您现在访问的是微软AZURE全球版技术文档网站,若需要访问由世纪互联运营的MICROSOFT AZURE中国区技术文档网站,请访问 https://docs.azure.cn.

将 Azure 订阅关联或添加到 Azure Active Directory 租户Associate or add an Azure subscription to your Azure Active Directory tenant

Azure 订阅已与 Azure Active Directory (Azure AD),这意味着该订阅信任 Azure AD 进行身份验证的用户、 服务和设备的信任关系。An Azure subscription has a trust relationship with Azure Active Directory (Azure AD), which means that the subscription trusts Azure AD to authenticate users, services, and devices. 多个订阅可以信任同一个 Azure AD 目录,但每个订阅只能信任一个目录。Multiple subscriptions can trust the same Azure AD directory, but each subscription can only trust a single directory.

如果订阅过期,则将失去与该订阅关联的所有其他资源的访问权限。If your subscription expires, you lose access to all the other resources associated with the subscription. 但是,Azure AD Directory 仍保留在 Azure 中,可使用不同的 Azure 订阅关联和管理目录。However, the Azure AD directory remains in Azure, letting you associate and manage the directory using a different Azure subscription.

你的所有用户具有单个家庭目录进行身份验证。All of your users have a single home directory for authentication. 但是,用户还可在其他目录中作为来宾。However, your users can also be guests in other directories. 可在 Azure AD 中查看每位用户的主目录和来宾目录。You can see both the home and guest directories for each user in Azure AD.

重要

在将对另一个目录,已使用分配的角色的用户的订阅基于角色的访问控制 (RBAC)将失去访问权限。When you associate a subscription to a different directory, users that have roles assigned using role-based access control (RBAC) will lose their access. 经典订阅管理员 (服务管理员和协同管理员) 还将失去访问权限。Classic subscription administrators (Service Administrator and Co-Administrators) will also lose access.

此外,Azure Kubernetes 服务 (AKS) 群集移到不同的订阅,或将群集拥有订阅移到新租户,会导致群集由于丢失的角色分配和服务主体权限的功能。Additionally, moving your Azure Kubernetes Service (AKS) cluster to a different subscription, or moving the cluster-owning subscription to a new tenant, causes the cluster to lose functionality due to lost role assignments and service principals rights. 有关 AKS 的详细信息,请参阅Azure Kubernetes 服务 (AKS)For more information about AKS, see Azure Kubernetes Service (AKS).

开始之前Before you begin

要想关联或添加订阅,必须先执行以下任务:Before you can associate or add your subscription, you must perform the following tasks:

  1. 请查看以下更改和可能如何影响您的列表:Review the following list of changes and how you might be affected:

    • 使用 RBAC 角色分配的用户将失去访问权限Users that have been assigned roles using RBAC will lose their access
    • 服务管理员和共同管理员将失去访问权限Service Administrator and Co-Administrators will lose access
    • 如果必须任何密钥保管库,则它们将无法访问,您必须修复在关联后If you have any key vaults, they'll be inaccessible and you'll have to fix them after association
    • 如果您具有资源,例如虚拟机或逻辑应用的任何托管的标识,将需要重新启用,或在关联后重新创建它们If you have any managed identities for resources such as Virtual Machines or Logic Apps, you'll have to re-enable or recreate them after the association
    • 如果你有已注册的 Azure Stack,必须关联过后重新注册If you have a registered Azure Stack, you'll have to re-register it after association
  2. 使用符合以下条件的帐户登录:Sign in using an account that:

  3. 请确保未使用 Azure 云服务提供商 (CSP) 订阅(MS-AZR-0145P、MS-AZR-0146P、MS-AZR-159P)、Microsoft 内部订阅 (MS-AZR-0015P) 或 Microsoft Imagine 订阅 (MS-AZR-0144P)。Make sure you're not using an Azure Cloud Service Providers (CSP) subscription (MS-AZR-0145P, MS-AZR-0146P, MS-AZR-159P), a Microsoft Internal subscription (MS-AZR-0015P), or a Microsoft Imagine subscription (MS-AZR-0144P).

将现有订阅关联到 Azure AD 目录To associate an existing subscription to your Azure AD directory

  1. 登录,然后从 Azure 门户中的“订阅”页面选择要使用的订阅。Sign in and select the subscription you want to use from the Subscriptions page in Azure portal.

  2. 选择“更改目录” 。Select Change directory.

    订阅页面,其中突出显示了“更改目录”选项

  3. 查看出现的任何警告,然后选择“更改” 。Review any warnings that appear, and then select Change.

    “更改目录”页,显示要更改到的目录

    订阅目录将发生更改并会显示一条成功消息。The directory is changed for the subscription and you get a success message.

    有关更改目录成功消息

  4. 使用目录切换器以转到新目录。Use the Directory switcher to go to your new directory. 可能需要几个小时内的所有内容正确显示。It can take several hours for everything to show up properly. 如果它看起来耗时较长,请确保您选中全局订阅筛选器移动订阅,以确保其处于不只是隐藏状态。If it seems to be taking too long, make sure you check the Global subscription filter for the moved subscription, to make sure it's not simply hidden.

    目录切换器页上,使用示例的信息

更改订阅目录是服务级操作,不会影响订阅的账单所有权。Changing the subscription directory is a service-level operation, so it doesn't affect subscription billing ownership. 帐户管理员仍可从帐户中心更改服务管理员。The Account Admin can still change the Service Admin from the Account Center. 若要删除原始目录,必须将订阅的账单所有权转让给新的帐户管理员。若要详细了解如何转让账单所有权,请参阅将 Azure 订阅所有权转让给其他帐户To delete the original directory, you must transfer the subscription billing ownership to a new Account Admin. To learn more about transferring billing ownership, see Transfer ownership of an Azure subscription to another account.

发布关联的步骤Post association steps

将关联到不同的目录的订阅后,可能必须执行恢复操作的其他步骤。After you associate a subscription to a different directory, there might be additional steps that you must perform to resume operations.

  1. 如果你有任何密钥保管库,则必须更改密钥保管库租户 id。If you have any key vaults, you must change the key vault tenant ID. 有关详细信息,请参阅订阅移动后更改密钥保管库租户 IDFor more information, see Change a key vault tenant ID after a subscription move.

  2. 如果在使用系统分配管理的标识的资源,则必须重新启用这些。If you were using system-assigned Managed Identities for resources, you must re-enable these. 如果已使用用户分配管理的标识,则必须重新创建这些。If you were using user-assigned Managed Identities, you must re-create these. 重新启用或重新创建托管标识之后, 必须重新建立分配给这些标识的权限。After re-enabling or recreating the Managed Identities, you must re-establish the permissions assigned to those identities. 有关详细信息请参阅什么是 Azure 资源的管理的标识?For more information see What is managed identities for Azure resources?.

  3. 如果你注册 Azure Stack 使用此订阅,则必须重新注册。If you have registered an Azure Stack using this subscription, you must re-register. 有关详细信息,请参阅使用 Azure 注册 Azure StackFor more information, see Register Azure Stack with Azure.

后续步骤Next steps