Exploring the Real Relationship Between Azure AD and Azure Subscriptions

  • Published on 1 Oct 2024

Comments • 88

  • @dudeus
    @dudeus 3 years ago +6

    Please don’t stop doing videos. You have no idea how much these help us. Thank you so much.🙏

  • @laxminarayanarora4670
    @laxminarayanarora4670 4 years ago +6

    I really admire, love like... your videos the most :) . Your presentation skills and depth of knowledge are unique.

    • @NTFAQGuy
      @NTFAQGuy 4 years ago

      Very kind, thank you!

  • @matrixman20101
    @matrixman20101 4 years ago +1

    Thank you. May I ask if you could also sometimes share your work experience, in terms of issues during migration to the cloud, risks and concerns, and even integration with 3rd-party tools? I think it would also be more informative, real case scenarios :), thank you in advance! Cheers

  • @daothman
    @daothman 3 years ago +1

    Nice video. Any resources on how to integrate Azure from different companies during a company acquisition?

    • @NTFAQGuy
      @NTFAQGuy 3 years ago

      I have videos on things like B2B and migration technologies. Different aspects to consider.

  • @sylviawylie9218
    @sylviawylie9218 4 months ago

    Generic comment to show my appreciation. Keep winning John!

  • @laxminarayanarora4670
    @laxminarayanarora4670 4 years ago +1

    We are underprivileged and don't have good resources generally, can't manage good learning stuff frequently, and neither can we enroll in good courses to learn AZURE; your channel is the only HOPE for us.
    Long live you and your channel!

    • @NTFAQGuy
      @NTFAQGuy 4 years ago

      Good luck and remember there are free Azure trials and certain services that are always free to help you learn at no cost.

  • @Timmy-Hi5
    @Timmy-Hi5 3 years ago +1

    Hey John, at the 11th minute, what would then be the best practices for Subscription owners? For example, we do not want to give this to humans, but automate it. If we automate, how do we protect it? No worries, don't need full A-Z tutorials 😁 🙈 just some pointers 🍺💪🇬🇧

    • @NTFAQGuy
      @NTFAQGuy 3 years ago +1

      Some companies would only have pipelines with that kind of permission, and the pipelines would be controlled as to what they are doing. Many companies are not super concerned; there is a level of trust in the people you make subscription owners, and worst case you can take ownership and move back.

    • @Timmy-Hi5
      @Timmy-Hi5 3 years ago

      @@NTFAQGuy 🇬🇧💪 thanks 👍

  • @LarsEllerhorst
    @LarsEllerhorst 4 years ago +2

    Hi John, the video is quite interesting, but I would prefer more analogies with on-premises Active Directory. Since a lot of admins are moving from classical on-prem AD, and supposing they know that system, it would be easier to highlight similarities and differences here. As I understand Azure AD, it is just a specialized AD for the cloud. Basically the forest root is onmicrosoft.com and each tenant is a subdomain. Relationships between the domains can be understood as the old trust relationships of NT4 domains; they are not trusted until explicitly configured to do so, e.g. B2B relations. In this sense I would compare a subscription object to an email account, which can be migrated on premises from one domain to another; you keep the emails but the server location, group memberships, login & password etc. may change. If I'm wrong let me know.

    • @NTFAQGuy
      @NTFAQGuy 4 years ago

      No, that is not correct, they are completely different. You should watch my Azure AD overview. Azure AD is nothing like AD, so that may be why you think I should talk about AD. The reality is AD has really nothing to do with this particular conversation. Check out my other videos; they should help clear up the confusion. Marketing uses the Azure AD name but there is no AD in it really ;-) B2B is not a relationship between AAD tenants; it's a single guest with no relationship between tenants and can even be from Gmail, MSA or an email with OTP. onmicrosoft.com is just part of the default name of domains, e.g. savilltech.onmicrosoft.com, but then I can give a custom name. There is no onmicrosoft.com domain; it's just part of the DNS name. There is no root onmicrosoft.com domain because there is no AD here. No trusts, no forest, no tree etc. No Kerberos (normally) :-)

    • @LarsEllerhorst
      @LarsEllerhorst 4 years ago

      @@NTFAQGuy Thanks for the clarification. To me it always seemed to be quite similar.

    • @NTFAQGuy
      @NTFAQGuy 4 years ago

      @@LarsEllerhorst yeah, the names make it confusing, but really they are completely different with different goals. In the next couple of weeks I'll be posting an identity video where I'll go into detail on Azure AD, which will help a lot, and also how AD relates to AAD.

    • @LarsEllerhorst
      @LarsEllerhorst 4 years ago

      @@NTFAQGuy Thanks, looking forward to it. I always thought, regarding AD Connect or ADFS, both are quite similar, just Azure AD a different flavour to accommodate the needs of being hosted in a cloud environment. So many parts seem to be equal: user objects, computer objects, the hierarchy, ACLs etc.

    • @NTFAQGuy
      @NTFAQGuy 4 years ago

      @@LarsEllerhorst right, AAD Connect replicates objects from AD to Azure AD. ADFS can be used to federate the authentication from AAD to use AD. They have the same type of objects like users and groups (but so do most systems with identities :-) ) but fulfil different use cases. I think the video will fill in the gaps. But things like hierarchy: there is no hierarchy. ACLs are a common component across nearly any system but once again different with AD and AAD. Look for the video in a couple of weeks, but hopefully for now at least understand Azure AD is not AD in the cloud :-)

  • @Carlesgl81
    @Carlesgl81 4 years ago +1

    Great video again John! Any amazing shirt 👕 this time? But in any case, the content and the explanation deserve to be shared on LinkedIn. Quick question: as far as I understood, as owner/admin, you are able to create as many AADs as you want, right? Like for example, one for test, one for dev and one for prod, correct? Thanks!

    • @NTFAQGuy
      @NTFAQGuy 4 years ago +1

      Anyone can create as many AADs as they want. That is the point. They are not related to subscription rights.

  • @eamonsalimi5660
    @eamonsalimi5660 3 years ago +1

    WoW, this is by far the best explanation on this matter, keep it up 👍

    • @NTFAQGuy
      @NTFAQGuy 3 years ago +1

      Thanks a lot!

  • @henriquealexandreh
    @henriquealexandreh 2 years ago

    Short but precious video. Thanks again John!

  • @denkozlov4220
    @denkozlov4220 2 years ago

    Emmm, as a newbie in Azure I felt even more confused watching this vid. Maybe I'll come back to it later when I grasp more of the ideas about Azure.

    • @NTFAQGuy
      @NTFAQGuy 2 years ago

      This is not a beginner video. Start with the getting started with Azure playlist.

  • @markymarkymarky1974
    @markymarkymarky1974 3 years ago

    John, if I have 2 tenants (tenant 1 is the O365 tenant and tenant 2 is the infrastructure workload tenant), the issue is I need two logins! What is best practice here? Move subscription?

    • @NTFAQGuy
      @NTFAQGuy 3 years ago

      You can add an account as a guest (B2B) to the other.

  • @orlandokelly5011
    @orlandokelly5011 4 years ago

    We have been discussing this very topic at my organisation. My worry is that someone adds a subscription to our AAD, they build an app and let people have the ability to access that application, which has not been verified for corporate standards, governance, dpio etc. Maybe that app is asking for personal information, maybe the data is stored in a region that violates our data protection rules. Maybe the app is unsecured and data is exposed publicly. It seems strange any user can spin up a subscription, add users and then maybe use that membership from a corporate level without any oversight. Is this the case, or am I missing something around this? Look forward to your thoughts around this.

    • @NTFAQGuy
      @NTFAQGuy 4 years ago

      If you're worried about an app then that is what governance will provide. Have the root MG in place and you'll know if subscriptions are added and can apply policy and RBAC. On the user info side, that is really about guest access, and there are ways to restrict permissions of guests to a certain level.

  • @WafaPRO
    @WafaPRO 3 years ago +1

    GREEEEEEAT

  • @Dechkaon
    @Dechkaon 4 years ago +1

    Liked and subscribed. Good work there John

    • @NTFAQGuy
      @NTFAQGuy 4 years ago

      Thank you!

  • @pakhong9986
    @pakhong9986 3 years ago

    You are awesome man, thanks a lot for clarifying the concepts!!

  • @cnchandroo
    @cnchandroo 4 years ago

    Thanks John for this wonderful video. Is it possible for you to do a video on Azure AD B2B? I am sure you already did this, but I just want to know any additional features in Azure AD B2B and what the difference is between this and SPO external sharing, etc.
    Thanks once again.

    • @NTFAQGuy
      @NTFAQGuy 4 years ago +1

      I already did a pretty deep dive on b2b. It’s on this channel. Thanks.

  • @amolpandit7865
    @amolpandit7865 2 years ago

    Great video. For subscriptions that get created automatically under the tenant (e.g. a Visual Studio sub), do they pose any risk to other subscriptions?

    • @NTFAQGuy
      @NTFAQGuy 2 years ago +1

      There is no inherent connection between them or permission.

  • @dheerajkumarsolanki5716
    @dheerajkumarsolanki5716 3 years ago

    How is an Azure tenant related to AAD and an Azure subscription?

    • @NTFAQGuy
      @NTFAQGuy 3 years ago

      An Azure tenant is an AAD instance.

  • @anandchandrashekhar2933
    @anandchandrashekhar2933 2 years ago

    The video series is better than Pluralsight content. Thank you John

    • @NTFAQGuy
      @NTFAQGuy 2 years ago

      Glad you enjoy it

  • @vinodhkumar2156
    @vinodhkumar2156 3 years ago

    Like your way of presentation on the topics you deliver. Subscribed.

    • @NTFAQGuy
      @NTFAQGuy 3 years ago

      Thanks and welcome

  • @monsterpuss
    @monsterpuss 4 years ago

    Would it be possible to extend the explanation to include Enterprise Enrollments?

    • @NTFAQGuy
      @NTFAQGuy 4 years ago +1

      Enterprise enrollments don't change anything about the relationship between Azure AD and subscriptions. The enterprise enrollment will trust a certain Azure AD for its RBAC/account/dept owners etc. (the first AAD login of the enrollment). The subscriptions will trust the AAD of the subscription creator (since you could have dept/account admins from other tenants). HTH

  • @tilikumtim5562
    @tilikumtim5562 4 years ago

    Is it generally best practice to create a management group, even if you only have 1 subscription?
    Oh and your videos are great, you explain things really clearly.

    • @NTFAQGuy
      @NTFAQGuy 4 years ago

      The nice thing about management groups is you can turn them on and move things around at any time. If you just have one subscription you really don't need to yet. Use them when you want to use RBAC/policy/budget at a higher level.

    • @tilikumtim5562
      @tilikumtim5562 4 years ago

      @@NTFAQGuy Thanks for the explanation!

  • @kenrq63
    @kenrq63 4 years ago +1

    Another concise and useful video John, thank you very much.

    • @NTFAQGuy
      @NTFAQGuy 4 years ago

      Thanks!

    • @NTFAQGuy
      @NTFAQGuy 4 years ago

      Did your coin arrive yet? :)

    • @kenrq63
      @kenrq63 4 years ago

      @@NTFAQGuy Not yet John. I will let you know when it arrives :-)

    • @kenrq63
      @kenrq63 4 years ago

      @@NTFAQGuy Yes, my coin arrived today, thank you very much. It is very cool :-)

    • @NTFAQGuy
      @NTFAQGuy 4 years ago +1

      Ken RQ great to hear, sorry it took so long! Crazy!

  • @haidaraltaiar
    @haidaraltaiar 2 years ago

    Great video, thank you

  • @elanshudnow
    @elanshudnow 4 years ago

    Great video. I think the only thing I would have liked to see discussed is that when using Management Groups, a Global Administrator in AAD can add themselves as User Access Administrator, which then allows them access to the Subscriptions underneath.

    • @NTFAQGuy
      @NTFAQGuy 4 years ago +1

      Management groups are really separate from this (in fact I cover this in my last Azure update on this channel :-) ). You don't need management groups for a GA to get User Access Administrator and get sub access. Management groups are great for governance on the Azure resources (including RBAC) but have not much to do with the AAD relationship with subs.

    • @elanshudnow
      @elanshudnow 4 years ago

      John Savill Very good point. Thank you. Do you ever run into customers that have a huge problem with Global Admins being able to gain access to Azure Subscriptions so easily via User Access Administrator?

    • @NTFAQGuy
      @NTFAQGuy 4 years ago +1

      Sometimes, however generally you should really limit who has GA. Most trusted :) use PIM etc.
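
The thread above describes the path a Global Administrator can take: use the elevate-access switch to become User Access Administrator at the root scope, then grant themselves (or anyone) a role on the subscriptions underneath. From the defender's side the useful control, besides limiting GA and using PIM as the reply says, is monitoring: both the elevate operation and any Owner or User Access Administrator assignment at a broad scope are written to the Azure Activity Log. The Python below is an added example, not code from the video or its author. It runs that detection over a handful of constructed, simplified Activity Log records: the two `operationName` strings and the built-in role GUIDs are the real Azure values, the record layout is a reduced subset of what a real export carries, and every caller, scope, subscription id and assignment id is made up.

```python
import json
from datetime import datetime, timedelta

# Built-in role definition GUIDs; these are the same in every Azure tenant.
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
USER_ACCESS_ADMIN_ROLE_ID = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
READER_ROLE_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
PRIVILEGED_ROLES = {
    OWNER_ROLE_ID: "Owner",
    USER_ACCESS_ADMIN_ROLE_ID: "User Access Administrator",
}

# Activity Log operation names for the two events worth alerting on.
ELEVATE_ACCESS_OP = "Microsoft.Authorization/elevateAccess/action"
ROLE_ASSIGNMENT_WRITE_OP = "Microsoft.Authorization/roleAssignments/write"

ROLE_DEF_PREFIX = "/providers/Microsoft.Authorization/roleDefinitions/"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # constructed id
RA = "/providers/Microsoft.Authorization/roleAssignments/"


def _assignment(role_id, principal_id):
    """Build the JSON request body a roleAssignments/write record carries."""
    return {"requestbody": json.dumps({"properties": {
        "roleDefinitionId": ROLE_DEF_PREFIX + role_id,
        "principalId": principal_id, "principalType": "User"}})}


# Constructed, simplified Activity Log records in chronological order.
SAMPLE_EVENTS = [
    {"eventTimestamp": "2024-10-01T09:00:12Z", "operationName": ELEVATE_ACCESS_OP,
     "caller": "ga.user@example.com", "status": "Succeeded",
     "resourceId": "/providers/Microsoft.Authorization"},
    {"eventTimestamp": "2024-10-01T09:03:40Z", "operationName": ROLE_ASSIGNMENT_WRITE_OP,
     "caller": "ga.user@example.com", "status": "Succeeded",
     "resourceId": "/providers/Microsoft.Management/managementGroups/root-mg" + RA + "a1",
     "properties": _assignment(OWNER_ROLE_ID, "11111111-1111-1111-1111-111111111111")},
    {"eventTimestamp": "2024-10-01T09:10:05Z", "operationName": ROLE_ASSIGNMENT_WRITE_OP,
     "caller": "dev.lead@example.com", "status": "Succeeded",
     "resourceId": SUB + "/resourceGroups/rg-app1" + RA + "a2",
     "properties": _assignment(READER_ROLE_ID, "22222222-2222-2222-2222-222222222222")},
    {"eventTimestamp": "2024-10-01T09:45:00Z", "operationName": ELEVATE_ACCESS_OP,
     "caller": "helpdesk@example.com", "status": "Failed",   # denied attempt
     "resourceId": "/providers/Microsoft.Authorization"},
    {"eventTimestamp": "2024-10-01T12:30:00Z", "operationName": ROLE_ASSIGNMENT_WRITE_OP,
     "caller": "sub.owner@example.com", "status": "Succeeded",
     "resourceId": SUB + RA + "a3",
     "properties": _assignment(USER_ACCESS_ADMIN_ROLE_ID, "33333333-3333-3333-3333-333333333333")},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def scope_of(resource_id):
    """Strip the roleAssignments suffix to get the scope the assignment applies to."""
    idx = resource_id.find(RA)
    if idx < 0:
        return resource_id
    return resource_id[:idx] or "/"   # an empty prefix means the root scope "/"


def is_broad_scope(scope):
    """True for root, any management group, or a whole subscription."""
    if scope == "/" or scope.startswith("/providers/Microsoft.Management/managementGroups/"):
        return True
    parts = [p for p in scope.split("/") if p]
    return len(parts) == 2 and parts[0].lower() == "subscriptions"


def privileged_role_of(event):
    """Return the privileged role name an assignment grants, or None."""
    body = event.get("properties", {}).get("requestbody")
    if not body:
        return None
    props = json.loads(body).get("properties", {})
    role_guid = props.get("roleDefinitionId", "").rsplit("/", 1)[-1].lower()
    return PRIVILEGED_ROLES.get(role_guid)


def find_privilege_events(events, chain_window=timedelta(hours=1)):
    """Flag successful elevate-access calls and broad-scope Owner/UAA grants.

    A grant by a caller who elevated within chain_window is marked chained: that
    is the GA -> User Access Administrator -> subscription access path above.
    """
    findings = []
    last_elevation = {}   # caller -> time of their last successful elevation
    for ev in sorted(events, key=lambda e: parse_ts(e["eventTimestamp"])):
        if ev.get("status") != "Succeeded":
            continue   # failed/denied attempts are worth logging but are not grants
        ts, caller = parse_ts(ev["eventTimestamp"]), ev.get("caller", "<unknown>")
        if ev["operationName"] == ELEVATE_ACCESS_OP:
            last_elevation[caller] = ts
            findings.append({"kind": "elevate_access", "caller": caller,
                             "time": ev["eventTimestamp"], "chained": False})
        elif ev["operationName"] == ROLE_ASSIGNMENT_WRITE_OP:
            role, scope = privileged_role_of(ev), scope_of(ev["resourceId"])
            if role and is_broad_scope(scope):
                prior = last_elevation.get(caller)
                findings.append({"kind": "privileged_assignment", "caller": caller,
                                 "role": role, "scope": scope, "time": ev["eventTimestamp"],
                                 "chained": prior is not None and ts - prior <= chain_window})
    return findings


if __name__ == "__main__":
    for finding in find_privilege_events(SAMPLE_EVENTS):
        print(finding)
```

On the sample input this yields three findings: the successful elevation by `ga.user`, the Owner grant at the management group a few minutes later (marked chained, the pattern the thread is about), and an unchained User Access Administrator grant at subscription scope. The Reader assignment inside a resource group and the failed elevation are ignored. In practice the same logic sits on an Activity Log export or a Log Analytics query rather than an inline list.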

  • @ibrahimabdeltawab6418
    @ibrahimabdeltawab6418 2 years ago

    So informative! Thanks so much ❤️

    • @NTFAQGuy
      @NTFAQGuy 2 years ago +1

      Glad it was helpful!

  • @ronaldvanackooij5139
    @ronaldvanackooij5139 4 years ago

    Hi John, great video (again) ;).
    I would like you to spend some time on this topic related to CSP Azure plans and subscriptions, as it is enormously important that the customer understands that the CSP is by default owner of that subscription. You can remove that inherited security principal that resembles a group in the CSP AAD tenant, which for a lot of organizations I would definitely advise to look at, or request (at least) the procedures they have in place to allow their staff to have access to their customers' resources.

    • @NTFAQGuy
      @NTFAQGuy 4 years ago +1

      Thanks. I'll think about that. Honestly I don't deal with CSP so have little experience with them or their impact. I'll have to dig into it.

    • @jochenjuelke265
      @jochenjuelke265 3 years ago

      @ronald Yes, the CSP model brings some more aspects to subscriptions ;) you can technically remove the CSP provider's permission (AOBO, admin on behalf of; a special service principal) BUT from the commercial side the CSP then gets no more discount from MS billing)

  • @sreekanth5009
    @sreekanth5009 2 years ago

    Awesome 👌 👏

  • @cloudstrife7083
    @cloudstrife7083 4 years ago

    Do you have a study path for Azure? I mean once you're good with Windows Server and creating Active Directory users, file shares and all that offline, what's the path to learn Azure correctly? I am asking this because, like I told you in the past, I study Linux and Windows Server together.
    Do you feel like going back to programming at times? Learning web development or C# and having a great, well-paid career doing remote work?

    • @NTFAQGuy
      @NTFAQGuy 4 years ago

      I'm about to release my Azure master class which will be a good starting point for people. Good luck!

    • @cloudstrife7083
      @cloudstrife7083 4 years ago

      @@NTFAQGuy How expensive will it be? How good are you with Linux now?

    • @NTFAQGuy
      @NTFAQGuy 4 years ago +1

      The masterclass will be free and with no adverts etc., like all my other TH-cam videos.

    • @cloudstrife7083
      @cloudstrife7083 4 years ago

      @@NTFAQGuy OK, thank you. I thought it was a bundle on a paid site like Udemy and the others etc.
      Have you studied Linux and Cisco a little? What do you think of programming?

    • @NTFAQGuy
      @NTFAQGuy 4 years ago

      I've created content for Pluralsight and they have a high standard. I've never looked at Udemy. I would focus more on the instructor but first exhaust the free materials. Having at least a basic knowledge of programming I think is useful for scripting etc. I have never dabbled with Cisco. You have to decide what path you want to take. Jack of all trades, master of none :-)

  • @madhurbhardwaj7284
    @madhurbhardwaj7284 3 years ago

    Once again, as usual, excellent video....

    • @NTFAQGuy
      @NTFAQGuy 3 years ago

      Thank you!

  • @DAngotti22
    @DAngotti22 1 year ago

    Helpful! Thanks John!

    • @NTFAQGuy
      @NTFAQGuy 1 year ago

      You're welcome!

  • @ahmadabdalla90
    @ahmadabdalla90 4 years ago

    Great as usual! Where I see this as a bit concerning is, let's say an organisation is using PIM to grant temporary permissions as 'Owner' for specific use cases (i.e. lock management); if they go rogue and move a subscription, the entire RBAC model falls apart, including PIM, since it's tied to the home AAD tenant. And even rolling back this action is a nightmare because SPNs, managed identities, users and groups will need to be reassigned 😂

    • @NTFAQGuy
      @NTFAQGuy 4 years ago +2

      Yes, Owner is super powerful and really careful consideration should be given to its use. Some companies don't have anyone with Owner and use processes for any owner-type operations. Whenever you move a sub, all RBAC is ripped out.

    • @ahmadabdalla90
      @ahmadabdalla90 4 years ago

      Agreed, and in the end, even if it's a 'zero trust' model, you would still have some level of trust in users possessing such roles or even smaller roles. Btw the load balancer video was awesome; it would be great to have one covering all load balancing technologies side by side in a compared deep dive ☺️☺️

    • @elvirkaric1449
      @elvirkaric1449 4 years ago

      @@NTFAQGuy - yes, "Owner" is powerful, but I think that is in the case of the "pay as you go" model. With CSP you will have a "service account" that is owner for all of your subscriptions, and only that account can transfer a subscription out of your AAD (all this is done in a different portal than portal.azure.com). P.S. I like your explanations of Azure topics.

    • @NTFAQGuy
      @NTFAQGuy 4 years ago

      Elvir Karic interesting, thanks. I don't have much interaction with CSP. Note Owner also applies to EA enrollments, not just pay as you go.

    • @renes34
      @renes34 4 years ago

      @@NTFAQGuy My MSDN-based subscription has an "Account Admin" role (unique, attached to the account that set the subscription up); it is the only one that can transfer subscriptions. Nobody with "Owner" rights can. Just like the "service account" story from Elvir, I guess. "Owners" also can't access Payment Methods under Subscriptions; they will get a pop-up telling them that only "Account Admins" can access this info.
      Maybe a little too soon, but my conclusion is that the "Owner" role is not the absolute owner of a subscription.
      Indeed GREAT videos, many many thanks.

  • @gauravsharma8220
    @gauravsharma8220 3 years ago

    You are always great👍

    • @NTFAQGuy
      @NTFAQGuy 3 years ago

      Thank you!

  • @vernondunbar5846
    @vernondunbar5846 4 years ago

    Thank you!

    • @NTFAQGuy
      @NTFAQGuy 4 years ago

      My pleasure!