Hi, I’m Makoto, a freelance engineer.
In this article, I’ll explain the relationship between subscriptions and Microsoft Entra tenant. Personally, I think this is a very confusing point.
I’ll explain it as clearly as possible with diagrams, so please read to the end.
If you’re wondering about this, please refer to this article.
Now, let’s get started!
What is Microsoft Entra ID?
Microsoft Entra ID (formerly Azure AD) is a cloud-based service that provides identity and access management. While it’s explained in detail in this article, let’s review the concept again.
When you sign up for Microsoft cloud services such as Azure, Microsoft 365, Dynamics 365, etc., you will inevitably use Microsoft Entra ID.
Subscriptions and Entra tenant Relationship
Microsoft Entra tenant, where users including the Azure contract administrator account are registered, is not included in the subscription. Misunderstanding this point can lead to various problems.
Subscriptions and Microsoft Entra tenant are separate elements that are associated with each other. Imagine two boxes connected by a line. This association is referred to as a trust relationship.
As shown in the diagram above, you can associate multiple Azure subscriptions with a single Microsoft Entra tenant. In addition, you can later change the associated Microsoft Entra tenant to a different one.
In addition, when you use other Microsoft cloud services, such as Microsoft 365, they are also associated with a Microsoft Entra tenant.
Reference:
While it’s possible to create a new Microsoft Entra tenant and associate it one-to-one with a subscription, this approach is not recommended. Depending on your system requirements, it’s generally preferable to centralize management using a single Microsoft Entra tenant.
Summary
In this article, we have explained the relationship between subscriptions and Microsoft Entra tenant.
Users are managed by Microsoft Entra ID separately from subscriptions. This system is unique to Azure and different from AWS or GCP, so it may be a confusing point even for those who have experience with other cloud providers.
Subscriptions and Microsoft Entra tenant have the following relationship (one-to-one or one-to-many). Let’s make sure to understand this point well for AZ-900 exam preparation!
- Each subscription must be associated with a single Microsoft Entra tenant
- A subscription cannot be associated with more than one Microsoft Entra tenant
- Multiple subscriptions can be associated with a single Microsoft Entra tenant
- The Microsoft Entra tenant associated with a subscription can be changed later