I am trying to understand why several lectures say that an Azure tenat is a directory (example here). According to the docs an Azure tenant is a trusted instance of the Azure AD, and, again, according that docs a Azure AD is a service a not a directory. Could you help me to understand why several lectures say the Azure tenant is a directory if docs say that is an instance of a service, please?
I think what is confusing is that the word directory has several meanings. When directory is used in this context it means an Azure Active Directory instance. An instance of the Azure Active Directory service is a tenant. If you created multiple Azure ADs in your Azure Portal you would have multiple instances therefore you would have multiple tenants or as some would say directories. I hope that clarifies it a little.
Related
Microsoft says, "In Azure Active Directory a tenant is an instance of Azure Active Directory that an organization receives when it signs up for a cloud application like Microsoft 365."
Could anyone explain what it means for a tenant to be an instance of the Azure Active Directory?
I know that an instance is basically a virtual machine. However, I'm failing to see how that definition applies in this particular context.
In your context, Instance of Azure Active Directory means Azure tenant.
I agree with #Peter Bons, Azure tenant is a dedicated and trusted instance of Azure AD.
Tenant refers to a single instance of Azure Active Directory.
Please note that tenant will be automatically created when your organization signs up for a Microsoft cloud service subscription.
To make it simple, you can consider it as parent group that includes users and groups along with the access control to application and resources.
A tenant is associated with a single identity and can have one or several subscriptions.
Based on your requirement, you can have single tenant or multitenant.
Every tenant is linked to a single Azure AD instance, which is shared with all tenant's subscriptions.
Azure AD Tenants are globally unique and have scopes with a domain name ending with ‘onmicrosoft.com’ and has a Tenant ID in the form of UUID/GUID.
For more in detail, please refer below links:
Understanding Tenants, Subscriptions, Regions and Geographies in Azure – siliconvalve
What is Azure Active Directory Tenant and How to create (azurelib.com)
Currently i am trying to dig deeper into the organizational/entity structure of ms azure. All I find online in discussions and official ms documentation only shows parts of the bigger picture but never the underlying relationships between them.
I try to formulate statements which I ask you to correct in case they are wrong:
I log in to the azure portal using an email adress witch is called account
In the azure portal I am acting in the context of a directory
The account i use to log in is associated with an identity in the directory
A directory belongs to a tenant
Signing up for MS Azure using my Microsoft Account will create a Tenant
A Subscription I create is assoiciated with but not created/stored within a directory (not with a tenant)
A Subscription I create is associated with the Account I am currently logged in, called Azure Account
A Management Group will be created within the directory per default, called Root Management Group
When no other Management Group is created, all Subscriptions I create are associated with this Root Management Group
Any thoughts on that?
Thanks TGY for your question. The terms "tenant" and "directory" are for the most part interchangeable and are used in Azure.
A tenant is an instance of an Azure Active Directory. The tenant is an account in Azure that comes with a subdomain and an associated Azure Active Directory. In order to use an Azure Active Directory you need to become a tenant within the system. So a tenant is basically securing a .onmicrosoft.com subdomain. At that point you would have one account registered in your Azure AD.
An Azure subscription is a logical container used to provision resources in Azure.It serves as a single billing unit for Azure resources in that services used in Azure are billed to a subscription. An Azure subscription is linked to a single account, but you can add multiple subscriptions to the same directory.
Please see this DOC if it helps you.
Root Management>>Management Group>>Subscription>>Resources Group>>Resources. So for IAM(Identity & Access Management) purpose, management Group is higher level than Subscription. Subscription is higher than Resource Group and Resource Group is higher than a particular resource level.
Please find below Architectural structure for more understanding and pictorial representation --
Following on from this question, I don't understand what the difference between an Azure Tenant, Azure Directory and Azure Active Directory.
When I log in to Azure and click my profile it lets me Switch Directory.
In my case I can switch to my company directory and also to the directory of another company where I have guest credits.
Does Directory in this context mean the same as Azure Active Directory?
The documentation says a tenant is:
Azure tenant: A dedicated and trusted instance of Azure AD that's
automatically created when your organization signs up for a Microsoft
cloud service subscription, such as Microsoft Azure, Microsoft Intune,
or Office 365. An Azure tenant represents a single organization.
So is Tenant the same as Directory in this case as well?
Yes, in this case the tenant is the same as an Azure AD. In the Azure portal you are changing Azure Active Directories when you use the Switch Directory feature. You can currently only be in the context of a single directory at a time; however, as the previous question you pointed to indicates, multiple subscriptions can be tied to a tenant/directory. So when you are in the context of a directory you'll see all the subscriptions under that tenant to which you have access to one or more resources based on security.
To be fair, I use Azure AD Tenant/Azure AD Directory interchangeably. The Portal UI calls them directories; however, the properties on resources, REST APIs, CLI commands, etc. all refer to it as a tenant.
Directory == Tenant.
When you utilize azure services, the TenantId will be requested. The TenantId is non other than the DirectoryId which can be found in the Properties tab within Azure Active Directory.
Furthermore, as answered in the link you provided:
"Subscriptions are tied to tenants. so 1 tenant can have many subscriptions, but not vice versa."
Azure Active Directory is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources
Tenant is a digital representation of the organization.
Azure Active Directory creating a directory objects in the form of tenant name. Azure Active Directory and tenants are interrelated.
In total, the Azure AD Tenant provides identity and access management (IAM) capabilities to applications and resources.
Link : https://learn.microsoft.com/en-us/microsoft-365/education/deploy/intro-azure-active-directory#what-is-an-azure-ad-tenant
In my azure account I have 2 directories, lets call them directory A and B.
With some recent changes I need to switch a app service from a subscription in directory A to a subscription that is on directory B.
Is this possible to achieve, and if it is how?
EDIT 1
As directory I mean the directory that you can see in the image below:
EDIT 2
Since It seems that I have mislead people I will try to explain what i want to achieve with images.
I want to move the App Service from the App Service Plan in the directory A as you can see in here:
to the App Service Plan in the directory B that you can see in here:
It looks like you want to move resources between subscriptions. It is possible to do this but there are a few restictions and rules around what you can do.
You can definitely move an App Service between subscriptions. However, in your case, as the subscriptions in question exist in different AD tenants, you will need to change the tenant of one of the subscriptions. You can only do this if you are a Service Administrator and signed in using a Microsoft i.e non organizational account.
Check this reference document from Microsoft, it explains in detail how the transfer process works.
I think we might need some additional information, since it seems that the terms we're using are sometimes equivocal. Microsoft Azure subscriptions are not associated to Azure Active Directories, but to an Service Account. You can add how many Azure ADs you want to an Azure subscription, but the Azure subscription itself will be managed by the service account (which is not necessarily member of a certain Azure AD).
Further, only the service administrator can manage Azure resources, like VMs, App Services and so on. Azure AD admins can only manage identity aspects that define identity life cycles within that specific Azure AD. The service admin could add a co-admin a user from the default Azure AD and that user would then also be able to manage Azure resources, like App Services and so on.
So the Azure App Service is tied to a Azure subscription that is managed by a service account, not by the Azure AD. Please check the official documentation on this topic. Also please clarify exactly what you would like to do.
Is it possible to programmatically create a Azure Active Directory within a Azure subscription.
I have looked through the Azure Management API's and can see methods to create VM's, databases but not WAAD's.
If it is possible. How many WAADs can be created per subscription?
No, it isn't possible to create Azure Active Directories programmatically.
As Jeff pointed, the directories listed in the Azure AD node are not contained in the subscription - but instead are the directories in which the currently signed in user account exists.