This post is part of a mini-series that explains how Microsoft Customers, Azure AD Tenants, Azure Subscriptions and Cloud Solution Providers all work together.
It is aimed at anyone who wishes to purchase Azure resources from a Cloud Solution Provider (CSP) such as NewOrbit, as well as Microsoft Partners who wish to understand the relationship between CSPs and Customers better.
This is an immensely confusing topic that often stumps people who have spent years working with Azure - even as Partners.
I focus on explaining the concepts rather than being 100% technically correct. This means some of the detail is glossed over or simplified.
This series focuses on Partners providing Azure to Customers, but the Microsoft 365 side is inherently linked to this so there will be some straying into that area as well.
This post gives an overview of the key concepts, specifically Microsoft Customers, Tenants, Azure Subscriptions and Billing Relationships. Future posts will build on this to explain more about where Cloud Solution Providers fit in to this picture.
Microsoft Customers and Tenants
Every organization that buys anything from Microsoft gets a Customer record in Microsoft’s systems. The Customer will also automatically get a Tenant with the same ID. As a Partner, you can usually treat the “Microsoft Customer ID” and the “Tenant ID” as interchangeable.
It is possible for a Customer to have multiple Tenants. Microsoft are clear that you should avoid doing this, but there are scenarios - usually for enterprises - where it makes sense. In any case, I am not going to cover multi-tenants in this series. For the rest of this series, I will treat Microsoft Customers and Tenants as being the same thing.
Some partners may create a new Customer record for an organisation, even though they already have one. Historically there were good reasons for this, but it is now considered bad practice. If you are a Partner and you are doing this, you should stop. If you are a Customer and you think your Partner is doing this, you should ask them to stop.
So, what is a Tenant?
The easiest way to think of a Tenant is to think of it as being the same as your Azure Active Directory.
Okay, so what is my Azure Active Directory? At its simplest, it is the database of all your users and groups that can use Microsoft 365 and Azure. It’s where your M365 email accounts are stored.
As soon as you buy Microsoft 365 or Azure, you get an Azure Active Directory automatically.
When you go to the Microsoft 365 Admin Center, you are looking (at least in part) at your Azure Active Directory.
When you are assigning users access rights to your Azure subscription, you are looking at the list of users from your Azure Active Directory.
An interesting effect of this is that, even if you have only bought Microsoft 365, you can still log in to the Azure Portal and see your Azure Active Directory.
Similarly, if you have only bought Azure, you can still log in the to Microsoft 365 Admin Center and see your Azure Active Directory.
The two portals work in tandem and are managing the same Azure Active Directory. Certain things can only be done in one portal or the other so expect to use both, even if you only purchase either Microsoft 365 or Azure.
In other words, the Tenant is the root of everything you do with Microsoft, your users, your Microsoft 365, your Azure etc.
What are Azure Subscriptions?
An Azure Subscription is how you buy and use Azure resources, such as Virtual Machines etc. A Subscription belongs to a Tenant - but only loosely.
- Users in the Tenant do not automatically get access to anything in the subscription.
- It is possible to have access to the subscription without having any access to the Tenant (in fact, this series mostly deals with that kind of access).
- Billing for an Azure Subscription does not have to be linked to the Tenant - at least not directly.
An Azure Subscription is primarily a bucket that you can put Azure resources into. The linked Tenant/Azure Active Directory provides a user database: You can assign users from that Tenant access to the Subscription or to specific resources within the subscription. In a sense, the Tenant is an Identity Provider for the Azure Subscription.
You can have as many Azure Subscriptions as you like: They are just logical groupings for Billing and Security purposes. It is fairly easy to move resources between different subscriptions and there is no extra cost per subscription, so don’t hesitate to experiment.
There are many ways you can buy an Azure Subscription, for example Pay-as-you-Go on a credit card (PAYG), Microsoft Customer Agreement (MCA), Enterprise Agreement (EA), through a Cloud Solution Provider (CSP) such as NewOrbit - and several other options.
You can mix and match all these ways of buying Azure. The key concept here is Billing Relationships. Each Azure Subscription must belong to a single Billing Relationship and each Billing Relationship is of one particular type.
For example, you could have the following, all at the same time.
- A PAYG Billing Relationship with two subscriptions being paid on a Credit Card.
- A CSP relationship with one Microsoft Partner providing you three Azure Subscriptions.
- A CSP relationship with another Microsoft Partner providing you yet another subscription.
- A Microsoft Customer Agreement with four subscriptions.
In addition to all this, you can have other Billing Relationships for things like Microsoft 365, Dynamics and so on.
It is possible to move subscriptions between some, but not all, types of Billing Relationships. Even when you can’t move the whole subscription, you can always move the resources themselves between subscriptions, irrespective of their billing relationships.
Getting access to a subscription
When a user in a Tenant creates a new Azure Subscription, that user is automatically given the Owner permission for the whole subscription.
However, by default, that user is the only user who can access the subscription - unless they explicitly grant access to other users. Not even Global Administrators in the Tenant have access to the subscription by default!
This can lead to obvious problems, so there is an override option for that. A Global Administrator can go into Azure Active Directory in the Azure Portal and, under Properties, select “Access management for Azure resources”. This will give that administrator user management permissions for all subscriptions linked to the Tenant.
As far as partner access is concerned, there is a lot more detail on that coming up in later posts in this series.
I mentioned above that Subscriptions are only loosely coupled to the Tenant they belong to. A good example of this is Azure Key Vault. It is possible for an Azure Key Vault to belong to a different Tenant than the one the subscription belongs to. You can’t see this directly in the portal but you can see and manage this through PowerShell.
Similarly, it is possible - in certain scenarios - to move Subscriptions between Tenants. This is not something you can do yourself, but it is possible to request this from Microsoft Support.
- You can broadly treat “Microsoft Customer”, “Tenant” and “Azure Active Directory” as the same thing for everyday purposes.
- Azure Subscriptions are loosely coupled to the Tenant they belong to.
- Billing for Azure Subscriptions can be separate from the Tenant they belong to.
If you would like to talk to someone to understand this better, then we are always happy to talk at NewOrbit.
Additional posts are following this one, which explores the different relationships in much more detail.