🔹 What is an Azure Subscription?
An Azure subscription is a logical container used to provision resources in Microsoft Azure. It holds the details of all the resources like virtual machines (VMs), databases, and storage accounts, and governs billing, quotas, and access control.
🔹 Azure Subscription Structure
Component | Description |
---|---|
Tenant (Azure AD) | Represents an organization and houses users, groups, apps. One tenant can have multiple subscriptions. |
Subscription | Bound to a tenant; it defines billing boundaries and resource limits. |
Resource Groups | Logical containers in a subscription that hold related resources. |
Resources | Actual services like VMs, storage, databases deployed in Azure. |
🔹 Subscription Types
Type | Description | Ideal For |
---|---|---|
Free Account | Comes with $200 credit for 30 days and limited free services for 12 months. | Evaluation / Learning |
Pay-As-You-Go | Pay for what you use, no upfront cost. | Small to Medium Businesses |
Enterprise Agreement (EA) | Pre-committed usage with discounts, billed annually. | Large Enterprises |
Microsoft Customer Agreement (MCA) | Replaces EA for many customers; modernized billing. | Organizations with flexible use |
CSP (Cloud Solution Provider) | Sold through a Microsoft partner, managed billing/support. | Managed Service Providers |
Student, Sponsorship, MSDN, Dev/Test | Specialized offers with limits. | Dev/Test, Education, MVPs |
🔹 Billing and Cost Management
- Invoices: Generated monthly per subscription.
- Budgets and Alerts: Set thresholds to avoid overspending.
- Azure Cost Management + Billing:
  - Analyze usage
  - Forecast future spend
  - Export cost data
- Tags: Key-value pairs for cost allocation and tracking (e.g., `Environment=Prod`).
🔹 Access Management (RBAC)
Azure uses Role-Based Access Control (RBAC) to manage who can access what.
Scope | Role Examples |
---|---|
Management Group | Azure Administrator, Security Reader |
Subscription | Contributor, Owner, Reader |
Resource Group | VM Operator, Storage Contributor |
Resource | SQL DB Reader, Web App Contributor |
🔐 Best Practice: Use least privilege access, custom roles, and PIM (Privileged Identity Management) for elevated access.
🔹 Limits and Quotas
Each subscription has default limits, e.g.:
Resource | Default Limit |
---|---|
VNets | 50 per region |
VM Cores | 10-20 per region (can increase) |
Storage Accounts | 250 |
Public IPs | 10-20 |
Limits can be increased via support request.
🔹 Linking Subscriptions to Tenants
- Multiple Subscriptions, One Tenant: Common for isolating environments (Dev/Test/Prod).
- One Subscription, One Tenant: Smaller orgs.
- Management Groups: Used to organize multiple subscriptions under a hierarchy.
🔹 Azure Policy & Governance
- Azure Policy: Enforce rules on resource deployments (e.g., allowed locations).
- Blueprints: Bundle ARM templates, policies, and RBAC roles for consistency.
- Locks: Prevent accidental deletion (ReadOnly, CanNotDelete).
🔹 Subscription Lifecycle
- Create subscription (via Azure portal, CSP, or EA portal)
- Assign roles and policies
- Deploy resources
- Monitor usage and cost
- Renew/terminate subscription (non-payment may lead to suspension/deletion)
🔹 Security & Compliance
- MFA for global admins
- Azure Defender / Security Center
- Audit Logs (Azure Monitor, Activity Logs)
- Compliance Offerings: ISO, SOC, HIPAA, FedRAMP, etc.
🔹 Programmatic Access
- Azure CLI / PowerShell (`az account`)
- Azure REST APIs
- SDKs (Python, .NET, Java, etc.)
- ARM Templates / Bicep / Terraform
Would you like a diagram of the subscription hierarchy, a comparison table between EA/CSP/MCA, or help designing a multi-subscription strategy for your organization?
You said:
like a diagram of the subscription hierarchy, a comparison table between EA/CSP/MCA, or help designing a multi-subscription strategy for your organization
📊 EA vs CSP vs MCA: Comparison Table
Feature | Enterprise Agreement (EA) | Cloud Solution Provider (CSP) | Microsoft Customer Agreement (MCA) |
---|---|---|---|
Billing Model | Prepaid (commitments & overage) | Partner-billed | Pay-as-you-go (monthly billing via Azure portal) |
Who Owns Subscription? | Organization | Partner (can delegate admin) | Customer (direct with Microsoft) |
Support | Premier support (optional) | Provided by CSP partner | Azure Standard support available |
Portal Access | EA portal + Azure portal | Azure portal (partner visibility) | Azure portal + Cost Mgmt APIs |
Contract | Fixed term (1-3 years) | Month-to-month via partner | Flexible, rolling |
Commitment Levels | Yes (monetary commit) | No commitment | No commitment |
Ideal For | Large orgs with predictable spend | SMBs or orgs working with a service provider | Enterprises and self-managed organizations |
Management Groups Support | Yes | Yes | Yes |
Advanced Cost Mgmt | EA portal reports, usage exports | Partner handles it | Full Azure Cost Management |
🗂 Diagram: Azure Subscription Hierarchy
🔹 Why Use Multiple Subscriptions?
Purpose | Benefits |
---|---|
Environment Separation | Isolate Dev, Test, Prod workloads |
Departmental Billing | Track costs per department/org unit |
Service Limits | Avoid hitting regional/VM quotas |
Security Isolation | Separate access/RBAC & policies |
Compliance Boundaries | Meet regulatory zones/data sovereignty |