What is a Windows Azure AD tenant?
Published: July 1, 2012
Updated: April 11, 2013
Applies To: Office 365, Windows Azure, Windows Intune
This topic provides online help content for cloud services, such as Windows Intune and Office 365, which rely on Windows Azure Active Directory for identity and directory services.
In the physical workplace, the word tenant can be defined as a group or company that occupies a building. For instance, your organization may own office space in a building. This building may be on a street with several other organizations. Your organization would be considered a tenant of that building. This building is an asset of your organization and provides security and ensures that you can conduct business safely. It also is separated from the other businesses on your street. This ensures that your organization and the assets therein are isolated from other organizations.
In the cloud-enabled workplace, a tenant can be defined as a client or organization that owns and manages a specific instance of that cloud service. With the identity platform provided by Windows Azure, a tenant is simply a dedicated instance of Windows Azure Active Directory (Windows Azure AD) in the cloud that your organization receives and owns when it signs up for one of Microsoft's cloud services.
Each Windows Azure AD tenant is distinct and separate from other Windows Azure AD tenants in the cloud. Just like a corporate office building is a secure asset specific to only your organization, a Windows Azure AD tenant was also designed to be a secure asset for use by only your organization. The Windows Azure AD architecture isolates customer data and identity information from co-mingling. This means that a tenant cannot accidentally or maliciously access another tenant's data.
You can get a Windows Azure AD tenant by either signing up for a Microsoft cloud service that you want to start using or evaluating or by creating one with your Windows Azure subscription.
Once you’ve signed up for your first service, we recommend you continue using the same tenant administrator account associated with your organization that you received when signing up.
The first time you sign up for a Microsoft cloud service such as Windows Azure Active Directory, Microsoft Office 365, Windows Intune, or sign up for Windows Azure as an organization, you are prompted to provide details about your organization and your organization’s Internet domain name registration. This information is then used to create a new tenant for your organization in Windows Azure Active Directory (Windows Azure AD). You only need to sign up for a Windows Azure AD tenant one time, and then you can sign in to that same tenant when you want to subscribe to multiple Microsoft cloud services.
If you have a Windows Azure account that you access with a Microsoft ID (formerly live.com) and have not signed up for a Microsoft cloud service, you can create a Windows Azure Active Directory tenant directly in the portal. See Create a Windows Azure AD tenant by signing up for a service as an organization.
For more information about user IDs, see What is my user ID and why do I need it?.
By using your organization’s tenant in this way, any additional services that you might decide to subscribe to in the future can fully leverage the existing user accounts, policies, settings, or on-premises directory integration you may have already configured to help improve efficiencies between your organization’s identity infrastructure on-premises and Windows Azure AD.
For example, if you originally signed up for a Windows Intune subscription and completed the steps necessary to further integrate your on-premises Active Directory with your Windows Azure AD tenant by deploying directory synchronization and/or single sign-on servers, you can sign up for another Microsoft cloud service such as Office 365 which can also leverage the same directory integration benefits you now use with Windows Intune.
For more information about integrating your on-premises directory with Windows Azure AD, see Directory integration.
Please be aware that it is not possible to delete a Windows Azure Active Directory tenant once it has been created. It is possible to delete and remove users from the tenant.
If you currently have an Office 365 or Windows Intune subscription, you can associate it with a new Windows Azure subscription. Sign in to the Windows Azure Portal using your organizational account. Remember to select Office 365 users: sign in with your organizational account. The Windows Azure Portal will say that it was unable to find any subscriptions for that account. Select Sign Up For Windows Azure. Once you have completed that, your Windows Azure AD tenant will be available for administration from the Windows Azure portal.
For a video on associating your Windows Azure AD tenant, as well as common usage questions, see Windows Azure Active Directory - Common Sign-up, sign-in and usage questions.
If you don’t yet have a subscription to a Microsoft cloud service, use one of the links below to help you sign up today. The act of signing up for your first service will create a Windows Azure AD tenant automatically.
You can create a Windows Azure AD tenant directly in the Windows Azure Management Portal if you use a Microsoft account to sign in to the portal. Simply select the Active Directory node on the left.
For additional information on creating a Windows Azure AD tenant with a Windows Azure subscription and a Microsoft account, see Administering your Windows Azure AD tenant.
Currently, when you sign up for either Windows Intune or Office 365 services, you have the ability to assign service-specific licenses to users in that service's account portal. This means that if you eventually add both services to the same tenant, you will need to go to the Windows Intune account portal to manage Windows Intune licenses, and Office 365 licenses will need to be managed separately within the Office 365 account portal.
In some situations, you may not be able to delete any user account that had been previously assigned a license from within the context of a different service. To delete user accounts in this case, you would need to sign out of the account portal you were using at the time of the deletion attempt, sign in to the appropriate account portal where the license was first assigned, remove the associated licenses, and then try to delete the user again.