Azure Cost Governance Intelligence

Azure Department and Account Hierarchy Optimisation: EA Guide

Microsoft Negotiations · Est. 2016 · 500+ Engagements · $2.1B Managed

The Azure EA enrollment hierarchy is the foundational governance decision for the entire EA term. Get it right at the start, and cost attribution, chargeback, and spending limit governance require minimal ongoing effort. Get it wrong, and you spend the next three years fighting to attribute $4M of annual Azure spend to business units while engineering teams run development environments with no accountability. This guide covers the optimal hierarchy design, the most common structural mistakes, and the restructuring process for enrollments that have grown organically without governance.

The EA Enrollment Hierarchy: Four Levels

The Azure EA enrollment hierarchy has exactly four levels, each serving a distinct governance purpose:

| Level | Name | Purpose | Max Count (Typical) |
|---|---|---|---|
| 1 | Enrollment | The entire EA — one per contract. Contains all departments, accounts, and subscriptions. | 1 per EA |
| 2 | Department | Maps to business units or cost centres. Spending limits can be set at this level. | 3–15 |
| 3 | Account | Maps to application portfolios or project owners. Subscription creation permission is granted here. | 10–50 per department |
| 4 | Subscription | The billing and RBAC boundary for Azure resources. One subscription per environment/application. | 3–10 per account |

Management Groups are a separate hierarchy in the Azure portal (not the EA Portal) that overlays the subscription layer for policy and RBAC governance. A complete Azure governance architecture uses both: EA hierarchy for billing and financial accountability, management group hierarchy for security policy and access control.

Department Design: Aligning to Cost Centres

The department layer is the cost centre layer of your EA. The optimal design maps each department to a single finance cost centre — the organisational unit that has its own IT budget and is accountable for Azure spend. Common department structures:

Business Unit Model (Most Common)

Create one department per major business unit: Finance, Operations, Engineering, Marketing, Sales, HR, IT (for shared infrastructure). This model works when each business unit has a dedicated IT budget and an identified owner accountable for Azure costs. Chargeback is straightforward — filter billing by department and the cost centre mapping is 1:1.

Environment Model

Create departments by environment tier rather than business unit: Production, Non-Production, Sandbox, Shared Infrastructure. This model prioritises operational governance over financial accountability — you can apply strict spending limits to Non-Production and Sandbox departments while leaving Production uncapped. Use this model when your organisation has centralised IT billing but needs operational cost controls by environment.

Hybrid Model (Recommended for Larger Enterprises)

Combine business unit alignment with environment separation: each business unit has a Production account and a Non-Production account within its department. Non-Production accounts have spending limits; Production accounts have alert-based governance only. This is the most governance-effective structure for enterprises with multiple business units and both centralised and distributed IT.

The Flat Hierarchy Anti-Pattern: Creating a single "IT" department with all subscriptions underneath destroys chargeback capability. You cannot filter EA billing reports by business unit because all spend appears under one department. The only path to chargeback is then tagging — which, as covered in our tagging guide, requires 85%+ compliance to be useful.

Account Design: Mapping to Application Portfolios

Accounts sit within departments and grant subscription creation permissions to Account Owners. The design principle: one account per coherent application portfolio, owned by the person responsible for that portfolio's Azure costs.

Account Ownership: Service Accounts vs Personal Emails

The most common account governance failure is assigning personal email addresses as account owners. When that person leaves, the account is immediately orphaned — no new subscriptions can be created, and the account needs Enterprise Administrator intervention to reassign. Use a shared mailbox or service account email (azure-account-{team}@company.com) for all account ownerships. The service account owns the account; the relevant manager has access to the mailbox.

Account-to-Subscription Mapping

Each account should contain at most 5–10 subscriptions. The recommended subscription structure within an account:

This 4-subscription-per-account pattern is appropriate for application portfolios with separate teams managing production vs development. For smaller portfolios, a 2-subscription structure (production + non-production) is simpler and often more governable.

Spending Limits: Where to Apply Them

Spending limits in the EA Portal block resource deployment when spending hits the cap. The rule: apply to non-production environments, never to production. For the full spending limit configuration guide, see our article on Azure Spending Limit Management.

| Environment Type | Spending Limit | Rationale | Override Process |
|---|---|---|---|
| Production | None (alert-based only) | Production outage from spending block unacceptable | N/A — budget alert response only |
| Pre-production / Staging | 150% of previous quarter avg monthly spend | Prevents runaway load testing from generating overage | Manager approval, resolved within 2h |
| Development | 150% of previous quarter avg monthly spend | Creates accountability for development costs | Manager approval, resolved within 2h |
| Sandbox | $500/month fixed | Sandbox is inherently experimental — hard cap prevents surprises | Enterprise Administrator only, 24h SLA |

Restructuring a Legacy Enrollment Hierarchy

Most enterprises that have been on Azure for 3+ years have messy enrollment hierarchies: orphaned accounts, misaligned departments, subscriptions in the wrong accounts, and personal-email account owners who have left. Restructuring requires a 4-phase approach:

Phase 1 — Discovery (2 weeks): Export the full account and subscription list from the EA Portal. Map each subscription to its current owner, environment type, and business unit. Identify orphaned accounts, accounts with departed owners, and departments that no longer match the current org structure. This produces the restructuring blueprint.

Phase 2 — Account owner remediation (2 weeks): Assign service account email addresses to all production-critical accounts. For development accounts, assign the current team lead. Remove or re-assign accounts with departed owners. This is the highest-priority action — orphaned accounts are an immediate operational risk.

Phase 3 — Subscription migration (4–8 weeks): Transfer subscriptions to the correct accounts using EA Portal transfer functionality. Transfers take effect at the start of the next billing period — plan migrations at the beginning of a billing period to ensure clean reporting boundaries. Test billing reports after each transfer to confirm cost attribution is working as expected.

Phase 4 — Department restructuring (at EA renewal): Department restructuring is most cleanly done at EA renewal when you have a fresh enrollment structure to design. Mid-term department changes are possible but create reporting discontinuities. Plan the new department design 90 days before renewal and implement it as part of the new agreement structure.
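The Phase 1 discovery pass can be scripted against the exported account and subscription list. The sketch below is an added example, not tooling from this guide or from Microsoft: it flags orphaned and personally owned accounts, oversized accounts, and spending limits that contradict the production/non-production rule above. The CSV column names, the per-subscription `spending_limit` field and the sample rows are constructed assumptions, not the EA Portal's actual export schema.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample standing in for an exported account/subscription list.
# Column names are assumptions; a blank spending_limit means "no limit set".
SAMPLE_EXPORT = """department,account,owner_email,subscription,environment,spending_limit
Finance,fin-apps,azure-account-finapps@company.com,fin-prod,Production,
Finance,fin-apps,azure-account-finapps@company.com,fin-dev,Development,1800
Engineering,eng-platform,j.smith@company.com,eng-prod,Production,5000
Engineering,eng-platform,j.smith@company.com,eng-sbx,Sandbox,
IT,legacy,m.jones@company.com,old-dev,Development,
"""

# Service-account naming pattern from the guide: azure-account-{team}@company.com
SERVICE_OWNER = re.compile(r"^azure-account-[a-z0-9-]+@company\.com$")

def audit(export_text, departed_owners, max_subs=10):
    """Return sorted (account, finding) pairs for the restructuring blueprint."""
    accounts = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        key = (row["account"], row["owner_email"].strip().lower())
        accounts[key].append(row)
    findings = set()
    for (account, owner), subs in accounts.items():
        if owner in departed_owners:  # e.g. taken from an HR leaver list
            findings.add((account, "orphaned: owner has left"))
        elif not SERVICE_OWNER.match(owner):
            findings.add((account, "personal email owner"))
        if len(subs) > max_subs:
            findings.add((account, "more than %d subscriptions" % max_subs))
        for sub in subs:
            capped = sub["spending_limit"].strip() != ""
            name = sub["subscription"]
            if sub["environment"] == "Production" and capped:
                findings.add((account, "spending limit on production: " + name))
            if sub["environment"] != "Production" and not capped:
                findings.add((account, "no spending limit on non-production: " + name))
    return sorted(findings)

if __name__ == "__main__":
    for account, finding in audit(SAMPLE_EXPORT, {"m.jones@company.com"}):
        print(account, "-", finding)
```

Accounts flagged as orphaned are the Phase 2 priority; the remaining findings feed the Phase 3 migration plan.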

Management Groups: The Parallel Hierarchy

Azure Management Groups are the Azure portal governance equivalent of EA departments — they define where Azure Policy and RBAC assignments apply across subscriptions. The relationship between the two hierarchies:

The governance recommendation: design management groups to mirror EA departments at the top level, then add child management groups for environment types (production vs non-production) that cut across departments. This creates a governance hierarchy that enforces stricter policies on production workloads across all departments, while maintaining the cost attribution clarity of the business unit department structure. See our Azure FinOps Advanced Governance guide for the full governance architecture.

Frequently Asked Questions

How many departments should an Azure EA enrollment have?

The optimal number equals the number of distinct Azure budget holders in your organisation — typically 3–10. Each department should correspond to a business unit or cost centre with its own Azure budget. Creating one department for everything makes chargeback governance impossible.

What is the difference between an EA department and an Azure management group?

EA departments define billing hierarchy and spending limits in the EA Portal. Management groups define policy and RBAC hierarchy in the Azure portal. They are separate hierarchies that should be aligned — a department maps to a top-level management group.

Can subscriptions be moved between EA accounts?

Yes. Subscriptions can be transferred between accounts via the EA Portal, taking effect at the start of the next billing period. Enterprise Administrator permission is required for transfers across departments.

What happens when an EA account owner leaves the organisation?

The account becomes orphaned — no new subscriptions can be created until an Enterprise Administrator assigns a new owner. Use service account (functional mailbox) email addresses for all account ownerships to prevent this common governance failure.

Should management groups mirror EA department structure?

Ideally yes at the top level. Add child management groups for environments (production, non-production) that cut across departments, enabling stricter security policies on production workloads without compromising cost attribution clarity.
