Azure AD Terminology

What is an Azure tenant?

An Azure tenant is the organization that owns and administers a specific instance of Azure cloud services. In everyday usage, “we’ve configured our tenant this way” refers to an organization’s collection of Azure Active Directory and Office 365 services, but that usage is imprecise: the University of Washington, like many large institutions, has several tenants. To avoid confusion, the UW refers to each tenant by its core domain name, which takes the form <tenantname>.onmicrosoft.com, where <tenantname> is the tenant’s actual name. A single tenant’s directory may have multiple domains and/or subscriptions tied to it.

The UW primarily uses the uwnetid.onmicrosoft.com Azure AD tenant. Its default domain is cloud.washington.edu and its primary domain is uw.edu; it also holds washington.edu, u.washington.edu and a number of other related domains. When “tenant” appears here without qualification, it means this enterprise Azure Active Directory tenant.

What is an Azure AD directory?

Simply put, an Azure AD directory is a tenant’s own instance of the Azure Active Directory service. A directory can contain multiple domains and can be associated with multiple subscriptions, but it belongs to exactly one tenant. Azure AD directories offer an extensive set of features; some of them require additional per-user licensing (that is, an extra cost for you to use those capabilities).

What is an Azure AD domain (or accepted domain)?

A domain (or accepted domain) is a DNS zone for which a tenant has proven ownership, by creating an arbitrarily named DNS record with the value Microsoft requests. A domain represents a suffix (or namespace) that directory objects are permitted to use. Each tenant has a core domain (<tenantname>.onmicrosoft.com) and a default domain (initially the core domain, but changeable). A tenant’s primary domain need not be either of these.

What is the Azure Active Directory (AAD) Security Token Service (STS)?

The Azure AD STS is the authentication service that issues tokens for applications integrated with Azure Active Directory. It supports OpenID Connect, OAuth 2.0, SAML, and WS-Federation. Microsoft does not emphasize that the OAuth 2.0 tokens are technically issued by the Azure AD OAuth Authorization Server. The Azure AD STS can federate with third-party identity providers, but both the overall Azure AD architecture and the requirements of particular applications constrain which federation scenarios are possible.

The UW uses Active Directory Federation Services (ADFS) to federate its uw.edu Azure AD enterprise tenant; ADFS in turn federates with the UW Shibboleth IdP, which relies on UW Weblogin (and the UW MIT Kerberos realm) for authentication.
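Because the STS issues tokens for every tenant (and federated tenants can obtain tokens too), an application consuming Azure AD tokens should pin them to its own tenant. The following is an added example, not code from this page, from UW-IT or from Microsoft: it decodes the token payload and checks the issuer, tenant id (tid), audience and expiry claims. The tenant id and application ID URI are placeholders, the sample tokens are constructed inline with a placeholder signature, and signature verification against the tenant’s JWKS (which must happen first in real code) is deliberately out of scope. The two issuer URL formats are the ones Azure AD uses for its v1.0 and v2.0 endpoints.

```python
"""Pin Azure AD STS tokens to one tenant (added example, not the page's own code).

Tokens issued by the Azure AD STS carry an ``iss`` (issuer) claim and a
``tid`` (tenant id) claim.  An app that accepts any token "from Azure AD"
without pinning the issuer also accepts tokens minted for every other
tenant, including tenants it federates with.  The checks below run after
signature verification, which is out of scope here.
"""
import base64
import json
import time
from typing import Dict, Optional, Set, Tuple

# Placeholder values: not a real tenant id or app id URI.
EXPECTED_TENANT = "00000000-0000-0000-0000-000000000001"
EXPECTED_AUDIENCE = "api://placeholder-app"


def expected_issuers(tenant_id: str) -> Set[str]:
    """Issuer URLs Azure AD uses for a tenant on its v1.0 and v2.0 endpoints."""
    return {
        f"https://sts.windows.net/{tenant_id}/",
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",
    }


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_payload(token: str) -> Dict:
    """Return the claims of a compact JWS without checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_tenant(payload: Dict, tenant_id: str, audience: str,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Accept a token only if it was issued by ``tenant_id`` for ``audience``."""
    now = time.time() if now is None else now
    iss = payload.get("iss")
    if iss not in expected_issuers(tenant_id):
        return False, f"issuer {iss!r} is not this tenant's STS"
    tid = payload.get("tid")
    if tid != tenant_id:
        return False, f"tid {tid!r} does not match expected tenant"
    aud = payload.get("aud")
    if aud != audience:
        return False, f"audience {aud!r} is not this application"
    if payload.get("exp", 0) <= now:
        return False, "token has expired"
    return True, "accepted"


def make_demo_token(payload: Dict) -> str:
    """Build a constructed token with a placeholder signature for the demo."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "placeholder"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


def run_demo(now: float = 1_700_000_000.0) -> Dict[str, Tuple[bool, str]]:
    """Exercise the check against constructed tokens; returns name -> verdict."""
    other_tenant = "00000000-0000-0000-0000-000000000002"  # placeholder
    samples = {
        "home tenant, v2 issuer": {
            "iss": f"https://login.microsoftonline.com/{EXPECTED_TENANT}/v2.0",
            "tid": EXPECTED_TENANT, "aud": EXPECTED_AUDIENCE, "exp": now + 600},
        "home tenant, v1 issuer": {
            "iss": f"https://sts.windows.net/{EXPECTED_TENANT}/",
            "tid": EXPECTED_TENANT, "aud": EXPECTED_AUDIENCE, "exp": now + 600},
        "other tenant, same audience": {
            "iss": f"https://login.microsoftonline.com/{other_tenant}/v2.0",
            "tid": other_tenant, "aud": EXPECTED_AUDIENCE, "exp": now + 600},
        "home tenant, expired": {
            "iss": f"https://sts.windows.net/{EXPECTED_TENANT}/",
            "tid": EXPECTED_TENANT, "aud": EXPECTED_AUDIENCE, "exp": now - 1},
    }
    return {name: check_tenant(decode_payload(make_demo_token(claims)),
                               EXPECTED_TENANT, EXPECTED_AUDIENCE, now)
            for name, claims in samples.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_demo().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name}: {reason}")
```

The "other tenant, same audience" case is the one that matters for multi-tenant confusion: the token is a perfectly valid Azure AD token, correctly signed by Microsoft and addressed to this application, but it was issued by a different tenant, so the issuer and tid checks reject it.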

What is Azure AD B2B (business-to-business)?

“Azure AD B2B” is an umbrella term for a set of capabilities that support collaboration between organizations. Specifically, Azure AD lets users from other Azure AD tenants, and holders of Microsoft Accounts, be added as guest users in your Azure AD tenant; such users are called external users. Once an external user has been added to your tenant, you can grant them access to resources and apply other Azure AD features to them, such as Azure MFA (e.g. to require stronger authentication). Using those additional features may carry additional licensing costs.

Within the uw.edu Azure AD enterprise tenant, you can invite anyone from outside the tenant. Restrictions or limits may be introduced in the future as Microsoft extends its tools for managing external users.

This feature is described in greater detail at https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2b-what-is-azure-ad-b2b/.

What is Azure AD B2C?

Azure Active Directory Business-to-Consumer (Azure AD B2C) is a Microsoft service that makes it easy for organizations to offer the standard identity features their customers expect. You provide the web application, and you get an Azure AD directory with enhanced federation capabilities and an easy-to-use self-service registration system. This lets you grant access to the application not only to members of your organization but also to individuals who register themselves, and all the other Azure AD features can be used with those accounts as well.

Use this service if your application has users who cannot obtain a UW NetID. Where some of those users already have an established identity, other UW options, such as UW Shibboleth, may be preferable. This service carries an additional charge. Discuss possible solutions with UW-IT.

Why am I asked to choose an account when I sign in? What is a Microsoft account? What is a ‘Work or school account’? Which one should I use?

Most Microsoft products and services require you to sign in. The sign-in process begins by entering a username, such as me@uw.edu or me@hotmail.com.

When you enter a username, Microsoft looks it up to determine what kind of account it belongs to and whether more than one kind of account uses that same name. If several account types share the login, you are shown a second prompt asking which one to use.

Pick whichever applies to you. The sign-in experience, and what you have access to afterwards, differ depending on which you choose.

For any UW resource or application, the ‘Work or school account’ option is almost always the correct choice. “Azure Active Directory user account,” “Office 365 user,” and “Azure user” all mean the same thing as “work or school account”: you sign in to Office 365, Azure, and other services with the same Azure Active Directory credentials. The University of Washington manages this account and links it to your UW NetID.

Choose the ‘Personal account’ option only when you are accessing resources entirely unrelated to the UW. A “personal account” is the same thing as a “Microsoft account,” “Hotmail account,” “Xbox account,” and so on: an account for Microsoft’s consumer-oriented products and services. The University of Washington does NOT manage this account; you alone are responsible for it.

Not all Microsoft products and services accept both account types. In that case you may be forced to choose the “personal account” option even for something related to the UW.

Personal (Microsoft) accounts can be granted access to UW-managed resources through Azure Active Directory as external users. This is not advisable when the person is affiliated with the UW, but it may be the only option for some.

For more about Azure Active Directory authentication and the typical Microsoft sign-in experience at the UW, see /tools-services-support/it-systems-infrastructure/msinf/aad/authn/, which also includes pages describing the typical Microsoft sign-in process for UW students.