I am struggling to distinguish how an Azure Subscription and an Azure tenant are different? I have tried figuring it out using examples but each time I come to the conclusion that they are the same thing in a way? If a tenant is a dedicated instance of the Azure AD service that an organization receives and owns when it signs up for a Microsoft cloud service, then is that not what a subscription is too?
Basic understanding:
a tenant is associated with a single identity (person, company, or organization) and can own one or several subscriptions
a subscription is linked to a payment setup and each subscription will result in a separate bill
in every subscription, you can add virtual resources (VM, storage, network, ...)
Additionally:
Every tenant is linked to a single Azure AD instance, which is shared with all tenant's subscriptions
Resources from one subscription are isolated from resources in other subscriptions
An owner of a tenant can decide to have multiple subscriptions:
when Subscriptions limits are reached
to use different payment methods
to isolate resources between different departments, projects, regional offices, and so on.
Example 1:
Contoso decides to have a tenant with 2 subscriptions:
one subscription for the Prod department with Credit Card A
one subscription for the Dev department with Credit Card B
(but could also be the same Credit Card as the one of another subscription)
In this example, the two departments share the same Azure AD database.
However, resources are isolated between departments, and budgets can be separated too.
Example 2:
A holding company decides to have 2 tenants:
one tenant for subsidiary Contoso with one subscription for Dev and Prod
one tenant for subsidiary Fabrikam with one subscription for Dev and another subscription for Prod
In this example, both companies have a different Azure AD database.
Example 3:
You have a tenant for your personal training.
In this tenant, you can have:
one free Azure subscription (linked to a credit card but not charged, and can be converted to a Pay-As-You-Go subscription after the free trial)
one or several Pay-As-You-Go subscriptions (linked to different credit cards)
one or several Azure Pass Sponsorship subscriptions, not linked to any credit card because these subscriptions are obtained during Microsoft trainings
one Visual Studio subscription (linked to a credit card) and with different quotas (of free resources) than the free subscription
Despite all those subscriptions have isolated resources (per subscription), and some are free while you have to pay for others, all subscriptions share the same Azure AD database.
Azure tenant is a directory. Azure subscription is an object that represents a "folder" that you can put resources in. Subscriptions are tied to tenants. so 1 tenant can have many subscriptions, but not vice versa.
Link:
https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits
It helps to take a scenario:
Let's say you logged into portal.azure.com for the first time and created a free tier account.
When you login to Azure, you have a single tenant ID associated with your account which will not change unless you ask Microsoft to delete your account(this is not your Azure domain user, this is your Microsoft subscription account - eg. bob#gmail.com).
You will only have 1 subscription unless you've purchased or manage other subscriptions (by using the 'transfer billing ownership' function), then they will all be listed under subscriptions.
You will have FULL access to all "resources" associated with your tenant ID. These resources can be part of your own Azure 'directory' or from another domain that someone has given you access to.
You can create up to 20 directories, and you can belong to up to 500 directories.
When you own the subscription (eg. a free account) you'll have full rights up to the 'root' of the subscription - eg. if you click on your name in the top right corner and select "... > your permissions" you see something like:
Your account 'YOURACCOUNT#gmail.com' has been assigned the role 'User Access Administrator' (type BuiltInRole) and has access to scope /.
Your resources have Role Based Access controls that you, the subscription owner, can assign to other users in your Azure Active Directory (or other trusted directories).
By default, for a new subscription, the Account Administrator is assigned the "Service Administrator" privilege. This is 'above' the RBAC roles - there can only be one service administrator per subscription. In RBAC terms this is an 'owner'.
More points:
A single tenant can have multiple AD directories, but a single directory can only have 1 tenant.
*It is recommended to maintain only a single tenant and manage all of your AD domains from that single tenant, otherwise the user experience between domains will not be a seamless.
*A tenant is directly associated with an AD resource - if you mouse over your username in the top right corner you'll see the AD domain you're connected to and a long alphanumeric string - that's the same string in AD > properties.
*If you switch to another directory (assuming you have one) your subscription name (bob#gmail.com) doesn't change, but the tenant ID will be different.
