Understanding Tenants, Subscriptions, Regions and Geographies in Azure

If you are getting started working with Azure you might come across a few key terms that it’s important to have a good understanding of. In this post I’m going to cover what I think are four of the key ones.


A Tenant, as it relates to Azure, refers to a single instance of Azure Active Directory, or, as it is often called “Azure AD”. Azure AD is a key piece of Microsoft’s cloud platform as it provides a single place to manage users, groups and the permissions they hold in relation to applications published in Azure AD.

Key Microsoft applications that Azure AD provides access to include Office 365, Dynamics 365 and Azure. Yes, you read that right, Azure is treated as an ‘application’. You can also use Azure AD to control access to many other third-party applications such as Salesforce and even the AWS admin console. As an application developer you can register your own applications in Azure AD for the purpose of allowing users access.

Azure AD Tenants are globally unique and are scoped using a domain that ends with ‘onmicrosoft.com’ (i.e. myazuread.onmicrosoft.com) and each has a ‘Tenant ID’ in the form of an UUID/GUID. Some customers choose to connect their internal Active Directory environment to Azure AD to allow single or same sign-on for their staff and will also use a custom domain instead of the default ‘onmicrosoft.com’.

When you access the Azure Portal, or leverage one of the command-line tools to manage Azure resources in a Subscription, you will always be authenticated at some point via the Azure AD Tenant associated with the Subscription you want to access. The actions you can take will depend on the Role you have been assigned in the target Subscription.

Finally, Azure AD Tenants can be associated with multiple Subscriptions (typically in larger organisations), but a Subscription can only ever be associated with a single Azure AD Tenant at any time.

Dev Tip: if you want to develop an application that uses Azure AD but don’t have permissions to register applications in your company’s Azure AD Tenant (or you want a ‘developer’ Azure AD Tenant) you can choose to create a new Azure AD Tenant in the Azure Portal. Make sure in your application that you can easily change Azure AD Tenant details to allow you to redeploy as required. Azure AD has a free tier that should be suitable for most development purposes.

IT Pro Tip: you can change the display name for your Tenant – something I strongly recommend, particularly as Azure AD B2B will mean others will see your Directory name if they are invited and may be confused if the display name is something unclear. Note that you are not able to change the default onmicrosoft.com domain.


A Subscription in Azure is a logical container into which any number of resources (Virtual Machines, Web Apps, Storage Accounts, etc) can be deployed. It can also be used for coarse-grained access control to these resources, though the correct approach these days is to leverage Role Based Access Control (RBAC) or Management Groups. All incurred costs of the resources contained in the Subscription will also roll-up at this level (see a sample below).

Subscription costs view

As noted above, a Subscription is only ever associated with a single Azure AD Tenant at any time, though it is possible to grant users outside of this Tenant access. You can also choose to change the Azure AD Tenant for a Subscription. This feature is useful if you wish to transfer, say, a Pay-As-You-Go (PAYG) Subscription into an existing Enterprise Enrolment. Subscriptions have both a display name (which you can change) and a Subscription ID (UUID/GUID) which you can’t change.

Subscriptions are not tied to an Azure Region and as a result can contain resources from any number of Regions. This doesn’t mean that you will have access to all Regions, as some Geographies and Regions are restricted from use – we’ll talk more about this next.

Resources contained in a Subscription, but deployed to different Regions will still incur cross-Region costs (where applicable) for the resource.

People sometimes use the word ‘Tenant’ instead of ‘Subscription’ or vice-versa. Hopefully you can now see what the difference is between the two.

Regions and Geographies

Azure differs from the other major cloud providers in its approach to providing services close to the customer. As a result, and at time of writing (August 2018), Azure offers 42 operational Regions with 12 more announced or under development.

A Region is a grouping of data centres that together form a deployment location for workloads. Apart from geo-deployed services like Azure AD or Azure Traffic Manager you will always be asked what Region you wish to deploy a workload to.

Regions are named based on a general geography rather than after exactly where the data centres are. So, for example, in Australia we have four Regions – Australia East, Australia Southeast, Australia Central 1 and Australia Central 2.

A Geography, as it relates to Azure, can be used to describe a specific market – typically a country (Australia), though sometimes a geographic region (Asia, Europe). Normally within a Geography you will find two Regions which will be paired to provide customers with high availability options. Can anyone spot the one Region that doesn’t have its pair in the same Geography?

There are a few special Regions that aren’t open to everyone – US Government Regions, the entire German Geography and China. In Australia, in order to access Australia Central 1 and 2 you must undergo a white listing process to gain access.

When you replicate data or services between Regions you will pay an increased charge for either data transfer between Regions and / or duplicated hosting costs in the secondary Region. Some services such as Azure Storage and Azure SQL Database provide geo-redundant options where you pay an incremental cost to have your data replicated to the secondary Region. In other cases you will need to design your own replication approach based on your application and its hosting infrastructure.

