Manage tenants in your Microsoft Customer Agreement billing account
The article helps you understand and manage tenants associated with your Microsoft Customer Agreement billing account. Use the information to manage tenants, transfer subscriptions, and administer billing ownership while you ensure secure access to your billing environment.
What's a tenant?
A tenant is a digital representation of your organization and is primarily associated with a domain, like Microsoft.com. It's an environment managed through Azure Active Directory that enables you to assign users permissions to manage Azure resources and billing.
Each tenant is distinct and separate from other tenants. You can allow users from other tenants to access your billing account by using one of the following methods:
- Creating guest users in your tenants and assigning the appropriate billing role.
- Associating the other tenant to your tenant and assigning the appropriate billing role.
What's an associated tenant?
An associated tenant is a tenant that is linked to your primary billing tenant’s billing account. You can move Microsoft 365 subscriptions to these tenants. You can also assign billing account roles to users in associated billing tenants. Read more about associated tenants Manage billing across multiple tenants using associated billing tenants.
How tenants and subscriptions relate to billing account
You use your Microsoft Customer Agreement (billing account) to track costs and manage billing. Each billing account has at least one billing profile. The billing profile allows you to manage your invoice and payment method. Each billing profile includes one invoice section, by default. You can create more invoice sections to group, track, and manage costs at a more granular level if needed.
- Your billing account is associated with a single, primary tenant. Users who are part of the primary tenant or who are part of associated tenants can access your billing account if they have the appropriate billing role assigned.
- When you create a new Azure subscription for your billing account, it's created in your tenant or one of the other tenants you have access to. You can choose the tenant while creating the subscription.
- You can move subscriptions to other tenants. You can also link existing subscriptions from other tenants to your billing account. This flexibility allows you to centrally manage billing through one tenant while keeping resources and subscriptions in other tenants based on your needs.
The following diagram shows how billing account and subscriptions are linked to tenants. Let's assume Contoso would like to streamline their billing management through an MCA. The Contoso MCA billing account is in Tenant 1 while Contoso PAYG account is in Tenant 2. They can use a billing ownership transfer to link the subscription to their MCA billing account. The subscription and its resources will still be associated with Tenant 2, but they're paid for using the MCA billing account.
Manage subscriptions under multiple tenants in a single Microsoft Customer Agreement
Billing owners can create subscriptions when they have the appropriate permissions to the billing account. By default, any new subscriptions created under the Microsoft Customer Agreement are in the current user’s tenant. Different tenants can be selected from the list of tenants to which the user has access to create subscriptions.
- You can link subscriptions from other tenants to your Microsoft Customer Agreement billing account. Taking billing ownership of a subscription only changes the invoicing arrangement. It doesn't affect the service tenant or Azure RBAC roles.
Billing ownership transfer
A billing ownership transfer only changes the invoice arrangement for a single subscription. User and resource management for the subscription do not change.
A billing ownership transfer does two things:
- The subscription’s original billing ownership is removed.
- The subscription billing ownership is linked to the target billing account, which could be in a different tenant/directory.
Billing ownership transfer doesn’t affect:
- Azure RBAC permissions
Assign roles to users to your Microsoft Customer Agreement
There are three ways users with billing owner access can assign roles to users to MCA
- Assign billing roles to users in the primary tenant
- Assign billing roles to external users (outside of your primary tenant) if they are part of an associated tenant
- If tenants are not associated, create guest users in primary tenant and assign roles.
Add guest users to your Microsoft Customer Agreement tenant
Users that are added to your Microsoft Customer Agreement billing tenant, to manage billing responsibilities from a different tenant, must be invited as a guest.
To invite someone as a guest, the user must have an existing email address with a domain that's different from your Azure Active Directory (AD) domain. Azure AD sends the guest user an email with a link for authentication.
When a user is added to the Microsoft Customer Agreement tenant, they must accept the invitation.
When they select the Accept invitation link, they're prompted to authenticate with Azure.
Then they select Accept.
After they accept, they can view the Microsoft Customer Agreement billing account under Cost Management + Billing.
Authorization to invite guest users is controlled by your Azure AD settings. The value of the settings is shown under Settings on the Organizational relationships page. Ensure that the setting is selected, otherwise the invitation fails. For more information, see Restrict guest user access permissions.
Guest users get access to the Microsoft Customer Agreement tenant, which can potentially pose a security concern. For more information, see Learn how to restrict guest users' default permissions.
Manage multiple Microsoft cloud services under an Azure AD tenant
You can manage multiple cloud services for your organization under a single Azure AD tenant. User accounts for all of Microsoft's cloud offerings are stored in the Azure AD tenant, which contains user accounts and groups. The following diagram shows an example of an organization with multiple services using a common Azure AD tenant containing accounts. Each service has its own portal, in blue text, where users manage their services.
Read the following articles to learn how to administer flexible billing ownership and ensure secure access to your Microsoft Customer Agreement.
- How to set up a tenant
- Azure built-in roles
- Transfer an Azure subscription to a different Azure AD directory
- Restrict guest access permissions (preview) in Azure Active Directory
- Add guest users to your directory in the Azure portal
- What are the default user permissions in Azure Active Directory?
- What is Azure Active Directory?
Submit and view feedback for