Adding Azure subscription to Azure AD Tenant
In this tutorial, we will learn how to add (associate) an Azure subscription to an Azure Active Directory (Azure AD) directory. A subscription trusts Azure AD to authenticate users, services, and devices. Multiple subscriptions can trust the same Azure AD directory, but each subscription can trust only a single directory.
If your subscription expires, you will lose access to all the other resources linked with the subscription. The Azure AD directory, however, remains in Azure.
Before beginning
Before associating or adding your subscription, do the following tasks:
Review the following changes, which will occur after you associate or add the subscription:
- Users that have been assigned roles using RBAC will lose their access
- Service Administrator and Co-Administrators will lose access
- If you have any key vaults, they’ll be inaccessible and you’ll have to fix them after association
- If you have any managed identities for resources such as Virtual Machines or Logic Apps, you must re-enable or recreate them after the association
- If you have a registered Azure Stack, you’ll have to re-register it after association
Sign in using an account that:
- Has an Owner role assignment for the subscription.
- Exists in both the current directory and in the new directory. The current directory is the one associated with the subscription. You’ll associate the new directory with the subscription.
Also, make sure you’re not using any of the following:
- Azure Cloud Service Providers (CSP) subscription like MS-AZR-0145P, MS-AZR-0146P, MS-AZR-159P
- Microsoft Internal subscription (MS-AZR-0015P)
- Microsoft Imagine subscription (MS-AZR-0144P)
Adding a subscription to a directory
To add or associate an existing subscription with your Azure AD directory, follow these steps:
- First, sign in and select the subscription you want to use from the Subscriptions page in the Azure portal.
- Then, select Change directory.
- Next, review any warnings that appear, and then select Change. After changing the directory for the subscription, you will receive a success message.
- After that, select Switch directories on the subscription page to go to your new directory.
It may take several hours for everything to show up properly. If it seems to be taking too long, check the Global subscription filter and make sure the moved subscription isn’t hidden.
Changing the subscription directory is a service-level operation that doesn’t affect subscription billing ownership. The Account Admin can still change the Service Admin from the Account Center. To delete the original directory, you must transfer the subscription billing ownership to a new Account Admin.
Post-association steps
After adding or associating a subscription to a different directory, you might need to do the following tasks to resume operations:
- If you have any key vaults, you must change the key vault tenant ID.
- If you use system-assigned Managed Identities for resources, you must re-enable these identities. If you used user-assigned Managed Identities, you must recreate these identities.
- If you’ve registered an Azure Stack using this subscription, you must re-register it.
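The changes listed under "Before beginning" and the post-association tasks above can be worked out as a checklist before you select Change. The following Python code is an added example, not part of the original tutorial or of Microsoft's documentation. It assumes its input uses the JSON field names printed by `az role assignment list --all` and `az resource list`, and the sample data is constructed.

```python
import json

# Constructed sample data (not from a real tenant). Field names are assumed to
# match the JSON printed by `az role assignment list --all` and `az resource list`.
ROLE_ASSIGNMENTS = json.loads("""[
  {"principalName": "alice@contoso.example", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "deploy-sp", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"}
]""")
RESOURCES = json.loads("""[
  {"name": "kv-prod", "type": "Microsoft.KeyVault/vaults", "identity": null},
  {"name": "vm-web01", "type": "Microsoft.Compute/virtualMachines",
   "identity": {"type": "SystemAssigned"}},
  {"name": "logic-orders", "type": "Microsoft.Logic/workflows",
   "identity": {"type": "SystemAssigned, UserAssigned"}},
  {"name": "id-shared", "type": "Microsoft.ManagedIdentity/userAssignedIdentities"},
  {"name": "stor01", "type": "Microsoft.Storage/storageAccounts", "identity": null}
]""")


def plan_directory_change(role_assignments, resources):
    """Group the exports into the follow-up tasks listed in this tutorial."""
    plan = {"role_assignments_lost": [], "key_vaults_change_tenant_id": [],
            "reenable_system_assigned": [], "recreate_user_assigned": []}
    # Every RBAC role assignment is lost, so record who had what and where.
    for ra in role_assignments:
        who = ra.get("principalName") or ra.get("principalId")
        plan["role_assignments_lost"].append((who, ra["roleDefinitionName"], ra["scope"]))
    for res in resources:
        rtype = res.get("type", "").lower()
        # "identity" may be missing or null on resources without a managed identity.
        identity_type = ((res.get("identity") or {}).get("type") or "").lower()
        if rtype == "microsoft.keyvault/vaults":
            plan["key_vaults_change_tenant_id"].append(res["name"])
        if rtype == "microsoft.managedidentity/userassignedidentities":
            plan["recreate_user_assigned"].append(res["name"])
        if "systemassigned" in identity_type:
            plan["reenable_system_assigned"].append(res["name"])
    return plan


if __name__ == "__main__":
    for task, items in plan_directory_change(ROLE_ASSIGNMENTS, RESOURCES).items():
        print(f"{task}: {len(items)}")
        for item in items:
            print("  -", item)
```

Keep the role assignment export itself as well, because it is the record you will need when re-granting access in the new directory.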
Reference: Microsoft Documentation