Set up an account for Azure Sphere

Azure Sphere uses Azure Active Directory (AAD) to enforce enterprise access control. Therefore, to use Azure Sphere, you need a Microsoft work or school account (sometimes called an organizational account) that is associated with an AAD.

If you already use Microsoft Azure through work or school, or if you or your employer/school subscribes to any other Microsoft Online services (for example, Office 365 for Business, OneDrive for Business, or Intune), you probably have an account and directory that you can use with Azure Sphere. A personal account (also called an MSA), such as an account that is associated with an Office 365 Home subscription, a personal OneDrive account, or an outlook.com email address, does not provide the necessary AAD.

Azure Sphere account

In the figure, Contoso Corp. has an AAD, so Contoso users can sign in to use Azure Sphere with their Contoso work accounts. After Azure authenticates the sign-in, the Contoso user can create an Azure Sphere tenant if Contoso does not already have one. The Azure Sphere tenant isolates Contoso's Azure Sphere devices from those of all other Azure Sphere customers and enables Contoso personnel to manage them. The Azure Sphere tenant is strictly used for Azure Sphere; it is not the same as an Azure AD tenant.

Tip

For help with Azure directories, accounts, tenants, and identities, see Understanding Azure identity solutions.

Find out whether your existing account works with Azure Sphere

To find out whether you have an account, open an Azure Sphere Developer Command Prompt (on the Start menu under Azure Sphere) and sign in to Azure Sphere with your work or school account:

azsphere login

In response, azsphere prompts you to pick an account. Choose your work/school account and type your password if required. If login succeeds, the command returns a list of the Azure Sphere tenants that are available for you. If you are the first in your organization to sign in, you will not see any tenants. Be aware, however, that the Azure Sphere Security Service currently enables all members of the organization to manage all devices in an Azure Sphere tenant. If you want greater control over access to your Azure Sphere devices, you or your IT administrator can limit access to your tenant.

If login fails, the account is not associated with an AAD. If you have another account, try it; if not, you can create a new account. Choose the option that describes your situation:

Create a new account and directory that are not associated with any other account

If you don't have a work or school account that you want to use with Azure Sphere, and you have no other account with Microsoft or Azure, you can create a new directory that has a new work/school account. (The Azure documentation refers to this directory as an Azure AD tenant; we call it a "directory" to distinguish it from the Azure Sphere tenant.)

To create a new directory that has a work/school account, visit the Microsoft Azure Get started page.

Fill in the requested information and create a domain name, a user ID, and a password. Provide the details necessary to verify your information. When you click Continue, you will be prompted to sign up for an Azure subscription that is associated with the directory. If you don't want to sign up for an Azure subscription, you can leave the web page. An Azure subscription is not required to use Azure Sphere, but a subscription is required to use Azure IoT Hub.

Important

Although you can create an Azure subscription for no charge, the sign-up process requires you to enter a credit card number. Azure provides several levels of subscription service. The Free tier includes the services required to use your device with an IoT Hub.

If you plan to use an Azure IoT Hub, follow the instructions to create an Azure subscription. If prompted, sign in to your newly created directory as userID@domainname.onmicrosoft.com. Then follow the prompts to sign up for a free Azure subscription. You will need to enter credit card details for verification only.

Create a work/school account that is associated with the personal/MSA account that you use with Azure

If you have a personal/MSA account that you use with Azure, you can create an associated user identity and directory to use with Azure Sphere.

  1. Log in to the Azure portal using your existing personal/MSA account.

  2. Create a user in the directory. In the Azure portal, click Azure Active Directory on the left side menu and then Users on the pane to its right.

    Azure portal menu with Azure Active Directory highlighted

  3. Click +New User at the top of the Users pane and then fill in the information to create a new user. Specify the username@directoryname.onmicrosoft.com as the login and set the role for the user. If this user will manage access to your Azure Sphere applications and devices, select the Global Administrator role. Select Show Password to display the auto-generated password so that you can note it for future use, and then click Create. This is the account you'll use to log in to Azure Sphere.

    Important

    Record the auto-generated password and the user name. You will need them both to log in to the tenant so that you can use your Azure Sphere device.

    Add user dialog box


Next steps

  • Claim your device and create an Azure Sphere tenant if you have not already done so