In Azure, subscriptions and tenants are related but distinct concepts, and they play different roles in the management and organization of Azure resources. Here’s an explanation of their relationship:
Azure Tenant
- Definition: A tenant in Azure refers to a dedicated instance of Azure Active Directory (Azure AD). It is the directory where all users, groups, and applications for an organization are stored and managed.
- Role: It provides identity and access management for resources and services in Azure.
- Unique Identifier: Each tenant has a unique Tenant ID (GUID).
- Scope:
  - A tenant can include multiple subscriptions.
  - The tenant’s directory (users, groups, applications) is shared by all subscriptions within it.
- Example: Your organization’s Azure AD tenant might hold all employee accounts and groups, and authenticate them when they access Azure resources.
Azure Subscription
- Definition: A subscription is a logical container that groups together Azure resources (e.g., virtual machines, databases, storage accounts) and defines their billing and usage limits.
- Role: It controls how resources are billed, accessed, and managed.
- Unique Identifier: Each subscription has a unique Subscription ID (GUID).
- Scope:
  - Subscriptions exist within a tenant.
  - A single tenant can contain multiple subscriptions, but a subscription belongs to only one tenant.
- Example: Your organization might have separate subscriptions for production and development environments, all managed within the same Azure AD tenant.
How They Are Related
- Tenant as the Parent:
  - The tenant acts as the overarching directory for identity and access management.
  - Subscriptions belong to a tenant and trust its Azure AD for authentication and access control.
- Subscription as a Resource Container:
  - A subscription exists within the context of a tenant and uses the tenant’s Azure AD to manage access to its resources.
  - Users, groups, or applications in the tenant can be assigned roles (via RBAC) to manage resources in the subscription.
- Cross-Tenant Access:
  - Subscriptions are tied to a single tenant and cannot belong to multiple tenants at the same time.
  - However, guest users from other tenants can be invited via Azure AD B2B to access resources in a subscription.
Example Relationship
Scenario:
- Tenant: Contoso.onmicrosoft.com (Azure AD tenant for Contoso)
- Subscriptions:
  - Subscription A: Used for the Contoso production environment.
  - Subscription B: Used for Contoso development resources.
  - Subscription C: Used for a testing environment.
In this case:
- All subscriptions share the same tenant, Contoso.onmicrosoft.com.
- Users in the Azure AD tenant can be granted access to resources in one or more subscriptions via Role-Based Access Control (RBAC).
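The two relationships above (every subscription has exactly one tenant, and guest users from other tenants can be granted RBAC roles inside a subscription) are the ones an access review has to verify. The script below is an added example, not code from the original article or from Microsoft. It assumes JSON records in the shape returned by `az account list -o json` (`id`, `name`, `tenantId`, `state`) and `az role assignment list --all -o json` (`principalName`, `principalType`, `roleDefinitionName`, `scope`); the tenant and subscription GUIDs, the `fabrikam.com` guest accounts and the `ci-deploy` service principal are constructed placeholders so that it runs offline. It groups assignments by the subscription their scope falls under, reports any visible subscription that belongs to a different tenant, and lists B2B guests (recognised by the `#EXT#` marker in their UPN) holding a privileged role.

```python
"""Inventory RBAC assignments across the subscriptions of one Azure AD tenant.

Added example, not code from the original article. Input shapes follow
`az account list -o json` and `az role assignment list --all -o json`;
all GUIDs and account names are constructed placeholders.
"""
import json
import re
from collections import defaultdict

# Placeholder tenant IDs (constructed, not real tenants).
CONTOSO_TENANT = "aaaaaaaa-0000-0000-0000-000000000001"
OTHER_TENANT = "bbbbbbbb-0000-0000-0000-000000000002"

SUB_A = "11111111-1111-1111-1111-111111111111"  # production
SUB_B = "22222222-2222-2222-2222-222222222222"  # development
SUB_C = "33333333-3333-3333-3333-333333333333"  # testing
SUB_X = "44444444-4444-4444-4444-444444444444"  # visible, but owned by another tenant

# Roles that grant write or access-administration rights at their scope.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample of `az account list -o json`.
ACCOUNTS_JSON = json.dumps([
    {"id": SUB_A, "name": "Subscription A", "tenantId": CONTOSO_TENANT, "state": "Enabled"},
    {"id": SUB_B, "name": "Subscription B", "tenantId": CONTOSO_TENANT, "state": "Enabled"},
    {"id": SUB_C, "name": "Subscription C", "tenantId": CONTOSO_TENANT, "state": "Enabled"},
    {"id": SUB_X, "name": "Partner sandbox", "tenantId": OTHER_TENANT, "state": "Enabled"},
])

# Constructed sample of `az role assignment list --all -o json` (subset of fields).
# B2B guests get a UPN of the form user_externaldomain#EXT#@<home tenant domain>.
ASSIGNMENTS_JSON = json.dumps([
    {"principalName": "alice@contoso.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB_A}"},
    {"principalName": "alice@contoso.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB_B}"},
    {"principalName": "bob_fabrikam.com#EXT#@contoso.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB_B}"},
    {"principalName": "carol_fabrikam.com#EXT#@contoso.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB_C}/resourceGroups/rg-test"},
    {"principalName": "ci-deploy", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB_B}"},
])

SUBSCRIPTION_IN_SCOPE = re.compile(r"^/subscriptions/([0-9a-fA-F-]{36})(?:/|$)")


def subscription_of(scope: str):
    """Subscription ID an RBAC scope falls under, or None for scopes above
    the subscription level (management groups, '/')."""
    match = SUBSCRIPTION_IN_SCOPE.match(scope)
    return match.group(1).lower() if match else None


def is_guest(principal_name: str) -> bool:
    """B2B guest accounts carry the '#EXT#' marker in their UPN."""
    return "#EXT#" in principal_name


def foreign_subscriptions(accounts_json: str, expected_tenant: str):
    """Visible subscriptions whose single tenantId is not the audited tenant."""
    accounts = json.loads(accounts_json)
    return sorted(a["id"] for a in accounts if a["tenantId"] != expected_tenant)


def assignments_by_subscription(assignments_json: str):
    """Group assignments by the subscription their scope sits in."""
    grouped = defaultdict(list)
    for a in json.loads(assignments_json):
        grouped[subscription_of(a["scope"])].append(a)
    return dict(grouped)


def privileged_guests(assignments_json: str):
    """Guest principals holding a privileged role at any scope: the
    cross-tenant access path that deserves explicit review."""
    return [
        (a["principalName"], a["roleDefinitionName"], a["scope"])
        for a in json.loads(assignments_json)
        if is_guest(a["principalName"]) and a["roleDefinitionName"] in PRIVILEGED_ROLES
    ]


def audit(accounts_json: str, assignments_json: str, expected_tenant: str) -> dict:
    """Combine the checks into one report keyed by subscription."""
    grouped = assignments_by_subscription(assignments_json)
    return {
        "foreign_subscriptions": foreign_subscriptions(accounts_json, expected_tenant),
        "assignment_counts": {sub: len(items) for sub, items in grouped.items()},
        "privileged_guests": privileged_guests(assignments_json),
    }


if __name__ == "__main__":
    print(json.dumps(audit(ACCOUNTS_JSON, ASSIGNMENTS_JSON, CONTOSO_TENANT), indent=2))
```

Against real output, replace the two constructed JSON strings with the files written by `az account list -o json` and `az role assignment list --all -o json`; the scope parsing deliberately returns `None` for management-group and root scopes so that assignments inherited from above the subscription are not silently attributed to one subscription.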
Key Differences
| Feature | Tenant | Subscription |
|---|---|---|
| Purpose | Identity and access management | Billing, usage, and resource grouping |
| Scope | Azure AD, users, groups, applications | Resources like VMs, storage, databases |
| Relation | Parent directory for subscriptions | Child of a tenant |
| Ownership | Represents an organization | Represents billing or project boundaries |
| Unique Identifier | Tenant ID | Subscription ID |
Summary
- A tenant is an Azure AD instance that manages identities.
- A subscription is a billing and resource container associated with a tenant.
- Relationship: Subscriptions reside within a tenant and rely on the tenant’s Azure AD for authentication and RBAC. Multiple subscriptions can share the same tenant.