Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
The article helps you understand and manage tenants associated with your Microsoft Customer Agreement billing account. Use the information to manage tenants, transfer subscriptions, and administer billing ownership while you ensure secure access to your billing environment.
What's a tenant?
A tenant is a digital representation of your organization and is primarily associated with a domain, like Azure.cn. It's an environment managed through Microsoft Entra ID that enables you to assign users permissions to manage Azure resources and billing.
Each tenant is distinct and separate from other tenants. You can allow users from other tenants to access your billing account by using one of the following methods:
- Creating guest users in your tenants and assigning the appropriate billing role.
- Associating the other tenant to your tenant and assigning the appropriate billing role.
What's an associated tenant?
An associated tenant is a tenant that is linked to your primary billing tenant’s billing account. You can move Microsoft 365 subscriptions to these tenants. You can also assign billing account roles to users in associated billing tenants. Read more about associated tenants Manage billing across multiple tenants using associated billing tenants.
How tenants and subscriptions relate to billing account
You use your Microsoft Customer Agreement (billing account) to track costs and manage billing. Each billing account has at least one billing profile. The billing profile allows you to manage your invoice and payment method. Each billing profile includes one invoice section, by default. You can create more invoice sections to group, track, and manage costs at a more granular level if needed.
- Your billing account is associated with a single, primary tenant. Users who are part of the primary tenant or who are part of associated tenants can access your billing account if they have the appropriate billing role assigned.
- When you create a new Azure subscription for your billing account, it's created in your tenant or one of the other tenants you have access to. You can choose the tenant while creating the subscription.
- You can move subscriptions to other tenants. You can also link existing subscriptions from other tenants to your billing account. This flexibility allows you to centrally manage billing through one tenant while keeping resources and subscriptions in other tenants based on your needs.
The following diagram shows how billing account and subscriptions are linked to tenants. Let's assume Contoso would like to streamline their billing management through an MCA. The Contoso MCA billing account is in Tenant 1 while Contoso PAYG account is in Tenant 2. They can use a billing ownership transfer to link the subscription to their MCA billing account. The subscription and its resources will still be associated with Tenant 2, but they're paid for using the MCA billing account.
Manage subscriptions under multiple tenants in a single Microsoft Customer Agreement
Billing owners can create subscriptions when they have the appropriate permissions to the billing account. By default, any new subscriptions created under the Microsoft Customer Agreement are in the current user’s tenant. Different tenants can be selected from the list of tenants to which the user has access to create subscriptions.
- You can link subscriptions from other tenants to your Microsoft Customer Agreement billing account. Taking billing ownership of a subscription only changes the invoicing arrangement. It doesn't affect the service tenant or Azure RBAC roles.
Billing ownership transfer
A billing ownership transfer only changes the invoice arrangement for a single subscription. User and resource management for the subscription do not change.
A billing ownership transfer does two things:
- The subscription’s original billing ownership is removed.
- The subscription billing ownership is linked to the target billing account, which could be in a different tenant/directory.
Billing ownership transfer doesn’t affect:
- Users
- Resources
- Azure RBAC permissions
Assign roles to users to your Microsoft Customer Agreement
There are three ways users with billing owner access can assign roles to users to MCA
- Assign billing roles to users in the primary tenant
- Assign billing roles to external users (outside of your primary tenant) if they are part of an associated tenant
- If tenants are not associated, create guest users in primary tenant and assign roles.
Understanding Guest Users in Azure Portal
A guest user (also known as guested user or B2B user) is an external user who has been invited to access resources within an Azure Active Directory (Azure AD) tenant. Typically, this user has a primary identity in another Azure AD tenant or identity provider and receives access via Azure AD B2B (business-to-business) collaboration features. Once invited, the guest user appears in the inviting organization’s directory and can be assigned roles and permissions just like any other user.
Accessing the Azure Portal
The guest user must sign in to the Azure portal using their own organization’s credentials. Upon successful authentication, they should select the host directory (the client organization) from the top-right user menu in the Azure portal if they are members of multiple tenants.
Navigation and User Interface
Once inside the client’s directory, the guest user will see the resources and features available based on their role assignments. They can navigate to:
- Cost Management + Billing: The main blade for all billing-related tasks.
- Billing accounts, profiles, and invoice sections: Visible as per access rights.
Add guest users to your Microsoft Customer Agreement tenant
Users that are added to your Microsoft Customer Agreement billing tenant, to manage billing responsibilities from a different tenant, must be invited as a guest.
To invite someone as a guest, the user must have an existing email address with a domain that's different from your Microsoft Entra domain. Microsoft Entra ID sends the guest user an email with a link for authentication.
When they select the Accept invitation link, they're prompted to authenticate with Azure.
Then they select Accept.
After they accept, they can view the Microsoft Customer Agreement billing account under Cost Management + Billing.
Authorization to invite guest users is controlled by your Microsoft Entra settings. The value of the settings is shown under Settings on the Organizational relationships page. Ensure that the setting is selected, otherwise the invitation fails.
Important
Guest users get access to the Microsoft Customer Agreement tenant, which can potentially pose a security concern.
Troubleshooting Common Issues for Guest Users
- Access Denied Errors: Ensure correct roles are assigned and the guest has accepted the invitation.
- Directory Not Found: Instruct the user to switch directories in the Azure Portal.
- Resource Visibility: Confirm that the user’s roles map to the correct billing profiles or invoice sections.
Manage multiple Azure cloud services under a Microsoft Entra tenant
You can manage multiple cloud services for your organization under a single Microsoft Entra tenant. User accounts for all of Microsoft's cloud offerings are stored in the Microsoft Entra tenant, which contains user accounts and groups. The following diagram shows an example of an organization with multiple services using a common Microsoft Entra tenant containing accounts. Each service has its own portal, in blue text, where users manage their services.
Related content
Read the following articles to learn how to administer flexible billing ownership and ensure secure access to your Microsoft Customer Agreement.