Azure AD Terminologies

Pratyusha Menon 21 Reputation points
2020-11-09T21:51:27.527+00:00

Can someone please explain to me the puzzle of Azure AD terms: subscription / tenant / directory?

What I understood:

When I sign up for an Azure subscription = 1 subscription = 1 organization = 1 AD tenant, e.g. john@Company portal .onmicrosoft.com

I can create another organization in the same subscription using the same AD tenant, e.g. john@cronus.onmicrosoft.com

When I can create 2 directories and/or/also organization, why does the documentation say:

"When a company or organization signs up to use one of these offerings, they are assigned a default directory, which is an instance of Azure AD. The default directory is sometimes referred to as a tenant. A given subscription is also associated to a single Azure AD directory. Multiple subscriptions can trust the same directory, but a subscription can only trust one directory."

Can someone please help with this nomenclature confusion?

Microsoft Entra

2 answers

  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2020-11-10T02:18:04.237+00:00

    Hi @Pratyusha Menon ,

    The terms "tenant" and "directory" are for the most part interchangeable and are used that way in Azure documentation.

    A tenant is an instance of an Azure Active Directory. The tenant is an account in Azure that comes with a subdomain and an associated Azure Active Directory. In order to use an Azure Active Directory you need to become a tenant within the system. So a tenant is basically securing a .onmicrosoft.com subdomain. At that point you would have one account registered in your Azure AD.

    As you mentioned, a subscription is associated to a single Azure Active Directory, but you can add multiple subscriptions to the same directory. One reason you might do this is to separate the finances and administration within a company. For example, a company might have a single org-wide tenant, but different Azure subscriptions for each department. That way the company can track how much money each department is spending on resources.

    Another reason for doing this would be to divide subscriptions for different development purposes such as having a sandbox environment, staging environment, and production environment that each have different subscriptions attached.

    Hope this helps and let me know if you have further questions!


  2. Sani Garba 1 Reputation point
    2021-08-19T13:00:09.32+00:00

    Looking closely at the explanation by @MarileeTurskac and combining that with Microsoft’s position that “… but a subscription can only trust one directory”, we may say that, while many subscriptions can belong to a single AAD, you can’t have a single subscription belonging to two or more AADs. Yes, the use of “trust” gives it an opaque meaning, such that it can be interpreted to mean that, even though you can do the association, the subscription won’t be recognized/trusted by AAD.
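
The relationship both answers describe (many subscriptions trusting one directory, each subscription trusting exactly one) can be checked against your own account inventory. The following Python script is an added example, not part of either answer or of Microsoft's documentation; it groups records shaped like the output of `az account list --output json` by `tenantId`, and the sample records, names and GUIDs are constructed.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `az account list --output json`.
# Only the fields used below are included; every GUID is made up.
SAMPLE = """[
  {"id": "11111111-0000-0000-0000-000000000001", "name": "Finance",
   "tenantId": "aaaaaaaa-0000-0000-0000-000000000000"},
  {"id": "11111111-0000-0000-0000-000000000002", "name": "Engineering-Prod",
   "tenantId": "aaaaaaaa-0000-0000-0000-000000000000"},
  {"id": "11111111-0000-0000-0000-000000000003", "name": "Sandbox",
   "tenantId": "bbbbbbbb-0000-0000-0000-000000000000"}
]"""


def group_by_tenant(accounts):
    """Return {tenantId: [subscription names]}.

    Raises ValueError if the same subscription id is listed under two
    different tenants, which would contradict the rule that a
    subscription trusts exactly one directory.
    """
    trusted = {}                  # subscription id -> the tenant it trusts
    tenants = defaultdict(list)   # tenant id -> subscription names
    for acct in accounts:
        sub_id, tenant_id = acct["id"], acct["tenantId"]
        previous = trusted.setdefault(sub_id, tenant_id)
        if previous != tenant_id:
            raise ValueError(
                f"subscription {sub_id} listed under {previous} and {tenant_id}"
            )
        tenants[tenant_id].append(acct["name"])
    return dict(tenants)


def main():
    for tenant_id, subs in group_by_tenant(json.loads(SAMPLE)).items():
        print(f"{tenant_id} <- {', '.join(subs)}")


if __name__ == "__main__":
    main()
```

To run it on real data, replace `SAMPLE` with the saved output of `az account list --output json`.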
