Jan 24, 2017

Azure Governance Part 1: Understanding the Hierarchies

Adrian Romo
Bryan Sakowski


This is part one of a four-part series on Enterprise Governance in Microsoft Azure.

As enterprise adoption of the public and hybrid cloud continues to increase, organizations of all sizes are considering Microsoft Azure for their cloud-based workloads. Microsoft has outpaced its competition according to Gartner’s 2016 “Magic Quadrant for Cloud IaaS” and “Magic Quadrant for Enterprise Application PaaS” reports, and it is continuing to develop at a rapid pace. Applying sound governance practices within Azure is essential to maintaining proper access controls, cost management, and organization of resources, from mid-market companies through large enterprises.

Microsoft has tools and guidelines available to achieve effective governance, and in this series, we will explore many of them and make some best practice recommendations to help get you started down the right path.

Azure Governance Wheel


The Azure governance wheel defines foundational components that together help organizations meet IT governance requirements while enabling business leaders and developers to meet objectives quickly. The primary goal of this framework is to mitigate risk by enforcing standardized governance principles to protect critical shared resources, while allowing business stakeholders, developers and operations/engineering teams the access they need to work autonomously. The Enterprise Agreement enrollment forms the outermost boundary of the model, typically as the organization’s master agreement for Microsoft Azure cloud enrollment. All other governance items, starting with the subscription as the base unit, frame Azure resources for the deployment and management of enterprise technology solutions.

This model is highly flexible, and each component can be customized to the specific requirements of each organization. If you are considering this issue, governance policies for on-premises systems likely already exist and will serve as a good starting point for how to apply those principles within these features. It is also important to mention that this should apply whether the organization primarily runs “traditional IT” workloads (e.g., servers/VMs, monolithic applications, etc.) or “agile IT” workloads (e.g., microservices, containerized apps, etc.), from the perspective of preventing unauthorized access and ensuring budgets are adhered to.

IT teams, risk and security management, and business leaders should work together to establish how the business will approach governance so there is consensus between all stakeholders. Doing this will greatly increase the chances of successfully leveraging Azure in a way that aligns with your organization’s goals.

Hierarchy Patterns


Azure enrollment hierarchies define how services are structured within an Enterprise Agreement. The Enterprise Portal allows customers to divide access to Azure resources associated with an Enterprise Agreement based on flexible hierarchies customizable to an organization’s unique needs. The hierarchy pattern should match an organization’s management and geographic structure so that the associated billing and resource access can be accurately accounted for. The three high-level patterns are functional, business unit, and geographic, using departments as an administrative construct for account groupings. Within each department, accounts can be assigned subscriptions, which create silos for billing and several key limits in Azure (e.g., number of VMs, storage accounts, etc.).

The Azure governance wheel will be used within subscriptions to apply the organization’s governance principles to each environment. Although subscriptions provide billing segregation and generally form a security boundary, it is possible to enable private communication between virtual networks in different subscriptions using VNet Peering.





Enterprise Enrollment

  • The root-level element of governance, tied to an Azure Enterprise Agreement.

  • May contain multiple departments, accounts and/or subscriptions.

  • Enterprise administrators

      • Full access to add/remove departments, accounts and subscriptions; lower-level administrators applicable to the Enterprise Portal; and billing information.

      • Multiple Enterprise administrators can exist.

Department

  • An administrative division of organizational hierarchy, based on the selected hierarchy pattern.

  • Owns one or more accounts.

  • Department administrator

      • Edit department-level properties such as name and cost center.

      • Add/remove accounts within the department.

Account

  • An individual or group associated with an email address, which may belong to either an Azure AD account or Microsoft account.

  • Given a descriptive name within the Enterprise Portal for administrative purposes.

  • Holds one or more Azure subscriptions.

  • Account administrator

      • Creates and manages subscriptions.

      • Also known as the account owner within the Enterprise Portal, this user will become the account administrator of its subscriptions through the Azure Account Portal.

      • By default, this user also becomes the service administrator for associated subscriptions.

Subscription

  • A billing container that also serves as a security boundary and defines many Azure limits (e.g., number of cores and resources, etc.).

  • Contains and organizes all resources and establishes governance principles over them.

  • Service administrator, co-administrators, subscription owners

      • Manage resources and resource governance.

      • A single service administrator is defined through the Azure Account Portal.

      • Multiple co-administrators may be added in the Classic Portal, and multiple subscription owners may be defined in the Azure Portal.

      • The service administrator and co-administrators are automatically added as subscription owners in the Azure Portal.

Resource Groups

  • Logical containers within a subscription that contain related Azure resources sharing a common lifecycle.

  • Define access for various roles and users to associated resources.

  • Service administrator, co-administrators, subscription owners, RBAC users

      • Abilities vary based on access assigned by administrators/owners.

      • Administrator/owner-level users have full access to all resources.

Enterprise enrollments and Enterprise administrators are each managed in the Enterprise Portal. Here, you can also create read-only administrators who have access to the account for billing or reporting purposes but cannot make any changes. Departments and department administrators are both managed in the Enterprise Portal as well. Accounts and account administrators (aka account owners) are created in the Enterprise Portal, but these users will usually manage subscriptions through the Account Portal.

In the next part of this series, we will take a closer look at subscription and resource group management.

Azure Management Sites

Enterprise Portal

Account Portal

Classic Portal

Azure Portal


With all these things in mind, it is important to consider how this applies to your organization, because ultimately any governance model will need to reflect the company’s strategic, compliance, and budgetary goals and requirements. One of your first steps should be to model the organization’s hierarchy to map out the pattern for departments, accounts and subscriptions you will use in the Enterprise Portal.

Deciding where to draw the line between subscriptions and resource groups is also an important step that we will discuss in the next part of this series. Once you have modeled this hierarchy, you can begin to define where and how other governance policies and principles will apply.

Are you interested in exploring Microsoft Azure but concerned about governance and how to make the public cloud fit within your IT model? Credera has extensive experience in cloud infrastructure design and implementation. If you have questions or would like to discuss cloud and infrastructure solutions, contact us at
