When Should a New Entra ID Tenant Be Created?


This document is intended for IT professionals who are leveraging Microsoft cloud-based technologies. It addresses the question: when should a new Entra ID tenant be created?

Orientation and Terminology

Entra ID provides a variety of capabilities that include authentication & credential management, collaboration & application management, device management, and information security, and that enable cloud-based solutions. If you are familiar with Active Directory, Entra ID is the cloud-based, infrastructure-as-a-service (IaaS) version, providing many of the same kinds of capabilities, but with all the benefits of a cloud-based solution.

If you make use of Azure, you will be familiar with the term subscription. It's the Azure customer "account" which ties together the various Azure services you are using. Here at the UW, you should get one via the Azure Subscription service as it provides contractual protections, and manages the Microsoft billing to UW budget process for you. The primary purpose of a subscription is to provide a common billing paradigm for use of Azure services. A subscription might have one or more tenants, directories, and domains associated with it.

A tenant is the organization that owns and manages a specific instance of Microsoft cloud services. It's most often used in an inexact manner to refer to the set of Entra ID and Office 365 services for an organization, e.g. "we've configured our tenant in this way." A given organization might have many tenants (the UW does), and when this is the case, the name of the core domain of the tenant is usually used to remove any ambiguity. The name of the core domain comes in the form *.onmicrosoft.com, where the * varies. A tenant may have many subscriptions, exactly one directory, and one or more domains associated with it. There are multiple vendors which use the term "tenant" in slightly different ways, and there are even several Microsoft products using the term tenant. For the purposes of this guidance, we only mean an Entra ID or Office 365 tenant. To be explicit: Microsoft Windows Virtual Desktop tenants and Azure AD B2C tenants are not covered or restricted by this guidance.

A directory is the Entra ID service. Each directory has one or more domains. A directory can have many subscriptions associated with it, but only one tenant.

A domain (or accepted domain) is a DNS zone for which a tenant has proven ownership (by creating an arbitrarily named DNS record as requested by Microsoft). It represents the possible domain suffixes (or namespace) which directory objects can use. Each tenant has a core domain (onmicrosoft.com) and a default domain (which by default is the core domain, but which can be changed). Neither of these is necessarily the primary domain used by the tenant. The primary Entra ID tenant used at the UW is uwnetid.onmicrosoft.com. It has a default domain of cloud.washington.edu. The primary domain used by this tenant is uw.edu. There are several other domains associated with this tenant like washington.edu and u.washington.edu.
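As an added example (not part of the original guidance), the following Microsoft Graph PowerShell audit lists the domains of the tenant you are signed in to and marks the core domain, the default domain, and any domain whose DNS ownership proof is still pending, then checks whether the tenant holds a uw.edu or washington.edu namespace while not being the uwnetid.onmicrosoft.com tenant named above. It assumes the Microsoft.Graph SDK is installed and that your account has the Domain.Read.All permission.

```powershell
# Added example, not from the original guidance. Assumes the Microsoft.Graph
# PowerShell SDK is installed and the signed-in account may read domains
# (Domain.Read.All). Sign in to the tenant you administer.
Connect-MgGraph -Scopes 'Domain.Read.All' -NoWelcome

function Get-TenantDomainReport {
    $domains = Get-MgDomain -All
    foreach ($d in $domains) {
        [pscustomobject]@{
            Domain   = $d.Id
            Core     = $d.IsInitial          # *.onmicrosoft.com, created with the tenant
            Default  = $d.IsDefault          # suffix used unless another is chosen
            Verified = $d.IsVerified         # DNS ownership proof completed
            AuthType = $d.AuthenticationType # Managed or Federated
        }
    }
}

$report = Get-TenantDomainReport
$report | Sort-Object Core, Default -Descending | Format-Table -AutoSize

# Unverified domains cannot be used as suffixes yet; show the DNS records
# Microsoft still expects (the TXT value is carried in AdditionalProperties).
foreach ($row in $report | Where-Object { -not $_.Verified }) {
    Write-Host "Pending verification: $($row.Domain)"
    Get-MgDomainVerificationDnsRecord -DomainId $row.Domain |
        Select-Object RecordType, Label, Ttl, AdditionalProperties
}

# Self-check against the guidance: a tenant other than uwnetid.onmicrosoft.com
# that holds a domain under uw.edu or washington.edu falls within the scope of
# the discovery note in the Guidance Summary.
$core = ($report | Where-Object Core).Domain
$uwNamespaces = $report.Domain | Where-Object {
    $_ -match '(^|\.)(uw\.edu|washington\.edu)$'
}
if ($core -ne 'uwnetid.onmicrosoft.com' -and $uwNamespaces) {
    Write-Warning ("Core domain {0} holds UW namespace(s): {1}. Contact help@uw.edu." -f
        $core, ($uwNamespaces -join ', '))
}
```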

Discussion

From an institutional point of view, using a single Entra ID tenant has the following benefits: However, there are a number of specific scenarios where those benefits are not significant and for which a new Azure AD tenant may be recommended. The scenarios where this may be the case include: There are also implications to having more than one Entra ID tenant. If you had a separate Entra ID tenant, among the implications are: Among the most significant of those implications are contractual data protections as well as increased licensing costs for the UW, but all of them are worth consideration.

Guidance Summary

For most scenarios, you must not create a new Entra ID tenant, but instead leverage the primary UW Entra ID tenant. If you do have a scenario which you think falls into the scenarios noted above, you must discuss it with UW-IT first. UW-IT will help you analyze whether there is a way to use the primary UW Entra ID tenant. If not, we'll explore whether UW-IT should manage your Entra ID tenant or if you should manage the tenant. We can also explore whether it is possible to add your Entra ID tenant to the UW Enterprise agreement.

Microsoft Windows Virtual Desktop tenants and Azure AD B2C tenants are not covered or restricted by this guidance.

Send an email to help@uw.edu with "New Entra ID tenant" as the subject to start a conversation.

NOTE: Upon direction from the UW Provost and UW CIO, UW-IT will discover any Entra ID tenants provisioned under the uw.edu or washington.edu DNS domain and may take control of that tenant to protect the interests of the University of Washington.

Further Reading