Subscriptions are a fundamental part of every IT service, providing a link between a person or organization, the...
resources used and payment. In Microsoft Azure, subscriptions are tied to a particular Azure account, with access to usage reporting and billing.
Like subscriptions for other IaaS offerings, Azure subscriptions establish the set of resources available to a user. For example, some subscriptions only include the use of virtual machines, storage and SQL databases, or only the Mobile Apps services.
Azure subscriptions establish three parameters:
- a unique subscriber ID
- a billing location
- a set of available resources
For an individual developer, that would include one Microsoft account ID, a credit card number and the full suite of Azure services. Although, Microsoft enforces consumption limits, depending on the subscription type.
Azure subscription management can get more complicated for enterprises that use consolidated billing and have central controls over accounts, subscription creation and resource usage.
Azure subscriptions with a Microsoft EA
Many organizations have Microsoft Enterprise Agreements (EAs) that cover licensing and support for their entire portfolio of Microsoft applications and services. These EAs provide discounts on Azure pricing and enable users to migrate software licenses from on-premises servers to Azure. Users with an EA also have access to the Azure Enterprise Portal, which provides billing and subscription management features for Azure environments.
For organizations with an EA, Azure subscriptions follow a four-level hierarchy: enterprise enrollment administrator, department administrator, account owner and service administrator. Enterprise administrators onboard their organization to Azure and can do the following:
- Add accounts or associate existing accounts to an enrollment. An enrollment is a master account associated with an organization's EA, to which all other Azure subscriptions and bills are tied. When EA users sign up for Azure, they're assigned an enrollment number and access key that allows them to access the Azure EA Portal and perform admin tasks.
- View usage data across all accounts.
- View billing information, including the cash balance of an enrollment.
- Grant account owners permissions to view charges.
There are no limits on the number of enterprise administrators per enrollment.
What does an Azure department administrator do?
Enterprise administrators can create department administrators with authority over defined groups. These administrators can:
- add Azure accounts and track usage within their workgroup or billing code;
- add and remove other department admins;
- add accounts to the enrollment and their departments;
- remove accounts from their departments; and
- view department charges, if the enterprise administrator allows.
Each account can have one or more subscriptions, and an administrator can manage individual subscriptions. Account owners can add any available subscriptions to their accounts and -- if the enterprise administrator allows it -- view usage statistics and charges. Account owners do not have access to an enrollment's overall financial balance or commitment.
IT teams define these four roles in the Azure Active Directory (AD). Organizations often connect their private AD to Azure to eliminate duplicate user and group identities, as well as security policies. Each enrollment and subscription only trusts a single directory, so for organizations using their own AD, various administrative roles typically correspond to an AD group.
Designing a consolidated Azure enrollment and subscription structure requires planning. Here are five steps to get started and develop best practices for Azure subscription management:
1. Choose a subscription type.
Due to price discounts and license flexibility, organizations with an EA should incorporate Azure into their overall Microsoft licensing and service bundle. Organizations without an EA must choose between pay-as-you-go or prepaid plans. However, for major Azure projects, where you expect to spend at least $6,000, the prepaid option -- which offers a 5% discount and end-of-term refund of any unused balance -- is the better option.
2. Decide on a management hierarchy.
Azure's hierarchical structure enables organizations to partition service control, spending and reporting based on department, account and service administrative roles. There are several logical ways to do this. For example, you could divide departments based on function -- such as research and development, IT or accounting -- on business unit or geography. Azure account owners who are responsible for adding subscriptions, can be either an individual or a group within an organization.
Subscriptions are useful to organize resources and manage usage, so Azure subscription management and planning is particularly useful for larger organizations. Some subscription design patterns for different scenarios include:
- single subscription
- workload separation pattern
- application category pattern
- subscriptions based on business function, unit or geography
The Azure Cost Management service, derived from the Cloudyn acquisition, includes prebuilt reports for spending by subscription, tag and other parameters and enables enterprises to combine costs into comprehensive summaries.
When users have multiple subscriptions available, Azure offers subscription filtering to simplify selection. This can be done either locally, within the user's browser or globally via an ARM blade.
3. Determine whether to link your enterprise AD to Azure.
Integrating and synchronizing AD with Azure is well-supported, but there can be issues when delineating roles and responsibilities between subscription and directory management. Azure subscription administrators and Azure AD administrators are two separate roles. Azure subscription administrators can manage Azure resources and view the AD extension in the Azure portal, while AD administrators manage properties in the directory. While the same person can assume both roles, it isn't necessary. It's best to use existing AD groups to control membership of account and service administrator roles.
4. Establish a naming convention for Azure subscriptions and departments.
Organizations should align the naming conventions of their Azure accounts and subscriptions to their billing requirements. This makes it easier to create billing reports, allowing admins to download Azure reports into Excel and create a pivot table.
5. Define service boundaries, usage quotas and limits for account types.
Azure has default limits on active resources, but because billing is tied to a subscription, organizations should establish different limits, depending on the application, workgroup or other factors. Azure Resource Groups provide a way to combine related services into a container, around which admins can define a uniform set of deployment and security policies.
Most of these management tasks, such as naming resources and establishing resource groups, are done through the Azure Resource Manager (ARM). However, organizations perform enterprise enrollment and set up department administrators through a separate EA portal. ARM tasks can also be scripted in Azure using PowerShell or the Azure CLI, but don't start with ARM until you address the issues above and develop repeatable policies.