What is the difference between an Azure tenant and Azure subscription?


Azure tenant is a directory. Azure subscription is an object that represents a "folder" that you can put resources in. Subscriptions are tied to tenants, so 1 tenant can have many subscriptions, but not vice versa.

Link:
https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits


Basic understanding:

  • a tenant is associated with a single identity (person, company, or organization) and can own one or several subscriptions
  • a subscription is linked to a payment setup and each subscription will result in a separate bill
  • in every subscription, you can add virtual resources (VM, storage, network, ...)

Additionally:

  • Every tenant is linked to a single Azure AD instance, which is shared with all of the tenant's subscriptions

  • Resources from one subscription are isolated from resources in other subscriptions

  • An owner of a tenant can decide to have multiple subscriptions:

    • when subscription limits are reached
    • to use different payment methods
    • to isolate resources between different departments, projects, regional offices, and so on.

Example 1:

Contoso decides to have a tenant with 2 subscriptions:

  • one subscription for the Prod department with Credit Card A
  • one subscription for the Dev department with Credit Card B
    (but could also be the same Credit Card as the one of another subscription)

In this example, the two departments share the same Azure AD database. However, resources are isolated between departments, and budgets can be separated too.

Example 2:

A holding company decides to have 2 tenants:

  • one tenant for subsidiary Contoso with one subscription for Dev and Prod
  • one tenant for subsidiary Fabrikam with one subscription for Dev and another subscription for Prod

In this example, both companies have a different Azure AD database.

Example 3:

You have a tenant for your personal training.
In this tenant, you can have:

  • one free Azure subscription (linked to a credit card but not charged, and can be converted to a Pay-As-You-Go subscription after the free trial)
  • one or several Pay-As-You-Go subscriptions (linked to different credit cards)
  • one or several Azure Pass Sponsorship subscriptions, not linked to any credit card because these subscriptions are obtained during Microsoft trainings
  • one Visual Studio subscription (linked to a credit card) and with different quotas (of free resources) than the free subscription

Although all those subscriptions have isolated resources (per subscription), and some are free while you have to pay for others, all subscriptions share the same Azure AD database.


It helps to take a scenario:

Let's say you logged into portal.azure.com for the first time and created a free tier account.

When you log in to Azure, you have a single tenant ID associated with your account which will not change unless you ask Microsoft to delete your account (this is not your Azure domain user, this is your Microsoft subscription account - e.g. bob@gmail.com).

You will only have 1 subscription unless you've purchased or manage other subscriptions (by using the 'transfer billing ownership' function), then they will all be listed under subscriptions.

You will have FULL access to all "resources" associated with your tenant ID. These resources can be part of your own Azure 'directory' or from another domain that someone has given you access to.

You can create up to 20 directories, and you can belong to up to 500 directories.

When you own the subscription (e.g. a free account) you'll have full rights up to the 'root' of the subscription - e.g. if you click on your name in the top right corner and select "... > your permissions" you see something like: Your account 'YOURACCOUNT@gmail.com' has been assigned the role 'User Access Administrator' (type BuiltInRole) and has access to scope /.

Your resources have Role Based Access controls that you, the subscription owner, can assign to other users in your Azure Active Directory (or other trusted directories).

By default, for a new subscription, the Account Administrator is assigned the "Service Administrator" privilege. This is 'above' the RBAC roles - there can only be one service administrator per subscription. In RBAC terms this is an 'owner'.

More points:

A single tenant can have multiple AD directories, but a single directory can only have 1 tenant.

  • It is recommended to maintain only a single tenant and manage all of your AD domains from that single tenant, otherwise the user experience between domains will not be seamless.

  • A tenant is directly associated with an AD resource - if you mouse over your username in the top right corner you'll see the AD domain you're connected to and a long alphanumeric string - that's the same string in AD > properties.

  • If you switch to another directory (assuming you have one) your subscription name (bob@gmail.com) doesn't change, but the tenant ID will be different.

References:

https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles

https://marckean.com/2016/06/01/azure-vs-azure-ad-accounts-tenants-subscriptions/

https://blogit.create.pt/miguelisidoro/2019/01/07/pros-and-cons-of-single-tenant-vs-multiple-tenants-in-office-365/
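As an added example (not part of any of the answers above, and not Microsoft's code), the script below ties together two points made in this thread: the one-to-many relationship between a tenant and its subscriptions (Example 2 in the second answer, where Fabrikam's tenant owns a Dev and a Prod subscription), and the third answer's observation that the subscription owner holds 'User Access Administrator' at scope /. It reads JSON in the shape that `az account list --output json` and `az role assignment list --all --output json` produce, groups subscriptions by `tenantId`, and flags privileged roles (Owner, User Access Administrator) granted at root, management-group or subscription scope, which is the review a defender would want when a tenant has grown to several subscriptions. The embedded JSON is constructed sample data with made-up IDs and principals; the only field names relied on are `id`, `tenantId`, `roleDefinitionName`, `principalName` and `scope`.

```python
"""Inventory Azure tenants, their subscriptions and broad privileged role
assignments from Azure CLI JSON output (added example, not from the Q&A)."""
import json
from collections import defaultdict

# Roles that grant control over access, or over everything, within their scope.
PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}

# Constructed sample in the shape of `az account list --output json`:
# two tenants (Contoso, Fabrikam) and three subscriptions, as in "Example 2".
# All IDs are made up.
ACCOUNT_LIST_JSON = """[
  {"id": "11111111-0000-0000-0000-000000000001", "name": "Contoso-DevProd",
   "state": "Enabled", "isDefault": true,
   "tenantId": "aaaaaaaa-0000-0000-0000-000000000001",
   "user": {"name": "bob@example.com", "type": "user"}},
  {"id": "22222222-0000-0000-0000-000000000002", "name": "Fabrikam-Dev",
   "state": "Enabled", "isDefault": false,
   "tenantId": "bbbbbbbb-0000-0000-0000-000000000002",
   "user": {"name": "bob@example.com", "type": "user"}},
  {"id": "33333333-0000-0000-0000-000000000003", "name": "Fabrikam-Prod",
   "state": "Enabled", "isDefault": false,
   "tenantId": "bbbbbbbb-0000-0000-0000-000000000002",
   "user": {"name": "bob@example.com", "type": "user"}}
]"""

# Constructed sample in the shape of `az role assignment list --all --output json`
# (only the fields used here). Scope "/" is the root scope quoted in the answer.
ROLE_ASSIGNMENTS_JSON = """[
  {"principalName": "bob@example.com", "principalType": "User",
   "roleDefinitionName": "User Access Administrator", "scope": "/"},
  {"principalName": "alice@example.com", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/22222222-0000-0000-0000-000000000002"},
  {"principalName": "carol@example.com", "principalType": "User",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/33333333-0000-0000-0000-000000000003"},
  {"principalName": "dave@example.com", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/33333333-0000-0000-0000-000000000003/resourceGroups/rg-app"},
  {"principalName": "deploy-pipeline", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Reader",
   "scope": "/providers/Microsoft.Management/managementGroups/mg-root"}
]"""


def subscriptions_by_tenant(accounts):
    """tenantId -> [subscription ids]. Each subscription carries exactly one
    tenantId, so the map is one-to-many in the direction the answers describe."""
    by_tenant = defaultdict(list)
    for acct in accounts:
        by_tenant[acct["tenantId"]].append(acct["id"])
    return dict(by_tenant)


def scope_kind(scope):
    """Classify an Azure RBAC scope string by how broad it is."""
    if scope == "/":
        return "root"
    parts = scope.strip("/").split("/")
    if parts[:3] == ["providers", "Microsoft.Management", "managementGroups"]:
        return "managementGroup"
    if parts[0] == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and parts[2].lower() == "resourcegroups":
            return "resourceGroup"
    return "resource"


def subscription_id_of(scope):
    """Subscription id embedded in a scope, or None for root/management-group scopes."""
    parts = scope.strip("/").split("/")
    return parts[1] if parts[:1] == ["subscriptions"] and len(parts) >= 2 else None


def broad_privileged_assignments(accounts, assignments):
    """Privileged roles granted at root, management-group or subscription scope,
    each attributed to the tenant owning the subscription (None at root or
    management-group scope, where there is no single subscription to look up)."""
    tenant_of_sub = {a["id"]: a["tenantId"] for a in accounts}
    findings = []
    for ra in assignments:
        kind = scope_kind(ra["scope"])
        if ra["roleDefinitionName"] not in PRIVILEGED_ROLES:
            continue
        if kind not in ("root", "managementGroup", "subscription"):
            continue  # narrow grants (resource group, single resource) are not flagged
        findings.append({
            "principal": ra["principalName"],
            "role": ra["roleDefinitionName"],
            "scope_kind": kind,
            "tenantId": tenant_of_sub.get(subscription_id_of(ra["scope"])),
        })
    return findings


def report(account_json=ACCOUNT_LIST_JSON, assignment_json=ROLE_ASSIGNMENTS_JSON):
    """Parse both documents and return (tenant map, findings)."""
    accounts = json.loads(account_json)
    assignments = json.loads(assignment_json)
    return subscriptions_by_tenant(accounts), broad_privileged_assignments(accounts, assignments)


if __name__ == "__main__":
    tenants, findings = report()
    for tenant, subs in tenants.items():
        print(f"tenant {tenant}: {len(subs)} subscription(s)")
        for sub in subs:
            print(f"  {sub}")
    print("broad privileged assignments:")
    for f in findings:
        print(f"  {f['principal']:<20} {f['role']:<26} at {f['scope_kind']} (tenant {f['tenantId']})")
```

On the sample data the report shows one tenant with one subscription and one with two, and flags exactly two grants: the root-scope 'User Access Administrator' the third answer describes, and an Owner at subscription scope in the Fabrikam tenant. The Owner on a single resource group and the Contributor at subscription scope are left out, since the point of the check is the combination of a privileged role and a broad scope. To run it against a real environment, pipe the two `az` commands' output into `report()` in place of the constructed strings.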