Ensuring Ownership of Azure Active Directory

Many Azure Microsoft-hosted services provide free trials that result in an organization’s employees creating freestanding Azure Active Directory (AAD) tenancies based on the organization’s domain names. Now organizations can take steps to ensure they at least have management oversight of such AAD tenancies created by individual end users without the consent of IT. This DNS takeover process ensures that IT administrators are aware of how some Microsoft-hosted technology is used within their organization and could help prevent license compliance risk owing to users signing up for free tiers of service with their organizational accounts.

End Users Can Own Company AAD Domains

Implementing certain Microsoft services, notably the free tiers of Azure Rights Management, Power BI, and Microsoft’s AAD Business to Business (B2B) service, can result in the creation of AAD shadow tenancies. A shadow tenancy is an unmanaged tenancy created when any individual user with an e-mail address in a specific Internet domain (for example, user@anycompany.com) registers to use certain Microsoft-hosted services. If no one has previously provisioned an AAD tenancy for that domain name (anycompany.com), a new, unmanaged AAD tenancy will be created for the domain on behalf of that user. Other users who use an e-mail address in the same domain for another applicable Microsoft-hosted service will then automatically join the same AAD tenancy.