Enterprise Mobility and Security Blog

Howdy folks,

I wanted to let you know about a few changes we’re making to Azure AD data in preparation for a very cool set of new capabilities we’re working to bring online. In the next few days, those of you who use Azure AD to manage access to Azure itself and who are also using a Microsoft Account to administer that directory will receive an email about your Azure subscription that reads like this:

Your Microsoft Azure subscription uses Azure Active Directory to sign users in to the management portal and to secure access to the Azure management API. In preparation for upcoming management capabilities, Microsoft is ensuring that all Azure subscription administrators are members of the directory that secures access for that subscription. Microsoft accounts being used as subscription administrators will be added as Guest accounts in the directory if they are not already registered in the directory. You are receiving this notice because:

  • You are the global administrator of an Azure Active Directory that is used to secure access to one or more Azure subscriptions, and
  • The subscription has an Account Administrator, Service Administrator, or Co-Administrator that is a Microsoft account, and
  • The Microsoft account is not registered as a Guest account in the subscription’s Azure Active Directory.

Azure will soon require administrators to be registered in Azure Active Directory to be able to sign in to the Azure portal or use the Azure management API.  The Guest accounts will be added by August 31st 2014. While as Guests these subscription administrators will have limited access to the Azure Active Directory, they will have no change in their experience for managing Azure resources.  These users do not need to take any action. For more information on Guest accounts including how to search in the directory for them, please see: http://go.microsoft.com/fwlink/?LinkId=507349

A Guest is a user in your directory whose User Type is set to “Guest”. Normal users have a user type of “Member” to indicate that they are a member of your directory. Guests added as part of the process above will have their department set to ‘Created as guest by Microsoft Azure’. You can find these users in your directory by using the Azure Active Directory PowerShell module. For example, the command below returns all guest users that were created by the backfill operation.

Get-MsolUser -All -Department "Created as guest by Microsoft Azure"

Guests have a limited set of rights in the directory.  These rights limit the ability for Guests to discover information about other users in the directory while still being able to interact with the users and groups associated with the resources they are working on.  For example, a Guest assigned to an Azure subscription will be able to see other users and groups associated with the Azure subscription.  They can also locate other users in the directory who should be given access to the subscription provided they know the full email address of the user. A Guest is only able to see a limited set of properties of other users.  These properties are limited to Display name, email address, user principal name (UPN) and thumbnail photo.

If you want to give a Guest the same access as a Member, you can change a Guest into a Member by setting the User Type to Member.  This is possible via the Azure AD PowerShell module using a command similar to the following.

Set-MsolUser -UserPrincipalName user@company.com -UserType Member
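The two commands above are the whole procedure: find the Guests the backfill created, review them, and convert only the ones you intend to treat as full Members. The script below is an added example, not code from the original post or from the Azure AD team; it assumes the MSOnline module (Connect-MsolService, Get-MsolUser, Set-MsolUser), a session with global administrator rights, and the department marker the post describes. The UPN at the end is a hypothetical placeholder.

```powershell
# Added example: review the Guest accounts the Azure backfill created and,
# where intended, convert them to Members. Not code from the original post.
# Assumes the MSOnline module and a connected global administrator session.

Import-Module MSOnline
Connect-MsolService   # prompts for global administrator credentials

# The department value the post says the backfill stamps on each Guest.
$BackfillMarker = 'Created as guest by Microsoft Azure'

function Get-BackfilledGuest {
    # Returns the Guests the backfill created, with the properties an
    # administrator wants when deciding whether each account belongs.
    Get-MsolUser -All -UserType Guest |
        Where-Object { $_.Department -eq $BackfillMarker } |
        Select-Object DisplayName, UserPrincipalName, UserType, Department, WhenCreated
}

function Convert-GuestToMember {
    # Promotes the named Guests to Member. Skips accounts that are not
    # Guests, and honours -WhatIf so a dry run can be reviewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string[]]$UserPrincipalName
    )
    process {
        foreach ($upn in $UserPrincipalName) {
            $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
            if ($user.UserType -ne 'Guest') {
                Write-Warning "$upn is already a $($user.UserType); skipping."
                continue
            }
            if ($PSCmdlet.ShouldProcess($upn, 'Change UserType from Guest to Member')) {
                Set-MsolUser -UserPrincipalName $upn -UserType Member
            }
        }
    }
}

# 1. List the backfilled Guests for review.
$guests = Get-BackfilledGuest
$guests | Format-Table -AutoSize

# 2. Dry run: show which accounts would change without changing them.
$guests | Convert-GuestToMember -WhatIf

# 3. Promote only the accounts you have reviewed (hypothetical UPN).
# Convert-GuestToMember -UserPrincipalName 'admin@example.com'
```

Filtering on both UserType and the department marker matters: an existing Guest you invited for another reason has the same User Type but not the marker, and a backfilled account someone has already converted keeps the marker but is no longer a Guest. The dry run step is there because changing a Guest to a Member lifts the directory read restrictions the post describes, so each promotion should be a deliberate decision rather than a bulk change.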

We’re really excited about some of the big improvements we have coming over the next 90 days. This set of changes sets us up to be able to share them with you soon!

Best Regards,

Alex Simons (twitter: Alex_A_Simons)

Director of PM

Active Directory Team