question

ThomasZieglmeier-8274 avatar image
0 Votes"
ThomasZieglmeier-8274 asked JamesTran-MSFT commented

New subscription not added to any directory

We have two Azure tenants/directories:
- Company
- CompanyPlayground

"Company" has a subscription, everything works fine. For our students/trainees we wanted a different directory, so they can't mess anything up. So in "CompanyPlayground" we added a subscription ("Pay as you go") and entered the same billing data as for "Company". What happens:
- We are redirected to the "Company" directory
- "CompanyPlayground" still has no subscription
We did this multiple times, a subscription is actually created every time: When we go to "switch directory" we can see a list of subscriptions. But they don't show up in any directory and we can't use our "CompanyPlayground" (because no subscription is linked to it).

The same user created the new directory and the subscription, there should be no permission issues.

azure-active-directoryazure-ad-tenant
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@ThomasZieglmeier-8274
I just wanted to check in and see if you required additional assistance or if you were able to resolve this issue?


If any reply/answer helped resolve your question, please remember to "mark as answer" so that others in the community facing similar issues can easily find the solution.

0 Votes 0 ·

1 Answer

shashishailaj avatar image
0 Votes"
shashishailaj answered

Hello @ThomasZieglmeier-8274 ,

I will answer your query with some example in detail and some assumptions. Lets say that you have two tenants as below.

  1. company.onmicrosoft.com - Main company directory

  2. complay.onmicrosoft.com - Lab directory for trainees/students


You mentioned that for your students/trainees you wanted a different subscription so you create a separate directory along with subscription. Lets say the admin on your side has a userID of admin@company.onmicrosoft.com and a student has a userID of student@comPLAY.onmicrosoft.com in the second directory . I am assuming that your students would have an account in your main directory already . Do they have two different userIDs that they need to maintain, one for each directory or their main company ID is the one using which they are invited in lab directory (complay.onmicrosoft.com)? If they have a single ID and you have created an organisational relationship (B2B) between two directories , then the workflow may differ . Let me give you more context on why I have asked you the above questions and will this will slowly become more clear.

Every subscription has to be associated with a azure Active directory when its created. You can not have a subscription without a directory due to technical design . So every time you try to create subscription , it will try to create a new directory if the email address/account using which you are creating it is not part of any azure active directory . This does not applies to live IDs or MSAs( MSA are microsoft Account or LiveIds which are created on consumer facing Microsoft services like xbox live , onedrive.com , outlook.com , onenote.com etc. ) If you are trying to create a subscription using an MSA you will get a new directory created. If you are logged on to azure portal using the same MSA next time while creating the subscription , the subscription will automatically be created in same directory which you created last time. If you are using a non microsoft service ID , for example even if you use user@gmail.com to start creating a new subscription , this email will be used within the workflow to be added as a Microsoft account in the background through the subscription sign up/creation workflow. So the ID which is used to create a subscription has to be either Microsoft Account or an Azure Active directory based user ID.

So for example , if you have a MSA like user_20@outlook.com and you try to sign in to the azure portal and create a subscription for the first time , then it will let you create a subscription and automatically create a directory in the background to associate the subscription to . So if you check you will see a directory named user20outlook.onmicrosoft.com would have been created .

Similarly if you were creating a subscription using an existing azure active directory userID , the subscription will automatically get associated with the parent organisation/directory of the user who is creating it . So in your case if admin user admin@company.onmicrosoft.com creates a subscription then resulting new subscription will automatically be associated with company.onmicrosoft.com . Now if you were logged in with student@comPLAY.onmicrosoft.com ,logged in to their parent directory (meaning comPLAY.onmicrosoft.com) the resulting subscription will get associated to comPLAY.onmicrosoft.com .

So when do complications like the one you described arise? They arise when admin of the company admin@company.onmicrosoft.com who created the second directory comPLAY.onmicrosoft.com created new subscription while being still logged into the company.onmicrosoft.com directory. Since admin@company.onmicrosoft.com is who created comPLAY.onmicrosoft.com , they are global admin on that directory by default despite the fact that they are the users from an external azure AD. So you can still be able to fix this easily by transferring subscription from one directory to another.

Now that I have provided you some context let us get to your main issue. You have mentioned When we go to "switch directory" we can see a list of subscriptions. But they don't show up in any directory and we can't use our "CompanyPlayground" (because no subscription is linked to it).

As you mentioned that it is the same user who has created the subscription so permission issue is to be ruled out. But which directory user was logged into while creating the subscription matters. So when you switch directory , you logon to the directory where the subscriptions are associated to and hence you can see them. In this scenario , I would suggest you to just change the directory of the subscription to comPLAY.onmicrosoft.com (I mean the directory which is your company playground). There is an easy solution for the same to transfer the subscriptions you created to the new directory using the change directory button as shown below by going to the subscription object properties in the azure portal. Please check the linked article on how to do that.

24592-image.png

The above picture also shows the directory name the subscription is in. You can check each of your subscriptions as to which directory they are in. You do not have any asset in the subscription as you have mentioned that its a new subscription however if you have already created any azure resources in the new subscriptions then you should read the details in the before you begin section. Make sure you have admin access in the directory and service administrator access on the subscription. Any existing resource access will be lost though old directory account because the old directory will no longer be associated with the subscription. I would suggest you to do this by launching Azure portal in the Incognito/Inprivate mode of the browser so that you exactly know which directory you logged in to. Whether you see a subscription or not depends on two factors , one of them is that you need to be associated to the directory as a user which the subscription is liked to and the other is that you need to have relevant RBAC role based permissions on the subscription resource to see it on the portal (Like owner,contributor etc.). You can read about billing ownership transfer as well but I would say that your requirement would get fulfilled by changing the directory of the subscription.

I have added some links relevant to the answer , please go through them once to understand more . Hope the above clarifies the query for you and provides you a solution on how to get the subscription associated to the company playground directory as you want to. If you are able to resolve this issue by the instructions provided , please do accept this post as answer so that it increases relevancy of this answer and this is useful to other community members as well . If I have misunderstood any query , please do let me know in comments. If the issue does not get solved even after the above , please send us an email at azcommunity [at] microsoft [dot] com referencing this issue with a subject line "ATTN shashi"and we will be happy to help you further with alternate support options.

Thank you.





image.png (28.3 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.