az account show --output jsonTenant scope
Tenant scope is the highest Azure Resource Manager deployment and governance context tied to a Microsoft Entra tenant.
Source: Microsoft Learn - Deploy resources to tenant with ARM templates Reviewed 2026-05-27
- Exam trap
- Using tenant scope for ordinary application infrastructure that belongs in a subscription or resource group.
- Production check
- Check az account show before a tenant-scope command and compare tenantId with the approved change record.
Article details and learning context
- Aliases
- Tenant scope, tenant scope, Azure Tenant scope, tenant level scope, ARM tenant scope, targetScope tenant
- Difficulty
- fundamentals
- CLI mappings
- 5
- Last verified
- 2026-05-27
- Review level
- field-manual-complete
- Article depth
- field-manual-complete
Understand the concept
In plain English
Tenant scope means the Azure operation is aimed at the top boundary of a Microsoft Entra tenant, not a single subscription or resource group. It is the broadest ARM scope an operator usually deals with. Tenant scope is relevant when creating management groups, assigning certain roles, deploying tenant-level templates, or reasoning about inherited governance. For everyday workload changes, it is usually too broad. For platform foundations, it is sometimes exactly the right scope because the change needs to apply above all subscriptions.
Why it matters
Tenant scope matters because scope is the boundary that determines who can change something, who inherits it, and how far mistakes travel. A command that is harmless at resource-group scope can become dangerous at tenant scope. Conversely, trying to automate tenant-wide foundations from a lower scope can create brittle workarounds and partial governance. Understanding tenant scope helps engineers choose the right deployment command, RBAC assignment, policy target, and approval path. It also reduces confusion between tenant, tenant root group, management group, subscription, and resource group. That clarity is vital during audits, incidents, landing-zone rollouts, and cross-tenant operations. That clarity prevents broad Azure changes from becoming hidden operational debt.
Official wording and source
Tenant scope is the top Azure Resource Manager scope tied to a Microsoft Entra tenant. It is used for tenant-level deployments, role assignments, and governance operations that sit above management groups, subscriptions, and resource groups. for Tenant scope operations. for Tenant scope operations.
Technical context
Tenant scope sits at the top of the Azure Resource Manager scope hierarchy, above management groups, subscriptions, resource groups, and resources. ARM templates and Bicep files can target it with tenant-level deployment commands and targetScope tenant. Scope functions can then route modules to management groups, subscriptions, or resource groups. It is a control-plane context, not an application data plane. Permissions are evaluated at the requested scope and at every target resource scope. Tenant scope often appears in RBAC, policy, template deployment, management group, and governance automation work.
Exam context
Compare with
Where it is used
Where you see it
- Bicep files that declare targetScope tenant, or ARM templates using the tenant deployment schema, indicate that deployment evaluation begins at tenant scope. during Tenant scope operational review.
- Azure CLI commands such as az deployment tenant and az account tenant list expose tenant-scope deployment records, tenant context, and high-level automation boundaries. during Tenant scope operational review.
- Role assignment, policy, and management group evidence may show a slash root scope or tenant-level target that sits above subscriptions and resource groups. during Tenant scope operational review.
Common situations
- Choose tenant-scope deployment when creating organization-wide management group foundations from infrastructure as code.
- Verify a role assignment or policy target is intentionally above subscriptions before approving a broad security change.
- Troubleshoot inherited governance by separating tenant scope, tenant root group scope, and child management group scope.
- Build CI/CD preflight checks that stop deployment if the active tenant or scope is wrong.
- Standardize subscription vending and landing-zone automation from a single controlled tenant-level context.
Illustrative Azure scenarios
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Scenario 01 Retail chain standardizes subscription vending scope Scenario, objectives, solution, measured impact, and takeaway.
A national retail chain opened many pop-up store projects and created Azure subscriptions through several manual paths. Some subscriptions missed baseline policies because automation ran at subscription scope after the fact.
- Run subscription vending from a controlled tenant-level context.
- Place new subscriptions under the correct management group within one hour.
- Apply baseline governance before workload teams deploy resources.
- Reduce manual platform tickets during seasonal expansion.
The platform team redesigned the vending workflow around tenant scope. A tenant-scope Bicep deployment orchestrated management group placement modules and emitted outputs for downstream subscription setup. CLI preflight checked tenant ID and what-if output before approval. Workload-specific resources still deployed later at subscription and resource group scopes. The team documented the difference between tenant scope and tenant root group so operators knew where the deployment started and where policies inherited from. The team also documented how Tenant scope would be checked during the next release and who owned the rollback decision.
