Azure subscription vs tenant - varoonsahgal/tf-az-wt GitHub Wiki


🏒 Azure Tenant (Azure AD Tenant)

Think: Identity + Directory

  • An Azure tenant represents a dedicated instance of Azure Active Directory (AAD).

  • It contains:

    • Users and groups

    • App registrations

    • Enterprise applications

    • Role-based access control (RBAC) identities

  • It’s tied to your organization’s domain (like yourcompany.com).

  • It is free, and you get one automatically when you sign up for Azure with an organizational account.

📌 Analogy: A tenant is like the organization’s security and identity office.


💳 Azure Subscription

Think: Billing + Resource Container

  • A subscription is an agreement with Microsoft that lets you use Azure services and be billed for them.

  • It contains:

    • Resource groups

    • Virtual machines, databases, storage, networks, etc.

    • Usage and cost data

  • You can have multiple subscriptions under one tenant to separate environments (dev/test/prod), departments, or projects.

📌 Analogy: A subscription is like a project budget account with spending limits and resource access.


🧱 Relationship

Azure AD Tenant (Identity)
│
├── Subscription A (Dev)
├── Subscription B (Prod)
└── Subscription C (Sandbox)

  • All subscriptions can share the same tenant, meaning users from the same directory can access multiple subscriptions.

  • Subscriptions can also be moved between tenants, though it’s an advanced process with limitations.


🔑 Key Differences

| Feature | Azure Tenant | Azure Subscription |
| --- | --- | --- |
| Purpose | Identity, authentication, directory | Billing, resource management |
| Contains | Users, groups, apps, policies | Resource groups, VMs, databases, etc. |
| Unique ID | Tenant ID (GUID) | Subscription ID (GUID) |
| Billing | ❌ Not directly tied to billing | ✅ Bills usage to a payment method |
| Scope of Access | Directory-wide (auth/authz) | Resource access (via RBAC) |
| Limits | 1 tenant per org (typically) | Many subscriptions per tenant possible |

πŸ‘©β€πŸ’Ό Example Use Case

Let’s say your company is contoso.com:

  • You have an Azure AD tenant: contoso.onmicrosoft.com

  • You create:

    • Subscription 1: Dev environment

    • Subscription 2: Production workloads

  • Your IT admins manage users and groups in the tenant, while your DevOps teams deploy resources in subscriptions.
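The tenant/subscription relationship can be checked from the `tenantId` field that `az account list --output json` reports for each subscription. The following added example (not part of the original wiki) groups a constructed sample of that output by tenant and rejects a deployment target that sits outside the expected directory; every GUID and all function names are made-up assumptions.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `az account list --output json` output
# (only the fields used here). Every GUID below is a made-up placeholder.
SAMPLE_ACCOUNTS = json.dumps([
    {"id": "11111111-0000-0000-0000-000000000001", "name": "Dev",
     "tenantId": "AAAAAAAA-0000-0000-0000-000000000000"},
    {"id": "11111111-0000-0000-0000-000000000002", "name": "Prod",
     "tenantId": "aaaaaaaa-0000-0000-0000-000000000000"},
    {"id": "11111111-0000-0000-0000-000000000003", "name": "Sandbox",
     "tenantId": "bbbbbbbb-0000-0000-0000-000000000000"},
])
EXPECTED_TENANT = "aaaaaaaa-0000-0000-0000-000000000000"  # assumed contoso tenant ID


def group_by_tenant(accounts_json):
    """Map tenant ID -> [(subscription name, subscription ID)], GUIDs lowercased."""
    tenants = defaultdict(list)
    for sub in json.loads(accounts_json):
        tenants[sub["tenantId"].lower()].append((sub["name"], sub["id"].lower()))
    return dict(tenants)


def foreign_subscriptions(accounts_json, expected_tenant):
    """Subscriptions whose directory is not the expected tenant."""
    return [entry
            for tenant, subs in group_by_tenant(accounts_json).items()
            if tenant != expected_tenant.lower()
            for entry in subs]


def check_target(accounts_json, subscription_id, expected_tenant):
    """Return the target's tenant ID, or raise if it is unknown or in another tenant."""
    wanted = subscription_id.lower()
    for tenant, subs in group_by_tenant(accounts_json).items():
        if any(sub_id == wanted for _, sub_id in subs):
            if tenant != expected_tenant.lower():
                raise ValueError(f"{wanted} belongs to tenant {tenant}")
            return tenant
    raise LookupError(f"{wanted} is not visible to this login")


if __name__ == "__main__":
    for tenant, subs in group_by_tenant(SAMPLE_ACCOUNTS).items():
        print(tenant)
        for name, sub_id in subs:
            print(f"  - {name} ({sub_id})")
    print("outside expected tenant:", foreign_subscriptions(SAMPLE_ACCOUNTS, EXPECTED_TENANT))
```

Running `check_target` before a deployment catches the case where a subscription has been moved to another tenant and the identities you expect no longer apply to it.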

