Azure DevOps Governance 101 – How do Identity, Billing and Service Endpoints intertwine?

Introduction

A common discussion I have had in my role is around the “billing structure” of Azure DevOps, though the discussion typically spreads out to other topics like identity and service connections for deployment. In today’s post, we’ll go over the general governance structure behind Azure DevOps.


High Level Structure

For this, let us start with a complex drawing! 😉


As a bit of an introduction:

  • Azure Active Directory (AAD) is the component used for identity on the Azure DevOps side (organization level), on the Azure subscription, and on the contract level for Role Based Access Control (RBAC).
  • Azure DevOps has the concept of an organization, which can hold multiple projects. Billing and identity reside at the organization level (marked in red), whereas the service connections used for deployment (pipelines) reside at the project level (marked in green).
  • Only one AAD tenant can be linked to an Azure DevOps organization. You can, however, invite users from another AAD tenant via a typical B2B invite, thus granting access to users outside of the AAD tenant linked to that organization.
  • Only one Azure subscription can be linked for billing. You can, however, have multiple Azure subscriptions linked as service connections for deployment.
  • Multiple Azure DevOps organizations can use the same Azure subscription for billing. This even enables the scenario of multi-organization billing.

So much for the basics… Let us now delve deeper into the various topics.


Billing

Each Azure DevOps organization is linked to an Azure subscription for billing. If you want to learn more about how to set this up, do check out this documentation page.

Next to that, you can also link multiple organizations to the same Azure subscription, which enables the concept of “Multi Organization Billing”. The advantage is that you can consolidate the user costs across organizations. If each organization had its own Azure subscription while the same users were part of multiple organizations, you would pay for those users multiple times. You can mitigate this by using the same Azure subscription for billing purposes.

A common question here is the ability to share pipelines across organizations… This is not possible. The number of concurrent pipelines is linked to an organization and cannot be shared across organizations.


Identity

Azure DevOps also provides you with the ability to integrate with Azure Active Directory. Want to learn more? Do check out this documentation page.

If you want to invite people from outside of the linked tenant, you can do this via a B2B invite. There is also no relationship between the AAD tenant and the Azure subscription linked for billing, nor with the one used on the billing aspect of your contract.


Deployment

Next to using an Azure subscription for billing purposes… You can also link Azure subscriptions (or other cloud services) via a Service Connection. This connection is the link you can then use in your pipelines. There is also no required link between the Azure subscription used for billing and the ones used for service connections.
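Because service connections live at the project level and are independent of the billing subscription, a governance review has to enumerate them per project to see which Azure subscriptions each project can actually deploy to. The following added example (not part of the original post) does that inventory over the JSON shape returned by the Azure DevOps REST API call `GET https://dev.azure.com/{org}/{project}/_apis/serviceendpoint/endpoints?api-version=7.1-preview.4`; the responses, project names and subscription IDs below are constructed samples, and the field names `type`, `data.subscriptionId` and `authorization.scheme` are assumed from the "azurerm" endpoint format.

```python
"""Inventory which Azure subscriptions each Azure DevOps project can deploy to.

Added example for this post. It parses the JSON body of the service endpoints
list call per project and keeps only Azure Resource Manager ("azurerm")
service connections. All data below is constructed sample data.
"""
from collections import defaultdict

# Constructed sample: project name -> response body of the endpoints list call.
SAMPLE_RESPONSES = {
    "payments": {"count": 2, "value": [
        {"name": "prod-sub", "type": "azurerm",
         "data": {"subscriptionId": "11111111-1111-1111-1111-111111111111",
                  "subscriptionName": "Contoso Prod"},
         "authorization": {"scheme": "ServicePrincipal"}},
        {"name": "github", "type": "github", "data": {},
         "authorization": {"scheme": "OAuth"}},
    ]},
    "sandbox": {"count": 1, "value": [
        {"name": "shared-prod", "type": "azurerm",
         "data": {"subscriptionId": "11111111-1111-1111-1111-111111111111",
                  "subscriptionName": "Contoso Prod"},
         "authorization": {"scheme": "WorkloadIdentityFederation"}},
    ]},
}


def azure_subscriptions_by_project(responses):
    """Return {project: {subscriptionId: [(connection name, auth scheme), ...]}},
    considering only "azurerm" service connections (GitHub etc. are skipped)."""
    result = {}
    for project, body in responses.items():
        subs = defaultdict(list)
        for ep in body.get("value", []):
            if ep.get("type") != "azurerm":
                continue
            sub_id = ep.get("data", {}).get("subscriptionId")
            if sub_id:
                scheme = ep.get("authorization", {}).get("scheme")
                subs[sub_id].append((ep["name"], scheme))
        result[project] = dict(subs)
    return result


def subscriptions_reachable_from_multiple_projects(responses):
    """Subscriptions that more than one project can deploy to. Since service
    connection scope is per project, each of those projects needs its own review."""
    seen = defaultdict(set)
    for project, subs in azure_subscriptions_by_project(responses).items():
        for sub_id in subs:
            seen[sub_id].add(project)
    return {s: sorted(p) for s, p in seen.items() if len(p) > 1}
```

In a real run you would fill the dictionary by calling the endpoints API once per project from the organization's project list and then feed the bodies to these functions unchanged.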


Closing Thoughts

As always, I hope this helps! Governance scenarios are common for any enterprise, and the setup needed to achieve the most complex scenarios does not make the configurable concepts any easier… Though no worries, there is a logic behind it. 😉