An introduction to Microsoft Azure cost management using Azure Enterprise portal

This post is the first in a series about  payment, billing and chargeback for consumption of Azure resources. This is not as simple as it might look like. This post will also explain the Azure Enterprise Portal and the process of creating accounts and subscriptions.

First of all there are various ways to purchase Azure resources:

  1. pay as you go using a creditcard
  2. pre-paid: buying credits in advance via Open Licensing
  3. pre-paid: monetary commitment via Enterprise Agreement

The most easy way to purchase Azure resourcs is using a creditcard. Register an account at Azure, use the free credit and register the creditcard. Your creditcard will only be charged if you allow Microsoft to do so. Otherwise the services you created will be suspended when the all the credits are consumed.

This is not useable for organizations. There is no control over which department is using what. Chargeback is hard. Services will stop unexpected.

For organizations a better way to use Azure is using Open Licensing. Here an organization buys credits from a reseller or distributor. The credits can be purchased in blocks worth $ 100,- each. The credits are valid for one year.

The third option is to purchase an Enterprise Agreement. Customers buy in advance a certain amount of credits. The more credits the more discount. Mind if the credit is not used within a year, the credit is deleted. The costs in an EA are about 25% lower than when using Pay as you go.

An enterprise agreement has various types of enrollments. An enrollment is a contract which has a program with conditions and benefits. Examples for Enrollments are for Core Infrastructure and Application platforms. Azure Enrollment is a program part of the Enterprise Agreement.

Azure enrollments are managed using the Microsoft Azure Enterprise  Portal.

Azure Enterprise Portal

The Azure Enterprise Portal enables organizations to manage costs associated to multiple subscriptions used in an organization.

Costs are shown in built-in reports in the portal or using Power BI. Also third party tools like CloudCruiser and Cloudyn can use the billing API in Azure to manage costs. Later I will blog about these tools.


Lets have a look at the roles and components in the Azure Enterprise portal.

Each Azure enrollment has one or more Enterprise administrators associated. Each Enterprise administrator is able to create departments and department administrators. Think about carving out the credits of the enrollments to various subscriptions.

An enrollment has one or more departments. Each department has none, one or multiple department administrators.  All of the billing and usage data can be seen down to a daily basis and down to component level data like individual VMs.

Each department has none, one or more Department accounts associated to it. Basically a department account a container with an account owner role linked to it. .The account owner will receive notifications and is able to view the costs consumed by subscriptions linked to that department. A department administrator account cannot be an enterprise administrator account as well.

The account owner is able to create subscriptions.

The Enterprise Administrator must enable the account owner to see the cost data. By default the account owner will see only usage data in a report called the Download Usage Data report.

Each account has one or more subscriptions associated to the account. An Azure subscription is a container for billing. Microsoft will group resource consumption into subscriptions. Subscriptions can be used by organizations to granular show back or charge back costs for using Azure.

Each subscription is assigned to an account. An account can have subscriptions in multiple departments.

Eah subscription can be associated to a cost center. A cost center is basically a tag. The tag is displayed in the invoice

The process

After an organzation has purchased an enterprise agreement and Enrollment for Azure, an Enterprise Administrator can log in to the Azure Enterprise portal. Then departments and accounts can be created. The department account needs to be an existing Microsoft account or organizational account.

This person can then log in to the Enterprise Portal. Then a subscription can be created. The department account which created the subscription is the service administrator in the Azure management portal.

Mind it can take several hours before a newly created subcription which is part of the enrollement is displayed in the Azure Enterprise portal! 

This account can then create additional accounts in the management portal.

Management of subscriptions

It is best practise to rename the name of the subscription once it was created. Otherwise soon you will not be able to find out what subscription is used for what purpose.

Rename can be done by Login to your account at

Select the subscription you want to edit. In the righthand part of the window select the link ‘edit subscription details’

Give the subscription as name like: <company>-<department>-<environment/project>

For example


Microsoft account

To create a new Microsoft account click here

Data latency

Usage data can be retrieved in two ways:

  • download a CSV file and process it in a third part tool
  • direct access from a tool using the Billing API.

Data for the billing API is updated every 24 hours.  There may be data latency of up to 3 days. So usage incurred on Monday may not appear in your report  till Thursday.


  • Account – An organizational unit on the Azure Enterprise Portal used to administer subscriptions and utilized for reporting
  • Account Owner – The person identified to manage subscriptions and service administrators on Microsoft Azure. They also have the ability to view usage data on this account and its associated subscriptions
  • Amendment Subscription – A single one year or coterminous subscription under the Enrollment Amendment
  • Commitment – Commitment of an annual monetary amount for Microsoft Azure services at a discounted commitment rate for usage against this prepayment.
  • Department Administrator—the person(s) identified to manage departments, create new accounts and account owners, view usage details for the departments they manage, and view costs when granted permissions.
  • Enrollment Number – A unique identifier supplied by Microsoft to identify the specific enrollment associated with an Enterprise Agreement
  • Enterprise Administrator – The person(s) identified to manage departments and department owners and accounts and account owners on Microsoft Azure. They also have the ability to manage enterprise administrators and view usage data, billed quantities and unbilled charges across all accounts and subscriptions associated with the enterprise enrollment
  • Enterprise Agreement – A Microsoft licensing agreement for customers with centralized purchasing who want to standardize their entire organization on Microsoft technology and maintain an information technology infrastructure on a standard of Microsoft software
  • Enterprise Agreement Enrollment – An enrollment in the Enterprise Agreement program providing Microsoft products in volume at discounted rates
  • Microsoft Account – A Web-based service that enables participating sites to authenticate a user with a single set of sign-in credentials
  • Microsoft Azure Enterprise Enrollment Amendment (Enrollment Amendment) – An amendment signed by an enterprise which provides them access to Microsoft Azure as part of their Enterprise Enrollment
  • Microsoft Azure Enterprise Portal – The portal used by our enterprise customers to manage their Microsoft Azure accounts and their related subscriptions
  • Resource Quantity Consumed – The quantity of an individual Microsoft Azure service that was utilized in a month.
  • Service Administrator – The person identified to access and manage subscriptions and development projects on the Microsoft Azure
  • Subscription – Represents an Azure Enterprise Portal subscription and is a container of Microsoft Azure services managed by the same Service Administrator.
  • Work or School Account: For organizations that have set up Active Directory with Federation to the Cloud and all accounts are on a single tenant.

Add a Comment

Your email address will not be published. Required fields are marked *

Current ye@r *