Hierarchy / Relationships
I'm rather confused about the relationship between Azure AD, subscriptions, resources and Azure AD B2C.
This is how I think it's tied together:
- An Azure AD directory (or organization?) can have many subscriptions
- Subscriptions can only be tied to a single directory
- Resources (inside resource groups) can only belong to a single subscription
- You can have up to 20 Azure AD B2C tenants/directories per subscription
This gives the following example hierarchy:
- Azure AD directory (contoso.com)
  - Dev subscription
    - Resource group X
      - Azure AD B2C #1
      - Azure AD B2C #2
  - Prod subscription
    - Resource Group Y
      - Azure AD B2C #3
      - Azure AD B2C #4
Do correct me if I'm wrong, please!
The really confusing part
In the Azure portal, I have a B2C tenant resource in my AD directory:
Also, from the menu in the top right corner, I can click 'Switch directory', and see both my AD directory and my B2C directory:
When I switch to the B2C directory, I get the same left menu that I have in my AD directory:
Ok.
So I have a menu option to create a resource, and I can also view resources inside this B2C directory!
Questions:
- Can you actually create resources inside a B2C directory? Seems to me that B2C is itself a resource, belonging to a specific subscription and a specific AD directory.
- If you can, when would you – if ever – do it?
I'm thinking this is simply a quirk of the Azure Portal. I don't see how you could create a resource inside a B2C directory using e.g. ARM / Bicep / Terraform.
CodePudding user response:
You cannot create resources in a B2C tenant. In general, resources are created in and belong to the subscription, not the tenant. You would have to have the subscription assigned to your B2C tenant, but that is not possible.
Yes, it is a resource belonging to a specific subscription (for billing purposes), and the subscription is linked to an AAD tenant.
No, the main goal of B2C is to manage identities. If it were ever possible, it wouldn't work well. A much better idea is to create an additional subscription in your base tenant if you ever need to separate resources (for example, for billing purposes).



