AZ-900 | Chapter 65 of 127 | Objective 2.1

Azure Tenants and Directories

This chapter covers Azure tenants and directories, the foundational identity and access management layer of Microsoft Azure. Understanding tenants and Azure Active Directory (Azure AD) is critical for the AZ-900 exam because it underpins secure access to all Azure services. This objective area (Azure Architecture Services, Objective 2.1) represents approximately 15–20% of the exam questions, making it a high-weight topic. By the end of this chapter, you will grasp the relationship between Azure AD, tenants, subscriptions, and how they enable identity-based access control at cloud scale.

25 min read
Beginner
Updated May 31, 2026

The Corporate HQ and Regional Branches

Think of an Azure tenant as the corporate headquarters of a large multinational company. The headquarters holds the master list of all employees, their roles, and the security policies that apply across the entire organization. When a new employee is hired, their identity is created in the headquarters—this is like a user account created in Azure Active Directory (Azure AD) within the tenant. Now, consider that this company has multiple regional branch offices, each with its own building and local resources like printers, servers, and conference rooms. These branches are like Azure subscriptions. The headquarters (tenant) does not directly own the physical resources; it simply grants permission for employees to access the resources in each branch. When an employee from one branch visits another, they can still use their headquarters-issued badge to access the local resources, provided the headquarters has authorized it. This is how Azure AD enables single sign-on (SSO) across subscriptions. The tenant itself is a dedicated instance of Azure AD, and it is the top-level boundary for identity and security. You can have multiple subscriptions under one tenant, but the tenant is the authoritative source for who can do what. If the headquarters is compromised, all branches are at risk—just as a breach in Azure AD affects all subscriptions and resources within that tenant.

How It Actually Works

What Is an Azure Tenant?

An Azure tenant is a dedicated and isolated instance of Azure Active Directory (Azure AD) that an organization receives when it signs up for a Microsoft cloud service, such as Azure, Microsoft 365, or Dynamics 365. Think of the tenant as the top-level container for identity and security—it holds all user accounts, groups, and application registrations for that organization. Every Azure subscription must be associated with exactly one tenant, and that tenant provides the identity backbone for all resources within those subscriptions.

The business problem an Azure tenant solves is identity federation and centralized management. Without a tenant, each Azure subscription would need its own separate user database, making it impossible to have single sign-on (SSO), consistent security policies, or unified auditing across subscriptions. The tenant enables organizations to manage identities once and apply access controls across all their Azure resources.

How Does an Azure Tenant Work?

The mechanism starts when an organization signs up for Azure. Microsoft creates a new Azure AD directory for that organization, which is the tenant. This directory is a cloud-based identity store that implements the same core protocols as on-premises Active Directory (Kerberos, LDAP, etc.) but is fully managed by Microsoft. When a user authenticates to Azure, they are actually authenticating against their tenant’s Azure AD instance.

Behind the scenes, Azure AD uses OAuth 2.0 and OpenID Connect for authentication and authorization. When a user logs in, Azure AD issues a token that contains claims about the user’s identity and group memberships. Azure resources (like VMs, storage accounts, or databases) trust these tokens because they are configured to use Azure AD as their identity provider. The token is passed to the resource, which validates it using Azure AD’s public keys. This process happens automatically and is transparent to the user.
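The validation step described above, as an added example (this is not code from the page): a resource receives a token and has to bind it to its own tenant before trusting any claim in it. Azure AD signs tokens with RSA (RS256) and publishes the verification keys; so that the block runs offline with only the standard library, an HMAC-SHA256 key stands in for that signature, and the tenant ID, audience URI and key are constructed. The claim checks are the part that carries over unchanged: a valid signature proves the token came from Azure AD, while the iss and tid claims are what prove it came from this tenant, and aud proves it was minted for this resource.

```python
"""Tenant-bound validation of an Azure AD-style access token.

Added example, not code from the page. Azure AD signs tokens with RSA (RS256) and
publishes the public keys for verification; to run offline with the standard
library only, an HMAC-SHA256 key stands in for that signature. The claim checks
(iss, tid, aud, nbf/exp) are the ones a resource must perform to bind a token to
its own tenant. All identifiers below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

EXPECTED_TENANT = "11111111-1111-1111-1111-111111111111"   # constructed tenant ID (GUID)
EXPECTED_AUDIENCE = "api://contoso-expense-app"            # constructed app ID URI of the resource
SIGNING_KEY = b"constructed-key-standing-in-for-azure-ad-rsa-key"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(tenant_id, audience, upn, groups, now=None, lifetime=3600):
    """Mint a token the way a tenant's Azure AD would (HMAC stand-in for RS256)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        "tid": tenant_id,          # issuing tenant
        "aud": audience,           # resource the token is for
        "upn": upn,
        "groups": groups,          # group memberships the resource authorizes on
        "nbf": now,
        "exp": now + lifetime,
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def validate_token(token, now=None):
    """Return the claims if the token is valid for this resource; raise ValueError otherwise.

    Order matters: algorithm pinning and the signature come first, so no claim is
    trusted before its integrity is established.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":      # pin the expected algorithm (RS256 with real Azure AD)
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(claims_b64))
    # Bind the token to this tenant: a valid signature alone does not say which tenant issued it.
    expected_iss = f"https://login.microsoftonline.com/{EXPECTED_TENANT}/v2.0"
    if claims.get("tid") != EXPECTED_TENANT or claims.get("iss") != expected_iss:
        raise ValueError("token issued by a different tenant")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token not intended for this resource")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token expired or not yet valid")
    return claims


def verdict(token, now=None):
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        validate_token(token, now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    good = issue_token(EXPECTED_TENANT, EXPECTED_AUDIENCE, "alice@contoso.com", ["Developers"], now=1_700_000_000)
    other = issue_token("22222222-2222-2222-2222-222222222222", EXPECTED_AUDIENCE, "user@fabrikam.com", [], now=1_700_000_000)
    print("same tenant:", verdict(good, now=1_700_000_100))
    print("other tenant:", verdict(other, now=1_700_000_100))
```

The second token in the main block is signed correctly and addressed to the right resource, but it was issued by another tenant; only the iss/tid comparison rejects it. That is the practical meaning of "the tenant is the identity boundary": the resource, not Azure AD, is the component that has to enforce which tenant it trusts.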

Key Components of Azure AD

Users: Each user has a unique User Principal Name (UPN) that looks like an email address (e.g., user@contoso.com). Users can be cloud-only (created in Azure AD) or synchronized from on-premises AD using Azure AD Connect.

Groups: Azure AD supports two types of groups: security groups (for assigning permissions) and Microsoft 365 groups (for collaboration). Groups can be static (manually assigned members) or dynamic (membership based on rules, e.g., all users in Sales department).

Applications: Azure AD can register applications and control which users or groups can access them. This enables SSO for SaaS apps like Salesforce, ServiceNow, or custom line-of-business applications.

Service Principals: A service principal is an identity for an application or automated tool (like Azure DevOps) to access Azure resources. It is analogous to a service account in on-premises AD.

Domains: Each tenant has an initial domain like contoso.onmicrosoft.com. Organizations can add custom domains (e.g., contoso.com) and verify ownership via DNS records. Custom domains allow users to sign in with familiar email addresses.

Azure AD comes in four editions: Free, Office 365 Apps, Premium P1, and Premium P2. The Free edition, included with any Azure subscription, provides user and group management, SSO, and basic security reports. P1 adds advanced administration tools like Conditional Access and dynamic groups. P2 adds Identity Protection and Privileged Identity Management (PIM).

Relationship Between Tenant, Subscription, and Resources

A tenant is the identity container, while a subscription is the billing and resource container. A single tenant can have multiple subscriptions, and each subscription is associated with exactly one tenant. Resources (VMs, databases, etc.) live inside a subscription. When you assign a user access to a resource, you are actually granting that user’s tenant-level identity permission to the resource via Azure RBAC (Role-Based Access Control). This separation allows an organization to have multiple subscriptions (e.g., dev, test, prod) while using the same user identities across them.

Comparison to On-Premises Active Directory

On-premises Active Directory (AD DS) is a directory service that runs on Windows Server, typically in a corporate data center. It uses Kerberos for authentication and a hierarchical domain structure. Azure AD is a cloud-based identity service that uses REST APIs and modern protocols (OAuth, OpenID Connect, SAML). Unlike on-premises AD, Azure AD does not support computer objects, group policies, or NTLM authentication. It is designed for cloud applications and services, not for managing on-premises computers. However, Azure AD Connect can synchronize users and passwords between on-premises AD and Azure AD, providing a hybrid identity model.

Azure Portal and CLI Touchpoints

In the Azure portal, you can manage your tenant by navigating to Azure Active Directory (the service name). Here you can create users, groups, register applications, and configure security features like Conditional Access and Identity Protection.

Using the Azure CLI, you can query tenant information:

# List all tenants associated with your account
az account list --query "[].{Name:name, TenantId:tenantId}" --output table

# Get details of your current tenant
az account show --query tenantId

To create a new user in Azure AD via CLI:

# Create a cloud-only user; the password is a placeholder for the example (in practice, supply it from a secret store rather than typing it on the command line, where it lands in shell history)
az ad user create --display-name "John Doe" --user-principal-name johndoe@contoso.com --password "P@ssw0rd!"

Concrete Business Scenario

Consider a company called Contoso with 5,000 employees. They have three Azure subscriptions: one for development, one for testing, and one for production. Without a tenant, each subscription would need its own user database, and employees would need separate accounts for each subscription. With an Azure tenant, Contoso creates all user accounts once in Azure AD. They then assign RBAC roles (e.g., Contributor, Reader) to users or groups at the subscription or resource group level. When a new developer joins, they are added to the “Developers” group, which automatically grants them Contributor access to the dev subscription. No manual permission setup is needed per subscription. This centralization reduces administrative overhead and improves security by ensuring consistent identity policies.

Walk-Through

1. Create an Azure Tenant

When you sign up for an Azure account, a tenant is automatically created for you. The tenant is associated with the email domain you used during sign-up. If you already have a Microsoft 365 tenant, that same tenant can be used for Azure. To create a new tenant manually, go to Azure Portal > Azure Active Directory > Manage tenants > Create. You must specify an organization name, initial domain (e.g., contoso.onmicrosoft.com), and country/region. The country cannot be changed later because it determines data residency. Behind the scenes, Azure provisions a new Azure AD directory with a globally unique tenant ID (a GUID). This tenant is isolated from all other tenants by default—users from Tenant A cannot access resources in Tenant B unless explicitly invited via B2B collaboration.

2. Add a Custom Domain

After the tenant is created, you can add a custom domain (e.g., contoso.com) to provide a familiar sign-in experience. In Azure AD > Custom domain names, click Add custom domain. Enter the domain name and click Add. Azure AD will generate a TXT record or MX record that you must add to your DNS registrar. Once the domain is verified (by Azure querying the DNS record), it becomes available for user UPNs and application URLs. This step is critical because without verification, you cannot use the domain for authentication. If you have multiple domains, you can add them all; Azure AD allows up to 500 custom domains per tenant. Verification must be repeated for each domain.

3. Create Users and Groups

Users can be created directly in Azure AD (cloud-only) or synchronized from on-premises AD using Azure AD Connect. To create a cloud user, go to Azure AD > Users > New user. Fill in the name, username (UPN), and initial password. You can also assign roles like Global Administrator or User Administrator at creation. Groups are created similarly under Azure AD > Groups. Choose between security group (for RBAC) or Microsoft 365 group. You can assign members manually or create a dynamic membership rule (e.g., (user.department -eq "Sales")). Dynamic groups require Azure AD Premium P1. Once a user is created, they can sign in to the Azure portal and access resources based on RBAC permissions.

4. Associate a Subscription with the Tenant

When you create a new Azure subscription (e.g., via Azure Portal or EA enrollment), it must be associated with a tenant. By default, the subscription is linked to the tenant of the account that created it. You can change the subscription’s tenant by transferring it, but this requires both the source and destination tenants to be in the same Azure AD organization. The subscription’s billing ownership is separate from identity—the subscription has a billing account owner (who pays) and a directory owner (who controls access). For the exam, remember that a subscription can only be associated with one tenant at a time, but a tenant can have many subscriptions. This one-to-many relationship is a common exam point.

5. Assign RBAC Roles via the Tenant

Once the tenant has users and the subscription is linked, you can assign Azure RBAC roles. In the Azure portal, go to the subscription (or resource group) > Access control (IAM) > Add role assignment. Select a role (e.g., Contributor, Reader) and choose a user or group from the tenant. The user’s identity is resolved from the tenant’s directory. Behind the scenes, Azure RBAC uses Azure AD as the source of truth. When the user attempts to access the resource, Azure AD issues a token with the user’s group memberships, and the resource’s authorization layer checks if the token has a role that allows the action. This entire process happens in milliseconds. If a user is removed from the tenant, they automatically lose access to all resources across all subscriptions under that tenant.
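The five walk-through steps as one runnable model, added here as an example; it is not code from the page or from Microsoft, and the class names (Tenant, Subscription, User, Group), the evaluate_rule helper, the ROLE_ACTIONS table and every ID, UPN and scope string are constructed for the illustration. It models exactly the relationships the steps describe: a tenant owns users and groups (static members or a dynamic rule like the one in step 3), a subscription is bound to one tenant and resolves every principal through it, a role assignment at a scope inherits down the resource hierarchy, a B2B guest can receive an RBAC role on a resource group but not a directory role, and deleting a user from the tenant ends their access in every subscription at once. The dynamic-rule evaluator covers only the -eq/-ne/-and/-or subset of the real syntax, without nested parentheses.

```python
"""Tenant / subscription / RBAC scope model (added example; not code from the page or Microsoft).
Role-to-action table, IDs, UPNs and scope strings are constructed for the example; the
dynamic-rule evaluator handles only a subset of the real membership-rule syntax."""
import re
from dataclasses import dataclass, field

ROLE_ACTIONS = {"Reader": {"read"}, "Contributor": {"read", "write", "delete"}}  # constructed subset
GUEST = "dan_fabrikam.com#EXT#@contoso.onmicrosoft.com"   # UPN shape of a B2B guest (constructed)

@dataclass
class User:
    upn: str
    department: str = ""
    userType: str = "Member"                    # "Guest" for B2B-invited users
    directory_roles: set = field(default_factory=set)

@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)   # static membership
    rule: str = ""                               # dynamic rule, e.g. (user.department -eq "Sales")

_CONDITION = re.compile(r'\(?\s*user\.(\w+)\s+-(eq|ne)\s+"([^"]*)"\s*\)?')

def evaluate_rule(rule, user):
    """Subset of the dynamic-membership syntax: -eq/-ne conditions joined by -and/-or
    (no nested parentheses; -and binds tighter than -or)."""
    def condition(text):
        match = _CONDITION.fullmatch(text.strip())
        if not match:
            raise ValueError(f"unsupported rule fragment: {text!r}")
        attr, op, value = match.groups()
        equal = getattr(user, attr, None) == value
        return equal if op == "eq" else not equal
    return any(all(condition(c) for c in re.split(r"\s+-and\s+", clause))
               for clause in re.split(r"\s+-or\s+", rule))

class Tenant:
    def __init__(self, tenant_id, initial_domain):
        self.tenant_id, self.initial_domain = tenant_id, initial_domain
        self.users, self.groups = {}, {}

    def add_user(self, user): self.users[user.upn] = user
    def add_group(self, group): self.groups[group.name] = group

    def delete_user(self, upn):
        """Removing the identity here is enough: every subscription resolves users via the tenant."""
        del self.users[upn]
        for group in self.groups.values():
            group.members.discard(upn)

    def assign_directory_role(self, upn, role):
        user = self.users[upn]
        if user.userType == "Guest":
            raise PermissionError("guest users cannot hold Azure AD directory roles")
        user.directory_roles.add(role)

    def groups_of(self, upn):
        user = self.users[upn]
        return {g.name for g in self.groups.values()
                if upn in g.members or (g.rule and evaluate_rule(g.rule, user))}

class Subscription:
    def __init__(self, sub_id, tenant):
        self.sub_id, self.tenant = sub_id, tenant   # exactly one tenant per subscription
        self.assignments = []                        # (scope, principal, role)

    def assign_role(self, scope, principal, role):
        """The principal must resolve in this subscription's own tenant (user UPN or group name)."""
        if principal not in self.tenant.users and principal not in self.tenant.groups:
            raise LookupError(f"{principal} is not in tenant {self.tenant.tenant_id}")
        self.assignments.append((scope, principal, role))

    def is_allowed(self, upn, action, resource_scope):
        if upn not in self.tenant.users:             # deleted or never existed: no access anywhere
            return False
        principals = {upn} | self.tenant.groups_of(upn)
        for scope, principal, role in self.assignments:
            inherited = resource_scope == scope or resource_scope.startswith(scope + "/")
            if principal in principals and inherited and action in ROLE_ACTIONS[role]:
                return True
        return False

def build_contoso():
    """Constructed tenant: a dynamic group, a static group, a B2B guest and two subscriptions."""
    contoso = Tenant("11111111-1111-1111-1111-111111111111", "contoso.onmicrosoft.com")
    contoso.add_user(User("alice@contoso.com", department="Engineering"))
    contoso.add_user(User("bob@contoso.com", department="HR"))
    contoso.add_user(User(GUEST, userType="Guest"))
    contoso.add_group(Group("Developers", rule='(user.department -eq "Engineering")'))
    contoso.add_group(Group("HR-Group", members={"bob@contoso.com"}))
    dev, prod = Subscription("sub-dev", contoso), Subscription("sub-prod", contoso)
    dev.assign_role("/subscriptions/sub-dev", "Developers", "Contributor")
    prod.assign_role("/subscriptions/sub-prod", "HR-Group", "Reader")
    dev.assign_role("/subscriptions/sub-dev/resourceGroups/rg-shared", GUEST, "Contributor")
    return contoso, dev, prod

if __name__ == "__main__":
    contoso, dev, prod = build_contoso()
    print("alice may write in dev:", dev.is_allowed("alice@contoso.com", "write", "/subscriptions/sub-dev/resourceGroups/rg-app"))
```

Two design points worth noticing when you run it: the subscription never stores users, only references that it resolves through its tenant at check time, which is why delete_user needs no per-subscription cleanup; and scope inheritance is a path-prefix test on a "/" boundary, so an assignment on rg-shared does not leak to rg-shared2.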

What This Looks Like on the Job

Scenario 1: Enterprise with Multiple Subscriptions and Departments

A large enterprise like Contoso has 10,000 employees, 4 Azure subscriptions (dev, test, prod, shared services), and multiple departments (HR, Finance, Engineering). The IT team manages all identities in a single Azure AD tenant. They create security groups for each department (e.g., HR-Group, Finance-Group) and assign RBAC roles at the subscription level. For example, HR-Group gets Reader access to the prod subscription, while Engineering-Group gets Contributor access to the dev subscription. When an employee moves from Finance to Engineering, the IT team simply updates their group membership—no need to touch permissions on individual subscriptions. This saves hundreds of hours per year and reduces security risks from stale permissions.

What goes wrong? If the tenant is accidentally deleted (which requires special permissions and confirmation), all users and groups are lost, and all subscriptions become orphaned—they cannot be accessed until a new tenant is associated. Recovery is extremely complex. Therefore, Microsoft requires at least two Global Administrators per tenant and recommends using Privileged Identity Management (PIM) for just-in-time access.

Scenario 2: SaaS Application Integration with Azure AD

A mid-size company, Fabrikam, uses Salesforce, Slack, and a custom expense application. They want employees to sign in once with their corporate credentials. Fabrikam registers each SaaS application in their Azure AD tenant as an Enterprise Application. They configure SAML-based SSO between Azure AD and Salesforce. When an employee logs into the Azure portal, they see a tile for Salesforce. Clicking it triggers a SAML authentication flow: Azure AD issues a SAML assertion, which the employee’s browser posts to Salesforce. Salesforce validates the assertion using a certificate from Azure AD and logs the user in. No separate username/password for Salesforce is needed.

Cost consideration: Azure AD Free supports up to 10 enterprise applications per user. For more apps or advanced features like Conditional Access, they need Azure AD Premium P1. If they skip licensing, users may face MFA prompts every time, or the SSO integration may not work for all apps.

Scenario 3: Merger and Acquisition (Multiple Tenants)

Company A acquires Company B. Both have separate Azure AD tenants. To collaborate, they can use Azure AD B2B collaboration to invite users from Tenant B into Tenant A as guest users. This allows Tenant A users to share resources (like a storage account) with Tenant B users without requiring Tenant B to migrate. However, guest users have limited permissions by default (e.g., they cannot browse the tenant directory). If the companies eventually merge their IT systems, they can migrate identities from Tenant B to Tenant A using Azure AD tenant-to-tenant migration tools. This is a complex project that involves re-creating users, groups, and RBAC assignments. A common mistake is to assume guest access is sufficient for long-term collaboration, but guest users cannot be assigned Azure roles that require directory-level permissions (like Global Admin).

How AZ-900 Actually Tests This

Exactly What AZ-900 Tests

Objective 2.1: Describe the core architectural components of Azure. This includes understanding the relationship between tenants, subscriptions, and resource groups. The exam will ask you to differentiate between an Azure AD tenant and an Azure subscription. You must know that a tenant is an instance of Azure AD, and it is the identity boundary. A subscription is a billing and resource management boundary. They are not the same thing.

Common Wrong Answers and Why Candidates Choose Them

1. "A tenant is the same as a subscription." Candidates choose this because both are created when you sign up for Azure. But the tenant is the directory of users, while the subscription is the container for resources. The exam tests this distinction directly.

2. "One subscription can be associated with multiple tenants." This is false. A subscription is associated with exactly one tenant. However, a tenant can have multiple subscriptions. Candidates often reverse this relationship.

3. "Azure AD is the same as on-premises Active Directory." While both are directory services, Azure AD is cloud-native, uses REST APIs, and does not support computer objects or GPOs. The exam expects you to know they are different.

4. "You can have multiple Azure AD directories per subscription." No. Each subscription belongs to one directory. You can, however, have multiple tenants (directories) in your Azure account, but each subscription is tied to only one.

Specific Terms and Values That Appear Verbatim

Tenant ID: A globally unique GUID that identifies your Azure AD instance. You can find it in Azure AD > Properties.

Initial domain: contoso.onmicrosoft.com – this is the default domain for a new tenant.

Custom domain: A verified domain you add (e.g., contoso.com).

Azure AD Connect: The tool to sync on-premises AD to Azure AD.

RBAC: Role-Based Access Control – assigns permissions to users/groups at scope (subscription, resource group, resource).

Global Administrator: The highest-level admin role in Azure AD. There must be at least two.

Edge Cases and Tricky Distinctions

Guest users vs. member users: Guest users (B2B) have limited directory permissions. They cannot browse the tenant directory or be assigned certain Azure roles. The exam may ask which roles a guest can be assigned—they can be assigned Azure RBAC roles on resources (e.g., Contributor on a VM) but not Azure AD roles like Global Administrator.

Service principals vs. user accounts: A service principal is an identity for an application. It has no password but uses certificates or client secrets. The exam may ask how an automated script authenticates—answer: service principal.

Tenant deletion: Deleting a tenant is irreversible and requires confirmation. It removes all users, groups, and app registrations. Subscriptions become orphaned.

Memory Trick / Decision Tree

When you see a question about where identities are stored, ask yourself: "Is this about who can access resources?" If yes, the answer is Azure AD (tenant). If the question is about billing or resource limits, it's the subscription. Use this mnemonic: "Tenant = Team Roster; Subscription = Budget Bucket." The team roster (tenant) lists all players; the budget bucket (subscription) holds the money for resources. You need both to play the game (access Azure).

Key Takeaways

An Azure tenant is a dedicated instance of Azure Active Directory that serves as the identity boundary for an organization.

Every Azure subscription is associated with exactly one Azure AD tenant; a tenant can have multiple subscriptions.

Azure AD is not the same as on-premises Active Directory; it uses modern protocols (OAuth, OpenID Connect) and does not support computer objects or GPOs.

Custom domains (e.g., contoso.com) must be verified via DNS records before they can be used for user sign-in.

Azure AD Free edition is included with any Azure subscription and provides basic identity management and SSO.

Azure AD Premium P1 adds Conditional Access, dynamic groups, and advanced administration; P2 adds Identity Protection and Privileged Identity Management.

RBAC permissions are assigned to users or groups from the tenant at a scope (subscription, resource group, or resource).

Guest users (B2B collaboration) can access shared resources but have limited directory permissions and cannot be assigned Azure AD admin roles.

The Global Administrator role is the highest-level admin role; at least two should be assigned to prevent lockout.

Azure AD Connect is the tool to synchronize on-premises AD users and groups to Azure AD for hybrid identity.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Azure AD Tenant

Identity boundary: stores users, groups, and app registrations.

One tenant can have many subscriptions.

Provides authentication and authorization services.

Has a globally unique Tenant ID (GUID).

Can be created independently of subscriptions (e.g., via Microsoft 365).

Azure Subscription

Billing and resource management boundary.

One subscription belongs to exactly one tenant.

Contains resources like VMs, storage, and databases.

Has a Subscription ID (GUID) and is associated with an offer type (e.g., Pay-As-You-Go).

Cannot exist without a tenant; must be linked to a directory.

Watch Out for These

Mistake: An Azure tenant is the same as an Azure subscription.
Correct: An Azure tenant is an instance of Azure Active Directory that stores identities. An Azure subscription is a billing and resource management container. A tenant can have multiple subscriptions; a subscription belongs to exactly one tenant.

Mistake: Azure AD is just Active Directory in the cloud.
Correct: Azure AD is a completely different service from on-premises Active Directory Domain Services (AD DS). Azure AD uses REST APIs, OAuth, and OpenID Connect, while AD DS uses Kerberos and LDAP. Azure AD does not support computer objects, group policies, or NTLM.

Mistake: You can have multiple Azure AD directories in one subscription.
Correct: Each subscription is associated with exactly one Azure AD directory (tenant). However, you can have multiple subscriptions under the same directory, or you can create multiple directories (tenants) in your Azure account, but each subscription is tied to only one directory.

Mistake: A guest user has the same permissions as a member user.
Correct: Guest users have restricted directory permissions. They cannot browse the tenant directory or be assigned Azure AD administrative roles (e.g., Global Administrator). However, they can be assigned Azure RBAC roles on resources (e.g., Contributor on a resource group).

Mistake: Deleting a tenant is easily reversible.
Correct: Deleting a tenant is a permanent action that requires confirmation and cannot be undone. It removes all users, groups, app registrations, and the directory itself. Subscriptions associated with that tenant become orphaned and inaccessible until a new tenant is linked.

Frequently Asked Questions

What is the difference between an Azure tenant and an Azure subscription?

An Azure tenant is a dedicated instance of Azure Active Directory that stores user identities, groups, and application registrations. It is the identity boundary. An Azure subscription is a billing and resource management container that holds Azure resources like VMs and databases. A tenant can have multiple subscriptions, but each subscription belongs to exactly one tenant. Think of the tenant as the team roster and the subscription as the budget bucket.

Can I have multiple Azure AD tenants in my Azure account?

Yes, you can create multiple Azure AD tenants (directories) under a single Azure account. Each tenant is completely isolated from the others. However, each Azure subscription can only be associated with one tenant. You can switch the tenant associated with a subscription, but it requires a transfer process. Multiple tenants are common in scenarios like mergers, acquisitions, or when you need strict isolation between environments.

How do I add a custom domain to my Azure AD tenant?

Go to Azure Portal > Azure Active Directory > Custom domain names > Add custom domain. Enter your domain (e.g., contoso.com) and click Add. Azure AD will generate a DNS TXT or MX record that you must add at your domain registrar. Once the record is propagated, Azure verifies it, and the domain becomes available for user UPNs and applications. You can add up to 500 custom domains per tenant.

What is Azure AD Connect and do I need it?

Azure AD Connect is a tool that synchronizes users, groups, and passwords from your on-premises Active Directory to Azure AD. It enables a hybrid identity model where users can use the same credentials for on-premises and cloud resources. You need it if your organization has an existing on-premises AD and wants to extend it to Azure. It supports password hash synchronization, pass-through authentication, and federation with AD FS.

Can guest users be assigned Azure RBAC roles?

Yes, guest users can be assigned Azure RBAC roles (e.g., Contributor, Reader) on specific resources, resource groups, or subscriptions. However, they cannot be assigned Azure AD administrative roles (like Global Administrator) unless they are converted to member users. Guest users also have limited directory permissions—they cannot browse the tenant directory or see other users by default.

What happens if I delete my Azure AD tenant?

Deleting an Azure AD tenant is a permanent action that removes all users, groups, application registrations, and the directory itself. Any Azure subscriptions associated with that tenant become orphaned—they still exist but cannot be accessed until a new tenant is associated. To delete a tenant, you must have Global Administrator permissions and go through a multi-step confirmation process. Microsoft strongly recommends against deletion.

What is the difference between Azure AD Free and Premium?

Azure AD Free, included with any Azure subscription, provides user and group management, SSO, and basic security reports. Premium P1 adds Conditional Access, dynamic groups, self-service password reset, and advanced administration. Premium P2 adds Identity Protection (risk-based policies) and Privileged Identity Management (just-in-time admin access). For most enterprises, P1 is sufficient; P2 is used for highly regulated environments.
