Azure AD tenant

1. Tenant Independence

Each Azure AD tenant is fully independent. There is no parent-child hierarchy, meaning each tenant is a peer. This independence affects three main areas:

a) Resource Independence

  • Resources in one tenant do not affect resources in another tenant.

  • Exception: an external user (guest account) is homed in one tenant and represented in another, so it has some relevance in both.

  • Domain names can only be used in a single tenant.

b) Administrative Independence

  • Users and administrators in one tenant do not automatically have rights in another tenant.

  • Example scenario:

    • A non-admin user from Tenant ‘Contoso’ creates a test tenant called ‘Test’.

      • That user becomes a global admin in ‘Test’ as an external user.

      • Contoso admins have no rights in ‘Test’ unless granted by a ‘Test’ admin.

    • Changes to a user’s admin roles in one tenant do not carry over to another tenant.

c) Synchronization Independence

  • Each tenant can be synchronized independently with on-premises systems:

    • Azure AD Connect – synchronizes from a single AD forest.

    • Azure Active Directory Connector for FIM – can synchronize from multiple on-premises forests or other data sources.
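Because of the administrative independence described under b), Contoso admins cannot see or revoke roles that their users hold in 'Test', so each tenant has to audit its own role holders. The following is an added example, not part of the original notes: it lists external users holding directory roles, using constructed data shaped like a Microsoft Graph `GET /directoryRoles?$expand=members` response. It assumes external accounts are recognizable by `userType` "Guest" or by the `#EXT#` marker in the UPN; the function names and sample accounts are hypothetical.

```python
import json

# Constructed sample (not real data), shaped like Microsoft Graph output for
# GET /directoryRoles?$expand=members when run against tenant 'Test'.
SAMPLE_TEST_TENANT = json.loads("""
{"value": [
  {"displayName": "Global Administrator", "members": [
    {"@odata.type": "#microsoft.graph.user", "userType": "Member",
     "userPrincipalName": "alice_contoso.com#EXT#@test.onmicrosoft.com"},
    {"@odata.type": "#microsoft.graph.user", "userType": "Member",
     "userPrincipalName": "admin@test.onmicrosoft.com"},
    {"@odata.type": "#microsoft.graph.servicePrincipal",
     "displayName": "sync-app"}
  ]},
  {"displayName": "User Administrator", "members": [
    {"@odata.type": "#microsoft.graph.user", "userType": "Guest",
     "userPrincipalName": "bob_fabrikam.com#EXT#@test.onmicrosoft.com"}
  ]},
  {"displayName": "Directory Readers", "members": []}
]}
""")

def home_domain(upn):
    """Recover the home-tenant domain from an external UPN, else None."""
    if "#EXT#" not in upn:
        return None
    local = upn.split("#EXT#", 1)[0]           # e.g. alice_contoso.com
    # Assumption: the last '_' stands in for the '@' of the home UPN.
    return local.rsplit("_", 1)[1].lower() if "_" in local else None

def external_role_holders(role_listing):
    """Return sorted (role, upn, home_domain) for external users holding roles."""
    findings = []
    for role in role_listing.get("value", []):
        for member in role.get("members", []):
            if member.get("@odata.type") != "#microsoft.graph.user":
                continue                        # skip service principals, groups
            upn = member.get("userPrincipalName", "")
            # A tenant creator can be userType Member yet still external,
            # so check the UPN marker as well as the Guest type.
            if member.get("userType") == "Guest" or "#EXT#" in upn:
                findings.append((role["displayName"], upn, home_domain(upn)))
    return sorted(findings)

if __name__ == "__main__":
    for role, upn, home in external_role_holders(SAMPLE_TEST_TENANT):
        print(f"{role}: {upn} (home domain: {home})")
```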


2. Adding a New Tenant

Steps to add a tenant in the Azure portal:

  1. Sign in with an account that is a global administrator.

  2. On the left-hand menu, select New to create the tenant.

Important Notes:

  • Tenants are not child resources of subscriptions.

  • Canceling or losing a subscription does not delete tenant data.

  • Access to tenant data is still possible via:

    • Azure PowerShell

    • Microsoft Graph API

    • Microsoft 365 admin center

  • You can associate a new subscription with an existing tenant.