Licencing Across Multiple Tenants

%3CLINGO-SUB%20id%3D%22lingo-sub-290291%22%20slang%3D%22en-US%22%3ELicencing%20Across%20Multiple%20Tenants%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-290291%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20all%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWondering%20if%20someone%20could%20give%20me%20some%20guidance%20on%20Azure%20Licencing%20and%20maybe%20on%20best%20practice%20for%20Azure%20with%20multiple%20Tenants.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3ECurrently%2C%20one%20physical%20user%20will%20be%20a%20member%20of%20two%20separate%26nbsp%3BActive%20Directories.%20One%20of%20these%20active%20directories%20is%20connected%20to%20Office%20365%20and%20so%20to%20an%20Azure%20AD%20and%20these%20accounts%20are%20licensed%20with%20E3%2BEMS%20Licenses.%20The%20other%20active%20directory%20is%20connected%20to%20its%20own%20Azure%20Tenant%20and%20Azure%20Active%20Directory%20these%20users%20objects%20are%20currently%20licensed%20with%20an%20Azure%26nbsp%3BPremium%20P1%20license.%20We%20also%20have%20another%20Azure%20AD%20Tenant%20and%20Azure%20Active%20Directory%20for%20testing.%20The%20user%20objects%20here%20are%20licensed%20with%20an%20Azure%20Premium%20P1%20license.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3ESo%20it%20means%20we%20have%201%20user%20with%203%20accounts%20with%202x%20Azure%20Premium%20P1%20license%20and%201x%20E3%2BEMS%20(which%20includes%20Azure%20Premium%20P1)%20license%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20do%20we%20really%20need%20to%20license%20each%20%22account%22%20or%20do%20we%20only%20need%20to%20license%20each%20%22physical%20user%22%3F%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EAt%20the%20moment%20the%20Azure%20Tenants%20are%20all%20very%20separate%26nbsp%3BI%20was%20wondering%20if%20we%20could%20have%20configured%20this%20differently%20so%20we%20had%20one%20single%20Tenant%20with%20multiple%20Azure%20ADs%3F%20We%20need%20to%20be%20able%20to%20ensure%20segregation%20of%20data%20and%20of%20access%20%26amp%3B%20control.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EAny%20thoughts%3F%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-290291%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Licencing%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-290541%22%20slang%3D%22en-US%22%3ERe%3A%20Licencing%20Across%20Multiple%20Tenants%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-290541%22%20slang%3D%22en-US%22%3E%3CP%3EYeah%20it%20gets%20messy%20with%20multiple%20tenants%2C%20and%20there's%20only%20one%20Azure%20AD%20per%20tenant.%20You%20need%20licensing%20per%20account%20as%20the%20benefits%20of%20that%20license%20are%20applied%20on%20login%20-%20the%20account%20is%20an%20entity%20as%20Azure%20has%20no%20concept%20of%20a%20physical%20user%20and%20you%20can't%20%22share%22%20a%20license%20across%20tenancies%20or%20across%20accounts.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhere%20is%20your%20segregation%20of%20data%26nbsp%3Band%20access%20control%20if%20a%20physical%20user%20has%20access%20to%20three%20different%20accounts%3F%20They%20can't%20see%20or%20access%20one%20while%20logged%20on%20as%20another%2C%20I%20guess.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20preferred%20way%20of%20implementing%20data%26nbsp%3Baccess%20control%20is%20to%20use%20Role%20Based%20Access%20Control%20inside%20Azure.%20This%20can%20be%20applied%20to%20people%2C%20groups%2C%20resources%20and%20resource%20groups%2C%20and%20across%20multiple%20subscriptions.%20That's%20even%20easier%20to%20scale%20now%20with%20Azure%20Blueprints%20(in%20preview).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E-Sonia%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Visitor

Hi all,

 

Wondering if someone could give me some guidance on Azure Licencing and maybe on best practice for Azure with multiple Tenants. 

Currently, one physical user will be a member of two separate Active Directories. One of these active directories is connected to Office 365 and so to an Azure AD and these accounts are licensed with E3+EMS Licenses. The other active directory is connected to its own Azure Tenant and Azure Active Directory these users objects are currently licensed with an Azure Premium P1 license. We also have another Azure AD Tenant and Azure Active Directory for testing. The user objects here are licensed with an Azure Premium P1 license. 

So it means we have 1 user with 3 accounts with 2x Azure Premium P1 license and 1x E3+EMS (which includes Azure Premium P1) license

 

So do we really need to license each "account" or do we only need to license each "physical user"? 

At the moment the Azure Tenants are all very separate I was wondering if we could have configured this differently so we had one single Tenant with multiple Azure ADs? We need to be able to ensure segregation of data and of access & control. 

Any thoughts? 

1 Reply

Yeah it gets messy with multiple tenants, and there's only one Azure AD per tenant. You need licensing per account as the benefits of that license are applied on login - the account is an entity as Azure has no concept of a physical user and you can't "share" a license across tenancies or across accounts.

 

Where is your segregation of data and access control if a physical user has access to three different accounts? They can't see or access one while logged on as another, I guess.

 

The preferred way of implementing data access control is to use Role Based Access Control inside Azure. This can be applied to people, groups, resources and resource groups, and across multiple subscriptions. That's even easier to scale now with Azure Blueprints (in preview).

 

-Sonia