Export (0) Print
Expand All

What is an Azure AD directory?

Published: July 1, 2012

Updated: July 7, 2014

Applies To: Azure, Office 365, Windows Intune

noteNote
This topic provides online help content for cloud services, such as Windows Intune and Office 365, which rely on Microsoft Azure Active Directory for identity and directory services.

This topic explains important concepts and tasks related to managing Azure AD directories, and it includes the following sections:

In the physical workplace, the word tenant can be defined as a group or company that occupies a building. For instance, your organization may own office space in a building. This building may be on a street with several other organizations. Your organization would be considered a tenant of that building. This building is an asset of your organization and provides security and ensures that you can conduct business safely. It also is separated from the other businesses on your street. This ensures that your organization and the assets therein are isolated from other organizations.

In the cloud-enabled workplace, a tenant can be defined as a client or organization that owns and manages a specific instance of that cloud service. With the identity platform provided by Microsoft Azure, a tenant is simply a dedicated instance of Azure Active Directory (Azure AD) that your organization receives and owns when it signs up for a Microsoft cloud service such as Azure or Office 365.

Each Azure AD directory is distinct and separate from other Azure AD directories. Just like a corporate office building is a secure asset specific to only your organization, an Azure AD directory was also designed to be a secure asset for use by only your organization. The Azure AD architecture isolates customer data and identity information from co-mingling. This means that users and administrators of one Azure AD directory cannot accidentally or maliciously access data in another directory.

Azure AD Tenant

You will get an Azure AD directory when you sign up for a Microsoft cloud service. You can create additional directories as needed. For example, you might maintain your first directory as a production directory and then create another directory for testing or staging.

noteNote
After you sign up for your first service, we recommend that you use the same administrator account associated with your organization when you sign up for other Microsoft cloud services. For more information about user IDs, see What is my user ID and why do I need it?.

The first time you sign up for a Microsoft cloud service such as Azure, Microsoft Office 365, or Windows Intune, you are prompted to provide details about your organization and your organization’s Internet domain name registration. This information is then used to create a new Azure AD directory instance for your organization. That same directory is used to authenticate sign in attempts when you subscribe to multiple Microsoft cloud services.

The additional services fully leverage any existing user accounts, policies, settings or on-premise directory integration you configure to help improve efficiencies between your organizations identity infrastructure on-premises and Azure AD.

For example, if you originally signed up for a Windows Intune subscription and completed the steps necessary to further integrate your on-premises Active Directory with your Azure AD directory by deploying directory synchronization and/or single sign-on servers, you can sign up for another Microsoft cloud service such as Office 365 which can also leverage the same directory integration benefits you now use with Windows Intune.

For more information about integrating your on-premises directory with Azure AD, see Directory integration.

You can associate a new Azure subscription with the same directory that authenticates sign in for an existing Office 365 or Windows Intune subscription. Sign in to the Azure Management Portal using your organizational account. The Azure Management Portal returns a message that it was unable to find any subscriptions for that account. Select Sign Up For Azure, and your directory will be available for administration within the Azure Management Portal. For more information, see Manage the directory for your Office 365 subscription in Azure.

Associate Account 2

For a video about common usage questions for Azure AD, see Azure Active Directory - Common Sign-up, sign-in and usage questions.

If you don’t yet have a subscription to a Microsoft cloud service, use one of the links below to sign up. The act of signing up for your first service will create an Azure AD directory automatically.

In some cases, Azure may have provisioned a Default directory for you after you signed up. In other words, you may have had a Default directory “backfilled” for your account. Your subscription was then associated with that Default directory. This was done, for example, if you originally signed up for Azure before the current system where a directory is automatically provisioned as part of the sign up process.

Backfilling of directories was done in October 2013 as part of an overall improvement to the security model for Azure. It helps offer organizational identity features to all Azure customers and ensures that all Azure resources are accessed in the context of a user in directory. You cannot use Azure without a directory. To achieve that, any user who was signed up prior to July 7, 2013 but did not have a directory had to have one created. If you had already created a directory, then your subscription was associated with that directory.

