Enterprise Agreement enrollment and Azure Active Directory tenants

Azure offers a range of active subscription offers, and customers can use several of them at the same time to gain flexible billing options. Example offers include the Enterprise Agreement, the Microsoft Customer Agreement, the Cloud Solution Provider program, and others.

Diagram that shows Azure scopes within one Azure Active Directory (Azure AD) tenant with various billing offers and subscriptions.

Enterprise-scale architecture supports subscriptions from any Azure offer. Subscriptions must exist within one Azure Active Directory (Azure AD) tenant so that they can be placed into the management group hierarchy within that tenant. They can then be governed by the controls that enterprise-scale platforms provide, such as Azure Policy and role-based access control (RBAC).

Note

Enterprise-scale architecture is only scoped and deployed to one Azure AD tenant; however, billing options can span across multiple Azure AD tenants. For example, an Enterprise Agreement enrollment supports Azure subscriptions across different Azure AD tenants.

Plan for Enterprise Agreement enrollment

An Enterprise Agreement enrollment represents the commercial relationship between Microsoft and your organization for its use of Azure. It provides the billing foundation for your subscriptions and determines how your digital estate is administered. The Azure enterprise portal is where you manage your Enterprise Agreement enrollment. An enrollment often mirrors an organization's hierarchy of departments, accounts, and subscriptions, which in turn represents the cost centers within the organization.

Diagram that shows Azure Enterprise Agreement hierarchies.

  • Departments help to segment costs into logical groupings and set a budget or quota at the department level. The quota isn't firmly enforced; it's used for reporting purposes.

  • Accounts are organizational units in the Azure enterprise portal. They can be used to manage subscriptions and access reports.

  • Subscriptions are the smallest units in the Azure enterprise portal. They're containers for Azure services that are managed by a service administrator. This is where your organization deploys Azure services.

  • Enterprise Agreement enrollment roles link users with their functional role. These roles are:

    • Enterprise administrator
    • Department administrator
    • Account owner
    • Service administrator
    • Notification contact

How an Enterprise Agreement enrollment relates to Azure AD and Azure RBAC

When your organization uses an Enterprise Agreement enrollment for Azure subscriptions, it's important to understand the various authentication and authorization boundaries and the relationship between these boundaries.

There is an inherent trust relationship between Azure subscriptions and an Azure AD tenant, which is described further in Associate or add an Azure subscription to your Azure AD tenant. An Enterprise Agreement enrollment can also use an Azure AD tenant as an identity provider, depending on the authentication level set on the enrollment and which option was selected when the enrollment account owner was created. However, apart from the account owner, Enterprise Agreement enrollment roles don't provide access to Azure AD or the Azure subscriptions within that enrollment.

For example, a finance user is granted the enterprise administrator role on the Enterprise Agreement enrollment. They're a standard user without elevated permissions or roles assigned to them in Azure AD or on any Azure management group, subscription, resource group, or resource. The finance user can only perform the tasks listed at Managing Azure Enterprise Agreement roles and can't access the Azure subscriptions on the enrollment. The only Enterprise Agreement role with access to Azure subscriptions is the account owner, because that permission is granted when the subscription is created.

Diagram that shows Azure Enterprise Agreement relationship with Azure AD and RBAC.

Design considerations:

  • The enrollment provides a hierarchical organizational structure to govern how subscriptions are managed. See Managing Azure Enterprise Agreement roles.

  • A range of administrators can be assigned to a single enrollment.

  • Each subscription should have a designated account owner.

  • Each account owner is a subscription owner for any subscriptions provisioned under that account.

  • A subscription can belong to only one account at a time.

  • A specific set of criteria can be used to determine if a subscription should be suspended.

  • Departments and accounts can filter enrollment billing and usage reports.

  • Review Programmatically create Azure Enterprise Agreement subscriptions with the latest APIs for more information about Enterprise Agreement subscription limitations.

Design recommendations:

  • Only use the authentication type Work or school account for all account types. Avoid using the Microsoft account (MSA) account type.

  • Set up a Notification Contact email address to ensure notifications are sent to an appropriate group mailbox.

  • An organization can have various structures, including functional, divisional, geographic, matrix, or team structures. Using departments and accounts to map your organization's structure to your enrollment hierarchy can help with separating billing.

  • Use Azure Cost Management reports and views, which can use Azure metadata (for example, tags and location) to explore and analyze your organization's costs.

  • Restrict and minimize the number of account owners within the enrollment to limit administrator access to subscriptions and associated Azure resources.

  • Assign a budget for each department and account, and establish an alert associated with the budget.

  • Create a new department for IT if business domains have independent IT capabilities.

  • If you use multiple Azure AD tenants, verify that the account owner is associated with the same tenant as where subscriptions for the account are provisioned.

  • For development/testing (dev/test) workloads, use the Enterprise Dev/Test offer, where available. Ensure you comply with the terms of use.

  • Don't ignore notification emails sent to the notification account email address. Microsoft sends important Enterprise Agreement prompts to this account.

  • Don't move or rename an Enterprise Agreement account in Azure AD.

  • Periodically audit the Azure enterprise portal to review who has access, and when possible, avoid using a Microsoft account.

  • Enable both DA View Charges and AO View Charges on every Enterprise Agreement enrollment to allow users with the correct permissions to view Azure cost management data.
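The boundary described above (enrollment roles grant no Azure RBAC access, while each account owner becomes Owner of the subscriptions created under that account) is why the recommendations to minimize account owners, avoid Microsoft accounts, and audit access periodically matter. The script below is an added example, not part of this article or of any Microsoft tooling: it audits an export of Azure role assignments and flags broad roles (Owner, User Access Administrator) held by individual users at the subscription root and by external or guest identities. The sample input is constructed here; its field names follow the shape of `az role assignment list --all -o json` (an assumption), and the subscription IDs and principals are placeholders.

```python
"""Audit exported Azure RBAC assignments for broad subscription-level access.

Added example, not from the original article. Input is constructed below in
the shape of `az role assignment list --all -o json` (field names assumed).
"""
import json
import re

# Constructed sample: placeholder subscription IDs and principals.
SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {"principalName": "ea-account-owner@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"principalName": "finance.analyst@contoso.com", "principalType": "User",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"principalName": "sg-platform-owners", "principalType": "Group",
     "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/lz-platform"},
    {"principalName": "contractor_outlook.com#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000002"},
    {"principalName": "app-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg-app"},
])

# Exactly a subscription root: /subscriptions/<guid> with nothing after it.
SUBSCRIPTION_ROOT = re.compile(r"^/subscriptions/[0-9a-fA-F-]{36}$")
# Roles that hold, or can grant, full control of a subscription.
BROAD_ROLES = {"Owner", "User Access Administrator"}
# Guest/external identities carry #EXT# in their UPN in the host tenant.
EXTERNAL_MARKER = "#EXT#"


def audit_assignments(assignments_json: str) -> list[dict]:
    """Return findings for broad roles held by individuals or guests."""
    findings = []
    for a in json.loads(assignments_json):
        scope, role = a["scope"], a["roleDefinitionName"]
        name, ptype = a["principalName"], a["principalType"]
        if role not in BROAD_ROLES:
            continue  # Reader, Contributor, etc. are out of scope here
        if SUBSCRIPTION_ROOT.match(scope) and ptype == "User":
            findings.append({"severity": "high", "principal": name, "scope": scope,
                             "reason": f"{role} on the whole subscription is held by an "
                                       "individual user; prefer a group and keep account "
                                       "owners to a minimum"})
        if EXTERNAL_MARKER in name:
            findings.append({"severity": "high", "principal": name, "scope": scope,
                             "reason": f"{role} held by an external/guest identity; confirm "
                                       "it is a work or school account in the expected "
                                       "tenant, not a Microsoft account"})
    return findings


def owners_per_subscription(assignments_json: str) -> dict[str, int]:
    """Count Owner assignments at each subscription root."""
    counts: dict[str, int] = {}
    for a in json.loads(assignments_json):
        if a["roleDefinitionName"] == "Owner" and SUBSCRIPTION_ROOT.match(a["scope"]):
            counts[a["scope"]] = counts.get(a["scope"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_assignments(SAMPLE_ASSIGNMENTS_JSON):
        print(f"[{f['severity']}] {f['principal']} @ {f['scope']}: {f['reason']}")
    print(owners_per_subscription(SAMPLE_ASSIGNMENTS_JSON))
```

Run it against a real export by replacing the constructed sample with the output of `az role assignment list --all -o json` for each subscription in the enrollment. The `#EXT#` check only tells you an identity is a guest in the host tenant; whether it is backed by a Microsoft account or by a work or school account in another tenant still has to be confirmed in Azure AD.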

Plan for the Microsoft Customer Agreement service

The Microsoft Customer Agreement is the newer commerce platform for Azure. It represents the commercial relationship between Microsoft and your organization for its use of Azure. The agreement is a streamlined, electronic, 11-page agreement that doesn't expire. It provides the billing foundation for your subscriptions and affects how your digital estate is administered. You manage the agreement in the Azure portal.

The Microsoft Customer Agreement often represents an organization's hierarchy, which consists of billing profiles, invoice sections, and subscriptions. This hierarchy represents cost centers within an organization.

Diagram that shows the hierarchy of a Microsoft Customer Agreement.

Important

If migrating from an Enterprise Agreement to a Microsoft Customer Agreement, please review the following articles:

Design considerations:

  • The agreement provides a hierarchical organizational structure to govern how subscriptions are managed. See Organize costs by customizing your billing account.

  • An agreement billing account is managed by a single Azure AD tenant. However, subscriptions across different Azure AD tenants are supported by a single agreement. See How tenants and subscriptions relate to billing account and Manage subscriptions under multiple tenants in a single Microsoft Customer Agreement.

  • New Azure subscriptions provisioned with an agreement are associated with the Azure AD tenant in which the agreement billing account is located.

  • Agreements use a role-based model for billing. Multiple users can be assigned the required roles at the same scopes (billing account, billing profile, and invoice section). These billing roles and assignments are separate from standard Azure RBAC roles and assignments, and they can't be assigned at a management group or resource group scope.

  • A subscription can belong to only one invoice section at any time. Subscriptions can only be moved between invoice sections within the same billing profile.

  • An optional purchase order number can be set up on a billing profile.

  • A specific set of criteria can be used to determine if a subscription should be suspended.

  • Before you provision more billing profiles, review the potential impact to charges and reservations.

  • Use Azure Cost Management reports and views, which explore and analyze your organization's costs with Azure metadata.

Design recommendations:

  • Set up a Notification Contact email address on the agreement billing account to ensure notifications are sent to an appropriate group mailbox.

  • Assign a budget for each invoice section or billing profile, and establish an alert associated with the budget.

  • An organization can have a variety of structures, such as functional, divisional, geographic, matrix, or team. Use organizational structures to map your organization to your agreement hierarchy. Invoice sections are suitable for most scenarios.

  • If your business domain has independent IT capabilities, create a new invoice section for IT.

  • Don't ignore notifications sent to the Contact email address. Microsoft sends important prompts to this address.

  • Periodically audit the agreement billing RBAC role assignments to review who has access.

  • For development/testing (dev/test) workloads, use the Enterprise Dev/Test offer, where available. Ensure you comply with the terms of use.

Plan for the Cloud Solution Provider service

The Cloud Solution Provider (CSP) program gives Microsoft partners access to Microsoft cloud services within one platform. It enables partners to:

  • Own the customer lifecycle and end-to-end relationship.
  • Set pricing, terms, and directly bill customers.
  • Directly provision and manage subscriptions.
  • Attach services that add value.
  • Be the customer's first point of contact for support.

Azure in CSP is an Azure plan with various subscriptions that are hosted by the partner's Microsoft Partner Agreement (MPA). The MPA is similar to the Microsoft Customer Agreement; both are hosted on the modern commerce platform and use a simplified purchase agreement.

Diagram that shows an MPA hierarchy.

Important

The CSP partner completely manages the MPA.

Design considerations:

  • A CSP reseller relationship must exist between the partner and each Azure AD tenant in which the customer wants to provision a new Azure plan and CSP subscriptions.

  • Only the partner can provision an Azure plan and CSP subscriptions.

  • A specific set of criteria can be used to determine if a subscription should be suspended; a partner can also suspend a subscription.

  • The partner can allow customers to view their Azure usage fees on a per customer basis. For more information, see Enable the policy to view Azure usage charges. Partners can also use other tools to provide customers with access to their charges.

  • By default, Azure reservations can only be purchased by the partner on behalf of their customer. However, the Customer Permissions feature lets the partner grant customers permission to purchase Azure reservations from their CSP.

Design recommendations:

  • Work with your CSP partner to ensure that Azure Lighthouse is used for administer-on-behalf-of (AOBO) access for most support scenarios. See Azure Lighthouse and the Cloud Solution Provider program.

  • Work with your CSP partner to understand how to create support cases and escalation processes.

  • Discuss how to create self-service subscriptions with your CSP partner.

  • Use Azure Cost Management reports and views, which can use Azure metadata (for example, tags and location) to explore and analyze your organization's costs.

Define Azure AD tenants

An Azure AD tenant provides identity and access management, which is an important part of your security posture. An Azure AD tenant ensures that authenticated and authorized users only access the resources to which they have permissions. Azure AD provides these services to applications and services deployed in and outside of Azure (such as on-premises or third-party cloud providers).

Azure AD is also used by software as a service (SaaS) applications such as Microsoft 365 and Azure Marketplace offerings. Organizations that already run on-premises Active Directory can integrate it with Azure AD and extend their existing identities to cloud authentication. Each Azure AD tenant has one or more domains. A tenant can have many subscriptions associated with it, but each subscription trusts only one Azure AD tenant.

Ask basic security questions during the Azure AD design phase, such as how your organization manages credentials and how it controls human, application, and programmatic access.

Design considerations:

  • Multiple Azure AD tenants can function in the same enrollment.
  • Azure Lighthouse only supports delegation at the subscription and resource group scopes.

Design recommendations:

Next steps

Identity and access management