What is Azure Active Directory?

Azure Active Directory (Azure AD) is a cloud-based identity and access management service. This service helps your employees access external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications. Azure Active Directory also helps them access internal resources like apps on your corporate intranet network, along with any cloud apps developed for your own organization. For more information about creating a tenant for your organization, see Quickstart: Create a new tenant in Azure Active Directory.

To learn the differences between Active Directory and Azure Active Directory, see Compare Active Directory to Azure Active Directory. You can also refer to the Microsoft Cloud for Enterprise Architects Series posters to better understand the core identity services in Azure, such as Azure AD and Microsoft 365.

Who uses Azure AD?

Azure AD is intended for:

  • IT admins: As an IT admin, use Azure AD to control access to your apps and your app resources, based on your business requirements. For example, you can use Azure AD to require multi-factor authentication when accessing important organizational resources. You can also use Azure AD to automate user provisioning between your existing Windows Server AD and your cloud apps, including Microsoft 365. Finally, Azure AD gives you powerful tools to automatically help protect user identities and credentials and to meet your access governance requirements. To get started, sign up for an Azure Active Directory Premium trial.

  • App developers: As an app developer, you can use Azure AD as a standards-based approach for adding single sign-on (SSO) to your app, allowing it to work with a user's pre-existing credentials. Azure AD also provides APIs that can help you build personalized app experiences using existing organizational data. To get started, sign up for an Azure Active Directory Premium trial. For more information, you can also see Azure Active Directory for developers.

  • Microsoft 365, Office 365, Azure, or Dynamics CRM Online subscribers: As a subscriber, you're already using Azure AD. Each Microsoft 365, Office 365, Azure, and Dynamics CRM Online tenant is automatically an Azure AD tenant. You can immediately start to manage access to your integrated cloud apps.

What are the Azure AD licenses?

Microsoft Online business services, such as Microsoft 365 or Azure, require Azure AD for sign-in. If you subscribe to any Microsoft Online business service, you automatically get Azure AD with access to all the free features.

To enhance your Azure AD implementation, you can also add paid capabilities by upgrading to Azure Active Directory Premium P1 or Premium P2 licenses. Azure AD paid licenses are built on top of your existing free directory. The licenses provide self-service, enhanced monitoring, security reporting, and secure access for your mobile users.


For the pricing options of these licenses, see Azure Active Directory Pricing.

For more information about Azure AD pricing, contact the Azure Active Directory Forum.

  • Azure Active Directory Free. Provides user and group management, on-premises directory synchronization, basic reports, self-service password change for cloud users, and single sign-on across Azure, Microsoft 365, and many popular SaaS apps.

  • Azure Active Directory Premium P1. In addition to the Free features, P1 also lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager, and cloud write-back capabilities, which allow self-service password reset for your on-premises users.

  • Azure Active Directory Premium P2. In addition to the Free and P1 features, P2 also offers Privileged Identity Management to help discover, restrict, and monitor administrators and their access to resources and to provide just-in-time access when needed.

  • "Pay as you go" feature licenses. You can also get additional feature licenses, such as Azure Active Directory Business-to-Customer (B2C). B2C can help you provide identity and access management solutions for your customer-facing apps. For more information, see Azure Active Directory B2C documentation.

For more information about associating an Azure subscription to Azure AD, see Associate or add an Azure subscription to Azure Active Directory. For more information about assigning licenses to your users, see How to: Assign or remove Azure Active Directory licenses.


To better understand Azure AD and its documentation, we recommend reviewing the following terms.

| Term or concept | Description |
| --- | --- |
| Identity | A thing that can get authenticated. An identity can be a user with a username and password. Identities also include applications or other servers that might require authentication through secret keys or certificates. |
| Account | An identity that has data associated with it. You can't have an account without an identity. |
| Azure AD account | An identity created through Azure AD or another Azure cloud service, such as Microsoft 365. Identities are stored in Azure AD and accessible to your organization's cloud service subscriptions. This account is also sometimes called a Work or school account. |
| Account Administrator | This classic subscription administrator role is conceptually the billing owner of a subscription. This role enables you to manage all subscriptions in an account. For more information, see Classic subscription administrator roles, Azure roles, and Azure AD administrator roles. |
| Service Administrator | This classic subscription administrator role enables you to manage all Azure resources, including access. This role has the equivalent access of a user who is assigned the Owner role at the subscription scope. For more information, see Classic subscription administrator roles, Azure roles, and Azure AD administrator roles. |
| Owner | This role helps you manage all Azure resources, including access. This role is built on a newer authorization system called Azure role-based access control (Azure RBAC) that provides fine-grained access management to Azure resources. For more information, see Classic subscription administrator roles, Azure roles, and Azure AD administrator roles. |
| Azure AD Global administrator | This administrator role is automatically assigned to whoever created the Azure AD tenant. You can have multiple Global administrators, but only Global administrators can assign administrator roles (including assigning other Global administrators) to users. For more information about the various administrator roles, see Administrator role permissions in Azure Active Directory. |
| Azure subscription | Used to pay for Azure cloud services. You can have many subscriptions and they're linked to a credit card. |
| Azure tenant | A dedicated and trusted instance of Azure AD. The tenant is automatically created when your organization signs up for an Azure cloud service subscription. These subscriptions include Azure, Microsoft Intune, or Microsoft 365. An Azure tenant represents a single organization. |
| Single tenant | Azure tenants that access other services in a dedicated environment are considered single tenant. |
| Multi-tenant | Azure tenants that access other services in a shared environment, across multiple organizations, are considered multi-tenant. |
| Azure AD directory | Each Azure tenant has a dedicated and trusted Azure AD directory. The Azure AD directory includes the tenant's users, groups, and apps and is used to perform identity and access management functions for tenant resources. |
| Custom domain | Every new Azure AD directory comes with an initial domain name, for example domainname.partner.onmschina.cn. In addition to that initial name, you can also add your organization's domain names to the list. Your organization's domain names include the names you use to do business and the names your users use to access your organization's resources. Adding custom domain names helps you to create user names that are familiar to your users, such as alain@contoso.com. |

Next steps