
Task 02: Create Subscriptions

Runbook Azure

DOCUMENT CATEGORY: Runbook
SCOPE: Full CAF/WAF subscription provisioning
PURPOSE: Create and associate dedicated subscriptions with management groups
MASTER REFERENCE: Create Azure subscriptions programmatically

Status: Active


Overview

Provision dedicated Azure subscriptions and associate each with its corresponding management group. The full CAF/WAF deployment uses separate subscriptions for platform services and landing zones, providing maximum billing isolation, RBAC boundaries, and governance flexibility.

How You Create Subscriptions

How you create subscriptions depends on your organization's billing arrangement:

Billing Type | Creation Method | Programmatic Support
Enterprise Agreement (EA) | EA Portal, Azure CLI, or REST API | ✅ Full — az account create with enrollment account
Microsoft Customer Agreement (MCA) | Azure Portal, Azure CLI, or REST API | ✅ Full — az account create with billing profile + invoice section
Pay-As-You-Go / MOSP | Azure Portal only | ❌ Manual only — use the portal

Programmatic Subscription Creation

If you have an EA or MCA, you can create subscriptions programmatically using az account create or New-AzSubscriptionAlias. This is the recommended approach for the full deployment model where you need 5+ subscriptions. See the Execution Options below.

What This Accomplishes

  • Billing isolation — separate cost tracking per platform function and landing zone
  • Access control — subscription-level RBAC boundaries
  • Resource organization — dedicated containers aligned with management group hierarchy
  • Governance scope — policy and compliance boundaries per subscription

Prerequisites

Prerequisite | Detail
Management Groups | Full hierarchy deployed (Task 01)
Billing Access | EA enrollment account owner, MCA billing profile owner, or Azure Portal access to create subscriptions
Subscription Quota | Available subscription quota in your tenant (default: 5000 per EA, varies by agreement)
Permissions | Management Group Contributor on target MGs (to associate subscriptions after creation)

Subscription Architecture

Each leaf-level management group hosts a dedicated subscription:

Subscription Mapping (IIC Example)

Management Group | Subscription Name | Config Path | Purpose
cmp-platform-identity-iic | iic-platform-identity-001 | azure.subscriptions.platform_identity.name | Entra ID Connect, identity services
cmp-platform-management-iic | iic-platform-management-001 | azure.subscriptions.platform_management.name | Azure Monitor, Log Analytics, Automation
cmp-platform-connectivity-iic | iic-platform-connectivity-001 | azure.subscriptions.platform_connectivity.name | Hub VNet, VPN, ExpressRoute
cmp-lz-corp-iic | iic-lz-azurelocal-corp-001 | azure.subscriptions.lz_corp.name | Azure Local clusters (corporate)
cmp-lz-online-iic | iic-lz-azurelocal-online-001 | azure.subscriptions.lz_online.name | Internet-facing workloads

Target Structure

cmp-iic-root                                  ← organization root MG
├── cmp-platform-iic
│   ├── cmp-platform-identity-iic
│   │   └── iic-platform-identity-001         ← subscription
│   ├── cmp-platform-management-iic
│   │   └── iic-platform-management-001       ← subscription
│   └── cmp-platform-connectivity-iic
│       └── iic-platform-connectivity-001     ← subscription
├── cmp-landing-zones-iic
│   ├── cmp-lz-corp-iic
│   │   └── iic-lz-azurelocal-corp-001        ← subscription
│   └── cmp-lz-online-iic
│       └── iic-lz-azurelocal-online-001      ← subscription
├── cmp-sandbox-iic                           (no subscription yet)
└── cmp-decommissioned-iic                    (no subscription yet)

Variables from variables.yml

Variable | Config Path | Example (IIC)
Platform Identity Sub | azure.subscriptions.platform_identity.name | iic-platform-identity-001
Platform Management Sub | azure.subscriptions.platform_management.name | iic-platform-management-001
Platform Connectivity Sub | azure.subscriptions.platform_connectivity.name | iic-platform-connectivity-001
Corp Landing Zone Sub | azure.subscriptions.lz_corp.name | iic-lz-azurelocal-corp-001
Online Landing Zone Sub | azure.subscriptions.lz_online.name | iic-lz-azurelocal-online-001

Execution Options

Azure Portal

When to use: Pay-As-You-Go billing, or you prefer the visual interface

Procedure

  1. Navigate to Subscriptions:

    • In Azure Portal, search for Subscriptions
    • Click + Add
  2. Create each subscription from the mapping table above:

    • Subscription name: Enter the name from the mapping table (e.g., iic-platform-identity-001)
    • Billing: Select your billing account / enrollment
    • Management group: Select the corresponding management group from the mapping table
    • Click Create
  3. Verify each subscription appears under the correct management group in Management groups view

Creating Multiple Subscriptions

Work through the mapping table top-to-bottom, creating all Platform subscriptions first, then Landing Zone subscriptions. The Azure Portal allows you to set the management group at creation time, saving the manual association step.

Validation

  • All 5 subscriptions created with names matching variables.yml
  • Each subscription is under the correct management group
  • You have Owner access to all subscriptions

Using Existing Subscriptions

If your organization already has subscriptions provisioned (e.g., through a volume licensing agreement or prior setup), you can skip creation and just associate them with the correct management groups.

Move Existing Subscriptions

# Azure CLI: move a subscription to a management group
az account management-group subscription add \
    --name "<management-group-id>" \
    --subscription "<subscription-id-or-name>"

# PowerShell equivalent
New-AzManagementGroupSubscription `
    -GroupId "<management-group-id>" `
    -SubscriptionId "<subscription-id>"

Subscription Move Impact

Moving a subscription to a different management group changes which Azure Policies and RBAC role assignments it inherits. Review inherited policies before moving production subscriptions.


Validation

  • All subscriptions exist with names from variables.yml
  • Each subscription is associated with the correct management group per the mapping table
  • Subscriptions are visible under their respective MGs in the Azure Portal
  • You have Owner or Contributor access to all subscriptions

Verify via CLI

# Azure CLI: list subscriptions and their management group parents
az account management-group show --name "cmp-iic-root" --expand --recurse \
    --query "children[].{Name:name, DisplayName:displayName, Children:children[].{Name:name, DisplayName:displayName, Subs:children[?type=='Microsoft.Management/managementGroups/subscriptions'].{Name:name, DisplayName:displayName}}}" \
    -o json

# PowerShell: verify all subscriptions under root
Get-AzManagementGroup -GroupName "cmp-iic-root" -Expand -Recurse |
    Select-Object -ExpandProperty Children |
    Format-Table Name, DisplayName, Type -AutoSize
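As an added check that is not part of this runbook, the following Python walks the JSON returned by the az account management-group show --expand --recurse command above and compares each subscription's parent with the mapping table, reporting subscriptions that are missing, sit under the wrong MG, or are not in variables.yml at all. The mg/sub helpers and the SAMPLE tree are constructed for the demo (not real az output); one subscription is deliberately placed directly under the root, the "Subscription under wrong MG" symptom from the troubleshooting table.

```python
EXPECTED = {  # from the mapping table above: subscription display name -> management group
    "iic-platform-identity-001": "cmp-platform-identity-iic",
    "iic-platform-management-001": "cmp-platform-management-iic",
    "iic-platform-connectivity-001": "cmp-platform-connectivity-iic",
    "iic-lz-azurelocal-corp-001": "cmp-lz-corp-iic",
    "iic-lz-azurelocal-online-001": "cmp-lz-online-iic",
}

def subscription_parents(node):
    """Map subscription display name -> MG that directly holds it (child type ends '/subscriptions')."""
    found = {}
    for child in node.get("children") or []:
        if (child.get("type") or "").endswith("/subscriptions"):
            found[child.get("displayName")] = node["name"]
        else:
            found.update(subscription_parents(child))
    return found

def check_placement(tree, expected=EXPECTED):
    """Return problem lines; an empty list means every subscription sits where the table says."""
    actual = subscription_parents(tree)
    problems = []
    for name, want in expected.items():
        if name not in actual:
            problems.append(f"MISSING    {name}: not found anywhere under {tree['name']}")
        elif actual[name] != want:
            problems.append(f"WRONG MG   {name}: under {actual[name]}, expected {want}")
    for name, parent in actual.items():
        if name not in expected:
            problems.append(f"UNEXPECTED {name}: under {parent}, not in the variables.yml mapping")
    return problems

# Constructed sample (not real az output) in the shape the CLI returns; one subscription has drifted.
def mg(name, *children):
    return {"name": name, "type": "Microsoft.Management/managementGroups", "children": list(children)}
def sub(display_name):
    return {"name": "00000000-0000-0000-0000-000000000000", "displayName": display_name, "type": "/subscriptions"}

SAMPLE = mg("cmp-iic-root",
    mg("cmp-platform-iic",
       mg("cmp-platform-identity-iic", sub("iic-platform-identity-001")),
       mg("cmp-platform-management-iic", sub("iic-platform-management-001")),
       mg("cmp-platform-connectivity-iic", sub("iic-platform-connectivity-001"))),
    mg("cmp-landing-zones-iic",
       mg("cmp-lz-corp-iic", sub("iic-lz-azurelocal-corp-001")),
       mg("cmp-lz-online-iic")),
    sub("iic-lz-azurelocal-online-001"))  # created without an MG, so it landed under the root

if __name__ == "__main__":
    print("\n".join(check_placement(SAMPLE) or ["OK: placement matches the mapping table"]))
```

To run it against a real tenant, replace SAMPLE with the parsed JSON of the CLI output; the type test accepts both the short "/subscriptions" spelling and the longer "Microsoft.Management/managementGroups/subscriptions" one, so it works whichever form your CLI version emits.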

Troubleshooting

Symptom | Error | Resolution
No enrollment account found | Empty result from az billing enrollment-account list | You need the EA enrollment account owner role — contact your organization's EA admin
Subscription creation fails | AuthorizationFailed or BillingAccountNotFound | Verify your billing access — EA enrollment owner, MCA billing profile contributor, etc.
Cannot associate with MG | AuthorizationFailed | Verify Management Group Contributor role on the target MG
Subscription under wrong MG | Shows under root or Tenant Root Group | Move the subscription: az account management-group subscription add --name <target-mg> --subscription <sub-id>
Subscription quota exceeded | SubscriptionLimitReached | Request a quota increase from Microsoft support
Subscription not visible | Not listed in Azure Portal | Verify you're signed into the correct tenant — check with az account show

Next Steps

Proceed to Task 03: Create Resource Groups


Version Control

  • Created: 2026-01-15 by Hybrid Cloud Solutions
  • Last Updated: 2026-03-19 by Hybrid Cloud Solutions
  • Version: 3.0.0