Explore your Microsoft 365 cloud environment

  • 10 minutes

Creating a path to an organization's digital transformation with Microsoft 365 cloud computing requires a firm foundation. The organization's workers can rely on that foundation for productivity, collaboration, performance, privacy, compliance, and security. Correct configuration of an organization's Microsoft 365 subscription and Microsoft Entra tenant provides that foundation.

Important

Azure Active Directory (Azure AD) is now Microsoft Entra ID. Learn more.

Microsoft 365 subscriptions and plans

When people discuss Microsoft 365 subscriptions, they often use the terms "plan" and "subscription" interchangeably. However, they actually refer to slightly different aspects of the offering.

In the context of Microsoft 365, a "plan" typically refers to a specific set of features and services included in a subscription. Microsoft offers various plans or editions of Microsoft 365, such as E3 or E5, each with different capabilities and pricing structures. These plans determine the specific features and applications available to users, and any other services or benefits included.

On the other hand, a "subscription" generally refers to the act of acquiring access to a particular Microsoft 365 plan. It involves paying a recurring fee to Microsoft in exchange for the right to use the selected plan's features and services for a specified period of time. The subscription is typically associated with a user or an organization and usually includes multiple licenses to cover multiple users.

So, while "plan" refers to the specific set of features and services offered by Microsoft, "subscription" refers to the ongoing access to those features and services, typically tied to a payment arrangement. In everyday conversations, however, people often use the terms "plan" and "subscription" interchangeably to refer to the overall Microsoft 365 offering.

Build your cloud-computing foundation on a Microsoft 365 subscription and a Microsoft Entra tenant

To build your cloud-computing foundation, you must first understand the relationship between a Microsoft 365 subscription and a Microsoft Entra tenant. A Microsoft 365 plan provides access to various Microsoft products like Word, Excel, PowerPoint, and Outlook, along with cloud services for storage, collaboration, and communication. For example, Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, and more. When an organization subscribes to a Microsoft 365 plan, it can create user accounts, assign licenses to those accounts, and manage the subscription settings.

When an organization purchases a subscription to a Microsoft 365 plan, such as Microsoft 365 E3 or E5, Microsoft creates a Microsoft Entra tenant that supports those Microsoft 365 services. This Microsoft Entra tenant is the underlying foundation that enables user authentication, authorization, and other identity-related functionalities for the Microsoft 365 services such as Office applications, Exchange Online, SharePoint, Teams, and more. This single tenant environment allows for seamless integration and management of Microsoft 365 and Azure services within an organization.

People sometimes refer to their tenant as a "Microsoft 365 tenant." Technically, it's a Microsoft Entra tenant. People commonly use the term "Microsoft 365 tenant" because Microsoft creates the Microsoft Entra tenant when an organization purchases a subscription to a Microsoft 365 plan, along with the fact that the tenant primarily manages user identities and access across the Microsoft 365 suite of services.

In summary, a Microsoft 365 subscription is the paid plan that gives an organization access to the Microsoft cloud services. A Microsoft Entra tenant is the container that holds all of the resources associated with that subscription. The tenant determines the URL for the organization's services. It's also the place where the organization's Microsoft 365 Administrator can manage the company's global settings, such as branding and security policies.

Microsoft 365 plans that don't create a Microsoft Entra tenant

Organizations can purchase multiple plans from Microsoft in a single subscription. For example, Microsoft 365 E5 and Enterprise Mobility + Security (EMS) E5. In these situations, Microsoft still only creates a single Microsoft Entra tenant for the subscription because some Microsoft 365 plans don't create a Microsoft Entra tenant. These plans provide limited Microsoft Entra functionality and don't include the full Microsoft Entra tenant creation.

Some of the more common Microsoft 365 plans that don't create a Microsoft Entra tenant include:

