将 Azure 订阅关联或添加到 Azure Active Directory 租户Associate or add an Azure subscription to your Azure Active Directory tenant

Azure 订阅与 Azure Active Directory (Azure AD) 之间存在信任关系。An Azure subscription has a trust relationship with Azure Active Directory (Azure AD). 订阅信任 Azure AD 对用户、服务和设备执行身份验证。A subscription trusts Azure AD to authenticate users, services, and devices.

多个订阅可以信任同一个 Azure AD 目录。Multiple subscriptions can trust the same Azure AD directory. 每个订阅只能信任一个目录。Each subscription can only trust a single directory.

如果订阅过期,则将失去与该订阅关联的所有其他资源的访问权限。If your subscription expires, you lose access to all the other resources associated with the subscription. 但是,Azure AD 目录保留在 Azure 中。However, the Azure AD directory remains in Azure. 可以使用不同的 Azure 订阅来关联和管理该目录。You can associate and manage the directory using a different Azure subscription.

所有用户都有一个用于身份验证的“主”目录 。All of your users have a single home directory for authentication. 用户还可以充当其他目录中的来宾。Your users can also be guests in other directories. 可在 Azure AD 中查看每位用户的主目录和来宾目录。You can see both the home and guest directories for each user in Azure AD.

Important

当你将订阅与其他目录关联时,具有使用基于角色的访问控制 (RBAC) 分配的角色的用户将失去其访问权限。When you associate a subscription to a different directory, users that have roles assigned using role-based access control (RBAC) lose their access. 经典订阅管理员(包括服务管理员和共同管理员)也将失去其访问权限。Classic subscription administrators, including Service Administrator and Co-Administrators, also lose access.

当订阅与不同的目录关联时,还会从该订阅中删除策略分配。Policy Assignments are also removed from a subscription when the subscription is associated with a different directory.

如果将 Azure Kubernetes 服务 (AKS) 群集移到其他订阅,或者将拥有该群集的订阅移到新租户,该群集将会由于失去角色分配和服务主体权限而丢失功能。Moving your Azure Kubernetes Service (AKS) cluster to a different subscription, or moving the cluster-owning subscription to a new tenant, causes the cluster to lose functionality due to lost role assignments and service principal's rights. 有关 AKS 的详细信息,请参阅 Azure Kubernetes 服务 (AKS)For more information about AKS, see Azure Kubernetes Service (AKS).

准备阶段Before you begin

在关联或添加订阅之前,请执行以下任务:Before you can associate or add your subscription, do the following tasks:

  • 请查看下面包含更改及你可能受到的影响的列表:Review the following list of changes and how you might be affected:

    • 已使用 RBAC 为其分配了角色的用户将失去其访问权限Users that have been assigned roles using RBAC will lose their access
    • 服务管理员和共同管理员将失去其访问权限Service Administrator and Co-Administrators will lose access
    • 如果你有任何密钥保管库,这些密钥保管库将无法访问,而且你必须在关联后对其进行修复If you have any key vaults, they'll be inaccessible and you'll have to fix them after association
    • 如果对资源(例如虚拟机或逻辑应用)使用任何托管标识,则必须在关联后重新启用或重新创建这些标识If you have any managed identities for resources such as Virtual Machines or Logic Apps, you must re-enable or recreate them after the association
    • 如果拥有已注册的 Azure Stack,则将必须在关联后重新注册它If you have a registered Azure Stack, you'll have to re-register it after association
  • 使用符合以下条件的帐户登录:Sign in using an account that:

  • 请确保未使用 Azure 云服务提供商 (CSP) 订阅(MS-AZR-0145P、MS-AZR-0146P、MS-AZR-159P)、Microsoft 内部订阅 (MS-AZR-0015P) 或 Microsoft Imagine 订阅 (MS-AZR-0144P)。Make sure you're not using an Azure Cloud Service Providers (CSP) subscription (MS-AZR-0145P, MS-AZR-0146P, MS-AZR-159P), a Microsoft Internal subscription (MS-AZR-0015P), or a Microsoft Imagine subscription (MS-AZR-0144P).

将订阅关联到目录Associate a subscription to a directory

将现有订阅关联到 Azure AD 目录To associate an existing subscription to your Azure AD directory

  1. 登录,然后在门户中,选择“Azure Active Directory” 。Sign in and select Azure Active Directory in portal.

  2. 选择“切换目录” 。Select Switch directory.

    订阅页面,其中突出显示了“更改目录”选项

  3. 选择“所有目录” ,然后单击要切换的目录。Select All Directories and click a directory you want to switch.

    “更改目录”页,显示要更改到的目录

更改订阅目录是服务级操作,不会影响订阅的账单所有权。Changing the subscription directory is a service-level operation, so it doesn't affect subscription billing ownership. 帐户管理员仍可从帐户中心更改服务管理员。The Account Admin can still change the Service Admin from the Account Center. 若要删除原始目录,必须将订阅的账单所有权转让给新的帐户管理员。若要详细了解如何转让账单所有权,请参阅将 Azure 订阅所有权转让给其他帐户To delete the original directory, you must transfer the subscription billing ownership to a new Account Admin. To learn more about transferring billing ownership, see Transfer ownership of an Azure subscription to another account.

关联后的步骤Post-association steps

将订阅关联到不同的目录后,可能需要执行以下任务来恢复操作:After you associate a subscription to a different directory, you might need to do the following tasks to resume operations:

  • 如果有任何密钥保管库,则必须更改该密钥保管库租户 ID。If you have any key vaults, you must change the key vault tenant ID. 有关详细信息,请参阅在订阅移动后更改密钥保管库租户 IDFor more information, see Change a key vault tenant ID after a subscription move.

  • 如果对资源使用了系统分配的托管标识,则必须重新启用这些标识。If you used system-assigned Managed Identities for resources, you must re-enable these identities. 如果使用了用户分配的托管标识,则必须重新创建这些标识。If you used user-assigned Managed Identities, you must re-create these identities. 重新启用或重新创建托管标识后,必须重新建立分配给这些标识的权限。After re-enabling or recreating the Managed Identities, you must re-establish the permissions assigned to those identities. 有关详细信息,请参阅什么是 Azure 资源的托管标识?For more information, see What is managed identities for Azure resources?.

  • 如果已使用此订阅注册了 Azure Stack,则必须重新注册。If you've registered an Azure Stack using this subscription, you must re-register. 有关详细信息,请参阅将 Azure Stack 注册到 AzureFor more information, see Register Azure Stack with Azure.

后续步骤Next steps