Enterprise Agreement billing model
Contract and hierarchy
- The Enterprise Agreement (EA) uses a hierarchical structure—enrollment > departments > accounts > subscriptions—managed in the Azure Cost Management portal.
- Enterprise Administrators control enrollment-level settings, assign Department Administrators and Account Owners, and can provision new subscriptions under any active account.
Billing administration tasks
- EA administrators manage their enrollment directly in the Azure portal: they select the billing scope, activate the enrollment, adjust policies (for example, dev/test enablement, AO/DA view charges), and configure authentication requirements for account owners.
- Departments allow cost segmentation and quota/budget controls, while accounts own the subscriptions and surface usage/cost reports for their scope.
Subscription provisioning and tenant placement
- Enterprise Administrators or Account Owners can create EA subscriptions either for themselves or on behalf of another user, choosing the subscription directory (tenant) during creation and specifying additional subscription owners, including service principals via App IDs.
- Cross-tenant provisioning is supported: the owner in the target tenant receives an acceptance request before the subscription is finalized.
Automation and service principals
- EA exposes a dedicated SubscriptionCreator role for service principals so automation can create subscriptions at the account scope.
- Automating EA actions requires registering a Microsoft Entra application, capturing the service principal object ID, and assigning the desired EA role (for example, SubscriptionCreator or EnrollmentReader) via the EA REST API or PowerShell before calling subscription APIs.
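The role-assignment step above can be sketched as follows. This is an added example, not code from the original page or from Microsoft: the function name build_role_assignment is hypothetical, the api-version and role definition GUIDs are taken from Microsoft's EA service-principal documentation rather than from this page, and all identifiers in the sample call are constructed. It only builds the PUT request and refuses a role that is assigned at the wrong scope.

```python
import re
import uuid

API = "https://management.azure.com"
API_VERSION = "2019-10-01-preview"  # from Microsoft's docs, not from this page
# role -> (scope level, role definition GUID per Microsoft's docs; verify before use)
ROLES = {
    "EnrollmentReader": ("enrollment", "24f8edb6-1668-4659-b5e2-40bb5f3a7d7e"),
    "SubscriptionCreator": ("account", "a0bcee42-bf30-4d1b-926a-48d21664ef71"),
}
GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
SEGMENT = re.compile(r"[A-Za-z0-9_-]+")  # one URL path segment, no "/" or ".."


def build_role_assignment(role, enrollment, sp_object_id, tenant_id,
                          account=None, assignment_name=None):
    """Return (url, body) for the PUT that grants `role` to a service principal."""
    if role not in ROLES:
        raise ValueError(f"role not allowed for automation: {role}")
    level, role_guid = ROLES[role]
    name = assignment_name or str(uuid.uuid4())
    # principalId is the service principal object ID, not the application (client) ID.
    for value in (sp_object_id, tenant_id, name):
        if not GUID.fullmatch(value):
            raise ValueError(f"expected a GUID, got {value!r}")
    for segment in (enrollment, account):
        if segment is not None and not SEGMENT.fullmatch(segment):
            raise ValueError(f"unsafe identifier: {segment!r}")
    # SubscriptionCreator is granted on one account, EnrollmentReader enrollment-wide.
    if (level == "account") != (account is not None):
        raise ValueError(f"{role} must be assigned at {level} scope")
    scope = f"/providers/Microsoft.Billing/billingAccounts/{enrollment}"
    if account is not None:
        scope += f"/enrollmentAccounts/{account}"
    url = f"{API}{scope}/billingRoleAssignments/{name}?api-version={API_VERSION}"
    body = {"properties": {
        "principalId": sp_object_id,
        "principalTenantId": tenant_id,
        "roleDefinitionId": f"{scope}/billingRoleDefinitions/{role_guid}",
    }}
    return url, body


if __name__ == "__main__":
    # Constructed sample identifiers, not real enrollment or tenant values.
    print(build_role_assignment(
        "SubscriptionCreator", enrollment="1234567", account="7654321",
        sp_object_id="11111111-1111-1111-1111-111111111111",
        tenant_id="22222222-2222-2222-2222-222222222222"))
```

Keeping the allowed roles in one table means an automation identity cannot be handed a broader EA role by passing a different string.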
Policy and governance
- Enrollment policies let administrators control who can create subscriptions (authorization levels: Microsoft Account only, Work/School only, cross-tenant) and whether dev/test offers are available to account owners.
- EA billing roles must be assigned to individual identities (not groups) to ensure compliance and traceability; each user should have a monitored email for notifications so requests don't go unnoticed.