Azure Enterprise Enrollment – Hierarchy

I wanted to write this post to clear up any confusion about the process of managing an Azure EA, the Enrollment, Department, Account and Subscription. Look at the entire hierarchy and work down through the levels that is Microsoft Azure.

The Enrollment

Managed using http://ea.azure.com

At the very top-level from a licensing perspective, you can have multiple Azure Enrollments, here you can select the enrollment you want to work with. You need to be an Enterprise Administrator to access this. There can be an unlimited number of Enterprise Administrators.

Azure Enrollment

The other thing you need to do is change the Enrollment Authentication Level to ‘Mixed Account‘ so that you have the ability to add both Microsoft Accounts and/or Work or School accounts as Account Administrators.

Azure EA Auth Level

 

2016-06-03_1056

The Department

Also managed using http://ea.azure.com

Once you select the Enrollment you are working with, you then select ‘Department‘ at the top. This is where you can see all the departments in which you are the Department Administrator for and you can setup more departments which can be setup as a logical segmentation of a company or application.

The Department

The Account

The Account

To save some confusion, this part is not a generic account (like what a department and subscription is), but more so an individual account for a person, who will ultimately become the Azure Account Administrator. The AA can manage and setup Azure subscriptions, at which point will also become – by default – the Service Administrator for the subscription as well at the time of subscription creation.

Notice, this part is managed using two portals.

You will use http://ea.azure.com only to first setup the Account Administrator under the relevant department, whether it be a Microsoft Account or a Work/School (Organisational) account, this is where you do it.

2016-06-03_1015

At this stage, once you add in the account, it can take up to 24 hours for it to actually add itself in and will sit at ‘pending‘ for a while.

2016-06-03_1010

Once it goes through and gets setup, the email you used when adding the account, that person will get an email to confirm with a link to logon to the Azure Account portal.

Please note: at this point, even through that adding a work/school account from an Azure AD directory is an option, the ‘directory‘ doesn’t have to have any affiliation with the EA, nor does the Microsoft Account. In saying this, you can use an account from a new Azure AD directory, or an existing Azure AD directory, e.g. if you are using Office 365 and AD Connect to sync on-prem accounts to Azure AD, you can use any of these accounts.

Once the account has been completed being setup, the Account Administrator will get an email.

The Subscription

All Azure subscriptions can then be created and managed by the Account Administrator and this is all done by using the Azure Account portal  http://account.windowsazure.com  then by clicking on ‘Account‘ at the top.

Azure Account

From here you will notice you have the option of adding a new subscription.

Or, you can edit an existing subscription. If you click on an existing subscription, by default all Azure Enterprise based subscriptions are named ‘Microsoft Azure Enterprise‘. You have the option to ‘Edit Subscription Details‘.

2016-06-03_1031

Here you can rename the Azure subscription or rename the Azure subscription in the Azure portal. Also under ‘Edit Subscription Details‘ you change the Service Administrator to someone else. Remember that with all new Azure subscriptions which are created by the Account Administrator, Azure stamps the Account Administrator as the Service Administrator by default, this is where you change that.

The Azure Hierarchy

And this is the whole thing visually.

Enterprise Enrollment Hierarchy

More details can be found on the Channel 9 website on the subject of Enterprise Azure Portal https://channel9.msdn.com/blogs/EA.Azure.com

A few pointers:

As long as you remember that an Azure directory (also referred to as AAD/Tenant) is totally separate to the Azure subscription.

Imagine you wanted to transfer an Azure Subscription from PAYG to an EA while keeping the existing directory.

  • You would follow this article, tick Retain this subscription within my Azure AD – however the account owner you are transferring it to, this person would need to exist in the current tenant attached to the incoming subscription otherwise they would get another error The requester has specified that the subscription be retained within their organization. Please contact the requester and ask them to either update their request or add you to their organisation….

Imagine you had your EA set to Microsoft Account mode and you wanted to add a new Account which was a Work or School account.

  • You would get an error like this: The login information provided is not a valid user. If you believe you have received this message in error, please contact customer support2018-08-27_1734Simply change the EA to be set for Work or School Account Cross Tenant authentication. If you have Microsoft accounts already setup as other account owners, this won’t break these accounts.

Changing the directory associated with an Azure Subscription: see How to associate or add an Azure subscription to Azure Active Directory.

Any other EA support type of issues, contact http://aka.ms/azureentsupport

Azure

4 Comments Leave a comment

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: