WEBVTT

0:00:02.640000 --> 0:00:07.860000
In this video, we're going to take a look at multiple directories and why

0:00:07.860000 --> 0:00:12.280000
we might have multiple directories in our environment.

0:00:12.280000 --> 0:00:14.720000
Let's take a look at what we're going to take a look at.

0:00:14.720000 --> 0:00:19.500000
We start out looking at the architecture of implementing multiple directories,

0:00:19.500000 --> 0:00:21.880000
which is actually really pretty straightforward.

0:00:21.880000 --> 0:00:27.140000
Then I want to go ahead and demonstrate the process of provisioning multiple

0:00:27.140000 --> 0:00:30.940000
directories, or at least provisioning one extra directory.

0:00:30.940000 --> 0:00:36.800000
Before we go into the details of it, I want to map it out just a little

0:00:36.800000 --> 0:00:45.860000
bit so we get a good feeling for how multiple directories work.

0:00:45.860000 --> 0:00:48.760000
I'm going to start out with an account.

0:00:48.760000 --> 0:00:51.840000
Now, this could be a Microsoft account.

0:00:51.840000 --> 0:00:55.060000
It could be an enterprise account if you've got an enterprise agreement.

0:00:55.060000 --> 0:00:56.040000
But I have an account.

0:00:56.040000 --> 0:01:03.660000
This is separate from Azure AD.

0:01:03.660000 --> 0:01:08.480000
Then I am going to simply, initially, in order to use Azure, you're going

0:01:08.480000 --> 0:01:15.360000
to provision an Azure AD tenant.

0:01:15.360000 --> 0:01:21.540000
Now, I will use the words tenant and directory interchangeably because

0:01:21.540000 --> 0:01:27.820000
for now at least a tenant is a directory is a tenant in Azure AD.

0:01:27.820000 --> 0:01:32.580000
I can have multiple directories associated with the same account, which,

0:01:32.580000 --> 0:01:36.440000
again, could be a Microsoft account, could be an enterprise account.
0:01:36.440000 --> 0:01:42.840000
You can have up to 20 directories associated, that's a terrible A, up

0:01:42.840000 --> 0:01:47.360000
to 20 directories associated with a single account.

0:01:47.360000 --> 0:01:53.820000
Then you can associate Azure subscriptions with your account.

0:01:53.820000 --> 0:01:58.060000
So this could be just, I'm going to say, A for Azure.

0:01:58.060000 --> 0:02:01.040000
And I can have multiple Azure subscriptions where I'm going to have resource

0:02:01.040000 --> 0:02:05.940000
groups and I'm going to have resources within those subscriptions.

0:02:05.940000 --> 0:02:09.140000
And I can have those associated with different Azure ADs.

0:02:09.140000 --> 0:02:15.820000
Or I might have an Azure AD that's simply used for some kind of cloud

0:02:15.820000 --> 0:02:19.140000
service such as Microsoft 365.

0:02:19.140000 --> 0:02:28.120000
And that really gets to why you might have multiple directories or tenants.

0:02:28.120000 --> 0:02:34.180000
In most cases, an organization can have a single tenant.

0:02:34.180000 --> 0:02:37.420000
And again, I'm using the words tenant and directory interchangeably.

0:02:37.420000 --> 0:02:40.720000
I tend to use tenant, but that's just because I try to be consistent with

0:02:40.720000 --> 0:02:45.220000
it. But I could have an organization as long as I'm on a higher tier,

0:02:45.220000 --> 0:02:47.580000
not the free tier of Azure AD.

0:02:47.580000 --> 0:02:50.660000
I can have unlimited objects in Azure AD.

0:02:50.660000 --> 0:02:54.600000
So I don't need to have multiple directories to take care of that.

0:02:54.600000 --> 0:02:57.280000
But there may be reasons I want to have multiple directories.

0:02:57.280000 --> 0:03:01.300000
For example, maybe I've got a development environment that I want to be

0:03:01.300000 --> 0:03:06.720000
really similar to my actual production environment for my cloud-based

0:03:06.720000 --> 0:03:09.260000
applications, my software-as-a-service applications.
0:03:09.260000 --> 0:03:13.300000
But I really want test users and that kind of thing that my dev team can

0:03:13.300000 --> 0:03:15.680000
work with. So I might split that off.

0:03:15.680000 --> 0:03:18.840000
Or this is an architecture that I've implemented.

0:03:18.840000 --> 0:03:25.540000
I might want one Azure AD tenant for managing the resources in Azure and

0:03:25.540000 --> 0:03:30.100000
then a second Azure AD tenant that I'm really replicating with my on-premises

0:03:30.100000 --> 0:03:34.700000
environment so that all of my on-prem users go into that second Azure

0:03:34.700000 --> 0:03:38.880000
AD tenant and that second tenant is then connected to all of my cloud

0:03:38.880000 --> 0:03:40.100000
based applications.

0:03:40.100000 --> 0:03:46.380000
A couple of advantages of having multiple subscriptions associated with

0:03:46.380000 --> 0:03:48.100000
the same account.

