A tenant is a dedicated, isolated instance of the Microsoft Entra ID service (previously Azure Active Directory, or Azure AD) that represents a single organization. Your organization receives a tenant automatically when it subscribes to any Microsoft cloud service, whether that's Microsoft 365, Azure, or Dynamics 365.
Each tenant has a globally unique tenant ID (a GUID) and an initial domain in the format yourorg.onmicrosoft.com. You can add and verify custom domains, but the initial .onmicrosoft.com domain cannot be removed and always remains available as a fallback.
Think of the tenant as the trust boundary for your organization. Authentication, authorization, and policy enforcement all happen within it. Users in Tenant A can't access resources in Tenant B unless you explicitly configure cross-tenant collaboration through B2B guest access.
That isolation is architectural, not just a policy setting. Each tenant runs as a logically separate instance of the Entra ID service with its own directory partition.
Key components of a tenant
Directory: the container within the tenant that stores identity objects (users, groups, service principals, and devices).
Users: human identities (employees, contractors) and guest users invited through B2B collaboration.
Groups: security groups and Microsoft 365 groups used for access management.
Applications: app registrations and enterprise applications (service principals) integrated through OAuth 2.0, SAML, or OpenID Connect.
Devices: endpoints that are registered, joined, or hybrid-joined to the tenant.
Roles: built-in and custom Microsoft Entra ID roles that control administrative permissions.
Conditional Access policies: rules that enforce MFA, device compliance, location restrictions, and sign-in risk controls.
Subscriptions: billing containers linked to the tenant. One tenant can have multiple Azure subscriptions.
Tenant vs. directory vs. subscription
These three terms trip up administrators constantly, and the distinction matters for both architecture and security.
Your tenant is the organizational identity boundary, the dedicated instance of Microsoft Entra ID that your organization controls. The directory is the identity object store within that tenant, containing your users, groups, applications, and devices.
In practice, Microsoft documentation often uses "tenant" and "directory" interchangeably because every tenant has exactly one directory and the two are created together.
A subscription is something else entirely. It's a billing and resource management container for Azure services. One tenant can hold multiple subscriptions (say, separate ones for development, staging, and production), but each subscription belongs to exactly one tenant.
Tenant: the identity and security boundary; the organization's dedicated instance of Microsoft Entra ID.
Directory: the users, groups, apps, and devices inside that boundary; exactly one directory per tenant.
Subscription: Azure resource billing and access; many subscriptions per tenant, each belonging to exactly one tenant.
How a tenant works
When a user enters their credentials, the Microsoft Entra ID tenant validates the identity, issues tokens, and the target application grants access based on the claims in those tokens. The tenant is where policy gets enforced. Conditional Access policies, MFA requirements, and role-based access controls are all scoped to the tenant and evaluated at sign-in time.
In hybrid environments, organizations running on-premises Active Directory alongside Microsoft Entra ID use Microsoft Entra Connect (previously Azure AD Connect) to synchronize identities from the on-premises forest into the tenant. Where the password is actually checked depends on the sign-in method you configure: with password hash synchronization the tenant validates the credential itself against the synced hash; with pass-through authentication the tenant hands validation to agents running on-premises; with federation (for example AD FS) the tenant redirects the user to the federated identity provider and trusts the token it returns. In every case the tenant still issues the cloud tokens and applies Conditional Access.
In multi-tenant scenarios, SaaS applications can serve users from multiple tenants at once. Each tenant's data stays logically isolated within the application, and enforcing that isolation is the application's job: the tenant ID (tid) claim in the token it receives tells it which tenant the caller belongs to, and the application must only accept tenants it has onboarded. This is the architecture behind Microsoft 365, Salesforce, and most enterprise SaaS products.
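The tenant-boundary check a multi-tenant application has to perform on every token, as an added example that is not part of this page or of any Microsoft SDK. The tenant GUIDs, client ID and user names are constructed, and the tokens are built unsigned so the logic runs offline; in production the signature is verified first against the issuing tenant's JWKS (from the OpenID discovery document), and only then are the `tid`, `iss` and `aud` claims checked as shown. The claim names are the real ones Entra ID emits.

```python
import base64
import json
from typing import Iterable, Tuple

LOGIN_HOST = "https://login.microsoftonline.com"

# Constructed identifiers: two tenants and one application (client) ID.
CONTOSO_TID = "11111111-1111-1111-1111-111111111111"
FABRIKAM_TID = "22222222-2222-2222-2222-222222222222"
APP_ID = "33333333-3333-3333-3333-333333333333"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed test token (header.payload. with an empty signature).

    Real Entra ID tokens are RS256-signed; signature checking is deliberately
    out of scope here so the tenant-boundary logic can be exercised offline.
    """
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."


def parse_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def authorize_tenant(token: str, allowed_tenants: Iterable[str], audience: str) -> Tuple[bool, str]:
    """Tenant-boundary check a multi-tenant app must run AFTER signature validation.

    A valid signature proves Microsoft issued the token; it says nothing about
    whether the issuing tenant is one this app has onboarded. Entra ID puts the
    issuing tenant's GUID in the `tid` claim and embeds the same GUID in the
    v2.0 `iss` URL, so both are checked and must agree.
    """
    claims = parse_claims(token)
    tid = claims.get("tid")
    if not tid:
        return False, "missing tid claim"
    if claims.get("aud") != audience:
        return False, "token was issued for a different application"
    if claims.get("iss") != f"{LOGIN_HOST}/{tid}/v2.0":
        return False, f"issuer {claims.get('iss')!r} does not match tid {tid}"
    if tid not in set(allowed_tenants):
        return False, f"tenant {tid} is not onboarded to this application"
    return True, "ok"


def demo() -> dict:
    """Run three constructed tokens through the check; only the home tenant passes."""
    tokens = {
        "home_tenant": make_unsigned_token({
            "tid": CONTOSO_TID, "iss": f"{LOGIN_HOST}/{CONTOSO_TID}/v2.0",
            "aud": APP_ID, "preferred_username": "alice@contoso.example"}),
        # Legitimately issued by another Entra tenant: Microsoft's signature
        # would verify, so only the tid allow-list keeps this user out.
        "other_tenant": make_unsigned_token({
            "tid": FABRIKAM_TID, "iss": f"{LOGIN_HOST}/{FABRIKAM_TID}/v2.0",
            "aud": APP_ID, "preferred_username": "mallory@fabrikam.example"}),
        # Issuer and tid disagree: never trust a tid the issuer did not vouch for.
        "spoofed_issuer": make_unsigned_token({
            "tid": CONTOSO_TID, "iss": f"{LOGIN_HOST}/{FABRIKAM_TID}/v2.0",
            "aud": APP_ID, "preferred_username": "mallory@fabrikam.example"}),
    }
    return {name: authorize_tenant(tok, {CONTOSO_TID}, APP_ID) for name, tok in tokens.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:15s} {'ALLOW' if ok else 'DENY '} {reason}")
```

The second case is the one that bites real deployments: a token from any Entra tenant carries a perfectly valid Microsoft signature, so an app that stops at signature validation has effectively made every tenant in the world a trusted identity provider. The allow-list of onboarded tenant IDs is what turns the tenant into an actual boundary for your application.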
Location: on-premises AD runs on domain controllers in your data center; a Microsoft Entra ID tenant runs in Microsoft's cloud infrastructure.
Authentication protocols: Kerberos, NTLM, and LDAP on-premises; OAuth 2.0, SAML, and OpenID Connect in Entra ID.
Device management: Group Policy on-premises; Intune and Conditional Access in Entra ID.
Identity boundary: the forest on-premises; the tenant in Entra ID.
Hybrid integration: on-premises AD is the source identity store; Microsoft Entra Connect syncs it into the tenant.
Security risks targeting tenants
Tenant misconfigurations and overlooked hygiene gaps give attackers reliable entry points into your cloud environment. The risks below are specific to tenant architecture and worth monitoring deliberately.
Consent phishing and illicit consent grants. Attackers create malicious OAuth applications and trick users into granting consent. Once a user approves the application's permission request, the attacker's app can read email, access files, and query profile data, all without ever needing the user's password. Microsoft's own documentation identifies illicit consent grants as a distinct attack pattern and provides an investigation playbook for it.
Overprivileged role assignments. Global Administrator is the most powerful role in a tenant. Organizations that assign this role broadly create unnecessary exposure. Only Global Administrator and Privileged Role Administrator can assign or remove directory roles; any other role, including User Administrator, lacks that permission.
When too many accounts hold Global Administrator permanently, a single compromised credential gives an attacker unrestricted control over the entire tenant. Microsoft's guidance is to keep fewer than five Global Administrators and to make the assignments eligible through Privileged Identity Management, activated just in time, rather than permanently active.
Stale and inactive accounts. Former employees, expired contractor accounts, and forgotten test accounts that remain enabled in the tenant become targets for credential stuffing and account takeover. These accounts often have no owner watching their sign-in activity, making them ideal for quiet compromise.
Cross-tenant lateral movement via B2B. A guest is still authenticated by its home tenant, so an attacker who compromises a user's home-tenant credentials inherits every guest relationship that user has: from the compromised home tenant they can sign in to each partner tenant where the identity is a guest and use whatever permissions it was granted there. The attack surface grows with every B2B trust relationship your organization maintains. Inbound cross-tenant access settings that require MFA and a compliant device from the home tenant, plus periodic access reviews of guest accounts, shrink it.
Conditional Access bypass. Misconfigured Conditional Access policies leave gaps that attackers exploit. Legacy authentication protocols (SMTP AUTH, IMAP, POP3, Exchange ActiveSync) use basic authentication and cannot perform MFA, so any policy set that does not block the "Exchange ActiveSync clients" and "Other clients" client-app conditions leaves a bypass path around every MFA requirement. Named locations marked as trusted and drawn too broadly (a whole ISP range, or a country) weaken the intended controls similarly.
Expired domain tenant takeover. If your organization's custom domain registration lapses, an attacker can re-register it and potentially intercept password reset emails or authentication redirects that reference the custom domain. Microsoft has documented this risk vector in its domain security guidance.
ADAudit Plus detects risky cloud configurations across Azure, AWS, and GCP through its Attack Surface Analyzer. It also monitors Entra ID sign-in activity, including sign-ins from anonymized IP addresses, impossible travel scenarios, and leaked credentials, through its Risk Detection reports.
Limitations of native tenant monitoring
The Microsoft Entra ID admin center provides sign-in and audit logs, but the native toolset has practical limits that affect how quickly you can detect and respond to threats.
Sign-in and audit logs are retained for 7 days on Entra ID Free and 30 days on P1 and P2. If you need longer retention, you have to export them through a diagnostic setting to a Log Analytics workspace (Azure Monitor), to a SIEM via Event Hubs, or to a storage account. That export pipeline requires separate configuration and ongoing maintenance.
The admin center doesn't generate real-time alerts on most tenant changes out of the box. If someone assigns the Global Administrator role, modifies a Conditional Access policy, or grants OAuth consent to a new application, no notification fires unless you've configured Azure Monitor alert rules over the exported logs or Logic Apps workflows. The exceptions are narrow: Privileged Identity Management (P2) notifies on role activations and alerts when roles are assigned outside PIM, and Identity Protection (P2) can email when users are flagged at risk.
Automated incident response is limited. Risk-based Conditional Access backed by Identity Protection (P2) can block a risky sign-in or force a secure password change when user risk is high, but beyond that there is no native playbook: when a suspicious sign-in is detected, an administrator has to investigate and decide on a response. There's no built-in mechanism to disable an account, revoke its sessions, or open a ticket in response to a detected anomaly unless you wire up Logic Apps or Microsoft Sentinel automation rules yourself.
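The kind of rule you otherwise have to build yourself over exported logs, as an added example that is not part of this page or of ADAudit Plus: a Python script that scans audit and sign-in records for the three changes named above (privileged role assignment, OAuth consent, Conditional Access edits) and for the legacy-authentication sign-ins behind the Conditional Access bypass risk. The records are constructed; their field names follow the Microsoft Graph `directoryAudit` and `signIn` resources, and the role names, Graph scopes and `clientAppUsed` values are real Entra identifiers, but every user, app, IP address and event is invented.

```python
import json
import re
from typing import Dict, List

# Constructed audit records shaped like Microsoft Graph `directoryAudit` objects.
# Entra ID JSON-encodes scalar newValue strings, hence the escaped quotes.
AUDIT_LOG = [
    {"activityDisplayName": "Add member to role", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "bob@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
    {"activityDisplayName": "Add member to role", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "pim@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "carol@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Helpdesk Administrator\""}]}]},
    {"activityDisplayName": "Consent to application", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "dave@contoso.example"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "Mail Sync Helper",
                          "modifiedProperties": [
                              {"displayName": "ConsentContext.IsAdminConsent", "newValue": "False"},
                              {"displayName": "ConsentAction.Permissions",
                               "newValue": "[] => [[Id: 00000003-0000-0000-c000-000000000000, "
                                           "Scope: Mail.Read Files.Read.All offline_access]]"}]}]},
    {"activityDisplayName": "Update conditional access policy", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"type": "Policy", "displayName": "Block legacy authentication",
                          "modifiedProperties": []}]},
]

# Constructed sign-in records shaped like Microsoft Graph `signIn` objects.
SIGNIN_LOG = [
    {"userPrincipalName": "erin@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4", "ipAddress": "203.0.113.10", "status": {"errorCode": 0},
     "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Teams",
     "clientAppUsed": "Browser", "ipAddress": "198.51.100.7", "status": {"errorCode": 0},
     "conditionalAccessStatus": "success"},
    {"userPrincipalName": "frank@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Authenticated SMTP", "ipAddress": "203.0.113.44", "status": {"errorCode": 50126},
     "conditionalAccessStatus": "notApplied"},
]

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Application Administrator", "Cloud Application Administrator"}
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
                    "Files.ReadWrite.All", "Directory.ReadWrite.All"}
# clientAppUsed values that mean basic authentication (no MFA possible); a subset.
LEGACY_CLIENT_APPS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
                      "MAPI Over HTTP", "Exchange Web Services", "Other clients"}


def _new_value(props: List[Dict], name: str):
    """Return the decoded newValue of a modified property, or None if absent."""
    for p in props:
        if p.get("displayName") == name:
            try:
                return json.loads(p.get("newValue"))
            except (TypeError, ValueError):
                return p.get("newValue")
    return None


def _actor(record: Dict) -> str:
    by = record.get("initiatedBy", {})
    return ((by.get("user") or {}).get("userPrincipalName")
            or (by.get("app") or {}).get("displayName") or "unknown")


def audit_alerts(records: List[Dict]) -> List[Dict]:
    """Flag privileged role grants, OAuth consents, and Conditional Access edits."""
    alerts = []
    for r in records:
        act = r.get("activityDisplayName")
        for t in r.get("targetResources", []):
            props = t.get("modifiedProperties", [])
            if act == "Add member to role":
                role = _new_value(props, "Role.DisplayName")
                if role in PRIVILEGED_ROLES:
                    alerts.append({"rule": "privileged-role-assigned", "actor": _actor(r),
                                   "target": t.get("userPrincipalName"), "detail": role})
            elif act == "Consent to application":
                is_admin = str(_new_value(props, "ConsentContext.IsAdminConsent")).lower() == "true"
                m = re.search(r"Scope:\s*([^\]]+)", str(_new_value(props, "ConsentAction.Permissions") or ""))
                scopes = m.group(1).split() if m else []
                # Every user (non-admin) consent is a candidate illicit grant;
                # admin consent is flagged only when it hands out high-risk scopes.
                if not is_admin or HIGH_RISK_SCOPES.intersection(scopes):
                    alerts.append({"rule": "oauth-consent", "actor": _actor(r),
                                   "target": t.get("displayName"), "detail": " ".join(scopes)})
            elif act in {"Update conditional access policy", "Delete conditional access policy"}:
                alerts.append({"rule": "conditional-access-changed", "actor": _actor(r),
                               "target": t.get("displayName"), "detail": act})
    return alerts


def signin_alerts(records: List[Dict]) -> List[Dict]:
    """Flag sign-ins over legacy (basic-auth) protocols, successful or not."""
    alerts = []
    for s in records:
        if s.get("clientAppUsed") in LEGACY_CLIENT_APPS:
            code = s.get("status", {}).get("errorCode", -1)
            outcome = "succeeded" if code == 0 else f"failed with AADSTS{code}"
            alerts.append({"rule": "legacy-auth", "actor": s.get("userPrincipalName"),
                           "target": s.get("appDisplayName"),
                           "detail": f"{s.get('clientAppUsed')} from {s.get('ipAddress')} {outcome}; "
                                     f"CA={s.get('conditionalAccessStatus')}"})
    return alerts


if __name__ == "__main__":
    for a in audit_alerts(AUDIT_LOG) + signin_alerts(SIGNIN_LOG):
        print(f"[{a['rule']}] actor={a['actor']} target={a['target']} :: {a['detail']}")
```

Fed from a diagnostic-setting export or a Graph `auditLogs/directoryAudits` and `auditLogs/signIns` query, the same functions become the alert rules the admin center lacks. Two details matter in practice: a failed legacy-auth sign-in is still worth an alert, because it shows a credential-stuffing path that Conditional Access never evaluated (note `conditionalAccessStatus` is `notApplied`), and Entra wraps scalar property values in JSON quoting, so a naive string comparison against "Global Administrator" silently never matches.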
Hybrid environments face a visibility gap. On-premises AD events and Entra ID events live in separate consoles with no native single-pane view. Correlating a suspicious on-premises logon with a risky cloud sign-in means switching between two toolsets and piecing the picture together yourself.
Compliance teams can't schedule recurring tenant activity reports for email delivery from the admin center without third-party tooling or custom Power Automate flows. Audit log queries in Azure Monitor require Kusto Query Language (KQL), which adds a learning curve for administrators who don't have analytics experience.
ADAudit Plus covers Entra ID activity through pre-built reports in the Cloud Directory tab. Each report category below maps to a specific area of tenant security.
Sign-in monitoring: Logon Activity, Logon Failures, Logon Failure due to bad password, Logon Activity by Legacy Authentication, Logon Activity by IP Address, Hybrid Logon Activity, and Logon Activity by Applications. These reports capture geo-location, device information, MFA status, and Conditional Access evaluation results for every sign-in event.
Risk detection: Risky Logon Activity, Login by Anonymized IP Address, Login by PasswordSpray Account, Impossible travel to atypical locations, Login with leaked credentials, and Login by Malicious IP Address. These reports surface sign-in events flagged by Entra ID Identity Protection so you can investigate without switching consoles.
User management: Recently Created Users, Recently Deleted Users, Recently Updated Users, Recently Enabled Users, Recently Disabled Users, Recently Password Changed Users, and Recently Password Reset Users. Each report includes the caller identity so you can trace who made the change.
Role management: Recently Added Member to Role and Recently Removed Member from Role. These reports track every Entra ID role assignment and removal, giving you visibility into privilege changes across the tenant.
Group management: Recently Created Groups, Recently Added Members to Groups, and Recently Removed Members from Groups.
Application management: Recently Added Application, Recently Added OAuth2.0 Permission, Recently Consent to Application, and Recently Revoke Consent Application. These reports are your primary defense against illicit consent grants because they surface every OAuth permission change in a dedicated view.
A tenant is a dedicated instance of the Microsoft Entra ID service that represents your organization. A directory is the identity object store within that tenant, containing users, groups, applications, and devices.
In practice, Microsoft documentation often uses the two terms interchangeably because each tenant has exactly one directory. The tenant is the security boundary; the directory is the data container inside it.
A tenant is an identity and security boundary. A subscription is a billing container for Azure resources. One tenant can have multiple subscriptions (for example, separate subscriptions for development, staging, and production environments), but each subscription belongs to exactly one tenant.
Sign in to the Microsoft Entra admin center. Navigate to Identity > Overview.
Your tenant ID (a GUID) and primary domain appear on the overview page. You can also retrieve it with the Microsoft Graph PowerShell SDK: run Connect-MgGraph followed by Get-MgOrganization | Select-Object Id. The tenant ID is also exposed without signing in: the OpenID Connect discovery document at https://login.microsoftonline.com/yourorg.onmicrosoft.com/v2.0/.well-known/openid-configuration returns an issuer URL containing the tenant GUID, which is why the tenant ID should be treated as an identifier, not a secret.
Every organization that signs up for a Microsoft cloud service (Microsoft 365, Azure, Dynamics 365) receives a tenant at no additional cost. Entra ID Free is included with every tenant. Paid tiers (P1, P2) add features like Conditional Access, Identity Protection, and extended sign-in log retention.
No. Each tenant has exactly one directory. The tenant and its directory are created together and have a one-to-one relationship.
If you need a separate directory for a subsidiary or test environment, you create a separate tenant.