There are no costs for using Azure AD. The directory is a free resource. There is an additional Azure Active Directory Premium tier that is licensed separately and provides additional features such as company branding and self-service password reset.

To change the display name of your directory, click the directory in the Management Portal and click Configure. As explained later in this topic, you can add a new directory or delete a directory that you no longer need. To associate your subscription with a different directory, click Settings > Subscriptions > Edit Directory. You can also create a custom domain using a DNS name that you have registered instead of the default *.onmicrosoft.com domain, which may be preferable with a service such as SharePoint Online.

For more information about how to manage your directory, Administering your Azure AD directory.

You can add an Azure AD directory in the Azure Management Portal. Select the Active Directory extension on the left and click Add.

You can manage each directory as a fully independent resource: each directory is a peer, fully-featured, and logically independent of other directories that you manage; there is no parent-child relationship between directories. This independence between directories includes resource independence, administrative independence, and synchronization independence.

  • Resource independence. If you create or delete a resource in one directory, it has no impact on any resource in another directory, with the partial exception of external users, described below. If you use a custom domain 'contoso.com' with one directory, it cannot be used with any other directory.

  • Administrative independence. If a non-administrative user of directory 'Contoso', creates a test directory 'Test' then:

    • By default, the user who creates a directory is added as an external user in that new directory, and assigned the global administrator role in that directory.

    • The administrators of directory 'Contoso' have no direct administrative privileges to directory 'Test' unless an administrator of 'Test' specifically grants them these privileges. Administrators of 'Contoso' can control access to directory 'Test' by virtue of their control of the user account which created 'Test.'

    And if you change (add or remove) an administrator role for a user in one directory, the change does not affect any administrator role that user may have in another directory.

  • Synchronization independence. You can configure each Azure AD independently to get data synchronized from a single instance of either:

    • The directory sync tool, to synchronize data with a single AD forest.

    • The Azure Active Directory Connector for Forefront Identity Manager, to synchronize data with one or more on-premises forests, and/or non-AD data sources.

Also note that unlike other Azure resources, your directories are not child resources of an Azure subscription. So if you cancel or allow your Azure subscription to expire, you can still access your directory data using Azure PowerShell, the Azure Graph API, or other interfaces such as the Office 365 Admin Center. You can also associate another subscription with the directory.

A global administrator can delete an Azure AD directory from the Azure Management Portal. When a directory is deleted, all resources contained in the directory are also deleted; so you should be sure you don’t need the directory before you delete it.

noteNote
If the user is signed in with an organizational account, the user must not be attempting to delete his or her home directory. For example, if the user is signed in with the organizational account joe@contoso.onmicrosoft.com, that user cannot delete the directory that has contoso.onmicrosoft.com as its default domain.

Azure AD requires that certain conditions are met to delete a directory. This reduces risk that deletion of a directory would negatively impact users or applications, such as the ability of users to sign in to Office 365 or access resources in Azure. For example, if a directory for a subscription became unintentionally deleted, then users could not access the Azure resources for that subscription.

The following conditions are checked:

  • The only user in the directory is the global administrator who will delete the directory. Any other users must be deleted before the directory can be deleted. If users are synchronized from on-premises, then sync will need to be turned off, and the users must be deleted in the cloud directory by using the Management Portal or the Azure module for Windows PowerShell. There is no requirement to delete groups or contacts, such as contacts added from the Office 365 Admin Center.

  • There can be no applications in the directory. Any applications must be deleted before the directory can be deleted.

  • There can be no subscriptions for any Microsoft Online Services such as Microsoft Azure, Office 365, or Azure AD Premium associated with the directory. For example, if a default directory was created for you in Azure, you cannot delete this directory if your Azure subscription still relies on this directory for authentication. Similarly, you cannot delete a directory if another user has associated a subscription with it. To associate your subscription with a different directory, click Settings -> Subscriptions -> Edit Directory. For more information about Azure subscriptions, see How Azure subscriptions are associated with Azure AD.

  • No Multi-Factor Authentication providers can be linked to the directory.

Community Additions

ADD
Show:
© 2014 Microsoft