0:03:48.100000 --> 0:03:53.700000
First of all, when I'm managing multiple subscriptions, and again, reasons

0:03:53.700000 --> 0:03:56.220000
for having multiple subscriptions are similar.

0:03:56.220000 --> 0:04:01.200000
I may have different, frankly, charge codes that need to be completely

0:04:01.200000 --> 0:04:05.320000
separate. And of course, you're paying at the subscription level.

0:04:05.320000 --> 0:04:10.060000
And I may want different groups having different rights at the subscription

0:04:10.060000 --> 0:04:15.560000
level. Or maybe we just acquired a new company and I want that company

0:04:15.560000 --> 0:04:20.120000
to have their subscription under my directory, under my tenant.

0:04:20.120000 --> 0:04:24.460000
So lots of reasons you have that. The cool thing about having multiple directories

0:04:24.460000 --> 0:04:29.820000
or multiple subscriptions under the same tenant is that I can manage those

0:04:29.820000 --> 0:04:31.780000
together as long as I have rights.
0:04:31.780000 --> 0:04:36.280000
So in other words, if we're looking at this first environment here where

0:04:36.280000 --> 0:04:38.980000
I've got Azure AD.

0:04:38.980000 --> 0:04:44.660000
And that's my, let's say, my primary resource tenant.

0:04:44.660000 --> 0:04:50.480000
I can go into the portal and from the portal, because these are in the

0:04:50.480000 --> 0:04:59.160000
same, or they're using the same primary tenant, then from the portal,

0:04:59.160000 --> 0:05:03.380000
I can actually access and manage both of those simultaneously.

0:05:03.380000 --> 0:05:04.760000
And I can filter and lots of other stuff.

0:05:04.760000 --> 0:05:09.480000
So lots of reasons for having multiple tenants, lots of reasons for having

0:05:09.480000 --> 0:05:12.420000
multiple objects within your tenants.

0:05:12.420000 --> 0:05:17.600000
Now let's talk about some details relative to multiple directory or multiple

0:05:17.600000 --> 0:05:19.220000
tenant architecture.

0:05:19.220000 --> 0:05:22.360000
So just some things to think about.

0:05:22.360000 --> 0:05:27.540000
First of all, tenants and directories are the same thing.

0:05:27.540000 --> 0:05:33.640000
And again, I'll try to use the word tenant as often as possible just for

0:05:33.640000 --> 0:05:37.840000
consistency. But again, if you use either word, just know that they're

0:05:37.840000 --> 0:05:40.660000
really relating to the same thing.

0:05:40.660000 --> 0:05:44.300000
All right, each subscription is associated with a primary tenant or with

0:05:44.300000 --> 0:05:47.840000
a tenant. You can actually pull the subscription information and see the

0:05:47.840000 --> 0:05:50.720000
tenant that a subscription is associated with.

0:05:50.720000 --> 0:05:56.560000
Now you can transfer a subscription from one tenant to another tenant.

0:05:56.560000 --> 0:06:01.400000
But if you do that, all of your RBAC in that subscription will be wiped

0:06:01.400000 --> 0:06:03.420000
out, which kind of makes sense, right?
0:06:03.420000 --> 0:06:06.100000
Because you have a really completely different set of users.

0:06:06.100000 --> 0:06:07.580000
But do be aware of that.

0:06:07.580000 --> 0:06:11.380000
That if you do transfer a subscription, there would be probably a fair

0:06:11.380000 --> 0:06:14.560000
bit of work making sure that that's up and running.

0:06:14.560000 --> 0:06:18.900000
And as I said, a single tenant can be the primary tenant for multiple

0:06:18.900000 --> 0:06:24.320000
subscriptions. And also keep in mind that there are different directory

0:06:24.320000 --> 0:06:28.480000
tiers and there's licensing that goes with that.

0:06:28.480000 --> 0:06:32.300000
When you first create a tenant, it's going to be on the free tier, which

0:06:32.300000 --> 0:06:35.140000
gives you up to, top of my head, 50,000 objects, I believe.

0:06:35.140000 --> 0:06:37.180000
It's 50 or 500,000, one or the other.

0:06:37.180000 --> 0:06:39.260000
I know that's a big difference.

0:06:39.260000 --> 0:06:42.840000
But make sure you have that solid for an exam.

0:06:42.840000 --> 0:06:46.480000
But in any case, you've got the free tier and it has some functionality.

0:06:46.480000 --> 0:06:48.460000
There's a basic tier above that.

0:06:48.460000 --> 0:06:53.940000
And then there's also a premium P1 tier and a premium P2 tier.

0:06:53.940000 --> 0:06:58.860000
Many of the things that we cover in this course are dependent on the premium

0:06:58.860000 --> 0:07:03.560000
P2 tier. So just be aware of that as you're thinking about how you want

0:07:03.560000 --> 0:07:06.380000
to implement your Azure licensing.

0:07:06.380000 --> 0:07:12.520000
Now the Azure AD licensing, the way that works is it's on a per-user basis.

