Difference between an Azure AD "directory" and an Azure AD "tenant"?

azure-active-directory

Hopefully this is a quick answer: I'm starting some work with Azure AD and a term I'm seeing over and over is an Azure AD "tenant". It seems to be synonymous and used interchangeably with an Azure AD "directory", but is it?

I'm probably just being pedantic, and I'm guessing it's obvious to everyone else, but nothing I can find explains this plainly. This is the closest thing I've found and even that makes a jump I can't follow, switching terms from "tenant" to "directory" without explaining:

With the identity platform provided by Microsoft Azure, a tenant is simply a dedicated instance of Azure Active Directory (Azure AD) that your organization receives and owns when it signs up for a Microsoft cloud service such as Azure or Office 365.

Each Azure AD directory is distinct and separate from other Azure AD directories. Just like a corporate office building is a secure asset specific to only your organization, an Azure AD directory [...]

Can anyone just confirm the relationship between these two terms, for the record?


You are correct, in order to use Azure AD you must become a "tenant" within the system. So a tenant is basically just securing a .onmicrosoft.com sub-domain. At that point you would have one account registered in your Azure AD. From there, you can activate Office365, Intune or any of the Azure services.


I don't have enough rep to comment on the other answer, but the comment "You can have multiple AAD directories assigned to a single subscription." is not correct per the documentation, rather the opposite. https://docs.microsoft.com/en-us/azure/active-directory/active-directory-how-subscriptions-associated-directory

Multiple subscriptions can trust the same directory, but each subscription trusts only one directory.

My understanding is that "tenant" and "directory" are basically used interchangeably in the Active Directory documentation. I think it's just more convenient to use "tenant" sometimes since the title of the service is "Active Directory" so referring to an "Active Directory directory", for example, would be confusing.


You may find this blog post and associated diagram helpful:

  • https://marckean.com/2016/06/01/azure-vs-azure-ad-accounts-tenants-subscriptions/

The author's answer to your question seems to depend on how you obtain your Azure,

many of you would be setup with Azure in the middle (account) [tenant] level by possibly using a credit card or other type of licensing. Or some might be setup with the bottom level only in the case of CSP licensing.

Azure account / tenant / subscription hierarchy


Azure tenant A dedicated and trusted instance of Azure AD that's automatically created when your organization signs up for a Microsoft cloud service subscription, such as Microsoft Azure, Microsoft Intune, or Office 365. An Azure tenant represents a single organization.

Azure AD directory Each Azure tenant has a dedicated and trusted Azure AD directory. The Azure AD directory includes the tenant's users, groups, and apps and is used to perform identity and access management functions for tenant resource

source: What is Azure AD

Related

Resources for the accidental DBA [closed]
Network Printers Offline (but not really)
Managing iptables rules in Linux
Supervisor always quit process with 'exit status 0; not expected'
Long-term storage of Business Critical data
Why can't I cd into a directory?
vsFTPd default uploaded file permissions on Ubuntu not working
Deploying VM from vmdk / vmx file
ssh command line specify server host key fingerprint
Mount an VHD on Mac OS X
A secure, standard iptables rule-set for a basic HTTP(s) webserver
Disable IPv6 on Loopback address (Localhost, Computer name, ...)