14

Are Azure "tenant" and "directory" different things, or different names for the same thing?

According to the documentation, a tenant is a container within Azure associated with a company or group of people, and a directory is a container; all directories are mutually exclusive, i.e. what you do in one directory does not affect any other.

So is there any difference or are they the same thing?

I look forward to some clarification.

Thanks in advance!

Jerome Smith
  • 1
    Neither term appears in the glossary https://docs.microsoft.com/en-us/azure/azure-glossary-cloud-terminology – Kirsten Sep 23 '19 at 04:05
  • And where do Azure AD accounts fit into this? I can have the same Microsoft account (email + password) associated with multiple tenants and just switch between different directories in the portal after login. – Igor Aug 22 '22 at 14:32

5 Answers

9

Overview:


How to create a new directory and tenant:

  1. To create a new directory in your tenant, go to "Create a resource" -> "Azure Active Directory".
  2. Next fill out the form to create the new directory and press the create button.
    This will create a new directory and a new tenant.
  3. Switch to the new directory by using the switch directory link in the directory switcher: How to switch directories

Term Clarification:

  • Multi-Tenant: A resource configuration where resources can access multiple tenants. E.g. users can exist in multiple tenants
  • Single tenant: A resource configuration where the operation is isolated to the current tenant and has no external dependencies.
  • Customer: A customer is a single entity that pays for one or more subscriptions/Enterprise Agreements. They can control more than one tenant/directory. E.G. Contoso Ltd., Fabrikam, Inc., WingDing Toys, etc.
Elliot Huffman
3

This quick start says

A tenant is a representation of an organization. It's a dedicated instance of Azure AD that an organization or app developer receives when the organization or app developer creates a relationship with Microsoft-- like signing up for Azure, Microsoft Intune, or Microsoft 365.

The docs here say

An Azure subscription has a trust relationship with Azure Active Directory (Azure AD), which means that the subscription trusts Azure AD to authenticate users, services, and devices. Multiple subscriptions can trust the same Azure AD directory, but each subscription can only trust a single directory.

The terminology link in Elliot's answer explains

Azure tenant
A dedicated and trusted instance of Azure AD that's automatically created when your organization signs up for a Microsoft cloud service subscription, such as Microsoft Azure, Microsoft Intune, or Office 365. An Azure tenant represents a single organization.

and

Azure AD directory
Each Azure tenant has a dedicated and trusted Azure AD directory. The Azure AD directory includes the tenant's users, groups, and apps and is used to perform identity and access management functions for tenant resources.

Kirsten
  • 1
    A subscription is something that can be available for more than one account since you can have an IT department running under a single subscription. Check out RBAC for more information: https://docs.microsoft.com/en-us/azure/role-based-access-control/overview – Elliot Huffman Sep 23 '19 at 22:24
  • It seems like you are starting to get stuck in the RBAC hole. Without a proper understanding of how RBAC works, it can get confusing how everything relates to each other. There is a separation between Azure and Azure AD. – Elliot Huffman Sep 23 '19 at 22:26
  • 1
    That is true, the picture you put on this answer is starting to go into RBAC with the subscription relationships to accounts. If you open a new question, I can draw the relationships for you and give you an overview on RBAC. – Elliot Huffman Sep 23 '19 at 22:40
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/99020/discussion-between-elliot-labs-llc-and-kirsten-g). – Elliot Huffman Sep 23 '19 at 22:46
  • I deleted my comments as they were just confusing things. – Kirsten Sep 24 '19 at 01:22
  • https://serverfault.com/questions/985365/when-does-a-tenant-become-a-multi-tenant – Kirsten Sep 24 '19 at 02:05
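
The relationship quoted in the answer above (many subscriptions can trust one directory, each subscription trusts exactly one) can be checked against the JSON that `az account list --output json` returns. This is an added example, not part of the answer or of Microsoft's documentation; the sample data is constructed, the function names are hypothetical, and treating `homeTenantId` as the trusted directory (falling back to `tenantId`) is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `az account list --output json`
# (only the fields used here; all GUIDs are made up).
SAMPLE = """[
 {"id": "11111111-0000-0000-0000-000000000001", "name": "prod",
  "tenantId": "aaaaaaaa-0000-0000-0000-000000000000"},
 {"id": "11111111-0000-0000-0000-000000000002", "name": "dev",
  "tenantId": "aaaaaaaa-0000-0000-0000-000000000000"},
 {"id": "11111111-0000-0000-0000-000000000003", "name": "acquired-co",
  "tenantId": "bbbbbbbb-0000-0000-0000-000000000000",
  "homeTenantId": "bbbbbbbb-0000-0000-0000-000000000000"}
]"""

def directory_of(account):
    # Assumption: homeTenantId, when present, is the directory the
    # subscription trusts; otherwise fall back to tenantId.
    return (account.get("homeTenantId") or account["tenantId"]).lower()

def subscriptions_by_directory(accounts):
    """Return {directory id: sorted subscription names}."""
    trusted = {}  # subscription id -> directory id
    grouped = defaultdict(set)
    for acct in accounts:
        sub_id, directory = acct["id"].lower(), directory_of(acct)
        # One subscription, one directory: a conflict means bad input.
        if trusted.setdefault(sub_id, directory) != directory:
            raise ValueError(f"{sub_id} maps to two directories")
        grouped[directory].add(acct["name"])
    return {d: sorted(names) for d, names in grouped.items()}

def unexpected_directories(accounts, expected):
    """Directories holding subscriptions that are not on the allow-list."""
    allowed = {e.lower() for e in expected}
    found = subscriptions_by_directory(accounts)
    return {d: subs for d, subs in found.items() if d not in allowed}

if __name__ == "__main__":
    accounts = json.loads(SAMPLE)
    print(subscriptions_by_directory(accounts))
    print(unexpected_directories(accounts, ["aaaaaaaa-0000-0000-0000-000000000000"]))
```

Passing the tenant IDs your organization owns as `expected` lists any subscription that trusts a directory outside that set.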
2

A tenant is a dedicated instance of an Azure AD directory that your organization receives when it signs up for a Microsoft cloud service such as Azure or Office 365. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis

Some people think it's the same thing and others don't. I think that the tenant is a digital identity provided by the service Azure AD, basically your company.onmicrosoft.com.

The directory is the component which stores all your users, groups, apps and so on.

But they are either the same thing or extremely closely connected depending on how you wanna see it.

Jarnstrom
0

I hope it's not too late. A tenant in Microsoft Azure cloud service represents the organization created in Azure Active Directory. Azure Active Directory organizes all the users and applications into a group, and these groups are called tenants. An app developer receives the tenant as a dedicated instance of Azure Active Directory to generate a relationship with Microsoft cloud service. This tenant id can be used to sign-in credentials to Azure, Microsoft 365 or Microsoft Intune as each Azure AD tenant has a unique identity and app registration. Check this link for more information

  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community May 28 '22 at 15:12
  • While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/late-answers/521197) – Dave M May 29 '22 at 11:46
0

Those can be used interchangeably.

4c74356b41
  • In some cases they can, but it is technically not correct. See my answer for more details. – Elliot Huffman Sep 30 '20 at 16:49
  • I don't see how your answer clarifies that; a tenant and Azure AD directory is a 1 to 1 mapping, so they can be used interchangeably – 4c74356b41 Sep 30 '20 at 17:10
  • They are a 1 to 1 map. So is the Tenant Root Management Group, the Office 365 tenant substrate, AIP RMS instance and many other things but you do not call those the tenant. You call them other things. Azure AD is an identity provider in a tenant. – Elliot Huffman Sep 30 '20 at 18:47
  • Exactly, that's why they can be used interchangeably; you can't have 2 Azure AD in a single tenant – 4c74356b41 Oct 01 '20 at 04:06
  • 1
    Correlation is not causation. You can also have AAD B2C and B2B instances in your tenant but don't say that you have more tenants. Using your logic, the MG TRG in the tenant is also called the tenant, which it is not. AAD is just an identity service. Just like you can only provision one Bastion service on a vnet, you don't call the bastion a vnet. You call it a bastion. Kristen's answer has the definitions. – Elliot Huffman Oct 01 '20 at 12:56
  • That's just work juggling; in reality, most people use Azure AD and tenant interchangeably, because that's what they actually mean. – 4c74356b41 Oct 01 '20 at 13:23