Multitenant applications in what is now called Entra ID, but what I am sure I will continue to call Azure AD (AAD) for some time, are a way for developers to create Azure AD-backed applications that are managed in the developer tenant but allow users to log in and manage users from their tenant. They are a very common way for SaaS developers to manage application authentication whilst leaving the user management to the client.
If you use Azure AD Multi-Factor authentication, then you should be aware that as of 27th February 2023, Microsoft will begin enforcing number matching with MFA requests using the authenticator app. So what does this mean?
What is Number Matching If you’ve used Azure AD MFA push notifications using the authenticator app, you’ll be familiar with the popup you get when logging in, asking you to confirm your request.
The problem with this approach is MFA fatigue.
The relationship between an Azure Subscription and Azure AD is not always obvious, but each subscription is tied to to an AAD tenant, this allows for authorization of users in that tenant to undertake operations on that subscription. Sometimes it is necessary to change the tenant a subscription sits under, usually this is either to change the scope of users that can be granted roles in that subscription, delegate permissions for that subscription, or for services like Azure AD Domain Services, which require the subscription to sit under the AAD tenant that contians the AAD DS instance.
Back in November I published an article on Azure Active Directory Domain Services (AAD DS), detailing some of the limitations of the service and what it is and isn’t intended for. If you’ve not read that I recommend going back and reading through that first so this article makes sense.
Since this article was published there have been some big updates to the service that mean some of these limitations have gone away, so I thought it was time to detail some of these changes and what they mean for Azures Domain Controller as a Service offering.
The AAD DS team has released new features that mean some of the limitations in this article are no longer present. Be sure to read my update on this service to get the latest information.
Azure AD has always been a little bit confusing to new users of Azure, the name implies it’s a cloud version of AD, but it quickly becomes clear to most that it very much is not.
Earlier last week I had a need to delete an Azure AD tenant, and this turned out to be a much more difficult task than I had originally anticipated so I thought I would document the steps I went through in case others encounter the same problems.
1. Disable AD Sync If your syncing your on-prem AD up to Azure AD you need to disable this from inside the Azure Portal so that it disconnects your users from the sync, otherwise you cannot delete your synced users.