Define Azure AD tenants

An Azure AD tenant provides identity and access management, which is an important part of your security posture. An Azure AD tenant ensures that authenticated and authorized users only access the resources to which they have permissions. Azure AD provides these services to applications and services deployed in and outside of Azure (such as on-premises or third-party cloud providers).

Azure AD is also used by software as a service (SaaS) applications such as Microsoft 365 and Azure Marketplace. Organizations already using on-premises AD can integrate it with their current infrastructure and extend cloud authentication. Each Azure AD directory has one or more domains. A directory can have many subscriptions associated with it but only one Azure AD tenant.

Ask basic security questions during the Azure AD design phase, such as how your organization manages credentials and how it controls human, application, and programmatic access.

Tip

If you have multiple Azure Active Directory tenants, review Azure landing zones and multiple Azure Active Directory tenants and its associated content.

Design considerations:

• An Azure subscription can only trust one Azure AD tenant at a time, further information can be found at Associate or add an Azure subscription to your Azure Active Directory tenant

• Multiple Azure AD tenants can function in the same enrollment. Review Azure landing zones and multiple Azure Active Directory tenants

• Azure Lighthouse only supports delegation at the subscription and resource group scopes.

• The *.onmicrosoft.com domain name created for each Azure AD tenant must be globally unique as per the terminology section in what is Azure Active Directory?

  • The *.onmicrosoft.com domain name for each Azure AD tenant cannot be changed once created.

• Review Compare self-managed Active Directory Domain Services, Azure Active Directory, and managed Azure Active Directory Domain Services to fully understand the differences between all the options and how they relate

• Explore the authentication methods offered by Azure Active Directory as part of your Azure Active Directory tenant planning

• If using Azure Government review the guidance around Azure AD tenants in Planning identity for Azure Government applications

• If using Azure Government, Azure China 21Vianet, Azure Germany (closed on October 29, 2021) then review National clouds for further guidance around Azure AD

Design recommendations:

• Add one or more custom domains to your Azure AD tenant as per Add your custom domain name using the Azure Active Directory portal

  • Review Azure AD UserPrincipalName population if planning to or using Azure AD Connect to ensure custom domain names are reflected in your on-premises Active Directory Domain Services environment.

• Define your Azure single sign-on strategy, using Azure AD Connect, based on one of the supported topologies.

• If your organization doesn't have an identity infrastructure, start by implementing an Azure AD only identity deployment. Deployment with Azure AD Domain Services and Microsoft Enterprise Mobility + Security provides end-to-end protection for SaaS applications, enterprise applications, and devices.

• Azure AD Multi-Factor Authentication provides another layer of security and authentication. For more security, also enforce conditional access policies for all privileged accounts.

• Plan for emergency access or break-glass accounts to prevent tenant-wide account lockout.

• Use Azure AD Privileged Identity Management to manage identities and access.

• Send all Azure AD diagnostic logs to a central Azure Monitor Log Analytics workspace following the guidance here: Integrate Azure AD logs with Azure Monitor Logs

• Avoid creating multiple Azure AD tenants. For further information, see Testing approach for enterprise-scale and Cloud Adoption Framework Azure best practices guidance to standardize on a single directory and identity.

• Use Azure Lighthouse to grant third parties/partners access to Azure resources in customer Azure AD tenants and centralized access to Azure resources in multitenant Azure AD architectures.