What is the difference between an Azure tenant and Azure subscription?

I am struggling to distinguish how an Azure subscription and an Azure tenant are different. I have tried figuring it out using examples, but each time I come to the conclusion that they are, in a way, the same thing. If a tenant is a dedicated instance of the Azure AD service that an organization receives and owns when it signs up for a Microsoft cloud service, then is that not what a subscription is too?


Basic understanding:

  • a tenant is associated with a single identity (person, company, or organization) and can own one or several subscriptions
  • a subscription is linked to a payment setup and each subscription will result in a separate bill
  • in every subscription, you can add virtual resources (VM, storage, network, ...)

Additionally:

  • Every tenant is linked to a single Azure AD instance, which is shared by all of the tenant's subscriptions

  • Resources from one subscription are isolated from resources in other subscriptions

  • An owner of a tenant can decide to have multiple subscriptions:

    • when subscription limits are reached
    • to use different payment methods
    • to isolate resources between different departments, projects, regional offices, and so on.

Example 1:

Contoso decides to have a tenant with 2 subscriptions:

  • one subscription for the Prod department with Credit Card A
  • one subscription for the Dev department with Credit Card B
    (but could also be the same Credit Card as the one of another subscription)

In this example, the two departments share the same Azure AD database. However, resources are isolated between departments, and budgets can be separated too.

Example 2:

A holding company decides to have 2 tenants:

  • one tenant for subsidiary Contoso with one subscription for Dev and Prod
  • one tenant for subsidiary Fabrikam with one subscription for Dev and another subscription for Prod

In this example, both companies have a different Azure AD database.

Example 3:

You have a tenant for your personal training.
In this tenant, you can have:

  • one free Azure subscription (linked to a credit card but not charged, and can be converted to a Pay-As-You-Go subscription after the free trial)
  • one or several Pay-As-You-Go subscriptions (linked to different credit cards)
  • one or several Azure Pass Sponsorship subscriptions, not linked to any credit card because these subscriptions are obtained during Microsoft trainings
  • one Visual Studio subscription (linked to a credit card) and with different quotas (of free resources) than the free subscription

Although all those subscriptions have isolated resources (per subscription), and some are free while you have to pay for others, all subscriptions share the same Azure AD database.
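The tenant-to-subscription relationship above is exactly what you see when you list the subscriptions your account can reach. The following is an added example, not code from the answer: it takes the JSON shape that `az account list --all --output json` returns (fields `id`, `name`, `tenantId`, `state`, `isDefault`), groups enabled subscriptions under the tenant (Azure AD directory) that owns them, and flags any subscription that lives in a tenant other than your expected home tenant, since the administrators of that other directory, not yours, control the identities with access to it. The sample document and every GUID in it are constructed placeholders.

```python
"""Group Azure subscriptions by owning tenant (added example, not from the answer)."""
import json
from collections import defaultdict

# Constructed sample of `az account list --all --output json`; GUIDs are made up.
SAMPLE_ACCOUNT_LIST = json.dumps([
    {"id": "11111111-1111-1111-1111-111111111111", "name": "Prod",
     "tenantId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "state": "Enabled", "isDefault": True},
    {"id": "22222222-2222-2222-2222-222222222222", "name": "Dev",
     "tenantId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "state": "Enabled", "isDefault": False},
    {"id": "33333333-3333-3333-3333-333333333333", "name": "Partner Sandbox",
     "tenantId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb", "state": "Enabled", "isDefault": False},
    {"id": "44444444-4444-4444-4444-444444444444", "name": "Old Trial",
     "tenantId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "state": "Disabled", "isDefault": False},
])


def group_by_tenant(account_list_json: str) -> dict:
    """Return {tenantId: [sorted subscription names]} for enabled subscriptions only."""
    grouped = defaultdict(list)
    for sub in json.loads(account_list_json):
        if sub.get("state") != "Enabled":
            continue  # disabled subscriptions cannot hold running resources
        grouped[sub["tenantId"]].append(sub["name"])
    return {tenant: sorted(names) for tenant, names in grouped.items()}


def foreign_tenant_subscriptions(account_list_json: str, home_tenant: str) -> list:
    """Names of enabled subscriptions whose directory is not the expected home tenant.

    Such access was granted from another directory; review it, because that
    directory's admins decide who else can reach the subscription.
    """
    return sorted(
        sub["name"]
        for sub in json.loads(account_list_json)
        if sub.get("state") == "Enabled" and sub["tenantId"] != home_tenant
    )


if __name__ == "__main__":
    home = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"  # constructed placeholder tenant ID
    for tenant, names in group_by_tenant(SAMPLE_ACCOUNT_LIST).items():
        print(f"{tenant} -> {', '.join(names)}")
    print("outside home tenant:", foreign_tenant_subscriptions(SAMPLE_ACCOUNT_LIST, home))
```

To run it against a real account, replace `SAMPLE_ACCOUNT_LIST` with the output of `az account list --all --output json` and set `home` to the tenant ID shown under your username in the portal.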


Azure tenant is a directory. Azure subscription is an object that represents a "folder" that you can put resources in. Subscriptions are tied to tenants, so one tenant can have many subscriptions, but not vice versa.

Link:
https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits


It helps to take a scenario:

Let's say you logged into portal.azure.com for the first time and created a free tier account.

When you log in to Azure, you have a single tenant ID associated with your account, which will not change unless you ask Microsoft to delete your account (this is not your Azure domain user, this is your Microsoft subscription account, e.g. [email protected]).

You will only have 1 subscription unless you've purchased or manage other subscriptions (by using the 'transfer billing ownership' function), then they will all be listed under subscriptions.

You will have FULL access to all "resources" associated with your tenant ID. These resources can be part of your own Azure 'directory' or from another domain that someone has given you access to.

You can create up to 20 directories, and you can belong to up to 500 directories.

When you own the subscription (e.g. a free account) you'll have full rights up to the 'root' of the subscription. For example, if you click on your name in the top right corner and select "... > your permissions" you see something like: Your account '[email protected]' has been assigned the role 'User Access Administrator' (type BuiltInRole) and has access to scope /.

Your resources have Role Based Access controls that you, the subscription owner, can assign to other users in your Azure Active Directory (or other trusted directories).

By default, for a new subscription, the Account Administrator is assigned the "Service Administrator" privilege. This is 'above' the RBAC roles - there can only be one service administrator per subscription. In RBAC terms this is an 'owner'.

More points:

A single tenant can have multiple AD directories, but a single directory can only have 1 tenant.

  • It is recommended to maintain only a single tenant and manage all of your AD domains from that single tenant; otherwise the user experience between domains will not be seamless.

  • A tenant is directly associated with an AD resource: if you mouse over your username in the top right corner you'll see the AD domain you're connected to and a long alphanumeric string; that's the same string in AD > properties.

  • If you switch to another directory (assuming you have one), your subscription name ([email protected]) doesn't change, but the tenant ID will be different.

References:

https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles

https://marckean.com/2016/06/01/azure-vs-azure-ad-accounts-tenants-subscriptions/

https://blogit.create.pt/miguelisidoro/2019/01/07/pros-and-cons-of-single-tenant-vs-multiple-tenants-in-office-365/
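The "access to scope /" line quoted above is worth understanding, because Azure RBAC scopes inherit downward: a role assigned on a subscription applies to every resource group and resource inside it, and an assignment on the root scope "/" applies everywhere the account can reach. The following is an added example, not code from the answer, that checks which assignments from a list actually apply to a given resource ID, using the same prefix-matching rule Azure uses (segment by segment, case-insensitive), and lists root-scope assignments separately because those are the ones to audit first. The subscription IDs, principals and resource IDs are constructed placeholders.

```python
"""Resolve which Azure RBAC role assignments apply to a resource (added example)."""


def _segments(scope: str) -> list:
    """Split a scope or resource ID into lower-cased path segments; "/" becomes []."""
    return [s.lower() for s in scope.strip("/").split("/") if s]


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """True if a role assigned at assignment_scope is inherited by resource_id.

    Azure compares resource IDs case-insensitively, so "resourceGroups/RG-DEV"
    and "resourcegroups/rg-dev" are the same scope.
    """
    parent = _segments(assignment_scope)
    child = _segments(resource_id)
    return child[: len(parent)] == parent


def effective_assignments(assignments: list, resource_id: str) -> list:
    """Return the assignments that apply to resource_id, widest scope first."""
    hits = [a for a in assignments if scope_covers(a["scope"], resource_id)]
    return sorted(hits, key=lambda a: len(_segments(a["scope"])))


def root_scope_assignments(assignments: list) -> list:
    """Assignments on "/" apply to every subscription; these deserve the closest review."""
    return [a for a in assignments if _segments(a["scope"]) == []]


# Constructed sample assignments; IDs and principals are placeholders.
SAMPLE_ASSIGNMENTS = [
    {"principal": "owner@contoso.example", "role": "User Access Administrator", "scope": "/"},
    {"principal": "dev-team", "role": "Contributor",
     "scope": "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-dev"},
    {"principal": "auditor", "role": "Reader",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
]

# Constructed resource ID for a VM in the Dev subscription's rg-dev resource group.
SAMPLE_VM = (
    "/subscriptions/22222222-2222-2222-2222-222222222222/resourcegroups/RG-DEV"
    "/providers/Microsoft.Compute/virtualMachines/vm1"
)


if __name__ == "__main__":
    for a in effective_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_VM):
        print(f"{a['principal']:22} {a['role']:26} via {a['scope']}")
    print("root-scope assignments:", [a["principal"] for a in root_scope_assignments(SAMPLE_ASSIGNMENTS)])
```

The `auditor` Reader assignment does not reach the VM because it sits in a different subscription, while the root-scope User Access Administrator reaches every resource in every subscription the tenant exposes.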


This MS doc has explained everything very nicely - Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings

Multiple Microsoft cloud offering subscriptions can use the same Azure AD tenant that acts as a common identity provider. A central Azure AD tenant that contains the synchronized accounts of your on-premises AD DS provides cloud-based Identity as a Service (IDaaS) for your organization.

Quoting from the documentation:

Summary of the hierarchy

  • An organization can have multiple subscriptions
    • A subscription can have multiple licenses
    • Licenses can be assigned to individual user accounts
    • User accounts are stored in an Azure AD tenant


So, the organization's user accounts reside in a common Azure AD tenant.


Simply put, an instance of Azure AD is what an organization receives when the organization creates a relationship with Microsoft such as signing up for Azure, Microsoft Intune, or Microsoft 365.

A tenant is similar to a forest in an on-premises environment.

An Active Directory forest (AD forest) is the topmost logical container in an Active Directory configuration that contains domains, users, computers, and group policies.