References:
https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
https://marckean.com/2016/06/01/azure-vs-azure-ad-accounts-tenants-subscriptions/
https://blogit.create.pt/miguelisidoro/2019/01/07/pros-and-cons-of-single-tenant-vs-multiple-tenants-in-office-365/
This MS doc has explained everything very nicely - Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings
Quoting from the Summary of the hierarchy section in the documentation:
Here is a quick recap:
An organization can have multiple subscriptions
A subscription can have multiple licenses
Licenses can be assigned to individual user accounts
User accounts are stored in an Azure AD tenant
Later in the same section it says:
Multiple Microsoft cloud offering subscriptions can use the same Azure
AD tenant that acts as a common identity provider. A central Azure AD
tenant that contains the synchronized accounts of your on-premises AD
DS provides cloud-based Identity as a Service (IDaaS) for your
organization.
Let us try to understand all this with the help of a real-life example. Let's assume that I'm the owner of a company named FooBar which manufactures software products. Now here is what I'll do to setup Azure infrastructure for my company:
I'll crete an Azure account using my email id.
Then for managing the employees of the company, I created below mentioned Azure Active Directories (AAD aka tenant) in my Azure account:
PermanentAad
AdhocAad
User account of all full-time employees (FTEs) will be added into PermanentAad AAD and all temporary or contractual employees will be added into AdhocAad AAD.
Similarly, I would like to manage the billing of adhoc employees and FTEs separately. So I creates two subscriptions namely PermanenetSub and AdhocSub. I'll setup a trust relationship between PermanentAad and PermanentSub. Similarly for AdhocAad and AdhocSub. So when any FTE creates an Azure resource e.g. a virtual machine(VM) then the cost of that VM will get added to total bill in PermanentSub subscription.
Now comes the licensing part. Licenses empower a user to do things in Azure e.g. creating resources, VMs etc. I can give Enterprise Mobility + Security E5 license to an FTE so that he can create VMs for testing any stuff.
To summarize:
If you want to work in Azure you need an Azure account. To create an Azure account you need an active email id.
If you want to add people/employees or machines/devices who would be part of your IT infrastructure you need a tenant/AAD. You get one tenant/AAD by default when you create an Azure account. You can create more if you require for any kind of logical separation. AAD service is a global service spanning across all locations in Azure which manages all of our AAD instances. AAD is also known as Azure Active Directory, AAD, an Azure AD instance, an AAD Instance, an Azure AD Tenant, an AAD tenant, simply tenant or an organization, etc. They all mean the same. Therefore:
Organization == Tenant == Azure Active Directory
If you require logical separation of billing for users of your Azure account then you need multiple subscriptions. You get one subscription by default when you create a new Azure account. Subscription can be of four types as per below list:
Free
Pay-as-you-go
Enterprise agreement
Cloud Solution Provider
If you want to enable the users to do things then you issue license(s) e.g. license to be able to create VM or Azure app service. Also remember that license and Role Based Access Control (RBAC) are not same although both enable you to do things in Azure portal. But they've different nuances which you can explore on your own.
Below image summarizes the above explanation. I've taken it from the same documentation that I referred at the starting of this answer - Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings
Quoting from the User accounts section in the documentation:
So, all the user accounts and devices of an organization reside in a common Azure AD tenant/instance.
Adding more to existing answers
Tenant is a domain, If these are email addresses of a certain company,
user#exampledomain.com
admin#exampledomain.com
The tenant can be recognized as "exampledomain", in a practical scenario you create a tenant against a company or a client.
Subscriptions are like another logical high-level grouping. For example, you can create a subscription for each environment you work with in the same tenant.
as an example, exampledomain.com tenant can have Development, QA, and Production subscriptions. Those will be billed separately according to the plans you take in
Below are succinct descriptions of key terms and the relationship between them.
They are all sourced from official Microsoft documentation.
Account
Tenant
Identity
Subscription
Resource
Resource Group
Account
To create and use Azure services, you first need to sign up [for an
Azure account].
Source:
Learning Path: Manage identity and access in Azure Active Directory
Module: Create an Azure account
Exercise: Create an Azure account
Tenant
An Azure tenant is a single dedicated and trusted instance of Azure
AD. Each tenant (also called a directory) represents a single
organization. When your organization signs up for a Microsoft cloud
service subscription, a new tenant is automatically created. Because
each tenant is a dedicated and trusted instance of Azure AD, you can
create multiple tenants or instances.
