kishore.salipalli@gmail.com

1 week ago

Azure Tenant?

What exactly is an Azure tenant or tenant ID? Can someone please explain in layman's terms?

lfowler
1 week ago
The tenant is basically the base level of your Azure presence. It identifies you and is the point from which you build the rest of your Azure infrastructure (subscriptions, resources, etc).

So if my new company was getting started with Azure we would register and receive our tenant name (i.e. awesomecompany.onmicrosoft.com). From there we could set up subscriptions that allow us to pay for things, and then resources to start building the service we want to offer. But it would all be within the tenant awesomecompany.onmicrosoft.com.

I hope this helps! Let us know if you have more questions.
kishore.salipalli@gmail.com
1 week ago
Thanks, Landon. So, as per my understanding, if I register for a free-trial subscription with email id - kishore@gmail.com (for example),
I have created a directory by name cloudorg in Azure AD,
Directory Name: cloudorg
Tenant name: cloudorg.onmicrosoft.com
User account with Admin access - kishore@gmail.com

1) Is the above information and my understanding on the terminologies correct?
2) If I create a new directory and switch directory, I believe the tenant ID will change, right?
3) One tenant name/ID can be associated with multiple subscriptions?

gmcleary
1 week ago
Good morning,

Yes, for the most part you are correct. However, in response to #2, I may have misinterpreted your question but the initial tenant ID will remain the same but you will have a new tenant ID for the second directory. So you are correct in that the tenant ID will change when you switch directories but that is because the new directory will have its own tenant ID. When you switch back to the initial directory, you will see the original tenant ID. Also, you can have one tenant name with multiple subscriptions.

jameslee06
1 week ago
Your understanding looks correct to me!

Just to add to the other responses above, I always find it helps to have a quick example to demonstrate the "relationships" etc:

Example Azure AD tenant and Azure Subscription
These are example / not real values:
> Azure AD Tenant: lalabs.onmicrosoft.com
> Azure AD Tenant ID:  11c7a11b-b111-1234-ab1c-1a2b345cdefa1
> Azure Subscription: LA Labs Dev Subscription
> Azure Subscription 2: LA Labs Prod Subscription

What's quite common to do in the industry, is have a single Azure AD Tenant that you might use across multiple services.

For example, the 'lalabs.onmicrosoft.com' tenant above might be used by both 'LA Labs Dev Subscription', 'LA Labs Prod Subscription' and even other services like Office 365 Exchange Online.

This is the reason an Azure AD Tenant is entirely separate - it's NOT an Azure resource. It is NOT within your Azure subscription. It's entirely outside and separate.

What we do have, is a relationship between Azure AD Tenants, and other subscription services (Azure, O365, etc).

With respect to Azure, an Azure subscription MUST be associated with ONE Azure AD Tenant. But it cannot be associated with more than one tenant.

An Azure AD Tenant, on the other hand, can be associated with one or more Azure Subscriptions (and other services).

Similarly when you need to manage administrative access to Azure resources:
- Azure uses identities from your Azure AD Tenant (e.g. you might grant kishore@lalabs.onmicrosoft.com with OWNER privileges to LA Labs Dev Subscription 1 (not best practice))

But if you need to manage administrative access to Azure AD, you would need to assign:
- kishore@lalabs.onmicrosoft.com with GLOBAL ADMIN privileges to the lalabs.onmicrosoft.com tenant (because they're separate)

So for your questions:
1) Your terminology looks good :)

2) Switching directory (within the Azure Portal, top right) changes the Azure AD tenant you're using to access resources; the Azure Portal also automatically refreshes to now only show you the Azure subscription/resources that the other tenant has access to... this is NOT changing the link between Azure AD Tenant <> Azure Subscription (it's really just changing your view)

3) Correct :)  And this is really common as it helps centralize identity (which is one of the most important things in security these days... you can have lots of resources everywhere, and if you can use a single Azure AD tenant for them all, that helps security)

HTH!!
James
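
The tenant-to-subscription relationship discussed in this thread, as an added example that is not part of any reply above: it groups subscriptions by `tenantId` and lists any subscription tied to a tenant you did not expect. The sample data is constructed in the shape of `az account list --output json` (only the fields used here, all IDs made up), and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `az account list --output json`, trimmed to the
# fields used below. All IDs are made up for this example.
SAMPLE = json.loads("""
[
  {"id": "00000000-0000-0000-0000-0000000000a1", "name": "LA Labs Dev Subscription",
   "tenantId": "11111111-1111-1111-1111-111111111111", "state": "Enabled"},
  {"id": "00000000-0000-0000-0000-0000000000a2", "name": "LA Labs Prod Subscription",
   "tenantId": "11111111-1111-1111-1111-111111111111", "state": "Enabled"},
  {"id": "00000000-0000-0000-0000-0000000000b1", "name": "Free Trial",
   "tenantId": "22222222-2222-2222-2222-222222222222", "state": "Enabled"}
]
""")


def subscriptions_by_tenant(accounts):
    """Map tenantId -> sorted subscription names (one tenant, many subscriptions)."""
    grouped = defaultdict(list)
    for acct in accounts:
        tenant = acct.get("tenantId")
        if not tenant:
            # Every subscription is associated with exactly one tenant.
            raise ValueError(f"subscription {acct.get('id')} has no tenantId")
        grouped[tenant.lower()].append(acct["name"])
    return {t: sorted(names) for t, names in grouped.items()}


def outside_expected_tenants(accounts, expected_tenant_ids):
    """Return (name, tenantId) for subscriptions not tied to an expected tenant."""
    expected = {t.lower() for t in expected_tenant_ids}
    return sorted(
        (a["name"], a["tenantId"].lower())
        for a in accounts
        if a["tenantId"].lower() not in expected
    )


if __name__ == "__main__":
    for tenant, names in subscriptions_by_tenant(SAMPLE).items():
        print(tenant, "->", ", ".join(names))
    print("outside expected tenant:",
          outside_expected_tenants(SAMPLE, ["11111111-1111-1111-1111-111111111111"]))
```

To run it against a real sign-in, replace `SAMPLE` with the parsed output of `az account list --output json`.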