Forum Discussion
Relationship between Azure Active Directory and Directory (Tenant?)
- Aug 24, 2020
Hi Blakemar,
I understand your confusion. I agree there are several "terms" in Azure that seem to overlap or could be synonyms. In addition, you might see these terms used inconsistently in the Portal UI or documentation.
I always try to approach it from the practical point of view, for example:
- Can I create a new Azure AD tenant and if yes, how is it related to my existing environment?
- Can I create several directories under that tenant?
- Can I have several domains under my tenant?
I like to use this article written for AAD developers as a reference: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant#use-an-existing-tenant
I saw some confusing or even wrong replies in the "linked" topic like someone claiming you can have several directories under one AAD tenant.
I see it this way: Azure AD tenant = directory, and there is a strict 1:1 relationship between them (you cannot create several directories under a tenant). Each tenant has its globally unique 'tenant ID' (in some places in the Portal referred to as 'directory ID', but the ID is the same).
When you use the 'Switch directories' option in the Portal, you are authenticating to a different AAD tenant (your account was invited as a guest there via Azure AD B2B Collaboration), so you will see different subscriptions and resources, and have different permissions, when you do so. Since most organizations have one production tenant (but some, like ISVs, can have more), you are switching to a different "company". That's how I see it.
You can, however, have several domains under one tenant / directory. You always get a default one {something}.onmicrosoft.com, but you can onboard custom domains (like contoso.com) upon proving you own that domain.
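The tenant-ID-equals-directory-ID point, and the "switching directories means authenticating to another tenant as a B2B guest" point, can both be seen in the claims of an Azure AD token. The following is an added example, not the poster's code: it decodes the payload of a constructed, unsigned sample JWT and checks that the `tid` claim agrees with the tenant in `iss`, that it is the tenant the app expects, and whether the `idp` claim points at a different home tenant (a guest). The GUIDs and user name are placeholders; signature validation is deliberately out of scope.

```python
import base64
import json
import re
from typing import Optional

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed, unsigned sample token: a guest from a fictional home tenant
# signed in to the resource tenant. Both GUIDs are placeholders.
RESOURCE_TID = "11111111-2222-3333-4444-555555555555"
HOME_TID = "99999999-8888-7777-6666-555555555555"
SAMPLE_TOKEN = ".".join([
    _b64url(b'{"alg":"none","typ":"JWT"}'),
    _b64url(json.dumps({
        "iss": f"https://login.microsoftonline.com/{RESOURCE_TID}/v2.0",
        "tid": RESOURCE_TID,
        "idp": f"https://sts.windows.net/{HOME_TID}/",
        "preferred_username": "alice_fabrikam.com#EXT#@contoso.onmicrosoft.com",
    }).encode()),
    "",
])

def decode_payload(token: str) -> dict:
    """Decode the JWT payload only; signature verification is out of scope here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def _tenant_guid(url: Optional[str]) -> Optional[str]:
    """Pull the tenant GUID out of an issuer or idp URL (v1 and v2 formats)."""
    m = GUID_RE.search(url or "")
    return m.group(0).lower() if m else None

def tenant_context(token: str, expected_tid: str) -> dict:
    """Which tenant (directory) issued this token, and is the caller a B2B guest?"""
    claims = decode_payload(token)
    tid = (claims.get("tid") or "").lower()
    return {
        "tid": tid,
        # tenant ID and directory ID are the same value, so iss and tid must agree
        "issuer_matches_tid": _tenant_guid(claims.get("iss")) == tid,
        # an app should accept tokens only from the tenant it expects
        "is_expected_tenant": tid == expected_tid.lower(),
        # idp names a different tenant than tid only for guests (B2B collaboration)
        "is_guest": _tenant_guid(claims.get("idp")) not in (None, tid),
    }
```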
- buzzripper, Mar 28, 2021, Copper Contributor
Can you describe the relationship when it comes to B2C tenant? Is that a different animal? My 1st tenant shows my B2C tenant as a *resource*, which is very confusing. Is there a hierarchy here, where the one tenant 'owns' another tenant? They both have their own AD and resources like you describe above, but the fact that the one tenant is a resource for another is weird, and I've never seen a good description of it.
- pazdedav, Mar 29, 2021, Iron Contributor
Hi buzzripper,
Azure AD B2C is indeed a different animal :).
It is meant for building consumer-facing apps that support different external IdPs like social accounts (FB, Twitter, etc.).
I do agree this sounds confusing, especially if you check the tutorial for creating a new B2C tenant. You must have a regular AAD tenant with an Azure subscription attached to it first before you can create a new B2C tenant like any other Azure resource. Once you create it however, you don't manage it like other resources but you need to switch to that directory and manage it separately.
Also, when you create your B2C tenant, it is empty, so there is no overlap of identities (users, groups) that exist in your AAD tenant (sometimes also referred to as AAD B2E, Business-to-Enterprise).
Your applications (e.g. web apps) that are leveraging B2C functionality can be deployed to any Azure subscription or even on-prem or third-party clouds, as long as you register your app to that B2C tenant.
- buzzripper, Mar 31, 2021, Copper Contributor
Thanks for that response, that clarifies things a lot.
One other thing I'm confused about with B2C is: is B2C also the token server? Does it provide both the id_token and the access_token? If I understand things right, you designate which of the user's AD values go into the id_token via those XML files. But I'm unclear on how you get/populate an access_token. These values usually come from the application, so I'm not sure how that's accomplished.