Identity
An identity is an object that can be authenticated. The identity can
be a user with a username and password. Identities can also be
applications or other servers that require authentication by using
secret keys or certificates. Azure AD is the underlying product that
provides the identity service.
Source:
Learning Path: AZ-104: Manage identities and governance in Azure
Module: Configure Azure Active Directory
Exercise: Describe Azure Active Directory concepts
Subscription
To create and use Azure services, you need an Azure
subscription...you're free to create additional subscriptions. For
example, your company might use a single Azure account for your
business and separate subscriptions for development, marketing, and
sales departments. After you've created an Azure subscription, you can start
creating Azure resources within each subscription.
Source:
Learning Path: Azure Fundamentals: Describe Azure architecture and services
Module: Get started with Azure accounts
In Azure, subscriptions are a unit of management, billing, and scale.
Similar to how resource groups are a way to logically organize
resources, subscriptions allow you to logically organize your resource
groups and facilitate billing...An account can have multiple
subscriptions, but it’s only required to have one. In a
multi-subscription account, you can use the subscriptions to configure
different billing models and apply different access-management
policies. You can use Azure subscriptions to define boundaries around
Azure products, services, and resources.
Source:
Learning Path: Azure Fundamentals: Describe Azure architecture and services
Module: Describe Azure management infrastructure
Resource
A resource is the basic building block of Azure. Anything you create,
provision, deploy, etc. is a resource. Virtual Machines (VMs), virtual
networks, databases, cognitive services, etc. are all considered
resources within Azure.
Resource Group
Resource groups are simply groupings of resources. When you create a
resource, you’re required to place it into a resource group. While a
resource group can contain many resources, a single resource can only
be in one resource group at a time. Some resources may be moved
between resource groups, but when you move a resource to a new group,
it will no longer be associated with the former group. Additionally,
resource groups can't be nested, meaning you can’t put resource group
B inside of resource group A.
Resource groups provide a convenient way to group resources together.
When you apply an action to a resource group, that action will apply
to all the resources within the resource group. If you delete a
resource group, all the resources will be deleted. If you grant or
deny access to a resource group, you’ve granted or denied access to
all the resources within the resource group.
When you’re provisioning resources, it’s good to think about the
resource group structure that best suits your needs.
For example, if you’re setting up a temporary dev environment,
grouping all the resources together means you can deprovision all of
the associated resources at once by deleting the resource group. If
you’re provisioning compute resources that will need three different
access schemas, it may be best to group resources based on the access
schema, and then assign access at the resource group level.
There aren’t hard rules about how you use resource groups, so consider
how to set up your resource groups to maximize their usefulness for
you.
Source:
Learning Path: Azure Fundamentals: Describe Azure architecture and services
Module: Describe Azure management infrastructure
Simply put, an instance of Azure AD is what an organization receives when the organization creates a relationship with Microsoft such as signing up for Azure, Microsoft Intune, or Microsoft 365.
A tenant is similar to a forest in an on-premise environment.
An Active Directory forest (AD forest) is the topmost logical container in an Active Directory configuration that contains domains, users, computers, and group policies
Think of a tenant as a user/domain entity that is registered in Azure. Tenants are Azure 'customer' - a unique entity that will be registered in Azure directories.
Subscription is an operational level of grouping resources. Tenants have subscriptions.
Tenant is quite a useful approach, which, in my opinion, is missing in AWS.
Related
Microsoft says, "In Azure Active Directory a tenant is an instance of Azure Active Directory that an organization receives when it signs up for a cloud application like Microsoft 365."
Could anyone explain what it means for a tenant to be an instance of the Azure Active Directory?
I know that an instance is basically a virtual machine. However, I'm failing to see how that definition applies in this particular context.
In your context, Instance of Azure Active Directory means Azure tenant.
I agree with #Peter Bons, Azure tenant is a dedicated and trusted instance of Azure AD.
Tenant refers to a single instance of Azure Active Directory.
