Azure Active Directory
When a new Azure Subscription is created, it comes associated with a new Azure AD instance.
Active Directory
Simplifying a lot, Azure AD could be seen as a typical “dbo.User” table that one may find in a commercial product.
Multi-Tenant
A tenant is a representation of an organization. It’s a dedicated instance of Azure AD that an organization or app developer receives when the organization or app developer creates a relationship with Microsoft — like signing up for Azure, Microsoft Intune, or Microsoft 365.
A tenant is a collection of users, groups or devices, and it is identified by a URI. On Azure, the URI takes the form “https://<companyname>.onmicrosoft.com”.
A user can be authenticated by any registered tenant.
Azure AD
In the Azure portal, Azure AD can be found in the left sidebar.
When clicking on it for the first time, one may be surprised to notice that, unlike other resources, there is no list of instances to choose from.
From:
An Azure subscription has a trust relationship with Azure Active Directory (Azure AD), which means that the subscription trusts Azure AD to authenticate users, services, and devices. Multiple subscriptions can trust the same Azure AD directory, but each subscription can only trust a single directory.
It is possible to transfer the ownership of a subscription to another tenant. In that scenario, all the role-based access control assignments will be removed.
It is also possible to transfer billing to a different user.
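As an added example (not part of the original post), the sketch below maps each subscription to the single directory it trusts and lists the role assignments that would be removed if a subscription were transferred to another tenant. The sample data is constructed in the shape of `az account list` and `az role assignment list --all` JSON output; the IDs, the contoso names and both function names are assumptions made for illustration.

```python
from collections import defaultdict

TENANT_A = "11111111-1111-1111-1111-111111111111"  # placeholder directory IDs
TENANT_B = "22222222-2222-2222-2222-222222222222"
SUB_PROD = "aaaaaaaa-0000-0000-0000-000000000001"  # placeholder subscription IDs
SUB_DEV = "aaaaaaaa-0000-0000-0000-000000000002"

# Constructed sample, shaped like the output of `az account list -o json`.
ACCOUNTS = [
    {"id": SUB_PROD, "name": "prod", "tenantId": TENANT_A},
    {"id": SUB_DEV, "name": "dev", "tenantId": TENANT_A},
]

# Constructed sample, shaped like `az role assignment list --all -o json`.
ASSIGNMENTS = [
    {"principalName": "alice@contoso.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB_PROD}"},
    {"principalName": "ci-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB_PROD}/resourceGroups/web"},
    {"principalName": "bob@contoso.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB_DEV}"},
]


def subscriptions_by_tenant(accounts):
    """Group subscription names by the single directory each one trusts."""
    grouped = defaultdict(list)
    for acct in accounts:
        grouped[acct["tenantId"]].append(acct["name"])
    return dict(grouped)


def assignments_lost_on_transfer(accounts, assignments, sub_id, target_tenant):
    """Return (principal, type, role, scope) tuples removed if sub_id moves tenants."""
    current = next(a["tenantId"] for a in accounts if a["id"] == sub_id)
    if current == target_tenant:
        return []  # already trusts that directory, nothing is transferred
    root = f"/subscriptions/{sub_id}".lower()
    lost = []
    for ra in assignments:
        scope = ra["scope"].lower()  # Azure resource IDs are case-insensitive
        if scope == root or scope.startswith(root + "/"):
            lost.append((ra["principalName"], ra["principalType"],
                         ra["roleDefinitionName"], ra["scope"]))
    return sorted(lost)


if __name__ == "__main__":
    print(subscriptions_by_tenant(ACCOUNTS))
    for row in assignments_lost_on_transfer(ACCOUNTS, ASSIGNMENTS, SUB_PROD, TENANT_B):
        print(row)
```

Saving this list before a transfer gives a record from which the assignments can be recreated in the target directory.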
Summary
Azure Active Directory is central to handling the Authentication and Authorization of users in Azure. While offering security, it makes it easy to connect tenants and resources.