Azure DevOps Governance 101 – How does Identity, Billing and Service Endpoints intertwine?

Introduction

A common discussion I have had in my role is around the “billing structure” of Azure DevOps, though the discussion typically spreads out to other topics like identity and service connections for deployment. In today’s post, we’ll go over the general governance structure behind Azure DevOps.

 

High Level Structure

For this, let us start with a complex drawing! 😉

 

As a bit of an introduction:

  • Azure Active Directory (AAD) is the identity component used on the Azure DevOps side (organization level), on the Azure subscription, and on the contract level for Role Based Access Control (RBAC).
  • Azure DevOps has the concept of an organization, which can hold multiple projects. Billing and identity reside at the organization level (marked in red), whereas the service connections for deployment (pipelines) reside at the project level (marked in green).
  • There can only be one AAD linked to an Azure DevOps organization, though you can invite users from another AAD tenant via a typical B2B invite. This grants access to users outside of the AAD tenant linked to that organization.
  • There can only be one Azure subscription linked for billing, though you can have multiple Azure subscriptions linked as service connections for deployment.
  • Multiple Azure DevOps organizations can use the same Azure subscription for billing. This even allows the scenario of multi-org billing.
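
Because service connections live at project level and several Azure subscriptions can be linked as deployment targets, a useful governance check is an inventory of which project can deploy into which subscription. The sketch below is an added example, not code from the original post; the input shape (`type`, `data.subscriptionId`), the project names and the subscription IDs are constructed assumptions.

```python
from collections import defaultdict

# Constructed placeholder subscription IDs (not real).
SUB_A = "00000000-0000-0000-0000-00000000000a"
SUB_B = "00000000-0000-0000-0000-00000000000b"
BILLING_SUB = "00000000-0000-0000-0000-00000000000c"  # assumed billing subscription

# Constructed sample: service connections exported per project.
# Field names are an assumed shape for an exported service connection list.
SAMPLE = {
    "web-shop": [
        {"name": "prod-deploy", "type": "azurerm", "data": {"subscriptionId": SUB_A}},
        {"name": "source-mirror", "type": "github", "data": {}},
    ],
    "data-platform": [
        {"name": "prod-deploy", "type": "azurerm", "data": {"subscriptionId": SUB_A.upper()}},
        {"name": "sandbox", "type": "azurerm", "data": {"subscriptionId": SUB_B}},
    ],
    "docs": [],
}


def deployment_reach(endpoints_by_project):
    """Map each Azure subscription ID to the projects holding a connection into it."""
    reach = defaultdict(set)
    for project, endpoints in endpoints_by_project.items():
        for ep in endpoints:
            if ep.get("type") != "azurerm":
                continue  # only Azure Resource Manager connections target a subscription
            sub = (ep.get("data") or {}).get("subscriptionId")
            if sub:  # connections scoped above subscription level carry no ID
                reach[sub.lower()].add(project)  # GUIDs compare case-insensitively
    return {sub: sorted(projects) for sub, projects in reach.items()}


def review(endpoints_by_project, billing_subscription):
    """Summarise the points a governance review would look at."""
    reach = deployment_reach(endpoints_by_project)
    return {
        # subscriptions that more than one project can deploy into
        "shared": {s: p for s, p in reach.items() if len(p) > 1},
        # is the billing subscription also used as a deployment target?
        "billing_also_deploy_target": billing_subscription.lower() in reach,
        # projects with no Azure deployment connection at all
        "no_azure_connection": sorted(
            p for p, eps in endpoints_by_project.items()
            if not any(e.get("type") == "azurerm" for e in eps)),
    }


if __name__ == "__main__":
    print(review(SAMPLE, BILLING_SUB))
```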

So much for the basics… Let us now delve deeper into various topics.
