with another blog and today I’ll share with you information about Azure Stack Identity models.

Before I explain the concept of this topic, if you are not aware about what Azure Stack is then go check this out

Coming back to our subject, Azure Stack requires Azure Active Directory or Active Directory Federation Services as its Identity Provider. Azure Stack works on OpenID Connect protocol just like Azure. AAD or ADFS both are compatible with these protocols.

Your decision to use Azure Active Directory or ADFS is dependent on the deployment models for Azure Stack should be i.e if you decide to use a Connected mode or a Disconnected mode respectively.

You must also decide which licensing model you wish to use. The available options depend upon whether or not you need to deploy Azure Stack connected to the internet.

  • For a Connected deployment, you may choose either Pay-as-you-use or Capacity-based licensing models. Pay-as-you-use requires a connection to Azure AD for it to report usage, which is then billed through Azure commerce.
  • Only Capacity-based licensing is supported when you deploy a Disconnected mode which means there is a disconnection with the internet. For more information about the licensing models, see Microsoft Azure Stack packaging and pricing.

To know more about choosing connected or disconnected modes please see Azure Stack Connection Models

Since we now know the two Identity models lets talk about scenarios where you could use them.

1. Enterprises : Dedicated hosting

This is a scenario of an Enterprise company that could use Azure Stack for a Single Directory Tenant in Azure AD. Authentication for Azure Stack Admins and Tenants will be served by a Single Directory Tenant. Since Authentication will be served by Azure AD this has to be connected and we can either use capacity-based or consumption-based licensing.

2. Azure Stack Service Provider : Shared hosting

Azure Stack allows users from multiple directories to sign in and use Azure AD but this would then have to be designed in such a way that only one Directory Tenant has access to the Admin Portal and Azure Resource Provider which means that the Admin Portal and Admin ARM are single-tenanted and the Public/User Portal, ARM and RPs are multi-tenanted. Since Authentication will be served by Azure AD this has to be connected to the internet and we can either use capacity-based or consumption-based licensing.

When a user from different tenants logs on, they will be redirected via their own ADFS to authenticate against their on-premises AD and gain access to Azure Stack Public portal.

3. Enterprises : Dedicated hosting

Since this is a disconnected scenario Azure AD is out of context here.

Azure Stack ADFS server and On-Premises ADFS server will be used for creating a Federation trust and the authentication will happen from On-Premises ADDS.

I hope this helps in understanding the different types of Identity scenerios that you can use for Azure Stack.