Overview of Azure Active Directory, Subscriptions, Accounts & Role based access control
So in the beginning there was nothing!
Venturing into Azure these days, you might lose the overview you once had. With the introduction of Azure RBAC, multiple subscriptions, probably many Azure Active Directories, and a mix of Microsoft and work accounts, it can be confusing how it all fits together. So I decided to write this post to clear up any confusion people might have.
Before I go ahead and describe the different scenarios, there are some key roles and names you should be aware of:
Microsoft Account: An account associated with Microsoft. This can for instance be an Outlook, Hotmail, Xbox Live, MSDN or any other purpose-created account with Microsoft.
Work Account: A user account associated with an Azure Active Directory object. This can for instance be accounts sourced from Office365, Intune or synchronized user accounts from an on-premises Active Directory. Users who sign in with a work account are authenticated either directly against Azure Active Directory or with federated access to an on-premises Active Directory.
Azure subscription: An active agreement with Microsoft which is needed to provision resources in Microsoft Azure. Every subscription also has a trust relationship with an Azure AD instance. This means that it trusts that directory to authenticate users, services and devices. A subscription will only trust one directory, but multiple subscriptions can trust the same directory.
via Marius Sandbu.