Introduction to Azure Active Directory Tenants

As an educational institution, you can sign up for a free trial of Microsoft 365 Education and complete an eligibility verification wizard to purchase subscriptions at academic prices.

Creating an Azure Active Directory Tenant

When you sign up for a paid or trial subscription of Microsoft 365 Education, an Azure Active Directory (Azure AD) tenant is created as part of the underlying Office 365 services. Likewise, an Azure AD tenant is created when you sign up for Azure. You can also manually create an Azure AD tenant through the Azure portal and add Office 365 services at a later time.

Important

When creating an Azure AD tenant, you must specify a logical region that will determine the location of the data center. This must be chosen very carefully because it cannot be changed after creation.

For more information, see the Microsoft 365 Education deployment guide.

What is an Azure AD tenant?

An Azure AD tenant provides identity and access management (IAM) capabilities to applications and resources used by your organization. An identity is a directory object that can be authenticated and authorized for access to a resource. Identity objects exist for human identities such as students and teachers, and non-human identities like classroom and student devices, applications, and service principles.

The Azure AD tenant is an identity security boundary that is under the control of your organization’s IT department. Within this security boundary, administration of objects (such as user objects) and configuration of tenant-wide settings are controlled by your IT administrators.

Resources in a tenant

Azure AD is used to grant objects representing identities access to resources like applications and their underlying Azure resources, which might include databases, and Learning management Systems (LMS).

Access to apps that use Azure AD

Identities can be granted access to many types of applications, including but not limited to:

• Microsoft productivity services such as Exchange Online, Microsoft Teams, and SharePoint Online

• Microsoft IT services such as Azure Sentinel, Microsoft Intune, and Microsoft Defender ATP

• Microsoft Developer tools such as Azure DevOps

• Third-party applications such as Learning Management Systems (LMS)

• On-premises applications integrated with hybrid access capabilities such as Azure AD Application Proxy

• Custom in-house developed applications

Applications that use Azure AD require directory objects to be configured and managed in the trusted Azure AD tenant. Examples of directory objects include application registrations, service principals, groups, and schema attribute extensions.

While some applications can have multiple instances per tenant, for example a test instance and a production instance, some Microsoft Services such as Exchange Online can only have one instance per tenant.

Access to Directory Objects

Identities, resources, and their relationships are represented in an Azure AD tenant as directory objects. Examples of directory objects include users, groups, service principals, and app registrations.

When objects are in an Azure AD tenant, the following occurs:

• Visibility. Identities can discover or enumerate resources, users, groups, and access usage reporting and audit logs if they have the right permissions. For example, a member of the directory can discover users in the directory with default user permissions.

• Applications can affect objects. Applications can manipulate directory objects through Microsoft Graph as part of their business logic. Typical examples include reading or setting user attributes, updating user’s calendar, and sending emails on behalf of the user. Consent is necessary to allow applications to affect the tenant. Administrators can consent for all users. For more information, see Permissions and consent in the Microsoft identity platform.

  Note

  Use caution when using application permissions. For example, with Exchange Online, you should scope application permissions to specific mailboxes and permissions.

• Throttling and service limits. Runtime behavior of a resource might trigger throttling to prevent overuse or service degradation. Throttling can occur at the application, tenant, or entire service level. Most commonly it occurs when an application has a large number of requests within or across tenants.

Every tenant has a total object limit. By default, a tenant is limited to 50,000 total objects. After a custom domain is added, the limit increases to 300,000. You can increase this object limit further by contacting the EDU Customer Success Team team. We recommended that a single Azure AD tenant not exceed 1 million users, which usually equates to approximately 3 million total objects. For more information about service limits in Azure AD, see Azure AD service limits and restrictions.

Configuration in a tenant

Policies and settings in Azure AD impact resources in the Azure AD tenant through targeted, or tenant-wide configurations.

Examples of tenant-wide policies and settings include:

• External identities. Global administrators for the tenant identify and control the external identities that can be provisioned in the tenant.

  • Whether to allow external identities in the tenant

  • From which domain(s) external identities can be added

  • Whether users can invite users from other tenants

• Named Locations. Global administrators can create named locations, which can then be used to:

  • Block sign in from specific locations.

  • Trigger conditional access policies such as MFA.

• Allowed authentication methods. Global administrators set the authentication methods allowed for the tenant.

