Cuir in eagar

Comhroinn trí


Understand how multiple Microsoft Entra tenant organizations interact

In Microsoft Entra ID, part of Microsoft Entra, each Microsoft Entra organization is fully independent: a peer that is logically independent from the other Microsoft Entra organizations that you manage. This independence between organizations includes resource independence, administrative independence, and synchronization independence. There's no parent-child relationship between organizations.

Resource independence

  • If you create or delete a Microsoft Entra resource in one organization, it has no effect on any resource in another organization, with the partial exception of external users.
  • If you register one of your domain names with one organization, you can't use it for any other organization.

Administrative independence

If a non-administrative user of organization 'Contoso' creates a test organization 'Test,' then:

  • By default, the user who creates an organization is added as an external user to that new organization, and assigned the Global Administrator role.
  • The administrators of organization 'Contoso' have no direct administrative privileges to organization 'Test,' unless an administrator of 'Test' specifically grants them these privileges.
  • If you add or remove a Microsoft Entra role for a user in one organization, the change doesn't affect other roles. For example, roles that the user assigns in any other Microsoft Entra organization.

Synchronization independence

You can configure each Microsoft Entra organization independently to get data synchronized from different AD forests, using the Microsoft Entra Connect tool. See topologies for Microsoft Entra Connect for more information on supported topologies when there are multiple Microsoft Entra tenants.

Add a Microsoft Entra organization

  1. Sign in to the Microsoft Entra admin center as at least a Tenant Creator.
  2. Browse to Identity > Overview.
  3. Select Manage tenants.
  4. Choose Create.
  5. Select Workforce and provide the requested information. Microsoft Entra ID creates a new organization and appears in the list of organizations.

Note

Unlike other Azure resources, your Microsoft Entra organizations are not child resources of an Azure subscription. If your Azure subscription is canceled or expired, you can still access your Microsoft Entra organization's data using Azure PowerShell, the Microsoft Graph API, or the Microsoft 365 admin center. You can also associate another subscription with the organization.

Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024. To learn more, read the deprecation update. After this date, support for these modules are limited to migration assistance to Microsoft Graph PowerShell SDK and security fixes. The deprecated modules will continue to function through March, 30 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption after June 30, 2024.

Next steps

For Microsoft Entra ID licensing considerations and best practices, see What is Microsoft Entra ID licensing?.