  • Enterprise Mobility + Security (EMS) E5. The EMS E5 plan provides advanced security and management capabilities for mobile devices and cloud-based applications. While organizations can purchase EMS and Microsoft 365 plans separately, they often combine them to provide a comprehensive suite of productivity, collaboration, security, and management tools. By combining EMS E5 with a Microsoft 365 plan, you can access both advanced security features and the suite of Microsoft 365 services within a single Microsoft Entra tenant.
  • Microsoft 365 Business Basic. This plan primarily focuses on cloud-based productivity and collaboration tools. It includes web versions of popular Microsoft Office applications such as Word, Excel, and PowerPoint. It also provides Exchange Online for email hosting (with a 50-GB mailbox per user), SharePoint Online for team sites and file storage, and Microsoft Teams for communication and collaboration.
  • Microsoft 365 Business Standard. This plan includes all the features of Microsoft 365 Business Basic and adds the ability to install the full desktop versions of Office applications (Word, Excel, PowerPoint, Outlook, Publisher, and Access) on up to five devices per user. Given this functionality, users can work offline and take advantage of more advanced features available in the desktop versions.
  • Microsoft 365 Apps. This plan provides the full desktop versions of the Microsoft Office applications for organizations. Microsoft tailored this plan for businesses that require the power and functionality of the Office suite installed on users' devices.
  • Office 365 F3. Microsoft designed this plan for frontline workers who don't require the full suite of advanced Office applications but still need essential productivity tools and collaboration capabilities to perform their job duties effectively. It includes web and mobile versions of Office apps, email, and file storage.
  • Microsoft 365 F1. Microsoft also designed this plan for frontline workers. It includes Office Online apps, email, and file storage. Microsoft 365 F1 provides a more comprehensive feature set than Office 365 F3, including enhanced security and compliance features, and more tools for automation and custom application development.

It's worth noting that while these plans don't create a Microsoft Entra tenant, they can still have limited Microsoft Entra functionality for user management and authentication purposes. However, for more advanced Microsoft Entra ID capabilities and features, such as advanced identity protection, Conditional Access, and device management, you would typically need to consider higher-tier plans like Microsoft 365 E3 or E5, which do create a Microsoft Entra tenant.

Licenses

When you subscribe to a Microsoft 365 plan, the number of licenses that you purchase for the plan are typically based on the number of users or seats you need for your organization. Here's the general process:

  1. Select the right Microsoft 365 plan for your organization. Microsoft offers various plans with different features and services. Each plan has its own set of capabilities and applications. You choose the plan that best suits your needs, based on the features you require.
  2. Purchase a Microsoft 365 plan with the appropriate number of licenses for your organization. When you subscribe to a Microsoft 365 plan, you purchase a specific number of users or seats for that plan. For example, if you have 50 employees, you would purchase a subscription for 50 user licenses for your selected plan.
  3. Allocate your licenses. Once you have purchased your subscription, you can allocate the licenses for your Microsoft 365 plan to individual users within your organization. You manage this process through the Microsoft 365 admin center. You can assign licenses to specific users, granting them access to the features and services included in the plan.
  4. Manage your licenses. As your organization's needs change, you can add or remove licenses as required. You can purchase more licenses for your plan to accommodate new users. You can also remove licenses for users who leave the organization or no longer require access. This flexibility enables you to scale your licensing based on your organization's size and requirements.

Important

The specific details of license allocation and management can vary depending on the Microsoft 365 plan you choose and any other services or add-ons you opt for. Microsoft provides tools and resources to help you manage licenses effectively, ensuring that you have the right number of licenses for your organization's users while maintaining compliance with the licensing terms.

Organizations with multiple Microsoft Entra tenants

When you purchase a Microsoft 365 subscription, Microsoft creates a Microsoft Entra tenant. The tenant supports and provides the identity and access management infrastructure for the Microsoft 365 plan you subscribed to. By having a single tenant for Microsoft 365 and Microsoft Entra ID, you can streamline administration, simplify user management, and establish consistent security and access controls across both platforms. It provides a cohesive environment for managing your organization's cloud services and resources.

An organization can have multiple Microsoft Entra tenants, where Microsoft sets up each tenant with a separate Microsoft Entra or Microsoft 365 subscription. Each Microsoft Entra or Microsoft 365 subscription is associated with its own dedicated Microsoft Entra tenant.

Large enterprise organizations often opt for multiple Microsoft 365 subscriptions to cater to the diverse needs of different user groups within the organization. They can tailor these subscriptions to specific roles or departments, providing the appropriate set of services and features required for each group. The following diagram shows an example of a Microsoft 365 subscription plan with a dedicated Microsoft Entra tenant.

There are several reasons why large enterprises choose to have multiple Microsoft 365 subscriptions:

  • Different user requirements. Different departments or teams within an enterprise can have varying needs when it comes to productivity tools, collaboration features, and security controls. When an organization purchases multiple Microsoft 365 subscriptions, it can customize the offerings based on the specific requirements of each user group.
  • Licensing flexibility. Large enterprises can have a mix of full-time employees, part-time employees, contractors, and external collaborators. By having multiple subscriptions, organizations can choose the appropriate licensing model (user-based or device-based) and license types (for example, Microsoft 365 E3, E5, or F1) to suit the needs and usage patterns of different user categories.
  • Compliance and security considerations. Some industries or regulatory frameworks require specific security and compliance measures. Large enterprises sometimes opt for multiple subscriptions that provide advanced security and compliance features to meet these requirements while ensuring data protection and governance.
  • Mergers and acquisitions. An organization involved in a merger or an acquisition can end up with multiple legacy systems or existing Microsoft 365 environments. Consolidation of these systems into a single subscription can take time, and during the transition period, they must maintain multiple subscriptions.

