Manage Learn to apply best practices and optimize your operations.

How to set up and manage Azure subscriptions

Subscriptions are not as black and white as they seem. Review the concepts, roles and challenges involved when planning and managing subscriptions for Azure.

Subscriptions are a fundamental part of every IT service, providing a link between a person or organization, the...

resources used and payment. In Microsoft Azure, subscriptions are tied to a particular account, with access to usage reporting and billing.

Like subscriptions for other infrastructure-as-a-service offerings, Azure subscriptions establish the set of resources available to a user. For example, some subscriptions only include the use VMs, storage and SQL databases, or only the Mobile Apps services.

Azure subscriptions establish three parameters: a unique subscriber ID, a billing location and a set of available resources. For an individual developer, that would include one Microsoft account ID, a credit card number and the full suite of Azure services -- although, Microsoft enforces consumption limits, depending on the subscription type.

Subscriptions get more complicated, however, in enterprises that use consolidated billing and have central controls over accounts, subscription creation and resource usage.

Azure subscriptions with a Microsoft EA

Azure subscriptions establish three parameters: a unique subscriber ID, a billing location and a set of available resources.

Many organizations have Microsoft Enterprise Agreements (EAs) that cover licensing and support for their entire portfolio of Microsoft applications and services. These EAs provide discounts on Azure pricing and allow users to migrate software licenses from on-premises servers to Azure. Users with an EA also have access to the Azure Enterprise Portal, which provides billing and subscription management features.

For organizations with an EA, Azure subscriptions follow a four-level hierarchy: enterprise enrollment administrator, department administrator, account owner and service administrator. Enterprise administrators onboard their organization to Azure and can do the following:

  • Add accounts or associate existing accounts to an enrollment. An enrollment is a master account associated with an organization's EA, to which all other Azure subscriptions and bills are tied. When EA users sign up for Azure, they receive an enrollment number and access key that allows them to access the Azure EA Portal and perform admin tasks.
  • View usage data across all accounts.
  • View billing information, including the cash balance of an enrollment.
  • Grant account owners the right to view charges.

There are no limits on the number of enterprise administrators per enrollment.

What does an Azure department administrator do?

Enterprise administrators can create department administrators with authority over defined groups. Department administrators can:

  • Add accounts and track usage within their workgroup or billing code;
  • Add and remove other department admins;
  • Add accounts to the enrollment and their departments;
  • Remove accounts from their departments; and
  • View department charges, if the enterprise administrator allows.

Each account can have one or more Azure subscriptions, and the service administrators can manage individual subscriptions. Account owners can add any available subscriptions to their accounts and -- if the enterprise administrator allows it -- view usage statistics and charges. Account owners do not have access to an enrollment's overall financial balance or commitment.

IT teams define these four roles in the Azure Active Directory (AD). Organizations often connect their private AD to Azure to eliminate duplicate user and group identities, as well as security policies. Each enrollment and subscription only trusts a single directory, so for organizations using their own AD, various administrative roles typically correspond to an AD group.

Breaking down the Azure enrollment and subscription structure
Breaking down the Azure enrollment and subscription structure.

Designing a consolidated Azure enrollment and subscription structure requires planning. Here are five steps to get started:

1. Choose a subscription type.

Due to price discounts and license flexibility, organizations with an EA should incorporate Azure into their overall Microsoft licensing and service bundle. Organizations without an EA must choose between pay-as-you-go or prepaid plans. However, for major Azure projects, where you expect to spend at least $6,000, the prepaid option -- which offers a 5% discount and end-of-term refund of any unused balance -- is the better option.

 2. Decide on a management hierarchy.

Azure's hierarchical structure allows organizations to partition service control, spending and reporting based on department, account and service administrative roles. There are several logical ways to do this. For example, you could divide departments based on function -- such as research and development, IT or accounting -- on business unit or geography. Account owners, who are responsible for adding subscriptions, can be either an individual or a group within an organization.

 3. Determine whether to link your enterprise AD to Azure.

Integrating and synchronizing AD with Azure is well-supported, but there can be issues when delineating roles and responsibilities between subscription and directory management. Azure subscription administrators and Azure AD administrators are two separate roles. Azure subscription administrators can manage Azure resources and view the AD extension in the Azure portal, while AD administrators manage properties in the directory. While the same person can assume both roles, it isn't necessary. It's best to use existing AD groups to control membership of account and service administrator roles.

4. Establish a naming convention for Azure subscriptions and departments.

Organizations should align the naming conventions of their Azure accounts and subscriptions to their billing requirements. This makes it easier to create billing reports, allowing admins to download Azure reports into Excel and create a pivot table.

5. Define service boundaries, usage quotas and limits for account types.

Azure has default limits on active resources, but because billing is tied to a subscription, organizations should establish different limits, depending on the application, workgroup or other factors. Azure Resource Groups provide a way to combine related services into a container, around which admins can define a uniform set of usage and security policies.

Most of these management tasks, such as naming resources and establishing resource groups, are done through the Azure Resource Manager (ARM). However, organizations perform enterprise enrollment and set up department administrators through a separate EA portal. ARM tasks can also be scripted using PowerShell or the Azure command-line interface, but don't start with ARM until you address the issues above and develop repeatable policies.

Next Steps

Discover top tips for managing Azure

Azure bridges public, private cloud gap with Azure Stack

Test your Azure cloud knowledge

Dig Deeper on Managed Kubernetes and container services

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

What obstacles have you encountered while managing an Azure subscription?
I am having problems understanding the EA Azure terminology, fro example: Account - is it a specific person or a department, how does it fit into the scheme of things?  Department?  What does it denote?  I am used to AD but this terminology does not seem to relate to the same things.

Any advice?