Associate or add an Azure subscription to your Azure Active Directory tenant

An Azure subscription has a trust relationship with Azure Active Directory (Azure AD), which means that the subscription trusts Azure AD to authenticate users, services, and devices. Multiple subscriptions can trust the same Azure AD directory, but each subscription can only trust a single directory.

If your subscription expires, you lose access to all the other resources associated with the subscription. However, the Azure AD directory remains in Azure, letting you associate and manage the directory using a different Azure subscription.

All of your users have a single home directory for authentication. However, your users can also be guests in other directories. You can see both the home and guest directories for each user in Azure AD.

Important

When you associate a subscription to a different directory, users that have roles assigned using role-based access control (RBAC) will lose their access. Classic subscription administrators (Service Administrator and Co-Administrators) will also lose access.

Before you begin

Before you can associate or add your subscription, you must perform the following tasks:

  1. Review the following list of changes and how you might be affected:

    • Users that have been assigned roles using RBAC will lose their access
    • Service Administrator and Co-Administrators will lose access
    • If you have any key vaults, they'll be inaccessible and you'll have to fix them after association
    • If you have a registered Azure Stack, you'll have to re-register it after association
  2. Sign in using an account that:

  3. Make sure you're not using an Azure Cloud Service Providers (CSP) subscription (MS-AZR-0145P, MS-AZR-0146P, MS-AZR-159P), a Microsoft Internal subscription (MS-AZR-0015P), or a Microsoft Imagine subscription (MS-AZR-0144P).

To associate an existing subscription to your Azure AD directory

  1. Sign in and select the subscription you want to use from the Subscriptions page in Azure portal.

  2. Select Change directory.

    Subscriptions page, with Change directory option highlighted

  3. Review any warnings that appear, and then select Change.

    Change the directory page, showing the directory to change to

    The directory is changed for the subscription and you get a success message.

    Success message about directory change

  4. Use the Directory switcher to go to your new directory. It might take up to 10 minutes for everything to show up properly.

    Directory switcher page, with sample information

Changing the subscription directory is a service-level operation, so it doesn't affect subscription billing ownership. The Account Admin can still change the Service Admin from the Account Center. To delete the original directory, you must transfer the subscription billing ownership to a new Account Admin. To learn more about transferring billing ownership, see Transfer ownership of an Azure subscription to another account.

Post association steps

After you associate a subscription to a different directory, there might be additional steps that you must perform to resume operations.

  1. If you have any key vaults, you must change the key vault tenant ID. For more information, see Change a key vault tenant ID after a subscription move.

  2. If you have registered an Azure Stack using this subscription, you must re-register. For more information, see Register Azure Stack with Azure.

Next steps