Understanding Windows Azure Access Control and Integration with Windows Azure Active Directory
Updated: January 16, 2014
In October 2013, the Windows Azure Management Portal and Service Management APIs were integrated with Windows Azure Active Directory in order to lay the groundwork for improving the user experience for managing access to Windows Azure resources. Windows Azure Active Directory already provides great capabilities such as user management, on-premises directory sync, multi-factor authentication, and application access control. Naturally, these should also be made available for managing Windows Azure resources across-the-board.
Access Control in Windows Azure starts from a Billing perspective. The owner of a Windows Azure Account, accessed by visiting the Windows Azure Accounts Center, is the Account Administrator (AA). Subscriptions are a container for billing, but they also act as a security boundary: each subscription has a Service Administrator (SA) who can add, remove, and modify Windows Azure resources in that subscription by using the Windows Azure Management Portal. The default SA of a new subscription is the AA, but the AA can change the SA in the Windows Azure Accounts Center.
Subscriptions also have an association with a Directory. The Directory defines a set of users, which can be Organizational (i.e. sourced in that Directory) or Foreign (such as Microsoft Accounts). Subscriptions are accessible by a subset of those Directory users who have been assigned as either Service Administrator (SA) or Co-Administrator (CA); the only exception is that, for legacy reasons, Microsoft Accounts (formerly Windows Live ID) can be assigned as SA or CA without being present in the Directory.
Functionality within the Windows Azure Management Portal enables SAs to change the Directory that a Subscription is associated with by using the Edit Directory command on the Subscriptions page in Settings. Note that this operation has implications on the access control of that subscription.
In the simple case, an organization (such as Contoso) will enforce Billing and Access Control across the same set of Subscriptions. That is, the Directory is associated to Subscriptions that are owned by a single Windows Azure Account. Upon successful login to the Windows Azure Management Portal, users see two collections of resources (depicted in orange in the previous illustration):
Directories where their user account exists (sourced or added as a foreign principal). Note that the Directory used for login isn’t relevant to this computation, so your Directories will always be shown regardless of where you logged in.
Resources that are part of Subscriptions that are associated with the Directory used for login AND which the user can access (where they are an SA or CA).
Users with subscriptions across multiple directories have the ability to switch the current context of the Windows Azure Management Portal by using the Subscription Filter. Under the covers, this results in a separate login to a different Directory, but this is accomplished seamlessly using single sign-on (SSO).
Operations such as moving resources between subscriptions can be more difficult as a result of this single directory view of subscriptions. To perform the resource transfer, it may be necessary to first use the Edit Directory command on the Subscriptions page in Settings to associate the subscriptions to the same directory.