Date: 2025-09-24
When and how to create a Microsoft Entra ID tenant.
Learn why you may want to create a new or additional Microsoft Entra ID (Azure Active Directory) tenant. What questions do you need to answer before creating one? Do you go down the ‘Microsoft Entra ID’ route or ‘Azure AD B2C’? What are the implications of each? Read my article to get answers to all of your questions.
An Entra ID tenant is a cloud-based directory service from Microsoft. It is a dedicated instance that an organization or an application developer uses to house and manage their users, identities, apps, and various security services. Many organizations can operate easily with a single tenant. However, there are multi-tenant scenarios – I’ll describe some reasons below.
Each tenant comes with a unique tenant ID – which is used to authenticate the subscription’s users, services, devices, and applications. (You can locate your tenant ID in the Microsoft Entra admin center…)
If you already have a tenant, why would you want to create additional tenants? Here are the most prevalent reasons.
A nice quickstart or step-by-step guide wouldn’t be complete if I didn’t include the steps to create a new Entra ID tenant, right? Let me give you a high-level overview. Use the following steps to get started.
Another quick note – when you create a new Microsoft Entra ID tenant, you become the first user of that tenant. This account is assigned the Global Administrator role. Be sure to validate this account and secure its password.
Above, I walked you through a specific scenario of tenant creation with Microsoft Entra ID. What I haven’t pointed out yet is that there are some different paths you can take, including the starting portal. I’d like to give you some explanation as to your choices, why it makes more sense to start in a specific portal, and why it makes sense to choose a specific top-level choice based on your intentions for the future. The type of users you’re managing, the type of tenant, and information security requirements are all criteria for how to proceed.
There are a few prerequisites or requirements you should be aware of before proceeding and planning. First, you will need an Azure account to start. Don’t worry if you’re only testing or managing development resources – you can easily create a free account to begin your testing. Also, if you’re not using an account with Global Administrator rights, you will at least need an account with the Tenant Creator role.
When you start this process from the ‘traditional’ Azure Portal, your first choice will be choosing between Microsoft Entra ID or Azure AD B2C. You will want to choose the first, Microsoft Entra ID, if you intend to perform these functions:
In case it’s not clear, this is the choice for managing all the aspects of user management – first name, last name, password, and other user settings.
However, for that first decision, you will want to choose Azure AD B2C if you need to:
Special Note: Azure AD B2C cannot secure access to Office 365, Azure subscriptions, or other Microsoft services!
Yes, you certainly can. The vast majority of organizations will have existing tenants in Microsoft Entra ID (especially if you are utilizing Microsoft 365). Using ‘Azure AD B2C’ is as easy as accessing the administration controls in the Azure Portal.
If you are looking to build an environment for work or school accounts, or even personal Microsoft accounts (MSA), you can use an existing Microsoft Entra tenant or build a new one, especially for development purposes.
Many developers will already have a tenant through subscriptions or services they’ve previously purchased or trialed. To find out:
If you don’t have an existing tenant for your specific development purposes, go ahead and create a new one.
In summary, an Azure subscription contains your virtual resources in the cloud and the corresponding management interfaces. An Entra ID tenant is about identity and access management for your users, applications, and devices.
Here’s a table to help you understand the differences and how they are potentially related.
| |Entra ID Tenant|Azure Subscription|
|---|---|---|
|Definition|A dedicated and trusted instance of Entra ID that includes your users, groups, and applications.|Associated with an Azure Offer (free trial for example), contains your payment information, scale limits, and any administrative boundaries, and is the container for your Azure resources.|
|Association|Associated with a single identity (person, company, or organization) and can own one or several subscriptions.|Linked to a payment setup – each subscription will result in a separate bill.|
|Resources|Each of these tenants will have their unique users, groups, and applications separate from your other tenants.|In every subscription, you can add virtual resources (VM, storage, network, etc.).|
|Purpose|Identity and Access Management (IAM)|Resource usage and management.|
|Relationship with each other|Entra ID can have a 1:M relationship, but a Subscription can only trust one Entra ID tenant.|Subscriptions rely on this relationship with Entra ID to authenticate and authorize users, groups, applications, etc.|
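The 1:M relationship from the table, as an added example (not part of the original article): a Python script that groups the output of `az account list --output json` by `tenantId` and reports subscriptions that trust a tenant outside an approved list. The sample records, all GUIDs, and the `APPROVED_TENANTS` set are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `az account list --output json`
# (only the fields used below; every GUID is a made-up placeholder).
SAMPLE_ACCOUNTS = json.loads("""
[
  {"id": "aaaaaaaa-0000-0000-0000-000000000001", "name": "prod-payments",
   "state": "Enabled", "tenantId": "11111111-1111-1111-1111-111111111111"},
  {"id": "aaaaaaaa-0000-0000-0000-000000000002", "name": "prod-web",
   "state": "Enabled", "tenantId": "11111111-1111-1111-1111-111111111111"},
  {"id": "aaaaaaaa-0000-0000-0000-000000000003", "name": "dev-sandbox",
   "state": "Enabled", "tenantId": "22222222-2222-2222-2222-222222222222"},
  {"id": "aaaaaaaa-0000-0000-0000-000000000004", "name": "old-trial",
   "state": "Disabled", "tenantId": "33333333-3333-3333-3333-333333333333"}
]
""")

# Hypothetical allow-list: the tenants your organization has sanctioned.
APPROVED_TENANTS = {
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
}


def subscriptions_by_tenant(accounts):
    """Return {tenantId: [subscription names]}: one tenant, many subscriptions."""
    grouped = defaultdict(list)
    for acct in accounts:
        grouped[acct["tenantId"].lower()].append(acct["name"])
    return dict(grouped)


def unapproved_subscriptions(accounts, approved):
    """List (name, tenantId, state) for subscriptions trusting an unsanctioned tenant."""
    approved = {t.lower() for t in approved}
    return [
        (a["name"], a["tenantId"].lower(), a["state"])
        for a in accounts
        if a["tenantId"].lower() not in approved
    ]


if __name__ == "__main__":
    for tenant, subs in sorted(subscriptions_by_tenant(SAMPLE_ACCOUNTS).items()):
        print(f"{tenant}: {', '.join(subs)}")
    for name, tenant, state in unapproved_subscriptions(SAMPLE_ACCOUNTS, APPROVED_TENANTS):
        print(f"REVIEW: {name} ({state}) trusts unapproved tenant {tenant}")
```

To use it on real data, replace `SAMPLE_ACCOUNTS` with the parsed JSON from your own `az account list --output json` run and set `APPROVED_TENANTS` to your sanctioned tenant IDs.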
Although there are some rather important decisions you need to make when creating a new or additional Entra ID tenant, including which portal to start from, the process is relatively quick and painless. You don’t need a lot of technical expertise to go through the steps.
However, I don’t want to discount the research and planning you need to go through before completing the process. There are a few gotchas or future additions that are blocked or unavailable based on what specific steps you take. Planning is key.
I welcome any comments or questions in the form below. Thank you for reading!
To create a new Azure Active Directory (Azure AD) tenant:
After a few moments, your new Azure AD tenant will be provisioned and available for use.
An Azure AD tenant is a dedicated and trusted instance of Azure Active Directory (Entra ID) that Microsoft automatically creates when your organization signs up for a Microsoft cloud service such as Azure, Microsoft 365, or Dynamics 365.
No, non-admin users cannot create tenants.
The terms are related but distinct:
Azure AD is the service, while an Azure tenant is your organization’s instance of that service.