How I work effectively with multiple Azure AD tenants and user accounts

Many people have to work with several Azure AD and Microsoft 365 tenants, several user accounts in the same tenant, or a combination of both. I often see people working using a single browser, or using incognito mode, signing in and out all the time.

I work with several customers, several lab and demo environments, several different users – often in the same tenant, and I work super effectively. How? Let me show you!

Profiles – that’s how!

All proper browsers have a feature for this. I use Chrome, but Edge and Firefox both have this feature as well.

The whole point is that each profile has a separate set of cookies, and therefore a separate user session towards, say, the Azure Portal or the Microsoft 365 Portals. The way I do it, is that each user account I have will have a separate browser profile. Let me show you, by creating a new Microsoft 365 Demo environment (available for Microsoft partners):

So, now I need to sign in as this admin account. What I do is go to my Chrome and click the profile icon:

Now I click + Add

And Continue without an account (because I do not want to create a Google account for each profile):

Name the profile something. I usually name it something relevant and the username, like this:

After clicking Done, I will get a brand new browser instance:

We can now sign into the Azure portal:

And I usually save the password, as the password will then be saved in this separate browser profile, and choose to stay signed in:

Now I can have as many separate windows as I want, with completely separate user accounts and tenants:

Ok, cool, what about PowerShell?

The difficult part about PowerShell is that Azure CLI and the Az PowerShell Module each have their own session handling, with support for multiple accounts, while other modules such as the Microsoft.Graph module do not support such a thing.

Microsoft.Graph Module

This module only supports a single session, so it is as simple as running Connect-MgGraph when you want to switch which tenant you are working with. When running Connect-MgGraph, your last active browser window will be used for authentication. If you want to sign into a specific profile, let’s say my purple profile above, make sure that purple profile is the last active browser window.

Connect-MgGraph -Scopes User.Read.All

Azure CLI

Azure CLI has its own global account cache that can be listed using az account list, and cleared using az account clear. The cache travels across PowerShell windows, so you cannot have one window per tenant or per user. The cache also covers which is the “default” account, so you cannot simply have several windows with different default accounts.

As with other browser-based interactive sign-in methods, the last active browser window is used when triggering login. This means that when you are triggering a login, you need to make sure your last active browser window has the user session you want to access.

az login --allow-no-subscriptions

When logging into an account, that account will always be set as the default account, but you cannot guess which Azure subscription is the default one.

# Get the currently active account for az cli:
az account show

# List all active accounts in the az cli cache:
az account list

# Switch which account is active for az cli:
az account set --subscription=91871a06-4e5a-4423-bdcc-22b836cb4b3a

Az PowerShell Module

The Az PowerShell Module, much like Azure CLI, has its own global account cache that can be listed using Get-AzContext -ListAvailable, and cleared using Clear-AzContext. The cache travels across PowerShell windows, so you cannot have one window per tenant or per user.

Connect-AzAccount

When logging into an account, that account will always be set as the default account, but you cannot guess which Azure subscription is the default one.

# Get the currently active account for the az ps module:
Get-AzContext

# List all active accounts in the az ps module cache:
Get-AzContext -ListAvailable

# Switch which account is default for az ps module:
$Contexts = Get-AzContext -ListAvailable
Set-AzContext -Context $Contexts[2]
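
Picking a context by list index, as in $Contexts[2], depends on the order of the cache, so it is easy to end up working in the wrong tenant. The following is an added example, not code from the original post: it selects the cached context by tenant and account and stops when the match is missing or ambiguous. The function names Find-AzContextMatch and New-SampleContext and all sample tenant, account and subscription values are constructed for illustration.

```powershell
# Added example: function names and sample values are constructed, not from the post.
function Find-AzContextMatch {
    param(
        [object[]] $Contexts = @(),          # output of Get-AzContext -ListAvailable
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $AccountId,
        [string] $SubscriptionId             # optional tie-breaker
    )
    # -eq on strings is case-insensitive, which suits account names and GUIDs.
    $found = @($Contexts | Where-Object {
        $_.Tenant.Id  -eq $TenantId  -and
        $_.Account.Id -eq $AccountId -and
        (-not $SubscriptionId -or $_.Subscription.Id -eq $SubscriptionId)
    })
    if ($found.Count -eq 0) {
        throw "No cached context for $AccountId in tenant $TenantId; run Connect-AzAccount first."
    }
    if ($found.Count -gt 1) {
        # The same account can appear in several cached contexts, e.g. one per subscription.
        throw "$($found.Count) contexts match $AccountId in $TenantId; pass -SubscriptionId."
    }
    $found[0]
}

# Constructed sample shaped like the Tenant/Account/Subscription properties of an Az context,
# so the selection logic can be tried without signing in.
function New-SampleContext($Name, $Tenant, $Account, $Sub) {
    [pscustomobject]@{
        Name         = $Name
        Tenant       = [pscustomobject]@{ Id = $Tenant }
        Account      = [pscustomobject]@{ Id = $Account }
        Subscription = [pscustomobject]@{ Id = $Sub }
    }
}
$sample = @(
    New-SampleContext 'lab'    'aaaaaaaa-0000-0000-0000-000000000001' 'admin@lab.example'  'sub-lab-1'
    New-SampleContext 'demo-1' 'bbbbbbbb-0000-0000-0000-000000000002' 'admin@demo.example' 'sub-demo-1'
    New-SampleContext 'demo-2' 'bbbbbbbb-0000-0000-0000-000000000002' 'admin@demo.example' 'sub-demo-2'
)

# Unique match: returns the 'lab' context.
(Find-AzContextMatch -Contexts $sample -TenantId 'aaaaaaaa-0000-0000-0000-000000000001' -AccountId 'admin@lab.example').Name

# Ambiguous without a subscription id (two 'demo' contexts), resolved with -SubscriptionId.
(Find-AzContextMatch -Contexts $sample -TenantId 'bbbbbbbb-0000-0000-0000-000000000002' -AccountId 'admin@demo.example' -SubscriptionId 'sub-demo-2').Name

# Real use (requires the Az module and a populated cache):
#   $ctx = Find-AzContextMatch -Contexts (Get-AzContext -ListAvailable) -TenantId $t -AccountId $a
#   Set-AzContext -Context $ctx | Out-Null
```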
