Using Azure AD with AKS can be a bit confusing, here’s what the different services do and how to use them to protect your AKS cluster.
WTH are Azure AD Security Defaults? Learn how you can use security defaults to secure your AAD tenant and get MFA for free.
The relationship between an Azure Subscription and Azure AD is not always obvious, but each subscription is tied to to an AAD tenant, this allows for authorization of users in that tenant to undertake operations on that subscription. Sometimes it is necessary to change the tenant a subscription sits under, usually this is either to change the scope of users that can be granted roles in that subscription, delegate permissions for that subscription, or for services like Azure AD Domain Services, which require the subscription to sit under the AAD tenant that contians the AAD DS instance.
Back in November I published an article on Azure Active Directory Domain Services (AAD DS), detailing some of the limitations of the service and what it is and isn’t intended for. If you’ve not read that I recommend going back and reading through that first so this article makes sense. Since this article was published there have been some big updates to the service that mean some of these limitations have gone away, so I thought it was time to detail some of these changes and what they mean for Azures Domain Controller as a Service offering.
The AAD DS team has released new features that mean some of the limitations in this article are no longer present. Be sure to read my update on this service to get the latest information. Azure AD has always been a little bit confusing to new users of Azure, the name implies it’s a cloud version of AD, but it quickly becomes clear to most that it very much is not.
Earlier last week I had a need to delete an Azure AD tenant, and this turned out to be a much more difficult task than I had originally anticipated so I thought I would document the steps I went through in case others encounter the same problems. 1. Disable AD Sync If your syncing your on-prem AD up to Azure AD you need to disable this from inside the Azure Portal so that it disconnects your users from the sync, otherwise you cannot delete your synced users.