- Subscriptions missing baseline governance fell from 14 per quarter to one exception.
- Average subscription readiness time dropped from 18 hours to 42 minutes.
- Seasonal platform tickets fell by 57%.
- Every vending run produced tenant-scope deployment evidence for audit.
Tenant scope is useful when the workflow must start above subscriptions but still delegate workload control to lower scopes.
Scenario 02 Biotech prevents overbroad research access Scenario, objectives, solution, measured impact, and takeaway.
A biotech research organization used shared Azure environments for lab pipelines. A proposed access script would have assigned a research group at tenant scope instead of the intended project management group.
- Detect overbroad scope before role assignments were created.
- Give researchers access only to approved project subscriptions.
- Create a reusable review step for privileged access scripts.
- Avoid delaying a genomics analysis deadline.
The identity team added a CLI validation stage that parsed role assignment scope values before execution. The script ran az account show, listed management groups, and rejected any assignment whose scope was tenant-level unless a security exception existed. Reviewers compared the intended management group ID with the tenant ID and caught the error in the pull request. The corrected script assigned the group at the research project management group, and inherited access reached only the required subscriptions. The team also documented how Tenant scope would be checked during the next release and who owned the rollback decision.
- The overbroad role assignment was blocked before any production access changed.
- Access approval time stayed under four hours for the genomics deadline.
- Privileged script reviews found three additional scope typos that quarter.
- Security reduced emergency access exceptions by 46%.
Tenant scope must be explicit in access automation because one misplaced scope string can turn project access into estate-wide access.
Scenario 03 Public agency clarifies governance evidence Scenario, objectives, solution, measured impact, and takeaway.
A public-sector agency faced an audit finding that teams could not explain whether controls were assigned at tenant scope, root management group, or child management groups. Evidence was inconsistent across screenshots and exports.
- Create a single evidence trail for high-scope governance.
- Distinguish tenant-scope deployments from root-group policy assignments.
- Reduce audit clarification meetings by at least 50%.
- Train platform teams on scope selection before future releases.
The agency created a scope evidence workbook fed by Azure CLI exports. For each high-scope change, operators captured tenant ID, deployment scope, deployment operations, management group path, role assignments, and policy assignment scope. Tenant-scope deployments were labeled separately from tenant root group assignments. The release checklist required teams to state why tenant scope was necessary or choose a lower scope. Auditors received JSON evidence and diagrams rather than manually annotated portal screenshots. The team also documented how Tenant scope would be checked during the next release and who owned the rollback decision.
- Audit clarification meetings fell from nine to three in the next review cycle.
- High-scope changes with complete evidence rose from 52% to 97%.
- Two proposed tenant-scope deployments were redesigned for management group scope.
- Platform onboarding training time dropped by one full day.
Tenant scope becomes safer when teams can prove exactly which boundary was used and why a narrower one was not enough.
Azure CLI
Azure CLI is useful for tenant scope because scope mistakes are easier to see in command text than in portal navigation. I want to see az deployment tenant, az account tenant, management group IDs, role assignment scopes, and JSON output before approving broad changes. CLI also lets platform teams build preflight checks that stop a pipeline when the active tenant or intended scope is wrong. After ten years of Azure work, I trust repeatable scope evidence more than someone saying they clicked the right blade. Tenant scope needs that discipline because the blast radius is organizational. This keeps automation reviewable when ownership changes or incidents happen.
Useful for
- Run az account tenant list and az account show to confirm tenant context before any high-scope operation.
- Run az deployment tenant what-if to review planned tenant-scope changes without creating resources.
- List management groups and role assignments to understand what lower scopes inherit from tenant-level decisions.
- Capture tenant-scope deployment output as JSON evidence for audit, rollback, and platform release notes.
Before you run a command
- Confirm the tenant ID, account, and intended scope before running any command that includes tenant, root, or slash-level targets.
- Verify permissions separately from visibility; seeing a tenant or root group does not mean you can safely change it.
- Treat tenant-scope create, update, role assignment, and policy commands as security-impacting until proven otherwise.
- Use what-if, read-only listing, and JSON output first so reviewers can inspect planned scope transitions before mutation.
What the output tells you
- Tenant-list output shows which Microsoft Entra tenants the signed-in account can access and which tenant ID each entry uses.
