How is access to Azure organized?

In the previous sections of this chapter, we've had an overview of the Azure platform. Now let's dig a bit deeper.

The first point in our discovery journey— How is access to the Azure platform organized?

As long as we look at Azure from our personal point of view, the answer is simple—our entire world consists of an Azure account, a subscription and the direct or indirect handling of Azure resources, as shown here:

But if we look at the situation from the perspective of an enterprise, it becomes much more complicated, as shown in the next figure. The reason for this is Microsoft's attempt to delineate your company with an Azure enrollment as precisely as possible.

Let's have a look—the high-level element in the figure is now the enterprise element linked to the Enterprise Administrator's role. Here, the most comprehensive and highest rights exist. An Enterprise Administrator is allowed to do everything within the Azure enrollment.

The rights of the Enterprise Administrator include:

• If necessary, he/she can appoint additional Enterprise Administrators
• It defines the so-called departments and appoints corresponding department administrators
• It can set up accounts as required

The Enterprise Administrator is also the only person who can access all consumption and cost data at every level of the Azure enrollment.

The next element is departments (linked to the Department Administrator's role)—with the creation of departments, you can subdivide your enrollment into logical units. Even if the term department suggests something different, you have given yourself flexibility in terms of how the elements are divided.

The decision on how elements are classified is actually made based on the following:

• Functional aspects (in fact, according to the organizational structure)
• Business interests (that is according to the project's business)
• Geographical aspects (different locations, branch offices, and so on)

Let's go to the Department Administrators—they have the ability to create accounts within their department and, if necessary, can create a cost center (for a complete cost control).

From the next level, everything is as usual (Azure account, subscriptions, Azure resources and so on):