StrategyMar 06, 2020

Enterprise Governance in Azure Part 1: Azure Subscription Model

Adrian Romo, Bryan Sakowski, Brittany Wadsworth, and Jim Jimenez

This is the first of a five-part blog series focused on enterprise governance in Microsoft Azure.

As enterprise adoption of public and hybrid cloud options continues to increase, organizations of all sizes are considering Microsoft Azure for their cloud-based workloads. The cloud creates new paradigms for the technologies that support business objectives. These new paradigms change how technologies are adopted, managed, and governed. When entire datacenters can be virtually torn down and rebuilt with one line of code executed by an unattended process, we have to rethink traditional approaches. This is especially true for governance. The need to apply sound governance practices within Azure is essential to maintaining proper access controls, cost management, and organization of resources. This need exists from mid-market companies to large enterprises.

Microsoft offers tools and guidelines to achieve effective governance, and in this series, we will explore many of them and make recommended practices to get you started on the right path. This blog post will focus on the different types of Azure subscription models, the Azure Governance Wheel, and hierarchy patterns.

Azure Subscription Models

To begin, we will look at the different ways to enroll for Azure services. Microsoft offers multiple types of subscriptions with unique governance features available to them:

Many of the subscription models are targeted at individuals, small businesses, and developers. Core management and security features within Azure are common across all of these. However, additional features become available at the Enterprise Agreement level. These features are designed for mid-size and large enterprises. This is the model we will primarily focus on as we consider the needs of organizations with multiple application environments, diverse business units, and distributed geographic locations.

Enterprise Agreement

The Microsoft Enterprise Agreement offers the best value to organizations with 500 or more users or devices. It provides a manageable volume licensing program offering the flexibility to buy cloud services and software licenses under one agreement.

There is a minimum 500 user/device requirement for commercial customers. It does not apply to Server and Cloud Enrollment (SCE). The minimum requirement for public sector customers is 250 users/devices.

Azure Governance Wheel

Credera’s Azure Governance Wheel defines foundational components that together help organizations meet IT governance requirements while enabling business leaders and developers to meet objectives quickly. The primary goal of this framework is to mitigate risk by enforcing standardized governance principles to protect critical shared resources, while allowing business stakeholders, developers, and operations/engineering teams the access they need to work autonomously. The Enterprise Agreement enrollment forms the outermost boundary of the model, typically as the organization’s master agreement for Microsoft Azure cloud enrollment. All other governance items, starting with the subscription as the base unit, frame Azure resources for the deployment and management of enterprise technology solutions.

This model is highly flexible and customizable within each component to the specific requirements of each organization. It is likely that if you are considering this issue, governance policies for on-premises systems already exist and will serve as a good starting point for how to apply those principles within these features. It is also important to mention that this should apply whether the organization primarily runs “traditional IT” workloads (e.g., servers/VMs, monolithic applications, etc.) or “agile IT” workloads (e.g., microservices, containerized apps, etc.), from the perspective of preventing unauthorized access and ensuring budgets are adhered to. IT teams, risk and security management, and business leaders should work together to establish how the business will approach governance so there is consensus between all stakeholders. Doing this will greatly increase the chances of successfully leveraging Azure in a way that aligns with your organization’s goals.

Hierarchy Patterns

Azure enrollment hierarchies define how services are structured within an Enterprise Agreement. The Enterprise Portal allows customers to divide access to Azure resources associated with an Enterprise Agreement based on flexible hierarchies customizable to an organization’s unique needs. The hierarchy pattern should match an organization’s management and geographic structure so that the associated billing and resource access can be accurately accounted for.  For larger organizations, there are typically three high-level patterns—functional, business unit, and geographic, using departments as an administrative construct for account groupings. Within each department, accounts can be assigned subscriptions, which create silos for billing and several key limits in Azure (e.g., number of VMs, storage accounts, etc.).

For small-to-medium-sized organizations, the breakdown of Azure resources is typically organized at the subscription or resource group level. This reduces the complexity of the logical structure of their Azure environment.

Management groups may also be used to segment and manage access, policies, and compliance within Azure. Management groups provide the ability to group subscriptions together and apply governance throughout the management group and all subscriptions, resource groups, and resources within.

The Azure Governance Wheel will be used within subscriptions to apply the organization’s governance principles to each environment. Although subscriptions provide billing segregation and generally form a security boundary, it is possible to enable private communication between virtual networks in different subscriptions using VNet Peering.

table, th, td { border: 2px solid black; border-collapse: collapse; padding: 6px; padding-left: 10px; color:black; font-size:12px }

The Four Levels of Management in the Azure Enterprise Portal





Enterprise Enrollment

  • The root-level element of governance, tied to an Azure Enterprise Agreement.

  • May contain multiple departments, accounts and/or subscriptions.

Enterprise administrators

  • Full access to add/remove departments, accounts, and subscriptions; lower-level administrators applicable to the Enterprise Portal; and billing information.

  • Multiple enterprise administrators can exist.


  • An administrative division of organizational hierarchy, based on the selected hierarchy pattern.

  • Owns one or more accounts.

Department administrator

  • Edit department-level properties such as name and cost center.

  • Add/remove accounts within the department.


  • An individual or group associated with an email address, which may belong to either an Azure AD account or Microsoft account.

  • Given a descriptive name within the Enterprise Portal for administrative purposes.

  • Holds one or more Azure subscriptions.

Account administrator

  • Creates and manages subscriptions.

  • Also known as the account owner within the Enterprise Portal, this user will become the account administrator of its subscriptions through the Azure Account Portal.

  • By default, this user also becomes the service administrator for associated subscriptions.


  • A billing container that also serves as a security boundary and defines many Azure limits (e.g., number of cores and resources, etc.).

  • Contains and organizes all resources and establishes governance principles over them.

Service administrator, Co-administrators, Subscription owners

  • Manage resources and resource governance.

  • A single-service administrator is defined through the Azure Account Portal.

  • Multiple co-administrators and multiple subscription owners may be defined in the Azure Portal.

  • The service administrator and co-administrators are automatically added as subscription owners in the Azure Portal.

Resource Groups

  • Logical containers within a subscription that contain related Azure resources sharing a common lifecycle.

  • Given a descriptive name within the Enterprise Portal for administrative purposes.

  • Holds one or more Azure subscriptions.

Account administrator

  • Creates and manages subscriptions.

  • Also known as the account owner within the Enterprise Portal, this user will become the account administrator of its subscriptions through the Azure Account Portal.

  • By default, this user also becomes the service administrator for associated subscriptions.

Enterprise enrollments and enterprise administrators are each managed in the Enterprise Portal. Here you can also create read-only administrators who have access to the account for billing or reporting purposes but cannot make any changes. Departments and department administrators are both managed in the Enterprise Portal as well. Accounts and account administrators (aka account owners) are created in the Enterprise Portal, but these users will usually manage subscriptions through the Azure Portal.

Azure Management Sites

The following sites are referenced throughout this document and are the primary portals in which your Azure environment will be managed.


The organization of departments, accounts, and subscriptions form the cornerstone of your Azure environment and should reflect the company’s strategic, compliance, and budgetary goals and requirements. As such,  it is important to plan for and align on these items prior to deploying workloads in Azure. With this foundation formed, it becomes easier to define the lines between subscriptions and resources groups as well as understand and manage cloud spend which we will discuss in the next part of this series.

Are you interested in exploring Microsoft Azure but concerned about governance and how to make public cloud fit within your IT model? Credera has extensive experience in cloud infrastructure design and implementation. If you have questions or would like to discuss cloud and infrastructure solutions, contact us at

Have a Question?

Please complete the Captcha