Once you have deployed a service to a Region you are unable to move it – you have to re-provision it if you need the primary location to be somewhere else.

As a final note, while there is a Regional availability model (replication of services between Regions), Microsoft has also introduced the concept of Availability Zones. Availability Zones are still being rolled out globally, and are more than just a logical overlay over Regions. There is a great infographic on the Azure Resiliency website that covers how Regions and Availability Zones work and the value they provide.

So there we have it, a quick overview of some of the key terms you should be familiar with when getting started with Azure. As always, if anything’s unclear or you have any questions feel free to drop a comment below.


P.S. – Now you understand the basics of the Azure platform why not read about Azure Availability Sets and Availability Zones and how you use them to build highly available services?

39 thoughts on “Understanding Tenants, Subscriptions, Regions and Geographies in Azure

  1. I was having a hard time understanding the difference between a Tenant and Subscription and how the Azure AD Domain fits in but your article did a great job at explaining it. Thank you for the blog post!

  2. Can an organization which has a tenant with all infrastructure based in one region (Western Europe) create new VMs in another region (Northern Europe), which is cheaper! I don’t want to duplicate data just create new Vm’s in this region. Can I also transfer the current VM’s to a different region that is cheaper?

    1. Matt – generally speaking a Subscription can use any Region. There are a few exceptions such as Azure in China and the Gov Cloud Regions in North America, but a new Subscription will have access to the majority of Regions that are available.

      Moving VMs between Regions is possible, but it’s not a ‘click button’ experience. You would either need to use Azure Site Recovery (ASR) to duplicate to the second Region or manually move the disks between Regions and create a new VM and attach them (which is effectively what ASR is automating).

      Hope this helps.

      1. I am new to Azure and have couple of queries hoping to get answers for. By the way this is a great read to understand the basic concpets.
        (1) If a resource (Ex: VM and its data) has to be moved to another region, would moving the VM to resource group of another region suffice? I guess this shouldn’t work or not the right option.

        (2) back up the VM, delete the original VM, and recreate the VM in a different region. -> Should work however, guess it’s a time consuming process.

        Appreciate if you could answer this.

      2. Hi Pavan.

        1) Unfortunately moving VMs between Regions isn’t achievable by moving between Resource Groups. You can move between Resource Groups for logical grouping purposes but it will not actually move the underlying resource (in this case a VM).

        2) You can do this way, though Azure recently introduce cross-Region move support with Azure Site Recovery which is likely to be more straightforward to use.

        The definitive guide to moving VMs, which can be configured in a number of ways, is covered here: https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-move-overview

        Hope this helps!

    1. Thanks for the feedback Daniel, and yes, it does seem unclear why you’d consider Availability Zones (AZs) over Regions. Clearly a part of having AZs is to provide a clearly mapping to competitor constructs, but at their core Availability Zones simply provide a different way of creating solutions that are resilient to failures (or updates) to the underlying cloud hosting infrastructure. The best visualisation of the value of AZs is on the Azure Resiliency site in a PDF infographic. Hope this helps!

  3. Excellent!!!

    Thanks very much! for the detailed explanation. Your article helped me to understand Azure AD, Tenant and Subscriptions “in detail”..apart from Azure Geo & Regions with Availability Zones, as well

    Thanks again

  4. This piece of writing not only is succinctly written, but also helps make sense of terms that are not found explained so well elsewhere.

    Thank you very much Simon for this excellent write-up!!!

  5. Thanks Simon for clarifying the concept of moving VM’s between regions. Really appreciate your inputs and comments.

  6. Very good core concept explanation; and how thing are related, in such a precise manner. Thank you !

  7. Thanks a lot for this article! A lot of things are clear now.

    One thing I wanted to get more clarity is on the Azure AD application created for OAuth. I have created this app for accessing OneDrive and Mailbox data. I have assigned appropriate permissions to this app (permissions for Graph API and EWS API) . It works perfectly fine with the dev tenant I have ( I am able to get the access token from this app and able to access OneDrive Mailbox data). But the Dev tenant does not have an active subscription.

    In the field, customers will have active Office 365 / Azure subscriptions. Do I need to associate the Azure AD application with any specific subscription?

    1. Azure Active Directory (Azure AD) has a free tier which includes the features you’ve listed. Also, when you create an Office 365 subscription it includes an Azure AD free tier instance which is what stores all of your Office 365 users. This free tier is why you can do what you are doing.

      If you want to make your application work across multiple customers it needs to be registered as a multi-tenant application – see the official documentation for more guidance.

  8. Thanks a ton for the article. It did clear alot of doubts.

    I have a question though. Suppose in an organization, there are multiple subscription, say 3(one prod, preprod, and test each) How will the billing happen for all the three subscription.

    1. Hi Vivek – thanks for the feedback.

      There are few aspects to consider to answer your question. Hope the following helps.

