MANAGE: Keeping a handle on your Azure subscriptions


After you PLAN your migration and make the MOVE to the cloud, it’s now time to optimize how you use it. So in our MANAGE series, we’re talking about best practices to optimize how you use the Microsoft cloud.
In this post, we share options to set up and manage your Azure subscriptions. This is one of those things where you need to have a solid starting strategy in place. Otherwise, it’s all too easy for subscriptions to balloon over time, which can cause headaches for the admins who have to manage everything.

The goal here is to keep your subscription model as simple as possible, while still being flexible enough to support what your organization needs to do in Azure.

How subscriptions work

To start, let’s talk about what subscriptions mean in Azure. Basically, they set boundaries and limits on your:

  • Security: Each subscription forms a security boundary for an admin. This person has full control over the resources and policies in that subscription. And they control who else can access it.
  • Service limits: The subscription is the boundary at which many of the Azure service limits, quotas, and constraints are applied. To make sure you can stay within these boundaries for a particular subscription, you can forecast your resource utilization.
  • Billing: Subscriptions also inform how you pay for Azure. All Azure resources in a subscription are billed at the subscription scope. And different billing schemes (like pay-as-you-go, cloud provider, or enterprise agreements) are also applied at the subscription level.

Types of subscriptions

There are two overarching types of Azure subscriptions. If you have an enterprise agreement, you can add Azure to your agreement. Or you might get your subscriptions through a cloud service provider. Here’s how each of these works.

Get a subscription under an enterprise agreement

As an enterprise customer, you can use the Azure Enterprise Agreement portal to manage your subscriptions and licenses—all from a single place. You can add Azure to an existing enterprise agreement by making an upfront monetary commitment to Azure. You then consume that cost throughout the year by using any combination of the wide variety of services that Azure offers.

This type of subscription comes with several roles:

  • Enterprise admin: These people can add or associate accounts and departments to the enrollment, view usage data across all accounts and departments, and see the balance for the enrollment. And there’s no limit to the number of enterprise admins you can have.
  • Department admins: These people can manage department properties, manage accounts under their department, and download usage info. And if the enterprise admin has given them permission, they can see monthly usage and charges for their department.
  • Account owners: These people can add subscriptions for their account, view usage data for their account, and view account charges (if an enterprise admin has given them permission). But they won’t be able to see the overall subscription balance unless they also have enterprise admin rights.

Get a subscription through a cloud solution provider (CSP)

Under this model, you won’t work with departments and accounts. Instead, your provider will create a single subscription for you as their customer. This includes all the services that you’re getting from the service provider, such as Office 365, Dynamics CRM, and Azure subscriptions. Also note that these types of Azure subscriptions are subject to a few technical limitations, including limitations on moving resources between subscriptions.

Things to consider

As you’re choosing your approach to manage your subscriptions, make sure to consider these things:

  • Subscription service limits: Choose a subscription type that meets your service requirements and gives you room to grow. For example, will the migration be affected by service limits around the number of virtual networks? Or ExpressRoute connectivity?
  • Virtual network connectivity: Do you need to connect resources across subscriptions? If so, how will they connect to each other? You have several options here, including site-to-site, ExpressRoute, and virtual network peering.
  • Security: You’ll need to set up role-based access control (RBAC) per subscription. How will this impact your strategy for creating new subscriptions?
  • Chargeback: How will you report and group Azure consumption costs? Depending on how you set this up, it could be more or less complex for your admins to deal with.

Common ways to manage subscriptions

Depending on the considerations above, you can then create subscriptions to support your service model. Here are three options for doing this.

Option 1: Create a subscription per department

This option is available to EA clients only. In this model, each department has its own types of environments (like production and non-production), and all Azure resources are created under the same subscription.


Pros:

  • Your ExpressRoute circuit costs will be lower
  • You’ll have fewer overall subscriptions to manage


Cons:

  • You’ll need a granular, role-based access control model to let people access different resources
  • You run a higher risk of issues with your subscription limits, since you might be deploying many services under one subscription
  • If you make a mistake in managing the subscription, it will affect all environments in the department
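The granular RBAC requirement above can be checked mechanically. The following is an added example, not part of the original post: it flags privileged roles granted at subscription scope, where they reach every environment in a shared department subscription. It assumes input with the fields that `az role assignment list --all --output json` returns; the sample data and the `PRIVILEGED` watch list are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample with the fields `az role assignment list --all -o json`
# returns. The subscription ID, principals and resource groups are made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SAMPLE = [
    {"principalName": "dept-admin@example.com", "roleDefinitionName": "Owner",
     "scope": SUB},
    {"principalName": "dev-team", "roleDefinitionName": "Contributor",
     "scope": SUB},
    {"principalName": "auditors", "roleDefinitionName": "Reader",
     "scope": SUB},
    {"principalName": "prod-ops", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-prod"},
    {"principalName": "nonprod-ops", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-nonprod"},
]

# Built-in roles that can modify resources or grant access (assumed watch list).
PRIVILEGED = {"Owner", "Contributor", "User Access Administrator"}

def scope_level(scope):
    """Return (level, subscription_id) for an Azure RBAC scope string."""
    parts = [p for p in scope.split("/") if p]
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        sub = parts[1].lower()
        if len(parts) == 2:
            return "subscription", sub
        if len(parts) == 4 and parts[2].lower() == "resourcegroups":
            return "resource_group", sub
        return "resource", sub
    return "above_subscription", None  # root or other non-subscription scope

def broad_assignments(assignments):
    """Privileged roles granted at subscription scope, grouped by subscription."""
    findings = defaultdict(list)
    for a in assignments:
        level, sub = scope_level(a["scope"])
        if level == "subscription" and a["roleDefinitionName"] in PRIVILEGED:
            findings[sub].append((a["principalName"], a["roleDefinitionName"]))
    return dict(findings)

if __name__ == "__main__":
    for sub, hits in broad_assignments(SAMPLE).items():
        print(sub, hits)
```

Here `dev-team` holds Contributor on the whole subscription, so it can change production as well as non-production resources, while `prod-ops` and `nonprod-ops` are confined to their own resource groups.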

Option 2: Create a subscription for each environment

In this model, each environment contains different types of applications and workloads.


Pros:

  • You minimize the risk of running into issues with subscription limits
  • You can tailor virtual network spaces per application
  • You minimize the risk of impacting one environment when you change another


Cons:

  • You’ll need a new ExpressRoute circuit for every 10 applications (unless you’re using ExpressRoute Premium, which has larger limits)
  • You’ll have more subscriptions to manage (which means more RBAC, policies, tagging, and chargeback)

Option 3: Create a subscription for each application

In this model, you set up each of your applications with its own subscription.


Pros:

  • You’ll likely have minimal subscription issues since each application is in its own subscription
  • You can take advantage of a per-application RBAC model


Cons:

  • You run a higher risk of reaching cross-subscription connectivity limits (unless applications are isolated from each other)
  • You’ll have more subscriptions to manage (which means more RBAC, policies, tagging, and chargeback)

Get started

Need help managing your subscriptions in Azure? We at Binary Tree are standing by. We offer a range of managed services that mitigate the risks and take the guesswork out of adopting, managing, and leveraging the power of the Microsoft cloud. To get started, get in touch.

Source: Microsoft. Cloud Migration and Modernization Playbook. 2018.