Hopefully this is a quick answer: I'm starting some work with Azure AD and a term I'm seeing over and over is an Azure AD "tenant". It seems to be synonymous and used interchangeably with an Azure AD "directory", but is it?
I'm probably just being pedantic, and I'm guessing it's obvious to everyone else, but nothing I can find explains this plainly. This is the closest thing I've found and even that makes a jump I can't follow, switching terms from "tenant" to "directory" without explaining:
With the identity platform provided by Microsoft Azure, a tenant is simply a dedicated instance of Azure Active Directory (Azure AD) that your organization receives and owns when it signs up for a Microsoft cloud service such as Azure or Office 365.
Each Azure AD directory is distinct and separate from other Azure AD directories. Just like a corporate office building is a secure asset specific to only your organization, an Azure AD directory [...]
Can anyone just confirm the relationship between these two terms, for the record?
I don't have enough rep to comment on the other answer, but the comment "You can have multiple AAD directories assigned to a single subscription." is not correct per the documentation, rather the opposite. https://docs.microsoft.com/en-us/azure/active-directory/active-directory-how-subscriptions-associated-directory
My understanding is that "tenant" and "directory" are basically used interchangeably in the Active Directory documentation. I think it's just more convenient to use "tenant" sometimes since the title of the service is "Active Directory" so referring to an "Active Directory directory", for example, would be confusing.
You are correct, in order to use Azure AD you must become a "tenant" within the system. So a tenant is basically just securing a .onmicrosoft.com sub-domain. At that point you would have one account registered in your Azure AD. From there, you can activate Office365, Intune or any of the Azure services.
You may find this blog post and associated diagram helpful:
The author's answer to your question seems to depend on how you obtain your Azure,
Azure tenant A dedicated and trusted instance of Azure AD that's automatically created when your organization signs up for a Microsoft cloud service subscription, such as Microsoft Azure, Microsoft Intune, or Office 365. An Azure tenant represents a single organization.
Azure AD directory Each Azure tenant has a dedicated and trusted Azure AD directory. The Azure AD directory includes the tenant's users, groups, and apps and is used to perform identity and access management functions for tenant resource
source: What is Azure AD
Simply put, an instance of Azure AD is what an organization receives when the organization creates a relationship with Microsoft such as signing up for Azure, Microsoft Intune, or Microsoft 365.
A tenant is similar to a forest in an on-premise environment.
An Active Directory forest (AD forest) is the topmost logical container in an Active Directory configuration that contains domains, users, computers, and group policies
They're the same but they're describing from different angles - from AzureAD customer's perspective, An Azure AD directory refers to the logical "container" and everything contained in the container such as users, user groups, applications and etc, essentially everything that AzureAD service knows about your organization (note, NOT including Azure resources such as subscription, account etc ), from AzureAD (or Microsoft) service's perspective, each of the customer is just one of its tenant(think about a landlord that manages many tenants in their apartment), hence each customer receives an id (i.e. tenant id).
Hence in a customer-centric context, we tend to use "directory", e.g. after you log on to Azure portal, it allows you to "Switch Directories", i.e. it lets you, as an Azure AD customer, to decide which organization you want to manage/operate. While in a specific service(e.g. Azure)'s context, it tends to use "tenant" to refer to the directory/organization that the service is associated with, as it doesn't really care about the contents within the directory/organization in such context, e.g. once you log on an Azure account or once you pick up an Azure subscription, Azure wants to know which directory/organization that your account/subscription is bound to, and it assigns a "tenant Id" property to the account/subscription for tracking purpose.
Part of the reason of having two terms, may also due to the fact that they're from different microsoft teams, hence there is no coordination on the naming, i.e, if we stick to the same directory/directory id from the beginning in every place, I don't see there would be any issue.
So there is a one-to-one mapping between an Azure AD directory and Azure AD tenant, and they're used interchangeably in different contexts.
Each customer gets an Azure AD tenant.
A single customer can have multiple tenants; but a tenant can only be mapped to a single customer. Customers can interoperate by setting up sharings and/or federations between tenants.
Each Office 365 resource (Exchange mailbox, SharePoint site) always belongs to a single Azure AD tenant.
Azure subscriptions are an exception: they are explicitly associated with a specific AAD tenant, but they can be transferred between them (with several limitations). Billing may change when this happens.
Last but not least, directory synchronization (AADConnect) can only map user accounts and groups from one or more local Active Directory to a single destination AAD.