      – If the organization has purchased their Subscriptions directly from Microsoft using, say, a credit card (sometimes called “Pay-As-You-Go” or PAYG) then the billing will happen at the Subscription level and you can view costs, etc in the Subscription view in the Azure Portal.
      – If the organization is consuming Azure via a Cloud Service Provider (CSP) then the billing will be handled by the CSP via whatever method they use (typically invoice, but may differ by country / CSP).
      – If the organization is using Azure via an Enterprise Agreement (AE) enrollment then the billing rolls up to the EA and you receive an invoice from Microsoft that includes charges for all Subscriptions held under the EA. You can filter incurred charges to determine the Subscription from which the charge originated. Read here for more: https://docs.microsoft.com/azure/cost-management-billing/manage/ea-portal-enrollment-invoices

  9. Hi Simon,
    We are located in Middle east and planning to purchase Microsort 365 licenses for our users from India and use it here(Which gives us monetary benefit.). What are the circumstances in future may arise specially issues?

    1. Unless you have a billing address and payment method based in India I don’t believe your approach is possible. Having said that, nothing stops you from assigning purchased licenses to users based in any location in the world (apart from a few restricted countries as per US regulations) regardless of which country / currency you’ve purchased then in.

      1. An Indian company based in India, is selling us license in Middle east. They agreed to do that and billing will be for Middle east. In this case wt are the precautions and complication may arise in future?

      2. Licensing isn’t my area unfortunately, especially outside of Australia. Microsoft has many arrangements globally, but I am not aware of how you buy licenses in your country / geography so I can’t really advise.

  10. Can you please clarify this? Above you say, “Azure AD Tenants can be associated with multiple Subscriptions (typically in larger organisations), but a Subscription can only ever be associated with a single Azure AD Tenant at any time.” But according to https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant: “You can create up to 20 tenants per subscription.” I am an absolute beginner at this, so it’s easy to imagine there’s some background I’m missing, or perhaps the vocabulary has different meanings in different contexts?

    1. Don – the service you are linking to is the Consumer Identity service Azure Active Directory B2C which can be used to build cloud-scale identity solutions for mobile applications and websites. The name makes it sound like Azure Active Directory, but Azure AD B2C isn’t used for Azure authentication. I can understand that the name leads to confusion! In the case of Azure AD B2C, yes you can create multiple instances in an Azure Subscription (up to 20 in fact). Hope this helps clarify things. – Simon.

  11. Simon, its a Nice Article!!

    I have two questions.

    1. With a singlle credit card can i purchase multiple subscription?
    2. Each tenant will be connected to a dedicated AD directory for trust relationship.

    1. Hi Arun,

      Here’s the answers you are looking for:

      1. There is nothing blocking you from paying for multiple subscriptions with a single payment method, including credit cards. Note that some geographies may have local restrictions on how credit cards can be used. Further information here: https://docs.microsoft.com/azure/cost-management-billing/understand/pay-bill#credit-or-debit-card

      2. I will assume you are talking about Azure Active Directory (Azure AD) here. The answer is: it depends. You can associate multiple Azure Subscriptions with a single Azure AD instance if you wish. You may also choose to have one Azure AD to one Subscription. How you set this up will depend on your scenario. If you are a business with multiple Azure Subscriptions, it is likely you will have one Azure AD connected to all your Subscriptions.

      Hope this helps.

  12. Great article Simon! Thank you very much for that! I’d love to have your thoughts on the following: Let’ say that I have built an application using various MS components (eg, cosmos, powerBI, service buses..) and I am currently running that application in a certain region: what happens if i need to serve new customers that, for data sovereignty rules, requires the application to run in their Country, in another region? If i “redeploy” the app in a new country, would my costs just double or there’s some sort of optimisation that can be achieved? Thank you for your support!

    1. Good question Giovanni – the basic answer is “yes”, but the actual answer is a little more subtle than that.

      For example, a portion of any cost associated with running a workload in the cloud is data transfer to/from the cloud, along with the cost of storing data in the cloud. As you are unlikely to have exactly the same volume of data or usage in every single region you deploy to your costs will vary. The result is you might be able to provision smaller databases or have less front-end web servers if your new deployment is not heavily used.

      What you have also touched on is why there can be regional pricing differences for SaaS or cloud services – the cost of providing those services differs (real-estate costs, electricity costs, labor costs).

      I think it’s important to understand what your fixed deployment components would like per-region (i.e must always have two web front ends and a replicated database) and then have a sliding scale for other aspects (the size of the web server and databases instances for example).

      Hope this makes sense.

      1. Hi Simon!
        Thanks a lot and it definitely makes sense. It is also a great piece of advice, to separate the fixed deployments vs the variable ones, in order to have a finer level of details in building the business model.
        Appreciate your help! 🙂
        Thank you!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s