I'm having some difficulty seeing the differences between an Azure account, management group, and tenant. They seem to have in common that all can contain multiple subscriptions. I get the idea of the subscription -- a billing unit, all charged to the same credit card, each subscription generating a different bill. A subscription appears to be a child entity to an account, a management group, and a tenant. So here's what I understand so far, although if you asked me to clearly delineate the differences between these I couldn't do it.
A tenant:
- Is associated with a certain identity, such as a person, company, etc.
- Can contain multiple subscriptions
- Has a single Azure AD instance across all subscriptions within it
A management group:
- Can contain multiple subscriptions or other management groups
- Is, or is under, a root management group that has no "parent" management group and is alone at the top.
- Seems to be most relevant when interested in cascading (inherited) policies and permissions, but I'm not sure that this is a defining element
An account:
- Can contain multiple subscriptions
- Seems to be used within a single company, but I'm not sure that this is a defining element
So, there seems to be lots of overlap, and if you showed me a grouping I'm not sure whether I could tell which one I'm looking at, nor what questions I'd have to ask to figure it out. I think I'm a little clearer on tenants than the others, but even that's hazy. Thank you in advance.
Below is my current best working understanding. I also have a lot of confusion about this, so if anyone can post a better explanation, I would appreciate it.
Abbreviation:
Azure AD := Azure Active Directory
Main points:
↕ denotes a one-to-one correspondence.
↓↓↓ is meant to denote a 'one-to-many' relationship (where each entity below is associated to a unique / [exactly one] instance of the entity above, whereas each entity above is associated to 0 or possibly more of the entities below.)
Terms/Definitions:
<globally_unique_name>.onmicrosoft.com
Instances of [Azure AD] have at least two main tasks:
Comments:
"X belongs to a unique Z", even when Z is more than one level above X in the hierarchy, for example "every resource belongs to a unique subscription" or "every subscription belongs to a unique tenant". This seems to be (de facto) shorthand for either "every X belongs indirectly to Z" or "every X belongs (directly) to a unique Y, which in turn belongs (directly) to a unique ... Z".
Helpful discussion
I've read so many Microsoft help pages and StackOverflow questions about this and related issues (at least 40) that I don't even remember anymore which ones were most relevant to shedding light on confusions I had related to this question. So please feel free to edit this answer, or comment, to add more links to such relevant information.
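The hierarchy the question lays out (tenant → single root management group → nested management groups → subscriptions, with policies cascading downward) and the answer's "one-to-many" notation (each entity below belongs to exactly one entity above) can be made concrete with a small model. The following is an added example written for this page, not code from either poster or from Microsoft; the tenant domain, group names, subscription ids and policy names are all constructed, and the model only encodes the structural rules stated on the page (one root, each subscription in exactly one management group, assignments inherited by everything beneath).

```python
"""Toy model of the Azure hierarchy described above (constructed example).

tenant -> root management group -> child management groups -> subscriptions.
A policy assigned at a management group applies to every subscription under it,
so a guardrail placed on the root group is in force tenant-wide.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ManagementGroup:
    name: str
    parent: Optional["ManagementGroup"] = None          # None only for the root group
    children: List["ManagementGroup"] = field(default_factory=list)
    subscriptions: List[str] = field(default_factory=list)
    policies: List[str] = field(default_factory=list)   # assignments made directly here


@dataclass
class Tenant:
    domain: str                                          # e.g. contoso.onmicrosoft.com (constructed)
    root: ManagementGroup
    _sub_index: Dict[str, ManagementGroup] = field(default_factory=dict)

    def add_group(self, name: str, parent: ManagementGroup) -> ManagementGroup:
        """Create a management group under `parent` (groups form a tree, one root)."""
        mg = ManagementGroup(name, parent)
        parent.children.append(mg)
        return mg

    def add_subscription(self, sub_id: str, group: ManagementGroup) -> None:
        """Place a subscription in exactly one management group (the one-to-many rule)."""
        if sub_id in self._sub_index:
            raise ValueError(
                f"subscription {sub_id} already belongs to {self._sub_index[sub_id].name}")
        group.subscriptions.append(sub_id)
        self._sub_index[sub_id] = group

    def chain(self, sub_id: str) -> List[ManagementGroup]:
        """Management groups from the subscription's own group up to the root."""
        mg: Optional[ManagementGroup] = self._sub_index[sub_id]
        path: List[ManagementGroup] = []
        while mg is not None:
            path.append(mg)
            mg = mg.parent
        return path

    def effective_policies(self, sub_id: str) -> List[str]:
        """Policies in force on a subscription: every ancestor's assignments plus its
        own group's, root first, since assignments cascade down the tree."""
        result: List[str] = []
        for mg in reversed(self.chain(sub_id)):
            for policy in mg.policies:
                if policy not in result:
                    result.append(policy)
        return result


def build_example_tenant() -> Tenant:
    """Constructed sample: one root, two child groups, one subscription in each."""
    root = ManagementGroup("Tenant Root Group")
    tenant = Tenant("contoso.onmicrosoft.com", root)
    root.policies.append("deny-public-ip")            # guardrail at the top, inherited everywhere
    prod = tenant.add_group("prod", root)
    dev = tenant.add_group("dev", root)
    prod.policies.append("require-encryption-at-rest")  # only the prod subtree gets this one
    tenant.add_subscription("sub-prod-001", prod)
    tenant.add_subscription("sub-dev-001", dev)
    return tenant


if __name__ == "__main__":
    t = build_example_tenant()
    for sub in ("sub-prod-001", "sub-dev-001"):
        path = " <- ".join(mg.name for mg in t.chain(sub))
        print(f"{sub}: {path}; effective policies = {t.effective_policies(sub)}")
```

Walking the chain from a subscription to the root is the same check a reviewer does by hand when asking "why is this policy applied here?": the answer is always some ancestor management group, and a subscription can never sit in two groups at once, which is what makes the inheritance unambiguous.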