
Enterprise Subscription Management

To administer your Microsoft Azure services under your Enrollment, there are
four distinct administrative roles: the Enterprise Administrator, the Department
Administrator, the Account Owner and the Service Administrator. These roles
complete tasks on three different Microsoft Azure portals: the Enterprise Portal,
the Account Portal and the Management Portal. The diagram below shows how this
works at an Enterprise level.
[Diagram: an Enterprise Enrollment containing Department A and Department B;
Accounts A, B and C sit under the Departments, and Subscriptions 1 to 4 sit
under the Accounts.]

Enterprise Portal
Enterprise Administrator - The Enterprise Administrator has the ability to …
Department Administrators, add Departments, add or associate Accounts, …
usage and charges data across all Accounts and Subscriptions, can view …
balance associated to the Enrollment. There is no limit to the number …
an Enrollment. You can also add a Notifications Contact that can receive …
Department Administrator - The Department Administrator has the ability …
name and cost center, manage department admins, add accounts to their
departments, remove accounts from their departments and view Department …
the Enterprise Admin.

Account Portal
Account Owner - The Account Owner can add Subscriptions for their Account, …
Administrator and Co-Administrator for an individual Subscription, view …
and view Account charges if enabled by the Enterprise Administrator. …
have visibility of the monetary commitment balance unless they also have …
rights.

Management Portal
Service Administrator - The Service Administrator and up to 199 Co-Administrators …
have the ability to access and manage Subscriptions and development …
Management Portal. The Service Administrator does not have access to …
they also have one of the other two roles.

Roles

Enterprise Administrator
  Portal: https://ea.azure.com
  First account, created at on-boarding. Full access and visibility into all
  activity and resources of a corporate enrolment.

Departmental Administrator
  Portal: https://ea.azure.com
  Delegated by the Enterprise Administrator; the role is typically cost
  focused at the business unit level. Approves rolled-up IT budgetary
  requests for multiple organizations. Can create and have visibility into
  multiple Account Owners. Consumption information can be rolled up and
  isolated at this level.

Account Owner
  Portal: https://account.windowsazure.com
  Delegated by the Departmental Administrator; the role is typically cost
  focused at the departmental or project level. Creates the subscriptions and
  Service Administrators, and would approve hardware and resource requests by
  project. Can create and have visibility into multiple Service
  Administrators and subscriptions.

Service Administrator
  Portals: https://manage.windowsazure.com and https://portal.azure.com
  Owns a subscription at the resource level. Manages who can create and use
  IT resources. Is solution and project delivery focused. Sets roles and
  responsibilities at project level. Has visibility into a single
  subscription's consumption.

Co-administrator
  Portals: https://manage.windowsazure.com and https://portal.azure.com
  A resource administrator within a subscription that can manage provisioning
  and delegation of additional co-administrators. Project and resource
  focused. Note that a co-administrator has the same rights over the
  subscription's resources as the Service Administrator, so this is a
  subscription-wide privilege, not a scoped one.

Resource Group Administrator
  Portal: https://portal.azure.com
  Manages a group of resources within a subscription that collectively
  provide a service and share a lifecycle. Single project or service focused.

Portals

Enterprise Portal - https://ea.azure.com/
  Manage access
  Manage accounts
  Manage subscriptions
  View price sheet
  View usage summary
  Manage usage & lifecycle email notifications
  Manage Authentication Type:
    o Microsoft Account Only - for organizations using only Microsoft
      Accounts
    o Organizational Account - for organizations which have set up Active
      Directory in Azure or synchronized from an on-premises AD using ADFS or
      Directory Synchronization (DirSync), and chose to add users with
      cloud-based AD authentication
    o Organizational Account Cross Tenant - for organizations that want to
      add an Enterprise Azure user from an AD tenant outside of their own
    o Mixed Account - for organizations that want to add a combination of
      Microsoft Account users and cloud-based AD users

Account Portal - https://account.windowsazure.com
  Edit subscription details
  Enroll in or enable Preview features

Management Portal - https://manage.windowsazure.com and https://portal.azure.com
  Provision/de-provision Azure services
  Manage co-administrators on subscriptions
  Open support tickets for issues within the subscription
  Note - any support ticket under a Premier Azure Support agreement should be
  opened using the Premier portal
Factors to consider
Work or School Accounts not Microsoft Accounts
Use organizational (work or school) accounts to sign up for and manage Azure.
Connect your Azure AD with on-premises AD.
Resource Groups not Subscriptions
Use resource groups to segregate workloads with different access needs. Avoid
granting access to individual resources unless necessary.
Manage Access using Groups
Assign access to AD groups and manage group membership for ongoing access
management, rather than assigning roles to individual users.
Enable Multi-Factor Auth
Use Azure AD conditional access policies to require MFA for Azure management.
Least Privilege
Pick the right role for the job: Contributor, not Owner. Model on-premises
roles using resource-type specific Azure roles.
Keep a tab on Access Changes
Monitor changes to access settings. Regularly export and review the full set
of role assignments, not just the recent changes.
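One way to carry out the access checks above (groups not users, Contributor not Owner, resource-group scope, and a periodic export-and-diff) over an exported list of role assignments. This is an added example, not code from the original page or from Microsoft; it assumes the export has the shape produced by `az role assignment list --all -o json` (only the fields principalName, principalType, roleDefinitionName and scope are read), and the two sample exports, subscription ID and principal names are constructed.

```python
"""Review an exported list of Azure RBAC role assignments.

Added example (not from the original page). It applies the access rules above
to an export shaped like `az role assignment list --all -o json` (assumed
fields: principalName, principalType, roleDefinitionName, scope) and diffs
two exports so that access changes between reviews are visible.
"""
import json
import re
from collections import namedtuple

Finding = namedtuple("Finding", "principal role scope issue")

# Roles that can change access itself; these must not sit on named users.
PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}

# ARM scope shapes: one resource, one resource group, a whole subscription.
_RES = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/.+", re.I)
_RG = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/?$", re.I)
_SUB = re.compile(r"^/subscriptions/[^/]+/?$", re.I)


def scope_level(scope):
    """Classify a scope string; 'other' covers management groups or malformed IDs."""
    if _RES.match(scope):
        return "resource"
    if _RG.match(scope):
        return "resourceGroup"
    if _SUB.match(scope):
        return "subscription"
    return "other"


def review_assignments(export_json):
    """Return one Finding per assignment that breaks a rule; empty list if clean."""
    findings = []
    for a in json.loads(export_json):
        principal, role = a["principalName"], a["roleDefinitionName"]
        scope, ptype = a["scope"], a["principalType"]
        if role in PRIVILEGED_ROLES and ptype == "User":
            findings.append(Finding(principal, role, scope,
                            "privileged role on a named user; grant it to an AD group instead"))
        if role == "Owner" and ptype == "ServicePrincipal":
            findings.append(Finding(principal, role, scope,
                            "automation identity holds Owner; Contributor (or narrower) is enough"))
        if scope_level(scope) == "resource":
            findings.append(Finding(principal, role, scope,
                            "assignment on an individual resource; scope it to the resource group"))
    return findings


def _key(a):
    return (a["principalName"], a["roleDefinitionName"], a["scope"])


def diff_assignments(previous_json, current_json):
    """Compare two exports; returns (added, removed) as sorted (principal, role, scope) lists."""
    previous = {_key(a) for a in json.loads(previous_json)}
    current = {_key(a) for a in json.loads(current_json)}
    return sorted(current - previous), sorted(previous - current)


# Constructed sample exports: fake subscription ID, fake principals.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-app-prod"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"
_COMMON = [
    {"principalName": "alice@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "sg-sub-owners", "principalType": "Group",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "sg-app-contributors", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": RG},
    {"principalName": "ci-deploy", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": RG},
]
PREVIOUS_EXPORT = json.dumps(_COMMON + [
    {"principalName": "carol@contoso.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB},
])
CURRENT_EXPORT = json.dumps(_COMMON + [
    {"principalName": "bob@contoso.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": VM},
])

if __name__ == "__main__":
    for f in review_assignments(CURRENT_EXPORT):
        print(f"{f.principal:22} {f.role:12} {f.scope}\n    -> {f.issue}")
    added, removed = diff_assignments(PREVIOUS_EXPORT, CURRENT_EXPORT)
    print("added since last export:", added)
    print("removed since last export:", removed)
```

Run it against a fresh export on a schedule and keep the previous one: the diff lists every grant or revocation since the last review, and the findings list the standing exceptions to chase down. The rules are deliberately simple so that each one maps to a line of the guidance above; add your own (for example, flagging any Owner assignment at subscription scope at all) as the organization's policy tightens.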

Design Guidance
In General
Minimize the number of subscriptions.
Identity Management
Use the customer's Azure Active Directory for Azure governance roles.
Add at least one more Enterprise Administrator, so that the Enrollment does
not depend on a single person.
Use functional accounts, not named accounts, for roles, especially for
Account Owners and Service Administrators.
Security and Identity
If the subscription includes Azure Active Directory, IaaS domain controllers,
or connects to domain controllers in an on-premises Active Directory, the
subscription administrators and co-administrators are de facto domain owners
as well: they control the domain controllers' virtual machines, disks and
network, which amounts to control of the domain.
Scale
Subscriptions form the scale unit in Azure. Many resources, from compute
cores and storage accounts to reserved IP addresses, have quantity and size
limits set per subscription.
Connectivity
The subscription is the required container for a virtual network, and
networking is often a shared resource within an enterprise.
Administration and connectivity are often at odds with respect to autonomy
and the sharing of resources.
ExpressRoute
Minimize the number of subscriptions, taking network requirements and
ExpressRoute boundaries into account: only 10 virtual networks can be attached
to a single ExpressRoute circuit, so at most 10 subscriptions could be attached
to that circuit. Please refer here for more information -
https://azure.microsoft.com/en-us/documentation/articles/azure-subscription-service-limits/#networking-limits

Networking possibilities:
Different Possible Angles:

Azure Active Directory
Every Azure subscription has a trust relationship with an Azure AD instance.
This means that it trusts that directory to authenticate users, services, and
devices. Multiple subscriptions can trust the same directory, but a
subscription trusts only one directory. The administrative roles for an Azure
subscription manage resources tied to the Azure subscription. By default, you
are assigned the Service Administrator role when you sign up. If others need
to sign in and access services using the same subscription, you can add them
as co-administrators. But the important point here is that Azure subscription
admins and Azure AD directory admins are two separate concepts. Azure
subscription admins can manage resources in Azure and can view the Active
Directory extension in the Azure classic portal (because the Azure classic
portal is an Azure resource). Directory admins can manage properties in the
directory. A person can be in both roles but this isn't required. A user can
be assigned the directory Global Administrator role but not be assigned as
Service Administrator or co-administrator of an Azure subscription. Without
being an administrator of the subscription, this user cannot sign in to the
Azure classic portal, but could still perform directory administration tasks
using other tools such as Azure AD PowerShell or the Office 365 Admin Center.
Limitations when synchronizing with Azure AD Connect are described in this
article -
https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-topologies/

Azure Load Balancer and Application Gateway
Both are deployed into a subnet of a virtual network in a specific
subscription and cannot be shared across subscriptions. Create them in each
subscription as required.

Azure IaaS backup
Azure Backup is a service which you enable in a specific subscription for
backing up VMs and applications. It must be enabled separately for each
subscription.

Azure Key Vault
Key Vault is used on a subscription basis: each key vault is a resource
created within one subscription.

ARM model with tags
Tags are attached to resource groups and resources within a subscription and
cannot be shared across subscriptions.

Azure custom images
The same image can be used across subscriptions, but it must be copied to a
storage account attached to each specific subscription.

Azure RBAC
RBAC role assignments are scoped to a subscription, or to a resource group or
resource within it, and cannot span subscriptions.

Azure storage accounts
A storage account belongs to one subscription; the disks of a VM (including
the VMs of an availability set) live in a storage account within that same
subscription, so storage accounts cannot be shared across subscriptions.

VNet with private and public IP addresses, UDR, forced tunnelling and NSGs
A VNet is contained within a subscription but can be connected to VNets in
other subscriptions using VNet-to-VNet connectivity. An NSG is applied to a
VM, NIC or subnet in a VNet contained in a subscription. UDRs are applied to
subnets of a VNet contained in a subscription. Forced tunnelling works across
subscriptions since an ExpressRoute circuit can be shared across subscriptions.

ExpressRoute
ExpressRoute limits the number of VNets that can be linked to a circuit, as
described in this article -
https://azure.microsoft.com/en-us/documentation/articles/azure-subscription-service-limits/#networking-limits
For instance, a Standard ExpressRoute circuit can have 10 VNets linked to it.
With 1 VNet per subscription, that is at most 10 subscriptions per Standard
circuit.