• Self-service options. Global Administrators set self-service options such as self-service password reset and create Office 365 groups at the tenant level.

The implementation of some tenant-wide configurations can be scoped as long as they don't get overridden by global administration policies. For example:

• If the tenant is configured to allow external identities, a resource administrator can still exclude those identities from accessing a resource.

• If the tenant is configured to allow personal device registration, a resource administrator can exclude those devices from accessing specific resources.

• If named locations are configured, a resource administrator can configure policies either allowing or excluding access from those locations.

Administration in a tenant

Administration includes the management of identity objects and scoped implementation of tenant-wide configurations. Objects include users, groups, and devices, and service principles. You can scope the effects of tenant-wide configurations for authentication, authorization, self-serve options, and so on.

Tenant-wide administrators, or global admins, can:

• Grant access to any resource to any user

• Assign resource roles to any user

• Assign lower-scoped admin roles to any user

Administration of directory objects

Administrators manage how identity objects can access resources, and under what circumstances. They also can disable, delete, or modify directory objects based on their privileges. Identity objects include:

• Organizational identities, such as the following, are represented by user objects:

  • Administrators

  • Organizational users

  • Organizational developers

  • Test users **

• External identities represent users from outside the organization such as:

  • Partners or other educational institutions that are provisioned with accounts local to the organization environment

  • Partners or other educational institutions that are provisioned via Azure B2B collaboration

• Groups are represented by objects such as:

  • Security groups

  • Office 365 groups

• Devices are represented by objects such as:

  • Hybrid Azure AD joined devices (on-premises computers synchronized from on-premises Active Directory)

  • Azure AD joined devices

  • Azure AD registered mobile devices used by employees to access their workplace applications.

Note

In a hybrid environment, identities are typically synchronized from the on-premises Active Directory environment using Azure AD Connect.

Administration of identity services

Administrators with appropriate permissions can manage how tenant-wide policies are implemented at the level of resource groups, security groups, or applications. When considering administration of resources, keep the following in mind. Each can be a reason to keep resources together, or to isolate them.

• An identity assigned an Authentication Administrator role can require non-administrators to reregister for MFA or FIDO authentication.

• A Conditional Access (CA) Administrator can create CA policies that require users signing-in to specific apps to do so only from organization-owned devices. They can also scope configurations. For example, even if external identities are allowed in the tenant, they can exclude those identities from accessing a resource.

• A Cloud Application Administrator can consent to application permissions on behalf of all users.

• A Global Administrator can take control of a subscription.

Licensing

Microsoft paid cloud services, such as Office 365, require licenses. These licenses are assigned to each user who needs access to the services. Azure AD is the underlying infrastructure that supports identity management for all Microsoft cloud services and stores information about license assignment states for users. Traditionally, administrators would use one of the management portals (Office or Azure) and PowerShell cmdlets to manage licenses. Azure AD supports group-based licensing which enables you to assign one or more product licenses to a group of users.

Azure AD in Microsoft 365 Education scenarios

Azure AD helps students and faculty sign in and access resources and services in, including:

• Sign in and authorization to resources

  • Domains for sign in and email are configured for cloud authentication in Azure AD.

  • Most external collaboration capabilities use Azure AD B2B collaboration.

• Microsoft office 365 capabilities

  • Azure AD identities are assigned Office 365 licenses, which triggers provisioning.

  • Office 365 objects such as distribution lists, Modern Groups, contacts, and Microsoft Teams, are represented by Azure AD directory objects, and managed in Azure AD.

  • Office 365 services provide authorization using Azure AD Groups.

  • Access to Office 365 is controlled through Azure AD.

• Governance and Security

  • Management and security features such as Intune for Education rely on Azure AD users, groups, devices, and policies.

  • Privileged Identity Management to allow Just-in-Time (JIT) and Just Enough Administration (JEA) access to privileged operations.

  • Sign-in logs and audit activity reports.

  • Governance capabilities such as Access Reviews.

• Hybrid Environments

  • Azure AD provides the hybrid capabilities to synchronize from on-premises Active Directory through Azure AD Connect.

  • Azure AD Connect enables you to configure the authentication method appropriate for your organization, including password hash synchronization, pass-through authentication, or federation integration with AD FS or non-Microsoft SAML identity provider.

  • APIs to provision directory objects from SIS using School Data Sync

Next steps

• Design a multi-tenant architecture

• Design tenant configuration strategy