
As an educational institution, you can sign up for a free trial of Microsoft 365 Education and complete an eligibility verification wizard to purchase subscriptions at academic prices.

Creating an Azure Active Directory Tenant

When you sign up for a paid or trial subscription of Microsoft 365 Education, an Azure Active Directory (Azure AD) tenant is created as part of the underlying Office 365 services. Likewise, an Azure AD tenant is created when you sign up for Azure. You can also manually create an Azure AD tenant through the Azure portal and add Office 365 services at a later time.

Important

When creating an Azure AD tenant, you must specify a country or region, which determines the data center location where the tenant's directory data is stored. Choose it carefully: it cannot be changed after the tenant is created.

For more information, see the Microsoft 365 Education deployment guide.

What is an Azure AD tenant?

An Azure AD tenant provides identity and access management (IAM) capabilities to applications and resources used by your organization. An identity is a directory object that can be authenticated and authorized for access to a resource. Identity objects exist for human identities such as students and teachers, and for non-human identities such as classroom and student devices, applications, and service principals.

The Azure AD tenant is an identity security boundary that is under the control of your organization’s IT department. Within this security boundary, administration of objects (such as user objects) and configuration of tenant-wide settings are controlled by your IT administrators.

Resources in a tenant

Azure AD is used to grant objects representing identities access to resources such as applications and their underlying Azure resources, which might include databases and Learning Management Systems (LMS).

Access to apps that use Azure AD

Identities can be granted access to many types of applications, including but not limited to:

  • Microsoft productivity services such as Exchange Online, Microsoft Teams, and SharePoint Online

  • Microsoft IT services such as Azure Sentinel, Microsoft Intune, and Microsoft Defender ATP

  • Microsoft Developer tools such as Azure DevOps

  • Third-party applications such as Learning Management Systems (LMS)

  • On-premises applications integrated with hybrid access capabilities such as Azure AD Application Proxy

  • Custom in-house developed applications

Applications that use Azure AD require directory objects to be configured and managed in the trusted Azure AD tenant. Examples of directory objects include application registrations, service principals, groups, and schema attribute extensions.

While some applications can have multiple instances per tenant, for example a test instance and a production instance, some Microsoft Services such as Exchange Online can only have one instance per tenant.

Access to Directory Objects

Identities, resources, and their relationships are represented in an Azure AD tenant as directory objects. Examples of directory objects include users, groups, service principals, and app registrations.

When objects are in an Azure AD tenant, the following occurs:

  • Visibility. Identities can discover or enumerate resources, users, groups, and access usage reporting and audit logs if they have the right permissions. For example, a member of the directory can discover users in the directory with default user permissions.

  • Applications can affect objects. Applications can manipulate directory objects through Microsoft Graph as part of their business logic. Typical examples include reading or setting user attributes, updating a user's calendar, and sending email on behalf of the user. Consent is required before an application can act on the tenant; administrators can consent on behalf of all users. For more information, see Permissions and consent in the Microsoft identity platform.

    Note

    Use caution when granting application permissions: they act without a signed-in user and, by default, reach every object of that type in the tenant. For example, with Exchange Online an application permission such as Mail.Read covers every mailbox, so scope it to the specific mailboxes the application needs with an application access policy.

  • Throttling and service limits. Runtime behavior of a resource might trigger throttling to prevent overuse or service degradation. Throttling can occur at the application, tenant, or entire service level. Most commonly it occurs when an application has a large number of requests within or across tenants.
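The following PowerShell is an added example for the Exchange Online note above; it is not code from the original article. It assumes the ExchangeOnlineManagement module, a placeholder application (client) ID for an LMS connector that has been granted the Mail.Read application permission, and a placeholder mail-enabled security group that lists the only mailboxes the connector should reach.

```powershell
# Added example (not from the original article). Placeholders: the connector's app ID
# and the mail-enabled security group that lists the mailboxes it may touch.
Connect-ExchangeOnline

$appId      = '00000000-0000-0000-0000-000000000000'   # placeholder: app registration's application (client) ID
$scopeGroup = 'lms-connector-mailboxes@contoso.edu'    # placeholder: mail-enabled security group

# Restrict the app so its Mail.Read application permission only resolves for group members.
# Without a policy, that permission reaches every mailbox in the tenant.
New-ApplicationAccessPolicy -AppId $appId `
    -PolicyScopeGroupId $scopeGroup `
    -AccessRight RestrictAccess `
    -Description 'LMS connector: read only the mailboxes in the scope group'

# Confirm the scope before the connector goes live: one mailbox expected inside
# the group, one expected outside it (both addresses are placeholders).
Test-ApplicationAccessPolicy -Identity 'grades@contoso.edu' -AppId $appId
Test-ApplicationAccessPolicy -Identity 'registrar@contoso.edu' -AppId $appId
```

Test-ApplicationAccessPolicy reports an AccessCheckResult for each mailbox, which is the check to run before trusting the policy. Application access policies narrow only the Exchange resources (Mail, Calendars, Contacts, MailboxSettings); application permissions on other Graph resources, such as users or groups, still apply tenant-wide.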

Every tenant has a total object limit. By default, a tenant is limited to 50,000 total objects. After a custom domain is added, the limit increases to 300,000. You can increase this object limit further by contacting the EDU Customer Success Team. We recommend that a single Azure AD tenant not exceed 1 million users, which usually equates to approximately 3 million total objects. For more information about service limits in Azure AD, see Azure AD service limits and restrictions.

Configuration in a tenant


Policies and settings in Azure AD impact resources in the Azure AD tenant through targeted, or tenant-wide configurations.

Examples of tenant-wide policies and settings include:

  • External identities. Global administrators for the tenant identify and control the external identities that can be provisioned in the tenant.

    • Whether to allow external identities in the tenant

    • From which domain(s) external identities can be added

    • Whether users can invite users from other tenants

  • Named Locations. Global administrators can create named locations, which can then be used to:

    • Block sign in from specific locations.

    • Trigger conditional access policies such as MFA.

  • Allowed authentication methods. Global administrators set the authentication methods allowed for the tenant.

  • Self-service options. Global Administrators set self-service options at the tenant level, such as self-service password reset and whether users can create Office 365 groups.

Resource administrators can narrow the effect of some tenant-wide configurations on their own resources, but they cannot override the tenant-wide policy itself. For example:

  • If the tenant is configured to allow external identities, a resource administrator can still exclude those identities from accessing a resource.

  • If the tenant is configured to allow personal device registration, a resource administrator can exclude those devices from accessing specific resources.

  • If named locations are configured, a resource administrator can configure policies either allowing or excluding access from those locations.
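As an added example (not code from the original article) of how the named locations described under the tenant-wide settings and the resource-level scoping listed above combine, the following Microsoft Graph PowerShell creates a trusted campus named location and two Conditional Access policies for a single application. Assumed values: the LMS application ID and the emergency-access account ID are placeholders, and the campus IP range is the documentation range 203.0.113.0/24.

```powershell
# Added example (not from the original article). Placeholders: the LMS app ID and the
# emergency-access account ID; the campus range is the documentation range 203.0.113.0/24.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$lmsAppId     = '11111111-1111-1111-1111-111111111111'   # placeholder: LMS app (client) ID
$breakGlassId = '33333333-3333-3333-3333-333333333333'   # placeholder: emergency-access account object ID

# 1. A trusted named location for the campus network (tenant-wide setting)
$campus = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Campus network'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }
    )
}

# 2. The tenant allows external identities, but this one resource excludes them entirely
$blockGuests = @{
    displayName   = 'LMS: block external identities'
    state         = 'enabledForReportingButNotEnforced'   # report-only first; 'enabled' after review
    conditions    = @{
        users        = @{ includeUsers = @('GuestsOrExternalUsers') }
        applications = @{ includeApplications = @($lmsAppId) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockGuests

# 3. Everyone else needs MFA for the LMS unless the sign-in comes from the campus location
$requireMfaOffCampus = @{
    displayName   = 'LMS: require MFA off campus'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @($lmsAppId) }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($campus.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfaOffCampus
```

Both policies start in report-only state so their effect shows up in the sign-in logs before anything is enforced; set state to 'enabled' once the results look right. In Conditional Access, exclusions take precedence over inclusions, which is why the campus location and the emergency-access account are listed under exclude rather than being carved out of the include list.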

Administration in a tenant

Administration includes the management of identity objects and scoped implementation of tenant-wide configurations. Objects include users, groups, devices, and service principals. You can scope the effects of tenant-wide configurations for authentication, authorization, self-service options, and so on.

Tenant-wide administrators, or global admins, can:

  • Grant access to any resource to any user

  • Assign resource roles to any user

  • Assign lower-scoped admin roles to any user


Administration of directory objects

Administrators manage how identity objects can access resources, and under what circumstances. They also can disable, delete, or modify directory objects based on their privileges. Identity objects include:

  • Organizational identities, such as the following, are represented by user objects:

    • Administrators

    • Organizational users

    • Organizational developers

    • Test users

  • External identities represent users from outside the organization such as:

    • Partners or other educational institutions that are provisioned with accounts local to the organization environment

    • Partners or other educational institutions that are provisioned via Azure B2B collaboration

  • Groups are represented by objects such as:

    • Security groups

    • Office 365 groups

  • Devices are represented by objects such as:

    • Hybrid Azure AD joined devices (on-premises computers synchronized from on-premises Active Directory)

    • Azure AD joined devices

    • Azure AD registered mobile devices used by employees to access their workplace applications.

Note

In a hybrid environment, identities are typically synchronized from the on-premises Active Directory environment using Azure AD Connect.

Administration of identity services

Administrators with appropriate permissions can manage how tenant-wide policies are implemented at the level of resource groups, security groups, or applications. When considering administration of resources, keep the following in mind. Each can be a reason to keep resources together, or to isolate them.

  • An identity assigned an Authentication Administrator role can require non-administrators to reregister for MFA or FIDO authentication.

  • A Conditional Access (CA) Administrator can create CA policies that require users signing-in to specific apps to do so only from organization-owned devices. They can also scope configurations. For example, even if external identities are allowed in the tenant, they can exclude those identities from accessing a resource.

  • A Cloud Application Administrator can consent to application permissions on behalf of all users.

  • A Global Administrator can elevate their access to take control of any Azure subscription associated with the tenant.


Licensing

Microsoft paid cloud services, such as Office 365, require licenses. These licenses are assigned to each user who needs access to the services. Azure AD is the underlying infrastructure that supports identity management for all Microsoft cloud services and stores information about license assignment states for users. Traditionally, administrators would use one of the management portals (Office or Azure) and PowerShell cmdlets to manage licenses. Azure AD supports group-based licensing which enables you to assign one or more product licenses to a group of users.
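The following is an added example (not from the original article) of group-based licensing with the Microsoft Graph PowerShell module. The SKU part number and group ID are placeholders; use Get-MgSubscribedSku and your group's object ID to find the values for your tenant.

```powershell
# Added example (not from the original article). Placeholders: the SKU part number
# and the group object ID; look both up in your own tenant.
Connect-MgGraph -Scopes 'Organization.Read.All','Group.ReadWrite.All','User.Read.All'

# Pick the subscription (SKU) to assign and show how many units are already consumed
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'M365EDU_A3_FACULTY'
'{0}: {1} of {2} units consumed' -f $sku.SkuPartNumber, $sku.ConsumedUnits, $sku.PrepaidUnits.Enabled

$groupId = '44444444-4444-4444-4444-444444444444'   # placeholder: 'All faculty' security group

# Attach the license to the group; current and future members inherit it
Set-MgGroupLicense -GroupId $groupId `
    -AddLicenses @(@{ SkuId = $sku.SkuId }) `
    -RemoveLicenses @()

# Inheritance can fail per user (no free units, no usageLocation, conflicting plans).
# List every user whose inherited assignment is in an error state.
Get-MgUser -All -Property Id,UserPrincipalName,UsageLocation,LicenseAssignmentStates |
    ForEach-Object {
        $user   = $_
        $failed = $user.LicenseAssignmentStates | Where-Object { $_.State -in 'ActiveWithError','Error' }
        foreach ($f in $failed) {
            [pscustomobject]@{
                User          = $user.UserPrincipalName
                UsageLocation = $user.UsageLocation
                SkuId         = $f.SkuId
                State         = $f.State
                Error         = $f.Error
            }
        }
    }
```

Group-based assignment can fail for individual members, for example when the subscription has no free units or the user has no usageLocation set, so the last step lists every user whose inherited assignment is in an error state instead of assuming the group did the job.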

Azure AD in Microsoft 365 Education scenarios

Azure AD helps students and faculty sign in and access resources and services in Microsoft 365 Education, including:

  • Sign in and authorization to resources

    • Domains for sign-in and email are configured for cloud authentication in Azure AD.

    • Most external collaboration capabilities use Azure AD B2B collaboration.

  • Microsoft Office 365 capabilities

    • Azure AD identities are assigned Office 365 licenses, which triggers provisioning.

    • Office 365 objects such as distribution lists, Modern Groups, contacts, and Microsoft Teams, are represented by Azure AD directory objects, and managed in Azure AD.

    • Office 365 services provide authorization using Azure AD Groups.

    • Access to Office 365 is controlled through Azure AD.

  • Governance and Security

    • Management and security features such as Intune for Education rely on Azure AD users, groups, devices, and policies.

    • Privileged Identity Management to allow Just-in-Time (JIT) and Just Enough Administration (JEA) access to privileged operations.

    • Sign-in logs and audit activity reports.

    • Governance capabilities such as Access Reviews.

    • Azure AD provides the hybrid capabilities to synchronize from on-premises Active Directory through Azure AD Connect.

    • Azure AD Connect enables you to configure the authentication method appropriate for your organization, including password hash synchronization, pass-through authentication, or federation integration with AD FS or non-Microsoft SAML identity provider.

    • APIs to provision directory objects from a Student Information System (SIS) using School Data Sync


Microsoft provides a hierarchy of organizations, subscriptions, licenses, and user accounts for consistent use of identities and billing across its cloud offerings:

  • Microsoft 365 and Microsoft Office 365
  • Microsoft Azure
  • Microsoft Dynamics 365

Elements of the hierarchy

Here are the elements of the hierarchy:

Organization

An organization represents a business entity that is using Microsoft cloud offerings, typically identified by one or more public Domain Name System (DNS) domain names, such as contoso.com. The organization is a container for subscriptions.

Subscriptions

A subscription is an agreement with Microsoft to use one or more Microsoft cloud platforms or services, for which charges accrue based on either a per-user license fee or on cloud-based resource consumption.

  • Microsoft's Software as a Service (SaaS)-based cloud offerings (Microsoft 365 and Dynamics 365) charge per-user license fees.
  • Microsoft's Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) cloud offerings (Azure) charge based on cloud resource consumption.

You can also use a trial subscription, but it expires after a set period of time or once its included consumption allowance is used up. You can convert a trial subscription to a paid subscription.

Organizations can have multiple subscriptions for Microsoft's cloud offerings. Figure 1 shows a single organization that has multiple Microsoft 365 subscriptions, a Dynamics 365 subscription, and multiple Azure subscriptions.

Figure 1: Example of multiple subscriptions for an organization

Licenses

For Microsoft's SaaS cloud offerings, a license allows a specific user account to use the services of the cloud offering. You are charged a fixed monthly fee as part of your subscription. Administrators assign licenses to individual user accounts in the subscription. For the example in Figure 2, the Contoso Corporation has a Microsoft 365 E5 subscription with 100 licenses, which allows up to 100 individual user accounts to use Microsoft 365 E5 features and services.

Figure 2: Licenses within the SaaS-based subscriptions for an organization

Note

A security best practice is to use separate user accounts that are assigned specific roles for administrative functions. These dedicated administrator accounts do not need to be assigned a license for the cloud services that they administer. For example, a SharePoint administrator account does not need to be assigned a Microsoft 365 license.
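To check the practice described in the note above, here is an added example (not code from the original article) that lists the direct members of the Global Administrator role and reports which of them also carry licenses, which usually means an everyday account is being used for administration. It assumes the Microsoft Graph PowerShell module and a signed-in account allowed to read directory roles and user license details.

```powershell
# Added example (not from the original article). Assumes the Microsoft Graph PowerShell
# module and an account that can read directory roles and user license details.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','User.Read.All'

# Find the activated Global Administrator role, filtering client-side by display name
$role = Get-MgDirectoryRole | Where-Object DisplayName -eq 'Global Administrator'
if (-not $role) { throw 'Global Administrator role is not activated in this tenant' }

foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
    # Role members can also be groups or service principals; only users hold licenses
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $skus = Get-MgUserLicenseDetail -UserId $member.Id | Select-Object -ExpandProperty SkuPartNumber
    [pscustomobject]@{
        Admin    = $member.AdditionalProperties['userPrincipalName']
        Licensed = [bool]$skus          # $true suggests an everyday account doing admin work
        Skus     = ($skus -join ', ')
    }
}
```

Get-MgDirectoryRoleMember returns only active, direct assignments: accounts that are merely eligible through Privileged Identity Management, or that hold the role through a role-assignable group, are not listed as users here, so extend the check if you use either.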

For Azure PaaS-based cloud services, software licenses are built into the service pricing.

For Azure IaaS-based virtual machines, additional licenses to use the software or application installed on a virtual machine image might be required. Some virtual machine images have licensed versions of software installed and the cost is included in the per-minute rate for the server. Examples are the virtual machine images for SQL Server 2014 and SQL Server 2016.

Some virtual machine images have trial versions of applications installed and need additional software application licenses for use beyond the trial period. For example, the SharePoint Server 2016 Trial virtual machine image includes a trial version of SharePoint Server 2016 pre-installed. To continue using SharePoint Server 2016 after the trial expiration date, you must purchase a SharePoint Server 2016 license and client licenses from Microsoft. These charges are separate from the Azure subscription and the per-minute rate to run the virtual machine still applies.

User accounts

User accounts for all of Microsoft's cloud offerings are stored in an Azure Active Directory (Azure AD) tenant, which contains user accounts and groups. An Azure AD tenant can be synchronized with your existing Active Directory Domain Services (AD DS) accounts using Azure AD Connect, a Windows server-based service. This is known as directory synchronization.

Figure 3 shows an example of multiple subscriptions of an organization using a common Azure AD tenant that contains the organization's accounts.

Figure 3: Multiple subscriptions of an organization that use the same Azure AD tenant

Tenants

For SaaS cloud offerings, the tenant is the regional location that houses the servers providing cloud services. For example, the Contoso Corporation chose the European region to host its Microsoft 365, EMS, and Dynamics 365 subscriptions for the 15,000 workers in their Paris headquarters.

Azure PaaS services and virtual machine-based workloads hosted in Azure IaaS can have tenancy in any Azure datacenter across the world. You specify the Azure datacenter, known as the location, when you create the Azure PaaS app or service or element of an IaaS workload.

An Azure AD tenant is a specific instance of Azure AD containing accounts and groups. Paid or trial subscriptions of Microsoft 365 or Dynamics 365 include a free Azure AD tenant. This Azure AD tenant does not include other Azure services and is not the same as an Azure trial or paid subscription.

Summary of the hierarchy

Here is a quick recap:

  • An organization can have multiple subscriptions

    • A subscription can have multiple licenses

    • Licenses can be assigned to individual user accounts

    • User accounts are stored in an Azure AD tenant

Here is an example of the relationship of organizations, subscriptions, licenses, and user accounts:

  • An organization identified by its public domain name.

    • A Microsoft 365 E3 subscription with user licenses.

    • A Microsoft 365 E5 subscription with user licenses.

    • A Dynamics 365 subscription with user licenses.

    • Multiple Azure subscriptions.

    • The organization's user accounts in a common Azure AD tenant.

Multiple Microsoft cloud offering subscriptions can use the same Azure AD tenant that acts as a common identity provider. A central Azure AD tenant that contains the synchronized accounts of your on-premises AD DS provides cloud-based Identity as a Service (IDaaS) for your organization.

Figure 4: Synchronized on-premises accounts and IDaaS for an organization

Figure 4 shows how a common Azure AD tenant is used by Microsoft's SaaS cloud offerings, Azure PaaS apps, and virtual machines in Azure IaaS that use Azure AD Domain Services. Azure AD Connect synchronizes the on-premises AD DS forest with the Azure AD tenant.

Combining subscriptions for multiple Microsoft cloud offerings

The following table describes how you can combine multiple Microsoft cloud offerings based on already having a subscription for one type of cloud offering (the labels going down the first column) and adding a subscription for a different cloud offering (going across the columns).


Existing subscription: Microsoft 365

  • Add Azure: You add an Azure subscription to your organization from the Azure portal.

  • Add Dynamics 365: You add a Dynamics 365 subscription to your organization from the Microsoft 365 admin center.

Existing subscription: Azure

  • Add Microsoft 365: You add a Microsoft 365 subscription to your organization.

  • Add Dynamics 365: You add a Dynamics 365 subscription to your organization.

Existing subscription: Dynamics 365

  • Add Microsoft 365: You add a Microsoft 365 subscription to your organization.

  • Add Azure: You add an Azure subscription to your organization from the Azure portal.

An easy way to add subscriptions to your organization for Microsoft SaaS-based services is through the admin center:

  1. Sign in to the Microsoft 365 admin center (https://admin.microsoft.com) with your global administrator account.

  2. From the left navigation of the Admin center home page, click Billing, and then Purchase services.

  3. On the Purchase services page, purchase your new subscriptions.

The admin center assigns the organization and Azure AD tenant of your Microsoft 365 subscription to the new subscriptions for SaaS-based cloud offerings.

To add an Azure subscription with the same organization and Azure AD tenant as your Microsoft 365 subscription:

  1. Sign in to the Azure portal (https://portal.azure.com) with your Microsoft 365 global administrator account.

  2. In the left navigation, click Subscriptions, and then click Add.

  3. On the Add subscription page, select an offer and complete the payment information and agreement.

If you purchased Azure and Microsoft 365 subscriptions separately and want to access the Microsoft 365 Azure AD tenant from your Azure subscription, see the instructions in Add an existing Azure subscription to your Azure Active Directory tenant.
