Associate or add an Azure subscription to your Azure Active Directory tenant

An Azure subscription has a trust relationship with Azure Active Directory (Azure AD). A subscription trusts Azure AD to authenticate users, services, and devices.

Multiple subscriptions can trust the same Azure AD directory. Each subscription can only trust a single directory.

One or more Azure subscriptions can establish a trust relationship with an instance of Azure Active Directory (Azure AD) in order to authenticate and authorize security principals and devices against Azure services. When a subscription expires, the trusted instance of the Azure AD service remains, but the security principals lose access to Azure resources.

When a user signs up for a Azure cloud service, a new Azure AD tenant is created and the user is made a member of the Global Administrator role. However, when an owner of a subscription joins their subscription to an existing tenant, the owner isn't assigned to the Global Administrator role.

All of your users have a single home directory for authentication. Your users can also be guests in other directories. You can see both the home and guest directories for each user in Azure AD.

Screenshot that shows the trust relationship between Azure subscriptions and Azure active directories.


When you associate a subscription with a different directory, users that have roles assigned using Azure role-based access control lose their access. Classic subscription administrators, including Service Administrator and Co-Administrators, also lose access.

Moving your Azure Kubernetes Service (AKS) cluster to a different subscription, or moving the cluster-owning subscription to a new tenant, causes the cluster to lose functionality due to lost role assignments and service principal's rights. For more information about AKS, see Azure Kubernetes Service (AKS).

Before you begin

Before you can associate or add your subscription, do the following tasks:

  • Review the following list of changes that will occur after you associate or add your subscription, and how you might be affected:

    • Users that have been assigned roles using Azure RBAC will lose their access.
    • Service Administrator and Co-Administrators will lose access.
    • If you have any key vaults, they'll be inaccessible, and you'll have to fix them after association.
    • If you have any managed identities for resources such as Virtual Machines or Logic Apps, you must re-enable or recreate them after the association.
    • If you have a registered Azure Stack, you'll have to re-register it after association.
    • For more information, see Transfer an Azure subscription to a different Azure AD directory.
  • Sign in using an account that:

  • Make sure that you're not using an Azure Cloud Service Providers (CSP) subscription (MS-AZR-0145P, MS-AZR-0146P, MS-AZR-159P), a Microsoft Internal subscription (MS-AZR-0015P), or a Azure for Students Starter subscription (MS-AZR-0144P).

Post-association steps

After you associate a subscription to a different directory, you might need to do the following tasks to resume operations:

Next steps