Each tenant has its own set of users; if you have more than one tenant, you therefore have entirely separate user databases.
A tenant thus defines an administrative boundary. An Azure subscription belongs to exactly one tenant, although a single tenant can contain multiple subscriptions, as we can see in the following diagram:

Figure 3.5 – Azure AD tenants
A single tenant is generally sufficient for corporate systems where only internal users require access. However, there are scenarios where you may want to build applications that support users from different companies.
Software-as-a-Service (SaaS) products such as Microsoft Dynamics CRM are a classic example. Dynamics is built and sold as a single system, but because it serves external customers rather than just Microsoft employees, it must be multi-tenant: it has to support sign-in from users who belong to other organizations' tenants.
Another scenario to consider is whether you want to separate your users into development and production tenants. For some, a single tenant that houses the same user accounts for development and production systems is acceptable. In such cases, production and development may instead be covered in separate subscriptions, or even just different resource groups within a subscription.
However, having a single tenant makes it harder to test new identity policies, for example, and therefore a separate tenant may be required. While it is possible to move Azure subscriptions between tenants, each tenant has its own user database, so every Azure RBAC role assignment on the subscription references a principal that does not exist in the destination tenant. The transfer therefore deletes those assignments, together with anything else bound to the old tenant's identities, such as managed identities and Key Vault access policies, and all of it has to be re-created afterwards.
As you can see, it is essential to define your tenant strategy early on to prevent problems later.
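The following PowerShell script is an added example and is not code from the book. It uses the Az module to show the tenant/subscription relationship described above (one subscription per tenant, many subscriptions per tenant) and then captures the role assignments of a subscription before it is transferred to another tenant, since the transfer itself (done from the Azure portal) deletes them. The subscription ID, the export path and the assumption that users in the destination tenant carry the same user principal names (for example because both tenants synchronize the same on-premises AD) are illustrative assumptions, not facts from the page.

```powershell
# Added example (not from the book). Requires the Az PowerShell module and a
# prior Connect-AzAccount. Values marked "assumed" are placeholders for illustration.

$TargetSubscriptionId = '00000000-0000-0000-0000-000000000000'          # assumed placeholder
$ExportPath           = Join-Path $PWD 'role-assignments-before-move.json'

# 1. Each tenant is a separate administrative boundary, and a subscription belongs
#    to exactly one of them. List every tenant the signed-in account can see and
#    the subscriptions inside each.
foreach ($tenant in Get-AzTenant) {
    Write-Host "Tenant $($tenant.Id) ($($tenant.Name))"
    Get-AzSubscription -TenantId $tenant.Id |
        ForEach-Object { Write-Host "  Subscription $($_.Id) [$($_.Name)] state=$($_.State)" }
}

# 2. Select the subscription that is about to be transferred.
Set-AzContext -SubscriptionId $TargetSubscriptionId | Out-Null

# 3. Capture its role assignments. They reference principals (object IDs) in the
#    current tenant's user database, so the transfer removes them. Keep the display
#    name, sign-in name and principal type, not just the object ID, because the IDs
#    will not exist in the destination tenant.
$assignments = Get-AzRoleAssignment |
    Select-Object RoleDefinitionName, Scope, DisplayName, SignInName, ObjectType, ObjectId
$assignments | ConvertTo-Json -Depth 5 | Set-Content -Path $ExportPath
Write-Host "Exported $(@($assignments).Count) role assignments to $ExportPath"

# 4. Flag assignments that cannot simply be re-created from the export: service
#    principals and managed identities are bound to the old tenant.
$assignments | Where-Object { $_.ObjectType -eq 'ServicePrincipal' } | ForEach-Object {
    Write-Warning ("Will not survive the move: {0} as {1} on {2}" -f
        $_.DisplayName, $_.RoleDefinitionName, $_.Scope)
}

# 5. After the transfer, re-create user assignments against the matching users in
#    the destination tenant. Assumes the same UPNs exist there; anything else is
#    reported so it can be handled by hand.
function Restore-RoleAssignmentsFromExport {
    param([Parameter(Mandatory)][string]$Path)

    foreach ($a in (Get-Content -Path $Path -Raw | ConvertFrom-Json)) {
        if ($a.ObjectType -ne 'User') {
            Write-Warning "Skipping $($a.DisplayName) ($($a.ObjectType)): re-create manually"
            continue
        }
        $user = Get-AzADUser -UserPrincipalName $a.SignInName -ErrorAction SilentlyContinue
        if (-not $user) {
            Write-Warning "No user with UPN $($a.SignInName) in this tenant"
            continue
        }
        New-AzRoleAssignment -ObjectId $user.Id `
                             -RoleDefinitionName $a.RoleDefinitionName `
                             -Scope $a.Scope | Out-Null
        Write-Host "Restored $($a.RoleDefinitionName) for $($a.SignInName) on $($a.Scope)"
    }
}

# Run step 5 only once the subscription is visible in the destination tenant, e.g.:
# Connect-AzAccount -Tenant <destination-tenant-id>; Set-AzContext -SubscriptionId $TargetSubscriptionId
# Restore-RoleAssignmentsFromExport -Path $ExportPath
```

The export step is the one worth automating before any tenant move: once the subscription is transferred, the old object IDs are gone and there is no other record of who held which role at which scope.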
Azure AD editions
Azure AD provides a range of management tools; however, each user must be licensed, and depending on the type of license, this will determine which tools are available.
Out of the box, Azure provides a free tier known as Azure AD Free.
The free tier provides user and group management, on-premises synchronization, basic reports, and self-service password change facilities for cloud users. In other words, it gives you the absolute basics you need to provide your cloud-based access.
For more advanced scenarios, you can purchase Azure AD Premium P1 licenses. Over and above the free tier, P1 lets your hybrid users, those whose accounts are synchronized between on-premises AD and the cloud, access both on-premises and cloud resources seamlessly.
It also provides more advanced administration tooling and reporting, such as dynamic groups, self-service group management, Microsoft Identity Manager (MIM), and password writeback; that is, if a user changes their password through the cloud-based self-service tool, the change is written back to the on-premises account as well.
Azure AD Premium P2 includes everything in the Free tier and P1 but adds Azure AD Identity Protection and Privileged Identity Management (PIM). We will cover each of these in detail later, but for now, it is essential for the exam to understand that you need a P2 license to use these features.
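Because a P2 license is a hard prerequisite for Identity Protection and PIM, the practical check is to confirm the tenant actually owns a P2 service plan and that the user in question has it assigned. The script below is an added example, not code from the book. It uses the Microsoft Graph PowerShell SDK; the user principal name is a placeholder, and it relies on the published service plan names AAD_PREMIUM_P2 (P2) and AAD_PREMIUM (P1), which identify the plan inside whatever SKU bundle it was bought as.

```powershell
# Added example (not from the book). Requires the Microsoft Graph PowerShell SDK and
# Connect-MgGraph -Scopes 'Organization.Read.All','User.Read.All'.

$UserPrincipalName = 'admin@contoso.onmicrosoft.com'   # assumed placeholder

function Test-TenantHasPlan {
    param([Parameter(Mandatory)][string]$PlanName)

    # A SKU (for example an EMS E5 bundle) carries several service plans, so match on
    # the plan name rather than on the SKU part number.
    $skus = @(Get-MgSubscribedSku | Where-Object {
        $_.ServicePlans | Where-Object {
            $_.ServicePlanName -eq $PlanName -and $_.ProvisioningStatus -eq 'Success'
        }
    })
    foreach ($sku in $skus) {
        Write-Host ("{0}: {1} of {2} units assigned" -f
            $sku.SkuPartNumber, $sku.ConsumedUnits, $sku.PrepaidUnits.Enabled)
    }
    return $skus.Count -gt 0
}

function Test-UserHasPlan {
    param(
        [Parameter(Mandatory)][string]$Upn,
        [Parameter(Mandatory)][string]$PlanName
    )
    # License details list the service plans that are actually enabled for the user,
    # which is what Identity Protection and PIM check, not the SKU the tenant owns.
    $details = Get-MgUserLicenseDetail -UserId $Upn
    $enabled = @($details.ServicePlans | Where-Object {
        $_.ServicePlanName -eq $PlanName -and $_.ProvisioningStatus -eq 'Success'
    })
    return $enabled.Count -gt 0
}

if (-not (Test-TenantHasPlan -PlanName 'AAD_PREMIUM_P2')) {
    Write-Warning 'No Azure AD Premium P2 plan in this tenant: Identity Protection and PIM are unavailable.'
}
elseif (-not (Test-UserHasPlan -Upn $UserPrincipalName -PlanName 'AAD_PREMIUM_P2')) {
    Write-Warning "$UserPrincipalName has no P2 plan assigned; assign a license before enabling PIM for this user."
}
else {
    Write-Host "$UserPrincipalName is covered by Azure AD Premium P2."
}
```

Running the tenant-level check alone is not enough: a tenant can own P2 units that are all unassigned, in which case the features appear in the portal but the users you try to protect or onboard to PIM are not covered.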
Finally, you can also get additional Pay As You Go licenses for Azure AD Business-to-Consumer (B2C) services. These can help you provide identity and access management solutions for customer-facing apps.
In this section, we have looked at how AD and Azure AD differ, how we can provide services for external users, and what the different editions provide. Next, we will consider how we integrate an existing on-premises directory with the cloud.