Please note that tenant will be automatically created when your organization signs up for a Microsoft cloud service subscription.
To make it simple, you can consider it as parent group that includes users and groups along with the access control to application and resources.
A tenant is associated with a single identity and can have one or several subscriptions.
Based on your requirement, you can have single tenant or multitenant.
Every tenant is linked to a single Azure AD instance, which is shared with all tenant's subscriptions.
Azure AD Tenants are globally unique and have scopes with a domain name ending with ‘onmicrosoft.com’ and has a Tenant ID in the form of UUID/GUID.
For more in detail, please refer below links:
Understanding Tenants, Subscriptions, Regions and Geographies in Azure – siliconvalve
What is Azure Active Directory Tenant and How to create (azurelib.com)
I'm in the process of moving a azure subscription from one Azure AD into another Azure AD.
Before I could do that I have to create a new Azure Account for the target Azure AD.
I assumed that a subscription and account was the same, but it's not.
How does an Azure account and an azure subscription relate to each other?
How does billing profiles relate to subscriptions and azure accounts?
Do these relate one to many or one to one?
Azure Account sits on an Azure Active Directory(AAD). It is a just an email (identity) which allows you to access the resources linked with all the subscriptions linked with the AAD with proper permissions of-course.
Azure Subscription : An Azure subscription is a base container that comprises a group of related business or technical resources. The group of resources are used and billed together. An Azure subscription also acts as an administrative boundary, meaning that it allows subscription administrators to access all resources within the subscription and delegate access through role-based access-control mechanisms.
Billing is directly linked with the subscription.
Subscription is billed based on the billing profile.
Normal Users (Azure Accounts) are not billed individually unless Subscription Admin decides a method for them.
Billing profile : A billing profile contains a payment method, Bill-to information, and other invoice settings, such as purchase order number and email invoice preference.
So multiple subscriptions can be charged with single billing profile or the Subscription admin can use different profiles for different subscription.
References-
What is Azure Active Directory:
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-whatis
The relationship between AAD and subscriptions:
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-how-subscriptions-associate...
Managing resource groups with AAD:
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-manage-groups
Understanding billing profile:
https://learn.microsoft.com/en-us/microsoft-365/commerce/billing-and-payments/manage-billing-profiles?view=o365-worldwide
Days ago I onboarded a customer using Service Principal with an ARM template in our blob storage, then the client went to this URL:
https://portal.azure.com/#create/Microsoft.Template/uri/{Blob Url}, accepted us as their resource manager, and we could make connections and go-to resources but via PowerShell, why it doesn't show to us in our Azure Lighthouse Customers page?
I can work with the resources, make deployments, and such but doesn't show in the list, I want to know if it is because we need to be gold competency or an expert MSP because we don't want to make a public offer in the market, we just want to manage certain customers.
It should be displayed there. No special conditions are required such as the ones you've mentioned. Are you definitely signed in to your own partner/MSP tenant with an account that has delegated access to the customers? Does anything show up under delegations within the Azure Lighthouse section?
If you have access to the customer tenant, does your company show up under Service Providers within Azure Lighthouse on the Azure portal?
Case closed, the Service Principal itself doesn't have the privileges on the service provider's tenant to make your user a reader. So the solution for this was:
Remove the offer in the customer tenant.
Add new authorization in the ARM template for a user/group with "Reader" built-in role id. (In our case, we decided to use an AD group because people in the organization is temporary)
Upload the new ARM template and re-onboarded the client.
After a couple of hours, the client's subscription showed in the subscription list in the section: Directories + subscriptions, checked it, and saw all the resources from the service provider's tenant.
I found a solution for this issue.
The Azure Lighthouse->My customers list on the azure portal only shows subscriptions activated in the global directories and subscription filter.
Please go to the global directories and subscriptions filter (in the portal top navigation) and open the drop downs for directories and for subscriptions and check, if your customer subscription appears here.
If yes, select all entries in both drop downs.
After that go back to Azure Lighthouse->My customers
and check, if the customer subscription appears now.
Azure ARM handles identity requirements for the requests it receives through Azure AD. The requesting user should be a valid Azure AD user with a valid identity and authorization roles. The azure subscription for which the request is made should comply to deployment limits and biling policies.
