Ensuring Ownership of Azure Active Directory

The free-trial nature of many Azure Microsoft-hosted services can create situations where an organization’s employees create freestanding Azure Active Directory (AAD) tenancies based on the organization’s domain names. Now, organizations can take steps to ensure they at least have management oversight of such AAD tenancies created without the consent of IT, by individual end users. This will ensure that IT admins are aware of how some Microsoft-hosted technology is used within their organization.

End Users Can Own Company AAD Domains

Implementing certain Microsoft services, notably the free tiers of Azure Rights Management, Power BI, and Microsoft’s new AAD Business to Business (B2B) tier, can result in the creation of “shadow tenancies” of AAD. A shadow tenancy is an unmanaged tenancy created when any individual user with an e-mail address in a specific Internet domain (for example, user@anycompany.com) registers to use certain Microsoft-hosted services. If no one has provisioned a tenancy for that domain name (anycompany.com) in AAD, an unmanaged AAD tenancy will be created on behalf of that user. Other users who use an e-mail address in the same domain for another applicable Microsoft-hosted service will then automatically join the same AAD tenancy. AAD will not create a new tenancy if one already exists for a domain, but if a user is the first to register that domain, that user will have created an unmanaged tenancy.