Caution

Managing multiple subscriptions can bring some complexity in terms of license management, user provisioning, and administration. However, large enterprise organizations often have dedicated IT teams or administrators who handle these tasks efficiently. Ultimately, the decision to purchase multiple Microsoft 365 subscriptions is based on the organization's unique requirements, the size and structure of the enterprise, and the need for customization and flexibility across different user groups.

Tenant information

During the sign-up process for a Microsoft 365 plan, Microsoft asks the organization to provide some basic information, such as its business name, country/region, and domain name. Microsoft then uses this information when it creates the new Microsoft Entra tenant for the organization. Microsoft bases the tenant URL that it creates on the domain name provided by the organization during sign-up. It typically looks something like this: https://contoso.onmicrosoft.com.

Once Microsoft creates an organization's tenant, the organization's Microsoft 365 Administrator can sign in to the Microsoft 365 admin center to manage the subscription and its associated resources. The admin center provides a web-based interface for managing users, licenses, domains, and more. The Microsoft 365 admin center provides an organization with complete control over its Microsoft 365 environment.

A Microsoft Entra tenant unified with a Microsoft 365 subscription provides a dedicated instance of Microsoft 365 services and an organization's data. Microsoft stores this information within a Microsoft datacenter in a specific default location, such as Europe or North America. Microsoft determines the location of the Microsoft datacenter assigned to the tenant when it creates the tenant for an organization. Each Microsoft Entra tenant is distinct, unique, and separate from all other Microsoft Entra tenants.

With a Microsoft 365 subscription, you can add up to 900 domains to a single tenant. An organization can use each domain to create email addresses for the users in those domains.

An organization can't have more than one tenant within a single Microsoft 365 subscription. However, as previously noted, it can have multiple tenants by purchasing multiple Microsoft 365 subscriptions. Each subscription comes with its own tenant, which can have its own set of users, domains, and other settings.

Attributes of a well-designed Microsoft Entra tenant

Beyond the correct name and location for an organization's tenant, there are other elements that an organization must plan, deploy, and manage. An organization that properly designs and manages these elements ensures that its user experiences with cloud productivity apps—such as Microsoft Teams and Exchange Online—are effective, secure, and performant.

An organization must properly configure and manage the following elements for their Microsoft Entra tenant:

  • The correct set of products (subscriptions) and licenses.
    • The set of products match its business, IT, and security needs.
    • There's an adequate number of licenses for its workers and anticipated changes in staffing.
  • For networking:
    • It configured the correct DNS domain names.
    • For enterprise networks, it optimized network traffic to the Microsoft network for onsite workers.
    • It optimized network traffic for remote workers who use a VPN client.
  • If it has an on-premises Active Directory Domain Service (AD DS), it synchronized accounts, groups, and other objects:
    • It mapped its Microsoft Entra tenant accounts to Exchange Online mailboxes with the correct DNS domains for email addresses.
    • It assigned its user accounts the correct licenses from the correct purchased products (such as Microsoft 365 E3 or E5).
  • It configured strong identity and access management.
    • It requires secure user sign-in with passwordless or multifactor authentication (MFA).
    • It created Conditional Access policies that enforce sign-in requirements and restrictions for higher levels of security.
  • It either migrated on-premises Office servers and their data to cloud apps, or it deployed that data in a hybrid configuration.
  • It performs device management with Intune or Basic Mobility and Security built into Microsoft 365.
    • It enrolls and manages organization-owned devices.
    • It manages apps for personal devices.

The following diagram displays an example of a Microsoft Entra tenant with all these elements in place to support a Microsoft 365 subscription.

Diagram showing an example of a Microsoft 365 subscription with a Microsoft Entra tenant.

In this illustration, the Microsoft Entra tenant includes:

  • Products and licenses for Microsoft 365 E5 and Enterprise Mobility. + Security E5.
  • Microsoft 365 productivity apps.
  • Intune with enrolled devices and device and application policies.
  • A Microsoft Entra tenant with synchronized user accounts, domains, and Conditional Access policies. The diagram doesn't display groups and other directory objects.