- Deployment output shows tenant-scope provisioning state, location, correlation ID, and any modules routed to lower scopes.
- Role and policy output reveals whether assignments are scoped at tenant, management group, subscription, or resource group boundaries.
- Management group output helps confirm whether governance is being inherited from root or applied at a narrower child scope.
Mapped commands
Tenant-scope discovery and deployment commands
directaz account tenant list --output jsonaz deployment tenant what-if --location <region> --template-file main.bicep --parameters @main.bicepparamaz role assignment list --scope / --output jsonaz account management-group list --output tableArchitecture context
Architecturally, tenant scope is the boundary for platform-level decisions that sit above subscription ownership. It is where you reason about the tenant as an estate: identity boundary, management hierarchy, global governance, and deployment orchestration. I do not put application-specific choices there unless the application is itself a tenant-wide platform service. The architecture should show how tenant scope relates to tenant root group, child management groups, subscription vending, RBAC, policy initiatives, and pipeline identities. A mature design uses tenant scope deliberately, then delegates most ongoing control to lower scopes where ownership and blast radius are clearer. That ownership line should be visible in every platform review.
- Security
- Security impact is direct because tenant scope can grant, deny, or configure access above individual subscriptions. A role assignment at this level or a tenant-scope deployment that creates assignments can affect a wide set of resources. Access should be limited, monitored, and preferably activated just in time. Security reviews must distinguish tenant scope from tenant root group scope and confirm the exact scope string used in templates or CLI. Avoid storing secrets in tenant deployment parameters or outputs. Always verify which principal runs the operation and whether its permissions are intentionally broad or accidentally inherited. Record the approval path and verify the boundary after the change.
- Cost
- Tenant scope has no meter, but tenant-scope decisions can set cost posture across the estate. Policies and deployments at this level can require diagnostics, allowed regions, security plans, storage redundancy, tags, or SKU constraints for many subscriptions. These controls can prevent waste, but they can also create unplanned spend if retention, monitoring, or premium defaults are too aggressive. FinOps should review tenant-scope governance before rollout and make sure cost owners understand inherited requirements. Tenant scope is also useful for standardizing tags and hierarchy that power chargeback, showback, and cross-subscription cost reporting. Review the financial impact before making the change permanent.
- Reliability
- Reliability impact is about blast radius and deployment correctness. Tenant-scope mistakes can affect management group hierarchy, inherited roles, policy assignments, and downstream modules across many subscriptions. Reliable operators validate and what-if tenant-scope templates before create, test policies lower in the hierarchy, and use small releases. They also verify scope transitions in Bicep modules so a subscription or resource group target is not accidentally pointed elsewhere. Recovery may require compensating deployments rather than simple resource rollback. Treat tenant-scope changes as foundation changes with clear maintenance windows, evidence, and post-change checks. Post-change verification should prove inherited behavior still works as intended. Save the verification result with deployment evidence.
- Performance
- Tenant scope does not sit in the application request path, so it rarely affects runtime latency directly. Its performance effect is on deployment, governance evaluation, and operational speed. A well-designed tenant-scope foundation can make subscription vending, policy rollout, and audit response faster. A messy one slows every team with confusing inherited rules and approval bottlenecks. Large tenant deployments with many nested modules can also take longer to validate and execute. Keep tenant-scope templates modular, use what-if, and push workload-specific performance settings down to subscriptions or resource groups where teams can tune them safely. Measure before and after so tuning claims stay testable.
- Operations
- Operators work with tenant scope when checking account context, listing tenants, creating tenant deployments, reviewing management group structure, assigning roles at high scope, and investigating inherited policy behavior. Good operations start with read-only discovery: az account show, az account tenant list, management-group list, role assignment list, and what-if output. Change runbooks should define approval, command safety, output capture, rollback strategy, and post-change verification. Because tenant scope sits above many teams, communication matters. Notify affected subscription owners before broad governance changes and publish evidence after the deployment completes. Keep this evidence attached to the incident, release, or audit ticket. Add owner, timestamp, and scope to the runbook.
Common mistakes
- Using tenant scope for ordinary application infrastructure that belongs in a subscription or resource group.
- Confusing tenant scope with tenant root group, then assigning policy or RBAC at the wrong boundary.
- Forgetting that tenant-scope deployments still need a metadata location even for global resources.
- Skipping what-if because the template is small, then discovering it targeted every subscription through inheritance.