How to configure access to Microsoft Azure through a corporate account (Organizational Account) and enable multi-factor authentication

Initially, only a Microsoft Account (LiveID) could be used to manage and access Azure resources, but some time ago support for the Organizational Account was added. Organizational Accounts are hosted in Azure Active Directory, which provides advanced account management features within your organization (a dedicated Azure Active Directory is created for it). For example, an Organizational Account, like a Microsoft Account (LiveID), supports two-factor authentication. For an Organizational Account, however, multi-factor authentication can be made mandatory, i.e. a user can access the Azure management portal only after completing all the steps of two-factor verification.

I am often asked how to give people access to manage a system deployed in Azure. Granting access based on a Microsoft Account (LiveID) is not always suitable for a real system, because it is harder for administrators to control both the security measures applied and the rights of users/employees. For example, an employee may quit, or their account may be hacked (not everyone enables two-factor authentication for their account); in that case you must suspend that account's access to the cloud system so that no actions can be performed either through the portal or through the API.

An Organizational Account solves most of these issues (centralized access control, advanced security settings, etc.). For more information on managing accounts and subscriptions in Azure, see the Manage Accounts, Subscriptions, and Administrative Roles article on MSDN.

What follows is a step-by-step guide to setting up an Organizational Account, linking it to Azure, and enabling two-factor authentication for the account.


Organizational Account and linking it to Azure


1. Go to the Sign up for Azure as an organization page and select Sign up now.

2. Next, you will be prompted to sign in using a Microsoft Account (LiveID) or an Organizational Account. Choose Organizational Account.

3. A page will open where you are asked to create an Organizational Account and define the Azure Active Directory. The DOMAIN NAME field defines the name of the Azure Active Directory (the full name will be <specified value>.onmicrosoft.com) to which the created user will be added and which you can manage in the future. In this example, DOMAIN NAME is set to dxrussia (and the full name is dxrussia.onmicrosoft.com, which is the prefix for the full username).

You will need to specify a mobile phone number for verification; an SMS with a code will be sent to that number.

4. Next, you will be offered the option to create an Azure account for the user created in the previous step (natale@dxrussia.onmicrosoft.com).

You will need to enter your bank card details for verification and check the box next to I agree to the Windows Azure Agreement, Offer Details and Privacy Policy, if you agree with the Azure terms of use.

5. That's all. The following have now been created:

  • An Organizational Account
  • Your Azure Active Directory
  • An Azure account
  • An Azure subscription linked to the account


Configure two-factor authentication for Organizational Account


And now, so that absolutely nobody gets into our Azure, let's set up multi-factor authentication for our account.

Note: enabling multi-factor authentication for accounts is a paid service (see step 10 at the end of the article).

1. To do this, go to the Azure management portal - https://manage.windowsazure.com.

By the way, when you sign in, note that the address has the form manage.windowsazure.com/<Your Azure Active Directory Name>.onmicrosoft.com. In this example, it is manage.windowsazure.com/dxrussia.onmicrosoft.com#Workspaces/All/dashboard.

2. Go to the Azure Active Directory tab and, in the Configure Your Directory section, select Enable Multi-Factor Authentication.

3. Now go to the Users tab and click the Manage Multi-Factor Auth button at the bottom of the page. A page will open with the two-factor authentication settings for the users of your Azure Active Directory.

Enable two-factor authentication (Enable) for the users.

4. Now go back to the Azure Management Portal. Because the security settings have changed, the system will ask you to choose a convenient method of additional account verification.

5. So let's configure it =) “Call me” is selected by default; I preferred to receive the code via SMS instead.

6. The next step is to verify that the selected confirmation method works. I received an SMS with a code on my phone.

7. Now sign in to the portal again. Enter your username (natale@dxrussia.onmicrosoft.com) and password.

8. And now enter the code that arrived by SMS.

9. You can now see on the portal that a new provider has appeared - Multi-Factor Auth Provider.

10. Once again, note that enabling multi-factor authentication for accounts is a paid service. Rates are given here. The amount is charged to / deducted from the overall bill for Azure resources.

There are two payment methods:
  • Per user (unlimited authentications per user): $2/month per user.
  • Per authentication: $2 per 10 authentications.


In addition, two-factor authentication can be used when the user accesses other resources and applications, not just when managing Azure resources.

By the way, you can read more about managing multi-factor authentication in my colleague's article - Overview of multifactor authentication in the Microsoft Azure cloud.
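
As a follow-up check to the setup above (an added example, not part of the original article): a small Python audit over an exported list of accounts with access to the subscription, flagging accounts that are not in your directory and Organizational Accounts without multi-factor authentication. The CSV layout, the sample rows and the function names are constructed for illustration; Disabled / Enabled / Enforced are the per-user states shown on the multi-factor authentication settings page.

```python
import csv
import io

# Constructed sample export: sign-in name and per-user MFA state.
SAMPLE_EXPORT = """sign_in_name,mfa_state
natale@dxrussia.onmicrosoft.com,Enforced
ivan@DXRussia.onmicrosoft.com,Disabled
olga@dxrussia.onmicrosoft.com,Enabled
former.employee@outlook.com,
admin@dxrussia.onmicrosoft.com.example.net,Enforced
"""

# Per-user states in which multi-factor authentication is switched on.
MFA_ON = {"enabled", "enforced"}


def classify(sign_in_name, mfa_state, directory_domain):
    """Return 'ok', 'no_mfa', 'external' or 'invalid' for one account."""
    local, sep, domain = sign_in_name.strip().rpartition("@")
    if not sep or not local or not domain:
        return "invalid"
    # Compare the whole domain, not a prefix or substring: a lookalike such as
    # dxrussia.onmicrosoft.com.example.net must not pass as a directory account.
    if domain.lower() != directory_domain.lower():
        return "external"  # e.g. a Microsoft Account you cannot manage centrally
    if (mfa_state or "").strip().lower() not in MFA_ON:
        return "no_mfa"
    return "ok"


def audit(export_text, directory_domain):
    """Group the sign-in names from the CSV export by finding."""
    findings = {"ok": [], "no_mfa": [], "external": [], "invalid": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row.get("sign_in_name") or ""
        verdict = classify(name, row.get("mfa_state"), directory_domain)
        findings[verdict].append(name.strip())
    return findings


if __name__ == "__main__":
    result = audit(SAMPLE_EXPORT, "dxrussia.onmicrosoft.com")
    for verdict, names in result.items():
        print(f"{verdict:9} {', '.join(names) or '-'}")
```

Anything reported as external or no_mfa is an account whose access cannot be suspended centrally or that can still sign in with a password alone.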
