Azure Blog Series – Part 2




In our last blog we covered off the importance of Governance and how it can help set the stage for a successful Azure migration. We looked at some strategies your organisation could employ to control costs and some of the fundamentals that should be considered when defining your Governance strategy. We also looked at compliance and regulatory considerations for your organisation to further solidify the foundation. If you missed Part 1, we highly recommend you have a read.

In this series we’re going to look at the tools that will help you further plan out your migration into public Cloud to ensure best strategies are being met or at least considered.

Azure EA Portal

The EA Portal is used for managing your Enterprise Agreement, it’s essentially used for creating and delegating access to your Azure subscriptions at an enterprise level and establishing cost centres and quotas for charge back at the department level. The portal can be accessed by logging into

There are various Enterprise Azure Roles that exist, and it's pertinent we call these out to help provide an understanding of what roles manage your Enterprise in Azure. The table below defines each role and where they’re accessed.

Enterprise Azure Roles Azure graph

Department/Account/Subscription Methodology

Choosing the right methodology for your organisation is an important first step in setting up the enrolment. Consider cross subscription connectivity when making this decision (ExpressRoute, S2S VPN etc.).

The methodology follows a hierarchy which should be designed based on the three high-level patterns, they are:

  • Functional
  • Business unit
  • Geographic

The idea is to use departments as the administrative construct for account groupings and within each department, accounts can be assigned to subscriptions, which can then detail resource usage for reporting and billing.

The image below details the hierarchy:

Azure graph 2


The basic unit of management is the subscription which determines how resources usage is reported, billed and payed for.

Azure subscriptions establish three parameters:

  • Unique subscriber ID - the identifier of your subscription which could be thought of as a "billing unit"
  • Billing location – how you will be billed?
  • Set of available resources – Azure subscriptions establish the set of resources available

 The below outlines the Azure Subscription Roles:

  • Account Administrator
    • Authorised to access the Account Centre (create subscriptions, cancel subscriptions, change billing for a subscription, change Service Administrator and more)
  • Service Account Administrator (1 per Subscription)
    • Authorised to administer the subscription but cannot see billing details. By default, same as Account Administrator when a subscription is created
  • RBAC
    • Grant specific access to resources via users or groups within your organisation
  • Roles
    • Owner - allows complete control to the resources within the subscription
    • Contributor - like owner, except that the user cannot assign access to others
    • Read-Only - allows a user to view all the resources within the tenant

 Azure Management Groups

As of 31st July 2018, Azure management groups are GA.

Management groups allow you to organise your subscriptions and apply governance controls, such as Azure Policies and Role-Based Access Controls (RBAC), to the management groups and let those settings flow down to the subscriptions tied to the management group. If your organisation plans on deploying many subscriptions, you now have a way to efficiently manage governance for those subscriptions.

More information on Azure management groups can be found hereThe diagram below, taken from the article above, details the hierarchy of management groups and subscriptions:

Azure graph 3

Organising Subscriptions Resources

Before ARM (Azure Resource Manager) there was ASM (Azure Service Management or Classic). In the ASM model, the basic unit of management was the subscription, there were no resource groups which meant you either had some pseudo/ad-hoc process for managing the resources you procured, or you deployed many subscriptions to manage the shared lifecycle for example, which wasn't very efficient.

Enter ARM and the introduction of resource groups. Resource groups are used to organise resources that share a common lifecycle or have similar attributes. An example of this would be application X and all the infrastructure behind it would be placed in a resource group, that then would allow for individual application management, tagging and billing.

We’ve also seen some of our customers use resource groups as a security boundary and group resources based on what access users should have to them.

Azure Resource Tags

As mentioned, resource groups allow you to organise resources into shared lifecycles, but it doesn’t allow you to organise by cost centre or any other measurement. Tags allow you to provide another level of organisation above resource groups by applying “query-able” metadata to your resource groups and resources. For further categorisation, you may want to base queries of resources on:

  • Date
  • Who created it
  • Dev, Test or Production
  • Cost Centre

Resource tags are made up of name-value pairs with subscription wide taxonomy. Each resource group and resource can have up to 15 tags and can be used to roll up your Azure bill to help identify who’s spending what. You can also query tags via command line, portal or an API.

The following image gives you an indication of what resource tagging in an environment would look like:

Azure graph 4

As you can see, planning and preparation goes a long way to ensuring successful outcomes through ease of management. We hope this blog has been helpful, in the next series we’ll look at Policies, RBAC, Resource Locks and Automation to further manage and protect your investment.

In the meantime, if you have a challenging Azure project coming up or if you have any questions regarding this blog, please feel free to contact Eddie El-leissy, our Azure Solution Architect.

Tags Digital Transformation, cloud migration, cloud services, The Cloud, Azure, Microsoft, Governance