What is the right mental model for having multiple directories bound to an Azure subscription?
Obviously, it has nothing to do with multi-tenant apps.
I bound my own certified domain (wrapping an Office AAD) to my Azure directory, and things work fine ... for directory #1. My IDP introduces co-admins, for example, and I can use the AAD console to manipulate users (and add Azure-specific features such as rights).
Then I did a bit of NSA/GCHQ dupery and subversion and induced a system admin to bind an (operational) corporate directory to my same Azure subscription.
(a) He wishes he hadn't, since I'm really not that trustworthy (and we CANNOT delete it using the Azure console). I get rights to administer his Office 365 user records ... now, which is WAY beyond what ought to be my privilege level.
(b) Users from that directory #2 apparently CANNOT be co-admins (which was the original idea) in Azure land.
I now have several directories tied to my Azure account (forever, apparently). What are they "really" for?
For example, I could imagine an "enterprise" directory manager being able to administer "sub-enterprise" directories, in much the same way that certification courses teach one how to operate AD and VPNs and LANs and IP-based replication in "enterprise mode".