When creating an Azure AD tenant, you must specify a logical region that determines the location of the data center. Choose it carefully, because it cannot be changed after creation. For more information, see the Microsoft 365 Education deployment guide.

What is an Azure AD tenant?

An Azure AD tenant provides identity and access management (IAM) capabilities to applications and resources used by your organization. An identity is a directory object that can be authenticated and authorized for access to a resource. Identity objects exist for human identities such as students and teachers, and for non-human identities such as classroom and student devices, applications, and service principals.

The Azure AD tenant is an identity security boundary that is under the control of your organization's IT department. Within this security boundary, administration of objects (such as user objects) and configuration of tenant-wide settings are controlled by your IT administrators.

Azure AD is used to grant objects representing identities access to resources like applications and their underlying Azure resources, which might include databases and Learning Management Systems (LMS). Identities can be granted access to many types of applications, including but not limited to:

- Microsoft productivity services such as Exchange Online, Microsoft Teams, and SharePoint Online
- Microsoft IT services such as Azure Sentinel, Microsoft Intune, and Microsoft Defender ATP
- Microsoft developer tools such as Azure DevOps
- Third-party applications such as Learning Management Systems (LMS)
- On-premises applications integrated with hybrid access capabilities such as Azure AD Application Proxy

Applications that use Azure AD require directory objects to be configured and managed in the trusted Azure AD tenant. Examples of such directory objects include application registrations, service principals, groups, and schema attribute extensions. While some applications can have multiple instances per tenant (for example, a test instance and a production instance), some Microsoft services such as Exchange Online can have only one instance per tenant.

Identities, resources, and their relationships are represented in an Azure AD tenant as directory objects. Examples of directory objects include users, groups, service principals, and app registrations. When objects are in an Azure AD tenant, the following occurs:

- Identities can discover or enumerate resources, users, and groups, and can access usage reporting and audit logs if they have the right permissions. For example, a member of the directory can discover other users in the directory with nothing more than the default user permissions.
- Applications can affect objects. Applications can manipulate directory objects through Microsoft Graph as part of their business logic. Typical examples include reading or setting user attributes, updating a user's calendar, and sending email on behalf of the user. Consent is necessary to allow an application to affect the tenant. Administrators can consent on behalf of all users. For more information, see Permissions and consent in the Microsoft identity platform. Use caution when using application permissions: unlike delegated permissions, they run without a signed-in user and are therefore not limited by what any individual user is allowed to do.
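The consent discussion above distinguishes application permissions (granted to a service principal, no user context) from delegated permissions (consented by one user, or by an administrator for all users). The following script is an added example, not code from the Microsoft page: it triages both kinds of grant from records shaped like the Microsoft Graph objects that store consent (appRoleAssignment for application permissions, oAuth2PermissionGrant for delegated ones) and flags what an administrator should look at first. All object ids, display names and grants below are constructed sample data; the set of "high privilege" permission names is an illustrative choice for this example, not an official Microsoft ranking.

```python
"""Triage of Azure AD consent grants (added example, not the page's own code).

Record shapes follow Microsoft Graph:
  * appRoleAssignment   - application permission held by a service principal;
                          there is no signed-in user, so it is tenant-wide.
                          GET /servicePrincipals/{id}/appRoleAssignments
  * oAuth2PermissionGrant - delegated permission; consentType "AllPrincipals"
                          means an admin consented for all users, "Principal"
                          means one user consented for themselves.
                          GET /oauth2PermissionGrants?$filter=clientId eq '{id}'
appRoleId values are resolved against the resource service principal's
appRoles collection (here a constructed map with placeholder ids).
"""
from dataclasses import dataclass

# Illustrative set for this example: permissions that let an app read or change
# directory objects, mail, or audit data for everyone in the tenant.
HIGH_PRIVILEGE = {
    "Directory.Read.All", "Directory.ReadWrite.All",
    "User.ReadWrite.All", "Group.ReadWrite.All",
    "Application.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "AuditLog.Read.All",
}

# ---- constructed sample data; ids are placeholders, not real object ids ----
SP_LMS = "a0000000-0000-4000-8000-000000000001"    # third-party LMS connector
SP_ROOMS = "a0000000-0000-4000-8000-000000000002"  # room-booking add-in
SERVICE_PRINCIPALS = {SP_LMS: "Contoso LMS connector",
                      SP_ROOMS: "Room booking add-in"}

# appRoleId -> permission name, as found on the Microsoft Graph resource
# service principal's appRoles in a real tenant (ids here are made up).
GRAPH_APP_ROLES = {
    "b0000000-0000-4000-8000-000000000001": "User.Read.All",
    "b0000000-0000-4000-8000-000000000002": "Directory.ReadWrite.All",
}

APP_ROLE_ASSIGNMENTS = [  # application permissions granted to SP_LMS
    {"id": "ara-1", "principalId": SP_LMS, "resourceDisplayName": "Microsoft Graph",
     "appRoleId": "b0000000-0000-4000-8000-000000000001"},
    {"id": "ara-2", "principalId": SP_LMS, "resourceDisplayName": "Microsoft Graph",
     "appRoleId": "b0000000-0000-4000-8000-000000000002"},
]

OAUTH2_GRANTS = [  # delegated permissions; scope is a space-separated string
    {"id": "g-1", "clientId": SP_ROOMS, "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Calendars.ReadWrite Mail.Send"},
    {"id": "g-2", "clientId": SP_LMS, "consentType": "Principal",
     "principalId": "c0000000-0000-4000-8000-000000000099",
     "scope": "openid profile User.Read"},
]


@dataclass(frozen=True)
class Finding:
    app: str
    permission: str
    kind: str            # "application" or "delegated"
    consented_for: str   # "tenant" (no user context), "all users", or "one user"
    high_privilege: bool


def triage(assignments, grants, app_roles, sp_names, high_priv=HIGH_PRIVILEGE):
    """Flatten both grant types into one Finding per (app, permission)."""
    findings = []
    for a in assignments:
        perm = app_roles.get(a["appRoleId"], f"unknown appRoleId {a['appRoleId']}")
        app = sp_names.get(a["principalId"], a["principalId"])
        findings.append(Finding(app, perm, "application", "tenant", perm in high_priv))
    for g in grants:
        who = "all users" if g["consentType"] == "AllPrincipals" else "one user"
        app = sp_names.get(g["clientId"], g["clientId"])
        for scope in g["scope"].split():
            findings.append(Finding(app, scope, "delegated", who, scope in high_priv))
    return findings


def needs_review(findings):
    """Every application permission (it bypasses per-user limits) plus any
    high-privilege delegated scope, whoever consented to it."""
    return [f for f in findings if f.kind == "application" or f.high_privilege]


def report(findings):
    """Human-readable lines, worst first, for a consent review."""
    ordered = sorted(findings, key=lambda f: (f.kind != "application",
                                              not f.high_privilege, f.app))
    return [f"{'!!' if f.high_privilege else '  '} {f.app}: {f.permission} "
            f"[{f.kind}, consented for {f.consented_for}]" for f in ordered]


if __name__ == "__main__":
    print("\n".join(report(needs_review(
        triage(APP_ROLE_ASSIGNMENTS, OAUTH2_GRANTS, GRAPH_APP_ROLES, SERVICE_PRINCIPALS)))))
```

To run this against a real tenant, replace the constructed lists with the output of the two Graph endpoints named in the docstring (the Microsoft Graph PowerShell cmdlets Get-MgServicePrincipalAppRoleAssignment and Get-MgOauth2PermissionGrant return the same objects), and build the appRoleId map from the resource service principal's appRoles. The ordering in report puts application permissions first because, as the text above notes, they are not constrained by any signed-in user's own access.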