Today we will cover a topic that is one of the main concerns of most customers. The question about the right Azure Structure or Hierarchy is commonly asked. And to be honest: there is not "the" answer. The right way depends on your organization, your needs and your goals.
So let us have a look into the options to structure your Azure environment…
Azure Hierarchy in Enterprise Enrollments
The first option we are looking at is the Azure Hierarchy described in the Azure Enterprise Scaffold. If you are using Azure via an Enterprise Enrollment, you have the option to create a billing hierarchy to structure and separate your costs.
In an Azure Enrollment you can have a structure of Departments and Accounts. This will help to create a structure outside the Azure Portal. It can be created and managed by Controlling or Management, without giving them access to Azure itself.
Departments are a logical unit to create a separation by business units, departments, countries or similar. A Department has no impact on the Azure Resources themselves. It is only passed through to the usage details, so you can group costs by Department and use it for chargeback or showback.
Accounts are used to give people access to the Azure Portal. The so-called "Account Owners" are able to create Azure Subscriptions and to spin up services. These accounts are normally used to separate responsibility and access for different areas or environments, again depending on your structure.
This all leads to an Azure Structure like this:
As Microsoft is increasingly moving away from Enterprise Enrollments (the discontinuation of SCE contracts is one example), many things are being moved to the Azure Cost Management Portal…
Azure Hierarchy in Cost Management
The modern way to create an Azure Structure for cost purposes is in the Azure Portal. The Cost Management section now allows you to perform many actions that were previously available in the EA Portal only. For customers with an MCA contract or who are purchasing PAYG directly, it is all in Azure Cost Management.
The new model works with so-called Billing Profiles, which reflect your contract scope. In a Billing Profile you can have Invoice sections, which are comparable to the "old" Departments. But they do not have exactly the same capabilities.
You can assign role-based access roles on an Invoice section. The "Azure Subscription Creator" role is comparable to the "old" Account Owner.
Azure Structure with Management Groups
Another layer of Azure Structure can be created outside the billing area. While Management Groups can also be used to get a consolidated view of cost, the main benefit of Management Groups is on the management side.
Management Groups can be used to create a structure inside the Azure Portal. Similar to Departments, you can create a structure of business units, geographies, or whatever reflects your organization.
A Management Group can contain other Management Groups or subscriptions. With this, you can create the structure that reflects your needs.
Management Groups can be used to assign role-based access and policies. While you could assign these to a single subscription, assignments to a Management Group have the benefit that every subscription created later will follow the same rules and configurations.
Azure Structure with Subscriptions
Another way to create a structure is to choose when and how to create Azure Subscriptions.
You can start your Azure journey with a single subscription. But over time you will get to a point where you do not want to have everything in the same Subscription.
Maybe you want to separate internal from external services, differentiate between production and non-production workloads, or you have some other reason.
When creating new subscriptions you can assign them to different Management Groups, which for example will result in different access rights and policies being attached.
Microsoft Docs contains a Decision Guide to understand the options and benefits of different models.
Azure Structure with Resource Groups
Last but not least, Resource Groups can be used to structure your Azure environment. Depending on your decisions on the topics above, you may or may not need a structure in Resource Groups.
A commonly seen approach is the separation of DEV-TEST-PROD into different RGs like:
RG-SuperApp-Dev
RG-SuperApp-Test
RG-SuperApp-Prod
As you can assign RBAC rights at Resource Group level and also scope Policies to Resource Groups, this is also a valid option for a structure.
But you could also do this at subscription level … you have the choice.
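The inheritance described in the Management Groups, Subscriptions and Resource Groups sections, as an added example that is not part of the original post: a small Python model that resolves which RBAC and policy assignments apply at a scope by walking up from Resource Group to subscription to Management Groups. All group, subscription, role and policy names are constructed, and the model ignores policy exemptions and excluded scopes.

```python
# Added example: constructed hierarchy, every name below is hypothetical.
MG = "/providers/Microsoft.Management/managementGroups/"

# child scope -> parent scope (group nesting plus subscription placement)
PARENT = {
    MG + "corp": MG + "root",
    MG + "prod": MG + "corp",
    MG + "nonprod": MG + "corp",
    "/subscriptions/sub-superapp-prod": MG + "prod",
    "/subscriptions/sub-superapp-dev": MG + "nonprod",
}

# (kind, name, scope the assignment was made at)
ASSIGNMENTS = [
    ("rbac", "Reader:grp-audit", MG + "root"),
    ("policy", "allowed-locations", MG + "corp"),
    ("policy", "deny-public-ip", MG + "prod"),
    ("rbac", "Contributor:grp-dev", "/subscriptions/sub-superapp-dev"),
    ("rbac", "Contributor:grp-superapp-ops",
     "/subscriptions/sub-superapp-prod/resourceGroups/RG-SuperApp-Prod"),
]

def scope_chain(scope, parent=PARENT):
    """Return scope followed by each ancestor, nearest first."""
    chain = [scope]
    # A resource group's parent subscription is encoded in its own ID.
    sub, sep, _ = scope.partition("/resourceGroups/")
    if sep:
        chain.append(sub)
    while chain[-1] in parent:
        nxt = parent[chain[-1]]
        if nxt in chain:
            raise ValueError("cycle in hierarchy at " + nxt)
        chain.append(nxt)
    return chain

def effective(scope, assignments=ASSIGNMENTS, parent=PARENT):
    """List (kind, name, assigned_at) for everything that applies at scope."""
    return [(kind, name, at) for at in scope_chain(scope, parent)
            for kind, name, s in assignments if s == at]

def place_subscription(sub_id, group, parent=PARENT):
    """Return a copy of the hierarchy with a new subscription under group."""
    return {**parent, "/subscriptions/" + sub_id: MG + group}

if __name__ == "__main__":
    later = place_subscription("sub-created-later", "prod")
    for row in effective("/subscriptions/sub-created-later", parent=later):
        print(row)
```

The subscription added afterwards picks up the prod, corp and root assignments without any assignment of its own, while the dev subscription never sees the policy scoped to the prod group.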
Conclusion
As you can see there are several options to create a structure in Microsoft Azure for different reasons. In the end it really depends on your structure, your way to operate and your regulatory and legal requirements.
So go ahead and find the right Azure Structure for your environment.