Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
The article helps you understand and manage tenants associated with your Microsoft Customer Agreement billing account. Use the information to manage tenants, transfer subscriptions, and administer billing ownership while you ensure secure access to your billing environment.
What's a tenant?
A tenant is a digital representation of your organization and is primarily associated with a domain, like Azure.cn. It's an environment managed through Microsoft Entra ID that enables you to assign users permissions to manage Azure resources and billing.
Each tenant is distinct and separate from other tenants. You can allow users from other tenants to access your billing account by using one of the following methods:
- Creating guest users in your tenants and assigning the appropriate billing role.
- Associating the other tenant to your tenant and assigning the appropriate billing role.
What's an associated tenant?
An associated tenant is a tenant that is linked to your primary billing tenant’s billing account. You can move Microsoft 365 subscriptions to these tenants. You can also assign billing account roles to users in associated billing tenants. Read more about associated tenants Manage billing across multiple tenants using associated billing tenants.
How tenants and subscriptions relate to billing account
You use your Microsoft Customer Agreement (billing account) to track costs and manage billing. Each billing account has at least one billing profile. The billing profile allows you to manage your invoice and payment method. Each billing profile includes one invoice section, by default. You can create more invoice sections to group, track, and manage costs at a more granular level if needed.
- Your billing account is associated with a single, primary tenant. Users who are part of the primary tenant or who are part of associated tenants can access your billing account if they have the appropriate billing role assigned.
- When you create a new Azure subscription for your billing account, it's created in your tenant or one of the other tenants you have access to. You can choose the tenant while creating the subscription.
- You can move subscriptions to other tenants. You can also link existing subscriptions from other tenants to your billing account. This flexibility allows you to centrally manage billing through one tenant while keeping resources and subscriptions in other tenants based on your needs.
The following diagram shows how billing account and subscriptions are linked to tenants. Let's assume Contoso would like to streamline their billing management through an MCA. The Contoso MCA billing account is in Tenant 1 while Contoso PAYG account is in Tenant 2. They can use a billing ownership transfer to link the subscription to their MCA billing account. The subscription and its resources will still be associated with Tenant 2, but they're paid for using the MCA billing account.
Manage subscriptions under multiple tenants in a single Microsoft Customer Agreement
Billing owners can create subscriptions when they have the appropriate permissions to the billing account. By default, any new subscriptions created under the Microsoft Customer Agreement are in the current user’s tenant. Different tenants can be selected from the list of tenants to which the user has access to create subscriptions.
- You can link subscriptions from other tenants to your Microsoft Customer Agreement billing account. Taking billing ownership of a subscription only changes the invoicing arrangement. It doesn't affect the service tenant or Azure RBAC roles.
Billing ownership transfer
A billing ownership transfer only changes the invoice arrangement for a single subscription. User and resource management for the subscription do not change.
A billing ownership transfer does two things:
- The subscription’s original billing ownership is removed.
- The subscription billing ownership is linked to the target billing account, which could be in a different tenant/directory.
Billing ownership transfer doesn’t affect:
- Users
- Resources
- Azure RBAC permissions
Assign roles to users to your Microsoft Customer Agreement
There are three ways users with billing owner access can assign roles to users to MCA
- Assign billing roles to users in the primary tenant
- Assign billing roles to external users (outside of your primary tenant) if they are part of an associated tenant
- If tenants are not associated, create guest users in primary tenant and assign roles.
Add guest users to your Microsoft Customer Agreement tenant
Users that are added to your Microsoft Customer Agreement billing tenant, to manage billing responsibilities from a different tenant, must be invited as a guest.
To invite someone as a guest, the user must have an existing email address with a domain that's different from your Microsoft Entra domain. Microsoft Entra ID sends the guest user an email with a link for authentication.
When they select the Accept invitation link, they're prompted to authenticate with Azure.
Then they select Accept.
After they accept, they can view the Microsoft Customer Agreement billing account under Cost Management + Billing.
Authorization to invite guest users is controlled by your Microsoft Entra settings. The value of the settings is shown under Settings on the Organizational relationships page. Ensure that the setting is selected, otherwise the invitation fails.
Important
Guest users get access to the Microsoft Customer Agreement tenant, which can potentially pose a security concern.
Manage multiple Azure cloud services under a Microsoft Entra tenant
You can manage multiple cloud services for your organization under a single Microsoft Entra tenant. User accounts for all of Microsoft's cloud offerings are stored in the Microsoft Entra tenant, which contains user accounts and groups. The following diagram shows an example of an organization with multiple services using a common Microsoft Entra tenant containing accounts. Each service has its own portal, in blue text, where users manage their services.
Related content
Read the following articles to learn how to administer flexible billing ownership and ensure secure access to your Microsoft Customer Agreement.