What is the difference between an Azure tenant and Azure subscription?

Tags: Azure, Azure Active Directory

Azure Problem Overview


I am struggling to distinguish how an Azure subscription and an Azure tenant are different. I have tried figuring it out using examples, but each time I come to the conclusion that they are the same thing in a way. If a tenant is a dedicated instance of the Azure AD service that an organization receives and owns when it signs up for a Microsoft cloud service, then is that not what a subscription is too?

Azure Solutions


Solution 1 - Azure

Basic understanding:

  • a tenant is associated with a single identity (person, company, or organization) and can own one or several subscriptions
  • a subscription is linked to a payment setup and each subscription will result in a separate bill
  • in every subscription, you can add virtual resources (VM, storage, network, ...)

Additionally:

  • Every tenant is linked to a single Azure AD instance, which is shared with all of the tenant's subscriptions

  • Resources from one subscription are isolated from resources in other subscriptions

  • An owner of a tenant can decide to have multiple subscriptions:

    • when subscription limits are reached
    • to use different payment methods
    • to isolate resources between different departments, projects, regional offices, and so on.

Example 1:

Contoso decides to have a tenant with 2 subscriptions:

  • one subscription for the Prod department with Credit Card A
  • one subscription for the Dev department with Credit Card B
    (but could also be the same Credit Card as the one of another subscription)

In this example, the two departments share the same Azure AD database. However, resources are isolated between departments, and budgets can be separated too.

Example 2:

A holding company decides to have 2 tenants:

  • one tenant for subsidiary Contoso with one subscription for Dev and Prod
  • one tenant for subsidiary Fabrikam with one subscription for Dev and another subscription for Prod

In this example, both companies have a different Azure AD database.

Example 3:

You have a tenant for your personal training.
In this tenant, you can have:

  • one free Azure subscription (linked to a credit card but not charged, and can be converted to a Pay-As-You-Go subscription after the free trial)
  • one or several Pay-As-You-Go subscriptions (linked to different credit cards)
  • one or several Azure Pass Sponsorship subscriptions, not linked to any credit card because these subscriptions are obtained during Microsoft trainings
  • one Visual Studio subscription (linked to a credit card) and with different quotas (of free resources) than the free subscription

Although all those subscriptions have isolated resources (per subscription), and some are free while you have to pay for others, all subscriptions share the same Azure AD database.
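The one-tenant-to-many-subscriptions relationship described above can be checked against what the Azure CLI reports. The following is an added example (not part of the original answer): it parses output shaped like `az account list --output json`, whose records carry `id`, `name`, `tenantId`, `state` and `isDefault`; the sample records and every GUID in them are constructed, not real identifiers.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `az account list --output json`.
# Subscription and tenant GUIDs are made up for illustration only.
SAMPLE_AZ_ACCOUNT_LIST = json.dumps([
    {"id": "11111111-1111-1111-1111-111111111111", "name": "Contoso-Prod",
     "tenantId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "state": "Enabled", "isDefault": True},
    {"id": "22222222-2222-2222-2222-222222222222", "name": "Contoso-Dev",
     "tenantId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "state": "Enabled", "isDefault": False},
    {"id": "33333333-3333-3333-3333-333333333333", "name": "Fabrikam-Prod",
     "tenantId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb", "state": "Enabled", "isDefault": False},
])


def subscriptions_by_tenant(az_json: str) -> dict[str, list[str]]:
    """Group subscription names under the tenant (Azure AD directory) that owns them.

    A tenant may own several subscriptions, but each subscription record carries
    exactly one tenantId, so the result is a one-to-many map, never many-to-many.
    """
    grouped: dict[str, list[str]] = defaultdict(list)
    for sub in json.loads(az_json):
        grouped[sub["tenantId"]].append(sub["name"])
    return dict(grouped)


def tenant_of(az_json: str, subscription_id: str) -> str:
    """Return the single tenant a subscription trusts for identity; fail loudly otherwise."""
    tenants = {s["tenantId"] for s in json.loads(az_json) if s["id"] == subscription_id}
    if len(tenants) != 1:
        raise ValueError(f"subscription {subscription_id} maps to {len(tenants)} tenants")
    return tenants.pop()


def share_directory(az_json: str, sub_a: str, sub_b: str) -> bool:
    """True when two subscriptions share one Azure AD database (Example 1 above),
    False when they sit in different tenants (Example 2 above)."""
    return tenant_of(az_json, sub_a) == tenant_of(az_json, sub_b)


if __name__ == "__main__":
    for tenant, subs in subscriptions_by_tenant(SAMPLE_AZ_ACCOUNT_LIST).items():
        print(f"tenant {tenant} owns {len(subs)} subscription(s): {', '.join(subs)}")
```

Resources stay isolated per subscription even when, as for Contoso-Prod and Contoso-Dev here, both answer to the same directory; the script only shows which identity store a subscription answers to, not who holds roles inside it.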

Solution 2 - Azure

An Azure tenant is a directory. An Azure subscription is an object that represents a "folder" that you can put resources in. Subscriptions are tied to tenants, so 1 tenant can have many subscriptions, but not vice versa.

Link:
https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits

Solution 3 - Azure

It helps to take a scenario:

Let's say you logged into portal.azure.com for the first time and created a free tier account.

When you log in to Azure, you have a single tenant ID associated with your account, which will not change unless you ask Microsoft to delete your account (this is not your Azure domain user, this is your Microsoft subscription account, e.g. [email protected]).

You will only have 1 subscription unless you've purchased or manage other subscriptions (by using the 'transfer billing ownership' function), then they will all be listed under subscriptions.

You will have FULL access to all "resources" associated with your tenant ID. These resources can be part of your own Azure 'directory' or from another domain that someone has given you access to.

You can create up to 20 directories, and you can belong to up to 500 directories.

When you own the subscription (e.g. a free account) you'll have full rights up to the 'root' of the subscription. E.g. if you click on your name in the top right corner and select "... > your permissions" you see something like: Your account '[email protected]' has been assigned the role 'User Access Administrator' (type BuiltInRole) and has access to scope /.

Your resources have Role Based Access controls that you, the subscription owner, can assign to other users in your Azure Active Directory (or other trusted directories).

By default, for a new subscription, the Account Administrator is assigned the "Service Administrator" privilege. This is 'above' the RBAC roles; there can only be one service administrator per subscription. In RBAC terms this is an 'owner'.

More points:

  • A single tenant can have multiple AD directories, but a single directory can only have 1 tenant.

  • It is recommended to maintain only a single tenant and manage all of your AD domains from that single tenant, otherwise the user experience between domains will not be seamless.

  • A tenant is directly associated with an AD resource. If you mouse over your username in the top right corner you'll see the AD domain you're connected to and a long alphanumeric string; that's the same string in AD > properties.

  • If you switch to another directory (assuming you have one) your subscription name ([email protected]) doesn't change, but the tenant ID will be different.

References:

https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles

https://marckean.com/2016/06/01/azure-vs-azure-ad-accounts-tenants-subscriptions/

https://blogit.create.pt/miguelisidoro/2019/01/07/pros-and-cons-of-single-tenant-vs-multiple-tenants-in-office-365/

Solution 4 - Azure

This MS doc has explained everything very nicely: "Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings".

Multiple Microsoft cloud offering subscriptions can use the same Azure AD tenant that acts as a common identity provider. A central Azure AD tenant that contains the synchronized accounts of your on-premises AD DS provides cloud-based Identity as a Service (IDaaS) for your organization.

Quoting from the documentation:

  Summary of the hierarchy

  • An organization can have multiple subscriptions
  • A subscription can have multiple licenses
  • Licenses can be assigned to individual user accounts
  • User accounts are stored in an Azure AD tenant

Let us try to understand all this with the help of an example. Let's assume that I'm the owner of a company named foobar which manufactures software products. Now here is what I'll do to set up Azure infrastructure for my company:

  1. I'll create an Azure account using my email id.
  2. I'll create two Azure Active Directories (AAD, aka tenant) in my account. I'll name them PermanentAad and AdhocAad. User accounts of all permanent employees will be added into PermanentAad and all temporary or contractual employees will be added into AdhocAad.
  3. Now I want to manage the billing of all the adhoc employees and permanent employees separately. So I'll create two subscriptions, namely PermanentSub and AdhocSub. I'll set up a trust relationship between PermanentAad and PermanentSub. Similarly for AdhocAad and AdhocSub. So when any permanent employee creates any resource, e.g. a VM, then the cost of that VM will get added to the PermanentSub subscription.
  4. Now comes the licenses part. Licenses empower a user to do things in Azure, e.g. creating resources, VMs etc. I can give an Enterprise Mobility + Security E5 license to a permanent employee so that he can create VMs.

So to summarize:

  • If you want to work in Azure you need an Azure account. To create an Azure account you need an active email id.

  • If you want to add people/employees or machines/devices who would be part of your IT infrastructure you need a tenant/AAD. You get one tenant/AAD by default when you create an Azure account. You can create more if you require. The Azure Active Directory service is a global service spanning all locations in Azure which manages all of our Azure AD (AAD) instances. AAD is also known as Azure Active Directory, AAD, an Azure AD instance, an AAD instance, an Azure AD tenant, an AAD tenant, simply tenant or an organization, etc. They all mean the same. So:

    Organization == Tenant == Directory

  • If you want logical separation of billing for users of your Azure account then you need subscriptions. You get one subscription by default when you create a new Azure account. A subscription can be of four types as below:

    1. Free
    2. Pay-as-you-go
    3. Enterprise agreement
    4. Cloud Solution Provider
  • If you want users to be able to do things then you give them a license to do something, e.g. a license to be able to create a VM or an Azure app service. Also remember that licenses and role based access control (RBAC) are not the same, although both enable you to do something. They have different nuances which you can explore on your own.


So, all the user accounts and machines of an organization reside in a common Azure AD tenant/instance.

Solution 5 - Azure

Simply put, an instance of Azure AD is what an organization receives when the organization creates a relationship with Microsoft such as signing up for Azure, Microsoft Intune, or Microsoft 365.

A tenant is similar to a forest in an on-premises environment.

An Active Directory forest (AD forest) is the topmost logical container in an Active Directory configuration that contains domains, users, computers, and group policies.

Solution 6 - Azure

Adding more to existing answers: a tenant is a domain. If these are email addresses of a certain company: [email protected], [email protected]

The tenant can be recognized as "exampledomain", in a practical scenario you create a tenant against a company or a client.

Subscriptions are like another logical high-level grouping. For example, you can create a subscription for each environment you work with in the same tenant. As an example, the exampledomain.com tenant can have Development, QA, and Production subscriptions. Those will be billed separately according to the plans you take.

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type       | Original Author | Original Content on Stackoverflow
-------------------|-----------------|----------------------------------
Question           | DMQ95           | View Question on Stackoverflow
Solution 1 - Azure | Luke            | View Answer on Stackoverflow
Solution 2 - Azure | 4c74356b41      | View Answer on Stackoverflow
Solution 3 - Azure | broglock        | View Answer on Stackoverflow
Solution 4 - Azure | RBT             | View Answer on Stackoverflow
Solution 5 - Azure | TechUser        | View Answer on Stackoverflow
Solution 6 - Azure | Heshan          | View Answer on Stackoverflow