Creating an Azure Organizational Account
You require an "organizational" Azure account with sufficient privileges to import keys into a Microsoft Azure Key Vault using the Key Broker for Azure service.
This page walks you through the steps to create an "organizational" Azure account with the appropriate privileges and permissions. It assumes that you are starting with no Azure account, or that you are the "Owner" or "Global Administrator" of an existing Azure account.
Create an Azure organizational account for the Key Broker for Azure service
-
Buy an Internet domain name, or be the domain administrator of an existing domain name.
This will be the domain of your "organization". You need the privileges to add a new DNS record to this domain.
-
Sign up with Microsoft Azure, or be an "Owner" or "Global Administrator" of an existing Azure account.
This will enable you to create/manage your organizational directory (Azure Active Directory).
-
Log in to your Microsoft Azure Portal.
-
In the Azure Portal, create a new Azure Active Directory (AAD).
You can do that from the Marketplace or by clicking "Create a resource" in the main menu. For pricing details, please see Azure Pricing.
-
Add a "custom domain" to your AAD.
a. Navigate to Custom domain names and click Add custom domain.
b. Enter your internet domain name.
c. Follow the instructions to add a TXT or MX record to the DNS settings of your domain. Once complete, you may need to wait a few hours until the DNS records have propagated and are visible to Azure's servers.
-
Once the DNS record you added propagates, verify your custom domain.
a. Log in to the Azure Portal, select the AAD service, and access the Custom domain names section.
b. Click the Verify button for the new custom domain name.
This allows the users of this AAD to have the domain name in their User Name.
-
Create a user in the AAD.
a. Select Azure Active Directory -> Users, then click New User.
b. Make note of the initial password.
Ensure that:
- the domain name used for the User Name is the custom domain (not the default *.onmicrosoft.com domain).
- the Directory Role is User.
The new user should show up in the Users list of the AAD with the Source listed as Azure Active Directory (as opposed to the "Microsoft Account" source used by personal accounts).
-
Make the new user a "Global Administrator".
a. Navigate to the new user's detail page, then select Assigned Roles.
b. Click Add Assignments.
c. Enable Global administrator.
d. Click Add.
-
Grant at least Contributor access to the Microsoft Azure subscription.
Global Administrator is a directory role; it does not by itself grant any rights on subscription resources such as Key Vaults, so the user also needs an Azure RBAC role on the subscription.
a. Navigate to the Subscriptions service page, and select the subscription you want the new user to have access to.
b. Select Access Control (IAM).
c. Click Add.
d. Select the Add Role Assignment option.
e. Select Contributor (or higher) as the Role.
f. Select the user you want this applied to and click Save.
-
Log in to the Azure Portal as the new "organizational" user, using the initial password you noted.
You are prompted to change the initial password on first sign-in.
Now you are ready to use this Azure account with the DPoD Key Broker for Azure service.
When you create a Key Broker for Azure service, authenticate with Azure using this account. The Key Vault and the keys inside it will be imported under this Azure account. The account holds both Global Administrator and Contributor rights, so protect it like any other privileged account.
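The same steps, driven from the Azure CLI instead of the Portal, as an added example that is not part of the original page or of the Key Broker for Azure product. It assumes `az login` has already been done as an Owner / Global Administrator of the tenant; the domain, user principal name, display name, initial password and subscription ID in the usage comment are placeholders. The `upn_on_domain` check and the way the `az` and Microsoft Graph calls are wrapped are this example's own; the Global Administrator role is assigned through the Graph role-assignment API using its built-in role template ID 62e90394-69f5-4237-9190-012177145e10.

```shell
#!/bin/sh
# Added example (not from the original page): the Portal steps above, run with
# the Azure CLI. Assumes `az login` as an Owner / Global Administrator of the
# tenant. The domain, UPN, display name, initial password and subscription ID
# are placeholders supplied by the caller.
set -eu

# Pure check (no az call): the User Name must be on the verified custom domain,
# not on the default *.onmicrosoft.com domain or any other domain. Returns 0/1.
upn_on_domain() {
  upn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$upn" in
    *@*@*)        return 1 ;;   # malformed: more than one @
    *@"$domain")  return 0 ;;   # exactly user@<custom domain>
  esac
  return 1
}

# Step 5: add the custom domain and print the DNS records Azure expects to find.
add_custom_domain() {   # $1=custom domain
  az rest --method POST --url "https://graph.microsoft.com/v1.0/domains" \
    --body "{\"id\": \"$1\"}" -o none
  az rest --method GET \
    --url "https://graph.microsoft.com/v1.0/domains/$1/verificationDnsRecords" \
    --query "value[].{recordType:recordType,label:label,text:text}" -o table
}

# Step 6: once the TXT/MX record has propagated, ask Azure to verify it.
verify_custom_domain() {   # $1=custom domain
  az rest --method POST \
    --url "https://graph.microsoft.com/v1.0/domains/$1/verify" -o none
}

# Step 7: create the organizational user on the custom domain. Refuses a UPN
# that is not on the custom domain before calling az; the user must change the
# initial password at first sign-in.
create_org_user() {   # $1=UPN $2=display name $3=initial password $4=custom domain
  if ! upn_on_domain "$1" "$4"; then
    echo "refusing to create $1: User Name must be on $4" >&2
    return 1
  fi
  az ad user create --display-name "$2" --user-principal-name "$1" \
    --password "$3" --force-change-password-next-sign-in true \
    --query "{id:id,upn:userPrincipalName,userType:userType}" -o json
}

# Step 8: Global Administrator (directory role) via the Graph role assignment
# API. 62e90394-69f5-4237-9190-012177145e10 is the Global Administrator role
# template ID; directoryScopeId "/" means tenant-wide.
make_global_admin() {   # $1=UPN
  object_id=$(az ad user show --id "$1" --query id -o tsv)
  az rest --method POST \
    --url "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments" \
    --body "{\"principalId\":\"$object_id\",\"roleDefinitionId\":\"62e90394-69f5-4237-9190-012177145e10\",\"directoryScopeId\":\"/\"}" \
    -o none
}

# Step 9: Contributor on the subscription (Azure RBAC, separate from the
# directory role above).
grant_contributor() {   # $1=UPN $2=subscription ID
  az role assignment create --assignee "$1" --role Contributor \
    --scope "/subscriptions/$2" -o none
}

# Usage (two phases, because DNS propagation takes time):
#   add_custom_domain example.com        # then publish the printed TXT record
#   verify_custom_domain example.com
#   create_org_user kb-admin@example.com "Key Broker Admin" "$INITIAL_PASSWORD" example.com
#   make_global_admin kb-admin@example.com
#   grant_contributor kb-admin@example.com 00000000-0000-0000-0000-000000000000
```

The functions are kept separate rather than run as one script because step 6 can only succeed after the TXT record has propagated; run the first function, publish the record, and come back for the rest. `upn_on_domain` is the check that matters most for the page's requirement: a user created as `someone@tenant.onmicrosoft.com` will appear to work but is not on the verified custom domain.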