When you use Azure with a single subscription and the default tenant that comes with it, you are probably unaware of the hierarchy behind that setup.

In a way, this means the UX designers of the Azure portal did a terrific job keeping this complexity away from you as a user, but when the need arises to add components (more subscriptions, management groups, or a second tenant) you could find yourself unprepared for the journey.

The perceived complexity probably comes from mixing the tenant into the resource and subscription hierarchy. When you leave the tenant out of the equation, the picture is pretty clear, as visualized below:

[Figure: the management group, subscription and resource hierarchy (image alt text: "Strategy for application categories")]
Source: Microsoft Docs
  • A management group can contain multiple subscriptions and other management groups (up to six levels deep below the root), and a subscription can contain multiple resources (organized in resource groups)
  • A resource belongs to exactly one resource group and therefore to exactly one subscription
  • A subscription has exactly one parent management group: if you never place it anywhere, it sits directly under the tenant root management group

But how does the tenant fit into this picture? Strictly speaking, it does not appear in it. This structure groups resources and subscriptions to make them manageable from both a maintainability and a compliance standpoint: Azure Policy, RBAC role assignments and budgets applied at a management group are inherited by every subscription and resource beneath it.

A tenant, sometimes referred to as a directory, is a representation of an organization. It is a dedicated instance of Azure Active Directory (AAD, now called Microsoft Entra ID) and has a direct relationship with the subscription, but the cardinality is the other way around from what you might expect: one tenant can own many subscriptions, while a subscription trusts exactly one tenant at a time. The tenant is where the identities live that get RBAC assignments on the subscription and its resources. The management-group tree from the diagram also lives inside a tenant: the tenant root management group is named after the tenant ID, and every subscription of that tenant rolls up to it.

A tenant is mainly used for identity and access management (IAM), but it also holds app registrations and the service principals that applications and automation authenticate with, and it provides many other features regarding security and governance, such as Conditional Access and Privileged Identity Management.
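To make the relationships above concrete, here is an added example (not code from the original post) that models the tenant, management-group and subscription hierarchy and audits the invariants described here: the root management group is named after the tenant ID, every subscription appears in the tree exactly once, and each subscription belongs to exactly one tenant. The input is constructed to loosely resemble the output of `az account management-group show --expand --recurse` and `az account list`; all GUIDs, names and the `subscription_paths` / `audit_hierarchy` helpers are assumptions made for this illustration.

```python
"""Model and audit the Azure tenant / management group / subscription hierarchy.

Added example, not code from the original post. All identifiers below are
CONSTRUCTED: they mimic the shape of `az account management-group show
--expand --recurse` and `az account list` output but are not real.
"""

TENANT_ID = "11111111-1111-1111-1111-111111111111"        # constructed
OTHER_TENANT_ID = "22222222-2222-2222-2222-222222222222"  # constructed
SUB_PROD = "aaaaaaaa-0000-0000-0000-000000000001"         # constructed
SUB_DEV = "aaaaaaaa-0000-0000-0000-000000000002"          # constructed
SUB_LOOSE = "aaaaaaaa-0000-0000-0000-000000000003"        # constructed
SUB_FOREIGN = "aaaaaaaa-0000-0000-0000-000000000004"      # constructed

MG_TYPE = "Microsoft.Management/managementGroups"
SUB_TYPE = "/subscriptions"


def mg(name, display_name, children):
    """A management group node in the (constructed) CLI-style tree."""
    return {"name": name, "displayName": display_name, "type": MG_TYPE, "children": children}


def sub(sub_id, display_name):
    """A subscription leaf; in the CLI output `name` carries the subscription ID."""
    return {"name": sub_id, "displayName": display_name, "type": SUB_TYPE, "children": None}


# The tenant root management group is named after the tenant ID.
MG_TREE = mg(TENANT_ID, "Tenant Root Group", [
    mg("landing-zones", "Landing Zones", [
        mg("corp", "Corp", [sub(SUB_PROD, "prod-sub"), sub(SUB_DEV, "dev-sub")]),
    ]),
    mg("sandbox", "Sandbox", []),
    sub(SUB_LOOSE, "loose-sub"),  # never placed anywhere: sits directly under the root
])

# Constructed `az account list`-style records; the last one belongs to a
# different tenant, so it cannot appear in this tenant's management-group tree.
SUBSCRIPTIONS = [
    {"id": SUB_PROD, "name": "prod-sub", "tenantId": TENANT_ID},
    {"id": SUB_DEV, "name": "dev-sub", "tenantId": TENANT_ID},
    {"id": SUB_LOOSE, "name": "loose-sub", "tenantId": TENANT_ID},
    {"id": SUB_FOREIGN, "name": "partner-sub", "tenantId": OTHER_TENANT_ID},
]


def subscription_paths(tree, path=()):
    """Walk the tree and return {subscription_id: (mg names from the root down)}.

    Raises ValueError if a subscription shows up under more than one
    management group, which the hierarchy does not allow.
    """
    here = path + (tree["name"],)
    paths = {}
    for child in tree.get("children") or []:
        if child["type"] == SUB_TYPE:
            found = {child["name"]: here}
        elif child["type"] == MG_TYPE:
            found = subscription_paths(child, here)
        else:
            raise ValueError(f"unknown child type {child['type']!r}")
        duplicates = set(found) & set(paths)
        if duplicates:
            raise ValueError(f"subscription(s) in more than one management group: {sorted(duplicates)}")
        paths.update(found)
    return paths


def audit_hierarchy(tree, subscriptions):
    """Check the subscriptions you can see against the tenant's management-group tree.

    Returns a report with:
      tenant_id       - taken from the root management group name
      paths           - management-group path per subscription found in the tree
      under_root_only - subscriptions that inherit nothing but root-level policy
      foreign_tenant  - subscriptions whose tenantId is a different tenant
      not_in_tree     - subscriptions of this tenant missing from the tree
    """
    tenant_id = tree["name"]
    paths = subscription_paths(tree)
    report = {"tenant_id": tenant_id, "paths": paths,
              "under_root_only": [], "foreign_tenant": [], "not_in_tree": []}
    for record in subscriptions:
        if record["tenantId"] != tenant_id:
            report["foreign_tenant"].append(record["id"])
            continue
        path = paths.get(record["id"])
        if path is None:
            report["not_in_tree"].append(record["id"])
        elif path == (tenant_id,):
            report["under_root_only"].append(record["id"])
    return report


if __name__ == "__main__":
    for key, value in audit_hierarchy(MG_TREE, SUBSCRIPTIONS).items():
        print(f"{key}: {value}")
```

The `under_root_only` list is the one worth reviewing in practice: a subscription that sits directly under the tenant root management group is not covered by any policy or role assignment you made on a landing-zone management group, and the `foreign_tenant` list shows why the tenant cannot be ignored when you read `az account list` output, because a single signed-in user can see subscriptions from several tenants at once.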