There is a role of Azure Tenant that is associated with requesting user and Subscription. What role these tenants play and what is the workflow ?
I'm not sure what you mean exactly by the role of the Azure tenant in this context, but you can assign roles at the tenant scope and that's what the ARM template documentation describes. For example, you can assign an Owner role to a user at the tenant scope so that the user is an Owner of the tenant. As for the relationship between tenants and subscriptions, multiple subscriptions can trust the same Azure AD tenant, but each subscription can only trust a single tenant. You can associate a subscription with a tenant by logging in and selecting the Subscription, and then changing the directory. With a Global Admin or User Admin role, you can add or remove users from your tenant.
As I'm sure you already know, an Azure tenant is a dedicated and trusted instance of Azure AD. Typically, each tenant represents a single organization. The words "tenant" and "directory" are used interchangeably. The tenant is an account in Azure that comes with a subdomain and an associated Azure Active Directory. In order to use an Azure Active Directory you need to become a tenant within the system. So a tenant is basically securing a .onmicrosoft.com subdomain. At that point you would have one account registered in your Azure AD.
So in the context of the ARM template, you need an Azure tenant to house your users and link to your subscriptions.
A tenant represents an organization in Azure Active Directory. It's a dedicated Azure AD service instance that an organization receives and owns when it signs up for a Microsoft cloud service such as Azure, Microsoft Intune, or Microsoft 365. Each Azure AD tenant is distinct and separate from other Azure AD tenants. Once you have an Azure AD tenant, you can define an application and assign it permissions so it can call REST APIs. Your organization may already have an Azure AD tenant that you can use for your application.
In Azure AD, users are segmented into tenants. A tenant is a logical construct that represents a secure, dedicated instance of Azure AD typically associated with an organization. Each subscription is associated with an Azure AD tenant. Next, the ARM checks whether the user has sufficient permission to access a resource using Azure RBAC (Role based Access Control) which manages the permissions. An Azure role specifies a set of permissions a user may take on a specific resource. Next, the resource request is checked against an Azure Resource Policy which are defined to allow specific operations for a specific resource. Next, ARM checks the Azure subscription limit for the specific resources in that subscription for resource groups. And finally, the financial commitment associated with the subscription is checked as a final control before deploying the resource for management through the ARM.
ARM flow and working
Please find the below Microsoft documentation for your reference: -
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/govern/resource-consistency/resource-access-management
Thanking you,
Currently i am trying to dig deeper into the organizational/entity structure of ms azure. All I find online in discussions and official ms documentation only shows parts of the bigger picture but never the underlying relationships between them.
I try to formulate statements which I ask you to correct in case they are wrong:
I log in to the azure portal using an email adress witch is called account
In the azure portal I am acting in the context of a directory
The account i use to log in is associated with an identity in the directory
A directory belongs to a tenant
Signing up for MS Azure using my Microsoft Account will create a Tenant
A Subscription I create is assoiciated with but not created/stored within a directory (not with a tenant)
A Subscription I create is associated with the Account I am currently logged in, called Azure Account
A Management Group will be created within the directory per default, called Root Management Group
When no other Management Group is created, all Subscriptions I create are associated with this Root Management Group
Any thoughts on that?
Thanks TGY for your question. The terms "tenant" and "directory" are for the most part interchangeable and are used in Azure.
A tenant is an instance of an Azure Active Directory. The tenant is an account in Azure that comes with a subdomain and an associated Azure Active Directory. In order to use an Azure Active Directory you need to become a tenant within the system. So a tenant is basically securing a .onmicrosoft.com subdomain. At that point you would have one account registered in your Azure AD.
An Azure subscription is a logical container used to provision resources in Azure.It serves as a single billing unit for Azure resources in that services used in Azure are billed to a subscription. An Azure subscription is linked to a single account, but you can add multiple subscriptions to the same directory.
Please see this DOC if it helps you.
Root Management>>Management Group>>Subscription>>Resources Group>>Resources. So for IAM(Identity & Access Management) purpose, management Group is higher level than Subscription. Subscription is higher than Resource Group and Resource Group is higher than a particular resource level.
Please find below Architectural structure for more understanding and pictorial representation --