0:07:12.520000 --> 0:07:20.580000
And just because you have the P2 license active for an Azure AD tenant

0:07:20.580000 --> 0:07:24.440000
doesn't mean that every single user account in there will take a license.
0:07:24.440000 --> 0:07:27.160000
It depends on how you're using them, certain things.

0:07:27.160000 --> 0:07:31.420000
For example, if you're using multi-factor authentication and a number

0:07:31.420000 --> 0:07:35.160000
of other capabilities that come into play are going to be charged based

0:07:35.160000 --> 0:07:37.100000
on how you implement them.

0:07:37.100000 --> 0:07:43.600000
Also be aware that you do have this concept of business-to-business connectivity.

0:07:43.600000 --> 0:07:46.960000
And what that is within Azure is actually pretty simple.

0:07:46.960000 --> 0:07:53.380000
And I'm going to just go ahead and draw this out really, really simple.

0:07:53.380000 --> 0:07:56.340000
I could actually manage to use my tools properly.

0:07:56.340000 --> 0:07:57.940000
We can do that. There we go.

0:07:57.940000 --> 0:08:01.320000
All right. Here is the idea with business-to-business.

0:08:01.320000 --> 0:08:04.620000
And it's a multi-tenant concept.

0:08:04.620000 --> 0:08:07.640000
Okay. So here I have tenant AAD1.

0:08:07.640000 --> 0:08:12.440000
You can't name your tenant that, by the way.

0:08:12.440000 --> 0:08:17.900000
And over here I have tenant AAD2.

0:08:17.900000 --> 0:08:22.300000
And AAD1 has some resource, let's say it's a resource group.

0:08:22.300000 --> 0:08:29.980000
And I've got a user, this is as good as my drawing gets.

0:08:29.980000 --> 0:08:36.760000
I've got a user that's in AAD2, but that user is collaborating on a project

0:08:36.760000 --> 0:08:38.580000
that uses that resource group.

0:08:38.580000 --> 0:08:41.900000
But that resource group is in a subscription that's associated with AAD1.
0:08:41.900000 --> 0:08:45.760000
Well, what you can do is you can have what are called guest users, which

0:08:45.760000 --> 0:08:50.840000
are simply users from another tenant that are registered in your tenant

0:08:50.840000 --> 0:08:56.660000
and then can be assigned access to whatever cloud applications your tenant

0:08:56.660000 --> 0:09:01.500000
is responsible for, including the Azure subscription.

0:09:01.500000 --> 0:09:08.620000
So that concept is the business-to-business concept.

0:09:08.620000 --> 0:09:13.680000
And really that gives us the ideas behind having multiple directories.

0:09:13.680000 --> 0:09:21.300000
Now what I want to do is I want to go ahead and I want to shift over and

0:09:21.300000 --> 0:09:24.740000
demonstrate how to go about creating a directory.

0:09:24.740000 --> 0:09:28.120000
The process of creating a directory is actually really straightforward.

0:09:28.120000 --> 0:09:31.300000
I'm going to go in and say, I used directory instead of tenant, sorry

0:09:31.300000 --> 0:09:36.200000
about that. I'm going to type in active.

0:09:36.200000 --> 0:09:43.820000
As soon as I type in active, I've got Azure Active Directory and I'm going

0:09:43.820000 --> 0:09:47.140000
to create an Azure Active Directory.

0:09:47.140000 --> 0:09:49.860000
This is a pretty simple demonstration.

0:09:49.860000 --> 0:09:51.500000
I'm going to give this an organization name.

0:09:51.500000 --> 0:09:58.580000
Now the organization name must be unique within the Azure environment.

0:09:58.580000 --> 0:10:00.320000
And I'll tell you why that isn't just about it.

0:10:00.320000 --> 0:10:04.640000
It really has to be unique within the overall Microsoft environment.

0:10:04.640000 --> 0:10:09.660000
And so I'm going to call this az300.2.

0:10:09.660000 --> 0:10:13.780000
And the actual, the organization name doesn't have to be, but the initial

0:10:13.780000 --> 0:10:15.340000
domain name does.

0:10:15.340000 --> 0:10:20.360000
So let's go INE az300.2.
0:10:20.360000 --> 0:10:24.540000
And then you'll notice that it has the .onmicrosoft.com.

0:10:24.540000 --> 0:10:29.320000
That is going to be the name of that domain.

0:10:29.320000 --> 0:10:33.640000
So you're really creating a directory with a public domain name.

0:10:33.640000 --> 0:10:39.780000
And that's it. So the actual process, all that talk about working with

0:10:39.780000 --> 0:10:44.280000
multiple directories, the process for provisioning a new directory is

0:10:44.280000 --> 0:10:46.560000
really very straightforward.

0:10:46.560000 --> 0:10:51.140000
And what you need to think about architecturally is, do I need to have

0:10:51.140000 --> 0:10:52.180000
multiple directories?

0:10:52.180000 --> 0:10:54.440000
Why would I use multiple directories?

0:10:54.440000 --> 0:10:58.400000
And then the implementation of said directories is fairly straightforward.