Azure account vs tenant (and maybe vs management group)


I'm having some difficulty seeing the differences between an Azure account, management group, and tenant. They seem to have in common that all can contain multiple subscriptions. I get the idea of the subscription -- a billing unit, all charged to the same credit card, each subscription generating a different bill. A subscription appears to be a child entity to an account, a management group, and a tenant. So here's what I understand so far, although if you asked me to clearly delineate the differences between these I couldn't do it.

A tenant:

  • Is associated with a certain identity, such as a person, company, etc
  • Can contain multiple subscriptions
  • Has a single Azure AD instance across all subscriptions within it

A management group:

  • Can contain multiple subscriptions or other management groups
  • Is, or is under, a root management group that has no "parent" management group and is alone at the top.
  • Seems to be most relevant when interested in cascading (inherited) policies and permissions, but I'm not sure that this is a defining element

An account:

  • Can contain multiple subscriptions
  • Seems to be used within a single company, but I'm not sure that this is a defining element

So, there seems to be lots of overlap, and if you showed me a grouping I'm not sure whether I could tell which one I'm looking at, nor what questions I'd have to ask to figure it out. I think I'm a little clearer on tenants than the others, but even that's hazy. Thank you in advance.

There is 1 best solution below

Below is my current best working understanding. I also have a lot of confusion about this, so if anyone can post a better explanation, I would appreciate it.

Abbreviation: Azure AD := Azure Active Directory

Main points:

  1. [Azure AD] is its own, completely separate and distinct, product compared to both "Active Directory" and "Azure".
  2. It is best to avoid the term "Azure account" when possible, because it is often used ambiguously to refer interchangeably to any of at least four distinct concepts, at least three of which, (a) "identity / user", (b) "[Azure AD] directory/instance/tenant/organization", (c) "(Azure) subscription", have their own dedicated, precise (unambiguous) terms.
  3. There is neither a many-to-one, nor a one-to-many, relationship between "identities/users" and "[Azure AD] directories/instances/tenants/organizations". Instead they are best thought of as a bipartite graph. In particular, note that the term "Azure account" can often be used to refer confusingly to either of these two distinct concepts, despite them lacking any hierarchical relationship with one another. In other words, tenants have a "quasi-independent" existence of the "identities/users" that belong to them.
  4. There is a one-to-many (treelike) hierarchy that extends downwards from "tenant" or "root management group", compare e.g. this comment. (↕ denotes a one-to-one correspondence. ↓↓↓ is meant to denote a 'one-to-many' relationship, where each entity below is associated to a unique/[exactly one] instance of the entity above, whereas each entity above is associated to 0 or possibly more of the entities below.)
[Organization/Tenant/Azure AD Instance/Azure AD Directory]
↕
[Root Management Group]
↓↓↓
[(0 or more) Management Group]
↓↓↓
[(0 or more) Management Group] OR [Subscription]
↓↓↓
[Resource Group]
↓↓↓
[Resource]

Terms/Definitions:

  • "identity / user / account": Basically any set of credentials/information that allow one to log in/authenticate for interacting with Microsoft online products. I believe that there are at least two possible kinds.
    • Microsoft accounts: The simplest kind to understand corresponds to Microsoft accounts, because these accounts exist completely independently of any [Azure AD] tenants/instances. Even if a Microsoft account "user" creates an [Azure AD] instance in the course of their activities, under the correct circumstances they can even delete the instance. Such users are also sometimes able to create new [Azure AD] instances. Hence they can be associated with 0 or more tenants.
    • "work or school accounts": These are created within (or "by") an [Azure AD] tenant/instance, and hence in many ways actually cannot exist independently of the creating tenant/instance, cf. these Microsoft help pages (1)(2). Hence these have to be associated with 1 or more tenants, with a unique "home tenant".
  • [Azure AD]: Again, Azure Active Directory is best thought of as a completely distinct product from both Active Directory and from Azure. Each instance of the product is called an "instance", a "tenant", a "directory", or an "organization". Each instance is associated to/given a globally unique domain name, <globally_unique_name>.onmicrosoft.com. Instances of [Azure AD] have at least two main tasks:
    • Act as boundaries or containers for organizing zero or more subscriptions to Microsoft products (such as "Azure" or "Office 365"),
    • Manage permissions/access of users for interacting with (i) the tenant/instance itself, (ii) the (groups of) subscriptions to Microsoft products possessed by the tenants.
  • Azure subscription: Every one of these must be associated to a unique (exactly one) [Azure AD] tenant/instance. An [Azure AD] tenant/instance however can have 0 or more Azure subscriptions (say if it only has an Office 365 subscription, or had an Azure subscription which was then deleted). Users with the correct [Azure RBAC] permissions can transfer these between different tenants, but at any given time any given subscription depends on exactly one tenant.
  • 4th meaning of "Azure Account": This corresponds to the level of "root (Azure) management group" and below in an [Azure AD] tenant (basically all groups of Azure subscriptions belonging to the tenant), and is the same as the level of scope of the [Azure RBAC] system for managing "Azure roles". Any user with the "User Access Administrator" "[Azure AD] role" (remember that "Azure" and "[Azure AD]" are distinct products, hence "Azure roles" and "Azure AD roles" are distinct) has complete control over the [Azure RBAC] system for administering "Azure roles". Cf. these Microsoft help pages (1)(2)(3)(4).

Comments:

  • Sometimes you will see people say things like "every X belongs to a unique Z", even when Z is more than one level above X in the hierarchy, for example "every resource belongs to a unique subscription" or "every subscription belongs to a unique tenant". This seems to be (de facto) shorthand for either "every X belongs indirectly to Z" or "every X belongs (directly) to a unique Y, which in turn belongs (directly) to a unique ... Z".
  • The recommended best practice is to use Microsoft services in a way that there is a one-to-one correspondence between "[Azure AD] tenants" and "real-world/physical organizations", hence why "[Azure AD] tenants" are often referred to as "organizations" even in the Microsoft documentation. However such a correspondence is not a technical requirement, making the terminology confusing. Perhaps thinking of "Azure AD tenant" as an abstraction analogous to "workspace" in Slack or "workplace" in Google is more helpful.
  • There may be minor technical distinction(s) (if any) between "tenants", "organizations", "Azure AD instances", and "Azure AD directories", but I have come to believe that they are necessarily in one-to-one correspondence, in part due to the discussion on these related SO questions: (1) (2) (3). This also appears to be the easiest way to interpret Microsoft documentation. Cf. for example the page Microsoft intro to Azure AD (notice the inconsistent usage/switching between "tenant", "organization", and "directory").
  • As far as I understand, "management groups" are an optional level of hierarchy between "tenants" and "subscriptions", which allows administrators to have more granular control or flexibility in changing settings of multiple subscriptions at once.
  • Each non-root management group must have the "root management group" or another management group as its unique parent node, and must have another management group or a subscription as child nodes. Subscriptions have to be leaves in the resulting tree. "Empty" (i.e. no subscriptions) management groups might also be possible leaves as well.
  • If there are no (non-root) management groups, then the root management group is not necessarily instantiated and the hierarchy might go directly from tenants to subscriptions. Cf. the figure in this other Microsoft help page. This is the case when someone using a Microsoft account as an identity creates an "Azure subscription" for the first time.
  • Notice that in the common use-case of someone using a Microsoft account as an "identity/user" to create a (personal) Azure subscription for the first time, an "[Azure AD] instance/tenant" is automatically created that has that "user" as the unique user and global administrator for the "tenant", the "tenant" has no intermediate levels between the "tenant" and the "Azure subscription", the unique user is also the unique owner of the Azure subscription, and the unique user is also the unique User Access Administrator for [Azure RBAC]/[root management group]. In other words, all four possible distinct meanings of "Azure account" are in one-to-one correspondence in this use-case, and thus effectively "collapse". Cf. this comment on the Microsoft forums. This is probably why there is so much confusion.
  • Each tenant/instance must have at least one associated user, at least one of which must be a global administrator of the tenant. However, the tenant can have more than one global administrator. (One or more, i.e. not zero, global administrators are assured because global administrators are prevented from removing their own global administrator status, and every tenant is created with a designated global administrator.) So, except possibly in the case where there is a unique global administrator, there is never really any strong sense in which tenants "belong" to any particular user.
  • With the caveat that "Owner" is an "Azure role" [Azure RBAC], and not an "[Azure AD] role" (I think), the following analogy is helpful
    • Global Administrator :: [Azure AD] tenant/instance
    • User Access Administrator :: Azure RBAC scope (4th meaning of "Azure account")
    • Owner :: "Azure subscription"
  • An Azure AD instance is guaranteed to always have at least one global administrator, and a global administrator can always create permissions and/or create/add/invite users to have the necessary permissions. While every Azure AD tenant requires at least one global administrator, I think it is possible (albeit not recommended) for an Azure RBAC scope to have 0 User Access Administrators, and for an Azure subscription to have 0 owners, so the above analogy is not perfect. That being said, if one can distinguish between these three different kinds of user roles clearly, then one should also be able to distinguish clearly between these three different possible meanings of "Azure account".

Helpful discussion

I've read so many Microsoft help pages and StackOverflow questions about this and related issues (at least 40) that I don't even remember anymore which ones were most relevant to shedding light on confusions I had related to this question. So please feel free to edit this answer, or comment, to add more links to such relevant information.
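The tree in the answer above (tenant ↕ root management group ↓ management groups ↓ subscriptions ↓ resource groups ↓ resources), together with the comments that subscriptions must be leaves of the management-group tree, that management groups are optional, and that "every resource belongs to a unique subscription/tenant" holds only indirectly, can be checked in code. The following is an added example and is not part of the question, the answer, or any Microsoft code. It models the hierarchy as a tree, enforces the parent/child rules, builds the ARM scope strings Azure RBAC uses for role assignments (these string formats are Azure's real ones; the tenant id, principal names and resource names are constructed placeholders), and shows how a role assigned at a management group is inherited by a resource several levels down while a subscription parked directly under the root management group is unaffected.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed placeholder tenant id. In Azure the root management group's id is the tenant id.
TENANT_ID = "00000000-0000-0000-0000-000000000000"

# Which node kinds may sit directly beneath which kind, per the tree in the answer.
ALLOWED_CHILDREN = {
    "tenant": {"mg"},                 # exactly one root management group
    "mg": {"mg", "subscription"},     # nested groups and/or subscriptions
    "subscription": {"rg"},           # subscriptions are leaves of the MG tree
    "rg": {"resource"},
    "resource": set(),
}


@dataclass
class Node:
    kind: str
    name: str
    parent: Optional["Node"] = None
    children: List["Node"] = field(default_factory=list)
    # Azure RBAC assignments made at this scope: principal -> role names
    assignments: Dict[str, Set[str]] = field(default_factory=dict)


def add_child(parent: Node, kind: str, name: str) -> Node:
    """Attach a child node, enforcing the hierarchy rules (raises ValueError on violation)."""
    if kind not in ALLOWED_CHILDREN[parent.kind]:
        raise ValueError(f"a {kind} cannot sit directly under a {parent.kind}")
    if parent.kind == "tenant" and parent.children:
        raise ValueError("a tenant corresponds to exactly one root management group")
    node = Node(kind, name, parent)
    parent.children.append(node)
    return node


def ancestors(node: Node) -> List[Node]:
    """The chain from the node itself up to the tenant (node first, tenant last)."""
    chain: List[Node] = []
    current: Optional[Node] = node
    while current is not None:
        chain.append(current)
        current = current.parent
    return chain


def owning_subscription(node: Node) -> Optional[Node]:
    """The unique subscription a resource group or resource belongs to (indirectly)."""
    return next((n for n in ancestors(node) if n.kind == "subscription"), None)


def scope_id(node: Node) -> str:
    """ARM scope string for this node, in the form Azure RBAC role assignments use."""
    if node.kind == "tenant":
        return "/"  # root scope
    if node.kind == "mg":
        return f"/providers/Microsoft.Management/managementGroups/{node.name}"
    if node.kind == "subscription":
        return f"/subscriptions/{node.name}"
    sub = owning_subscription(node)
    if node.kind == "rg":
        return f"/subscriptions/{sub.name}/resourceGroups/{node.name}"
    # resource: name carries the provider path, e.g. Microsoft.Storage/storageAccounts/<name>
    return f"/subscriptions/{sub.name}/resourceGroups/{node.parent.name}/providers/{node.name}"


def assign(node: Node, principal: str, role: str) -> None:
    """Record an Azure RBAC role assignment for a principal at this scope."""
    node.assignments.setdefault(principal, set()).add(role)


def effective_roles(node: Node, principal: str) -> Set[str]:
    """Roles the principal holds here, including those inherited from every ancestor scope."""
    roles: Set[str] = set()
    for n in ancestors(node):
        roles |= n.assignments.get(principal, set())
    return roles


def build_demo() -> Dict[str, Node]:
    """Constructed sample: one MG branch with a subscription, plus a subscription with no intermediate MG."""
    tenant = Node("tenant", TENANT_ID)
    root = add_child(tenant, "mg", TENANT_ID)  # root management group id == tenant id
    prod = add_child(root, "mg", "mg-prod")
    sub_prod = add_child(prod, "subscription", "sub-prod")
    sub_sandbox = add_child(root, "subscription", "sub-sandbox")  # directly under root MG
    rg = add_child(sub_prod, "rg", "rg-web")
    res = add_child(rg, "resource", "Microsoft.Storage/storageAccounts/stwebdemo")
    assign(root, "carol", "User Access Administrator")  # controls RBAC for the whole tree
    assign(prod, "bob", "Reader")                       # inherited by everything under mg-prod
    assign(sub_prod, "alice", "Owner")                  # inherited by rg-web and its resources
    return {"tenant": tenant, "root": root, "prod": prod, "sub_prod": sub_prod,
            "sub_sandbox": sub_sandbox, "rg": rg, "res": res}


if __name__ == "__main__":
    nodes = build_demo()
    for key in ("res", "sub_sandbox"):
        print(scope_id(nodes[key]))
        for who in ("alice", "bob", "carol"):
            print(f"  {who}: {sorted(effective_roles(nodes[key], who))}")
```

Running it prints the scope string of the storage account and of the sandbox subscription followed by each principal's effective roles there: `carol` appears at both (root management group assignments reach every subscription, which is the "4th meaning" of Azure account in the answer), `bob` only under `mg-prod`, and `alice` only within `sub-prod`. Auditing which principals reach a given resource is exactly this walk up the ancestor chain, and it is why a role assignment at a management group deserves the same scrutiny as one at a subscription.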