Azure 15 Oct 2025

Azure IDs Explained. Tenant, Subscription, Resource, Application (client) & Object IDs

When working with Azure, you will encounter various types of IDs in the form of GUIDs (Globally Unique Identifiers). Understanding these IDs is crucial for managing resources, configuring access, and using the Azure CLI (az) effectively.

We’ll explore these IDs (terms in backticks match the Azure portal labels):

Tenant ID — identifies your Microsoft Entra ID directory; used for authentication and identity management.
Subscription ID — identifies a subscription; used for billing and scoping resource operations.
Resource GUID — an internal GUID assigned to a resource instance; helpful for cross-referencing resources.
Resource ID — the full ARM path showing where a resource lives; used in ARM templates and API calls.
Application (Client) ID — the client identifier (appId) for a registered application; used in OAuth flows.
Object ID — a tenant-scoped identifier for directory objects like users and service principals.

Tenant ID

The Tenant ID uniquely identifies your Microsoft Entra ID tenant (directory). A tenant is the top-level identity boundary in Azure and can contain management groups and subscriptions.

Where to find it

Azure Portal: Tenant properties → Tenant ID
Azure Portal: App registrations → Click on any app registration → Overview → Directory (tenant) ID

Pay attention to the different names used for the same ID:

The Tenant ID in Azure

The Directory tenant ID in Azure

Azure CLI

Use the following commands to get tenant information via the Azure CLI:

# Get current Tenant ID for the signed-in account
az account show --query tenantId --output tsv

# List tenants your account is a member of
az account tenant list --query "[].{tenantId:tenantId, displayName:displayName}" --output table

Subscription ID

The Subscription ID uniquely identifies an Azure subscription. Each subscription belongs to a single tenant.

Where to find it

Azure Portal: Subscriptions → Select a subscription → Overview → Subscription ID
Azure Portal: Any resource → Overview → Subscription ID

The Subscription ID in Azure

Azure CLI

# Get the current subscription ID
az account show --query id --output tsv

# List subscriptions available to the signed-in account
az account list --query "[].{name:name, id:id, state:state}" --output table

Resource GUID

The Resource GUID is a GUID property assigned to many resource instances. Do not confuse it with the Resource ID.

Where to find it

Azure Portal: Resource → Properties → Resource GUID

The Resource GUID of a resource in Azure

Azure CLI

In the Azure CLI, the resourceGuid property may appear on the resource object (or under properties.resourceGuid for some resource types). This GUID can be particularly useful when:

Tracking resources across deployments or subscriptions
Correlating resources in monitoring and logging systems
Identifying resources that have been moved between resource groups

# Find resources in the current subscription with a given resource GUID
az resource list --query "[?resourceGuid=='<resource-guid>' || properties.resourceGuid=='<resource-guid>'].[id,name,type,resourceGroup]" --output table

Resource ID

The Resource ID provides the complete hierarchical path to your resource. It follows the format:

/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/{resource-provider}/{resource-type}/{resource-name}

Where to find it

Azure Portal: Resource → Properties → Resource ID

Azure CLI

In the Azure CLI, the Resource ID is stored inside the id property.

# Get resource ID for a specific resource
az resource show --name <resource-name> --resource-group <resource-group-name> --resource-type <resource-type> --query id --output tsv

Note: Resource IDs are case-insensitive, but it’s best practice to maintain the casing shown in the Azure Portal for consistency.

Application (Client) ID

The Application ID, also known as the Application (client) ID, is the client identifier for a registered application (app registration). This ID is the cross-tenant client identifier used in OAuth flows and when requesting tokens.

The app registration (application object) is different from the service principal (enterprise application) object created in a tenant.

Where to find it

Azure Portal: App registrations → Select an app → Overview → Application (client) ID
Azure Portal: Enterprise applications → Select an enterprise application → Overview → Application ID

Note the different names used for the same ID:

The Application Client ID of an App Registration in Azure

The Application ID of an Enterprise Application in Azure

Azure CLI

In the Azure CLI the Application ID is accessed through the appId property on the application object.

# Get the application object (shows application object id and client/appId)
az ad app show --id <application-client-id> --query "{applicationObjectId:id, appId:appId, displayName:displayName}" --output json

# Find application client/appId by display name (first match)
az ad app list --display-name "<app-name>" --query "[0].{name:displayName, appId:appId}" --output table

Object ID

The Object ID is a tenant-scoped identifier for directory objects such as users, groups, application objects, and service principals.

Object IDs are unique within a tenant; the same logical application in different tenants will have different object IDs.

Where to find it

Azure Portal: App registrations → Select app → Overview → Object ID (application object)
Azure Portal: Enterprise applications → Select app → Overview → Object ID (service principal object)
Azure Portal: Users → Select user → Overview → Object ID

The Object ID of a User in Azure

Azure CLI

# Service principal (Enterprise application) object ID using the Application (client) ID
az ad sp show --id <application-id> --query id --output tsv

# Application (App registration) object ID
az ad app show --id <application-id> --query id --output tsv

# User object ID
az ad user show --id [email protected] --query id --output tsv

# Group object ID
az ad group show --group "<group-name>" --query id --output tsv

Practical rule: use appId when you need the cross-tenant client identifier, and use the appropriate id (application object id or service principal id) when you need to reference or assign roles to an object inside a tenant.

Conclusion

Common relationships and clarifications:

Application (client) ID ≠ Object ID - the Application (client) ID identifies the application across tenants; the Object ID identifies the application object in a specific tenant.
Enterprise Application Object ID ≠ Application Object ID - enterprise applications are tenant-scoped representations of the app and have their own Object ID in each tenant.
A single Application (client) ID can have multiple enterprise applications (one per tenant) referencing the same app across tenants.
Resource ID is the canonical, ARM-style identifier used to locate resources; it includes subscription and resource group context and is used by ARM APIs.
Object ID is unique within a tenant (not global across tenants).

Understanding these distinctions helps avoid confusion when working with the portal, Azure CLI, role assignments, and automation.