Task 02: Create Subscription
DOCUMENT CATEGORY: Runbook
SCOPE: Single subscription deployment — subscription provisioning
PURPOSE: Create and configure single subscription
MASTER REFERENCE: Create Azure subscriptions programmatically
Status: Active
Overview
Provision a single Azure subscription and associate it with the landing zone management group. In the single subscription deployment model, all resources reside in one subscription, with organization achieved through resource groups and tags.
How You Create Subscriptions
How you create subscriptions depends on your organization's billing arrangement:
| Billing Type | Creation Method | Programmatic Support |
|---|---|---|
| Enterprise Agreement (EA) | EA Portal, Azure CLI, or REST API | ✅ Full — az account create with enrollment account |
| Microsoft Customer Agreement (MCA) | Azure Portal, Azure CLI, or REST API | ✅ Full — az account create with billing profile + invoice section |
| Pay-As-You-Go / MOSP | Azure Portal only | ❌ Manual only — use the Portal tab |
What This Accomplishes
- Single billing boundary — all costs tracked in one subscription
- Unified resource container — all resources under one subscription
- Simplified management — one subscription to govern
Prerequisites
| Prerequisite | Detail |
|---|---|
| Management Group | Landing zone management group deployed (Task 01) |
| Billing Access | EA enrollment account owner, MCA billing profile owner, or Azure Portal access to create subscriptions |
| Permissions | Management Group Contributor on the landing zone MG (to associate the subscription after creation) |
Subscription Details
Naming Convention
Pattern: <org>-<purpose>-<environment>-<instance>
Example (IIC): iic-lz-azurelocal-001
Configuration Reference
| Attribute | Value | Config Path |
|---|---|---|
| Subscription Name | Per config | variables.yml → azure.subscriptions.lab.name |
| Subscription ID | Per config | variables.yml → azure.subscriptions.lab.id |
| Landing Zone MG | Per config | variables.yml → azure.management_groups.landing_zone.name |
| Purpose | All Azure Local resources | — |
IIC Example Values
| Attribute | IIC Value |
|---|---|
| Subscription Name | iic-lz-azurelocal-001 |
| Landing Zone MG | cmp-landing-zones-iic |
Resource Organization Strategy
In the single subscription model, a single resource group provides resource organization within the subscription:
iic-lz-azurelocal-001                    ← subscription
└── rg-c01-azl-eus-01                    ← single resource group (Task 03)
    ├── Azure Local cluster resources
    ├── Arc-enabled servers
    ├── Key Vault
    └── Storage accounts
The single resource group is created in Task 03: Create Resource Groups. This task only covers the subscription itself.
Variables from variables.yml
| Variable | Config Path | Example (IIC) |
|---|---|---|
| Subscription Name | azure.subscriptions.lab.name | iic-lz-azurelocal-001 |
| Subscription ID | azure.subscriptions.lab.id | (per environment) |
| Landing Zone MG | azure.management_groups.landing_zone.name | cmp-landing-zones-iic |
Execution Options
- Azure Portal
- EA — Azure CLI
- MCA — Azure CLI
- PowerShell (EA)
Azure Portal
When to use: Pay-As-You-Go billing, or you prefer the visual interface
Procedure
- Navigate to Subscriptions:
  - In Azure Portal, search for Subscriptions
  - Click + Add
- Create the subscription:
  - Subscription name: iic-lz-azurelocal-001 (or your value from variables.yml)
  - Billing: Select your billing account / enrollment
  - Management group: Select the landing zone management group (cmp-landing-zones-iic)
  - Click Create
- Verify the subscription appears under the correct management group in Management groups view
Validation
- Subscription created with name matching variables.yml
- Subscription is under the landing zone management group
- You have Owner access to the subscription
Enterprise Agreement — Azure CLI
When to use: Your organization has an EA and you want to automate subscription creation
Find Your Enrollment Account
# List enrollment accounts you have access to
az billing enrollment-account list --query "[].{name:name, principalName:principalName}" -o table
Save the name value (a GUID) — this is your enrollment account ID.
Create the Subscription
az account create \
  --enrollment-account-name "<enrollment-account-id>" \
  --display-name "iic-lz-azurelocal-001" \
  --offer-type "MS-AZR-0017P"
Associate with Management Group
# Get the subscription ID
SUB_ID=$(az account list --query "[?name=='iic-lz-azurelocal-001'].id" -o tsv)
# Move to the landing zone management group
# (SUB_ID is quoted so an empty or multi-line lookup result is not word-split)
az account management-group subscription add \
  --name "cmp-landing-zones-iic" \
  --subscription "$SUB_ID"
- MS-AZR-0017P = EA Enterprise (most common)
- MS-AZR-0148P = EA Dev/Test (lower rates, no SLA)
Microsoft Customer Agreement — Azure CLI
When to use: Your organization has an MCA and you want to automate subscription creation
Find Your Billing Info
# List billing accounts
az billing account list --query "[].{name:name, displayName:displayName}" -o table
# List billing profiles
az billing profile list --account-name "<billing-account-name>" \
  --query "[].{name:name, displayName:displayName}" -o table
# List invoice sections
az billing invoice section list \
  --account-name "<billing-account-name>" \
  --profile-name "<billing-profile-name>" \
  --query "[].{name:name, displayName:displayName}" -o table
Create the Subscription
az account create \
  --billing-account-name "<billing-account-name>" \
  --billing-profile-name "<billing-profile-name>" \
  --invoice-section-name "<invoice-section-name>" \
  --display-name "iic-lz-azurelocal-001" \
  --sku-id "0001"
Associate with Management Group
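# Get the subscription ID
SUB_ID=$(az account list --query "[?name=='iic-lz-azurelocal-001'].id" -o tsv)
# Move to the landing zone management group (SUB_ID quoted to prevent word splitting)
az account management-group subscription add \
  --name "cmp-landing-zones-iic" \
  --subscription "$SUB_ID"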
PowerShell — Enterprise Agreement
When to use: PowerShell-based automation for EA subscriptions
Code
# ============================================================================
# Script: Deploy-Subscription.ps1
# Prerequisites: Az.Subscription module, EA enrollment account access
# ============================================================================
# Az.Billing provides Get-AzEnrollmentAccount; powershell-yaml provides ConvertFrom-Yaml
#Requires -Modules Az.Billing, Az.Subscription, Az.Resources, powershell-yaml

# Load configuration (-Raw passes the file to the YAML parser as a single string)
$config = Get-Content "./config/variables.yml" -Raw | ConvertFrom-Yaml
$SubName = $config.azure.subscriptions.lab.name
$LandingZoneMg = $config.azure.management_groups.landing_zone.name

# Get enrollment account
$enrollmentAccount = Get-AzEnrollmentAccount | Select-Object -First 1
if (-not $enrollmentAccount) {
    Write-Error "No enrollment account found. Verify EA access."
    return
}

Write-Host "Creating subscription: $SubName ..." -ForegroundColor Cyan

# Create subscription
$result = New-AzSubscriptionAlias `
    -AliasName $SubName `
    -SubscriptionName $SubName `
    -BillingScope $enrollmentAccount.ObjectId `
    -Workload "Production"
$subId = $result.Properties.SubscriptionId
Write-Host " Created: $subId" -ForegroundColor Gray

# Associate with management group
New-AzManagementGroupSubscription `
    -GroupId $LandingZoneMg `
    -SubscriptionId $subId
Write-Host "Subscription created and associated with $LandingZoneMg" -ForegroundColor Green
Using an Existing Subscription
If your organization already has a subscription provisioned, skip creation and associate it with the landing zone management group:
# Azure CLI
az account management-group subscription add \
  --name "cmp-landing-zones-iic" \
  --subscription "<subscription-id-or-name>"

# PowerShell
New-AzManagementGroupSubscription `
    -GroupId "cmp-landing-zones-iic" `
    -SubscriptionId "<subscription-id>"
Moving a subscription to a different management group changes which Azure Policies and RBAC role assignments it inherits. Review inherited policies before moving production subscriptions.
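The lookup-by-name step and the policy/RBAC review described above can be combined into one guarded move. The script below is an added example, not part of the original runbook: the function names `resolve_single_sub_id` and `move_to_landing_zone` are hypothetical, and the sample subscription IDs are constructed. It refuses to proceed when the display-name filter returns no ID or more than one (display names are not unique), and lists the policy and role assignments at the target management group scope before moving.

```shell
#!/bin/sh
# Added example (not from the runbook): guarded lookup and management group move.

# Reads `az account list ... -o tsv` output on stdin (one subscription ID per line).
# Prints the ID only when exactly one well-formed GUID is present.
# Returns: 1 = no match, 2 = several subscriptions share the name, 3 = not a GUID.
resolve_single_sub_id() {
  _ids=$(tr -d '\r' | sed '/^[[:space:]]*$/d')
  _count=$(printf '%s\n' "$_ids" | awk 'NF { n++ } END { print n + 0 }')
  if [ "$_count" -eq 0 ]; then
    echo "no subscription matched the display name" >&2
    return 1
  fi
  if [ "$_count" -gt 1 ]; then
    echo "ambiguous: $_count subscriptions share this display name" >&2
    return 2
  fi
  if ! printf '%s\n' "$_ids" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
    echo "not a subscription GUID: $_ids" >&2
    return 3
  fi
  printf '%s\n' "$_ids"
}

# Hypothetical wrapper: lists what the target MG will make the subscription
# inherit (policy and role assignments), then performs the move.
# Assumes the display name contains no single quote (it is embedded in the JMESPath filter).
move_to_landing_zone() {
  _mg=$1
  _sub_name=$2
  _scope="/providers/Microsoft.Management/managementGroups/$_mg"
  # --refresh re-reads the subscription list so a just-created subscription is included.
  _sub_id=$(az account list --refresh --query "[?name=='$_sub_name'].id" -o tsv \
    | resolve_single_sub_id) || return $?
  az policy assignment list --scope "$_scope" \
    --query "[].{name:name, displayName:displayName}" -o table
  az role assignment list --scope "$_scope" \
    --query "[].{principal:principalName, role:roleDefinitionName}" -o table
  az account management-group subscription add --name "$_mg" --subscription "$_sub_id"
}

# Constructed sample input: two IDs for one display name, so the lookup is refused.
printf '%s\n' '11111111-2222-3333-4444-555555555555' 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' \
  | resolve_single_sub_id || echo "lookup refused (status $?)"
```

From a signed-in session, call `move_to_landing_zone "cmp-landing-zones-iic" "iic-lz-azurelocal-001"` and read the two tables it prints before relying on the move for a production subscription.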
Target Structure
cmp-iic-root                             ← organization root MG (already exists)
└── cmp-landing-zones-iic                ← landing zone MG (Task 01)
    └── iic-lz-azurelocal-001            ← subscription (this task)
Validation
- Subscription exists with the name from variables.yml
- Subscription is associated with the landing zone management group (not root)
- Subscription is visible under the landing zone MG in the Azure Portal
- You have Owner or Contributor access to the subscription
Verify via CLI
# Subscription children of a management group are reported with type '/subscriptions'
az account management-group show --name "cmp-landing-zones-iic" --expand \
  --query "children[?type=='/subscriptions'].{Name:name, DisplayName:displayName}" \
  -o table
Troubleshooting
| Symptom | Error | Resolution |
|---|---|---|
| No enrollment account found | Empty result from az billing enrollment-account list | You need EA enrollment account owner role — contact your organization's EA admin |
| Subscription creation fails | AuthorizationFailed or BillingAccountNotFound | Verify your billing access — EA enrollment owner, MCA billing profile contributor, etc. |
| Cannot associate with MG | AuthorizationFailed | Verify Management Group Contributor role on the landing zone MG |
| Subscription under wrong MG | Shows under root or Tenant Root Group | Move: az account management-group subscription add --name cmp-landing-zones-iic --subscription <sub-id> |
| Subscription not visible | Not listed in Azure Portal | Verify you're signed into the correct tenant — check with az account show |
Next Steps
Proceed to Task 03: Create Resource Groups
References
- Create Azure Subscriptions Programmatically
- Create EA Subscriptions
- Create MCA Subscriptions
- Move Subscriptions Between Management Groups
Version Control
- Created: 2026-01-15 by Hybrid Cloud Solutions
- Last Updated: 2026-03-19 by Hybrid Cloud Solutions
- Version: 3.0.0