Becoming the Owner
A tip to make it easier to get full control of your subscription (if, like me, you have already used up your 12-month free subscription but would love to use the Visual Studio benefits provided through your company, which are usually bound to your company profile).
What’s “the owner”?
Basically becoming the owner of your subscription means you can do everything.
But, I got my subscription through my company Visual Studio subscription… Aren’t I the Owner?
In short, No.
So, what’s the problem?
Most probably you have already had a free 12-month subscription associated with your personal email, so if you associate another one, it will only be a one-month trial - surprise! That happens once you activate it or switch from your company tenant/email to your own. The trick to benefit from the Visual Studio subscription is to redeem it with the work email associated with your company. But that means what you can do is limited.
Because, by doing so, you receive the subscription but it remains under the control of your company's tenant. So some things, like creating certain resources or automating their deployment, will be forbidden…
Ok, I got it… so what do I do?
Follow the steps I describe while we learn some of the concepts of Azure together ;)
What are we going to do?
In short, we are going to “hack the system”: we will create our own tenant, associate our subscription with it and make ourselves the owners of our Azure domain ;)
But, what’s a Tenant?
We will peek at these concepts right now so it is crystal clear what we are going to do.
Here we will see what the terms Subscription, Tenant and Directory mean.
The subscription is the billing unit of Azure; as its name suggests, you subscribe to it for the resources and services that are hosted on it. So it is a container of Azure resources and/or services. The resources are hosted in resource groups. The subscription is also linked to a payment setup. Since we mentioned Azure resources and resource groups, we will describe them shortly.
What’s an Azure Resource? It is an entity hosted and/or managed by Azure, which can be a single component or a service. For example, a virtual machine, a disk, a virtual network, a storage account.
Every resource is contained in a resource group, a logical resource container analogous to a folder. It enables managing several resources as a single entity (permissions, lifecycle, etc.).
The following image depicts the relation visually.
Azure Directory (Directory)
Also named Azure Active Directory, Azure AD or simply “Directory”, it is Microsoft's lead service for IDaaS (Identity as a Service), which handles identity and access management (permissions).
Note it is also called an Azure AD Tenant. A tenant is a dedicated instance of Azure AD, used to represent an organization or entity that owns a subscription. Each Azure tenant has a dedicated Azure AD directory, where the users and groups reside, and the subscription is associated with a tenant. The RBAC (Role Based Access Control) roles are managed at the tenant level.
Misleading disclaimer: Please note that the above statements have been taken from Microsoft documentation & Microsoft Learn, which I find slightly misleading… Essentially, one Microsoft statement says that the tenant is an Azure AD instance while another says it has a dedicated Azure AD directory… To my understanding a tenant (an Azure AD instance) has everything on it, so it does not need a dedicated Azure AD directory, as the tenant itself is the Azure AD with directory, permissions et al… But that is my understanding, as I do not know what happens “behind the scenes” ;)
The following picture gives us a big-picture overview of what we just described:
Let’s do it ;)
So, now it is clear what we need to do and why. The current tenant is managed by our company and we cannot manage the RBAC roles. Whereas if we create a new tenant that we control and associate our subscription with it, we will be able to fully manage those permissions and assign ourselves full ownership of the subscription.
1. Create a new Tenant and associate it to your subscription.
- Open the Azure Portal.
- Go to the “Azure Active Directory” blade or resource and select “Create a Tenant” - if this option does not appear, go to “Manage Tenants” then select “Create”.
- Select “Azure Active Directory” as your tenant type, unless you want to incur extra cost or you need to customize the identity management experience or scale up to hundreds of millions of users… This is supposedly your personal subscription for self-learning, and you do not need that.
- Select “Next - Configuration” and enter the Organization and domain name, it will appear as DomainName.onmicrosoft.com.
- Click on “review and create” and once validated, click on “Create”.
- Once created, select it and switch to it. You can also set it as your default tenant.
- You can learn a bit more than the basic descriptions I provided at the following Microsoft Learn link:
2. Associate it with your subscription
- Go to the blade Subscriptions and select your subscription.
- Click on “Change Directory”.
- Select your newly created tenant.
- Note that this will take some time; be sure to read the text pop-ups that appear. It can take from minutes up to 1 hour for all permissions to propagate properly…
3. Give yourself permissions
- Go to Azure Active Directory. Your tenant will be selected if everything went all right.
- Go to Users and select your user.
- Once on your user, go to “Assigned Roles”.
- Click on “Add Assignments”.
- Select “Global Administrator” and Click the “Add” button at the bottom.
- Go to “Azure role assignments”.
- Check that you have the role “Owner” associated to your user.
- You can check that in the subscription view, in the Access control (IAM) section. There you should have a “View my access” button, which shows the roles assigned to you; by default it should be “Service Administrator”, but once you add “Owner” it should appear there too.
- If you are like me and love to double check, you can go to “Azure Active Directory”, which will show your tenant, then go to Users and select your user. From there you can see that you are Global Administrator of the tenant (this is automatic upon creation). Then go to Azure role assignments, where you can see what roles/permissions you have assigned for a particular subscription. Before assigning yourself the Owner role on the subscription, this should be empty. Afterwards you should see a nice “Owner” in there :) - note that in the picture it is not yet there, as I want to do this in the video….
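To make the “check that you have Owner” step repeatable instead of clicking through “View my access”, here is an added Python example (not from the original post) that audits the JSON produced by `az role assignment list --scope /subscriptions/<id> --include-inherited -o json`; the subscription id and principal names are constructed placeholders. It reports whether your user holds Owner at subscription scope and flags any other principal with the same power, which is worth a look since Owner is the most privileged role you can hand out.

```python
import json

# Constructed sample in the shape of `az role assignment list --scope /subscriptions/<id>
# --include-inherited -o json`. Every id and name below is a placeholder, not a real value.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
SUB_SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}"
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "me@example.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB_SCOPE},
    {"principalName": "another-admin@example.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB_SCOPE},
    {"principalName": "rg-owner@example.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": f"{SUB_SCOPE}/resourceGroups/rg-dev"},
    {"principalName": "deploy-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB_SCOPE},
])


def audit_owner(assignments_json, expected_owner, subscription_id):
    """Check who holds Owner over the whole subscription.

    Returns {"has_owner": bool, "other_owners": [names]}: whether expected_owner
    has Owner at subscription scope (directly, or inherited from a management
    group or the root scope), and which other principals hold the same power.
    Owner on a single resource group does not count, which is exactly what the
    "View my access" check in the post is about.
    """
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    has_owner = False
    other_owners = []
    for a in json.loads(assignments_json):
        if a.get("roleDefinitionName") != "Owner":
            continue
        scope = a.get("scope", "").lower()
        inherited = scope == "/" or scope.startswith("/providers/microsoft.management/managementgroups/")
        if scope != sub_scope and not inherited:
            continue  # narrower than the subscription (resource group or resource)
        # A missing principalName usually means the principal no longer resolves; keep the id visible.
        name = a.get("principalName") or f"<unresolved {a.get('principalId', '?')}>"
        if name.lower() == expected_owner.lower():
            has_owner = True
        else:
            other_owners.append(name)
    return {"has_owner": has_owner, "other_owners": sorted(other_owners)}


if __name__ == "__main__":
    result = audit_owner(SAMPLE_ASSIGNMENTS, "me@example.onmicrosoft.com", SUBSCRIPTION_ID)
    print(result)
    if result["other_owners"]:
        print("Review these extra Owners: there should be very few of them.")
```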
And that’s it, pretty straightforward, right? :) Next time you try a deployment, either through a script or Azure DevOps, you will no longer be stopped by a lack of permissions; now you are a fully-fledged owner of your tenant/Azure Active Directory and, under it, your subscription, where you can do as you please.
There is an accompanying video walkthrough on the Azure Samurai channel.
In regards of the video…
It will follow in short :)
Also, I have been struggling with myself for quite some time. Talking in public is a leap of faith, but you can do it easily - or at least I found no issues once I got used to it. But the idea of publishing a video that you know is going to stay, and announcing it to be seen, has been quite a struggle for my inner perfectionist.
It is never going to be good enough. Ever.
That is what I have been feeling for the major part of this year… so I decided to go ahead, I will record & publish it and not look back…
It is going to be hard, but I will grow, and maybe help you and some of the readers along the way while I get better, to the point where I am where I want to be.