Series: Azure Governance for Digital Natives and Startups: This is Part 1 of a 3-part series on Azure governance for digital-native companies scaling on Azure.
- Part 1 (this post): The three-plane model: Identity, Resources, and Billing
- Part 2: Marketplace, Managed Identity, and where the planes collide
- Part 3: Anti-patterns, role structures, and the 10 principles of Azure governance
Azure is a powerful cloud platform, but its governance model is widely misunderstood, especially in fast-moving, engineering-led organizations.
After working with dozens of digital-native customers (AI startups, SaaS platforms, companies scaling from zero to millions in Azure spend), I've seen the same confusion play out over and over. Engineers can't see MACC credits. Finance can't see workloads. Global Admins think they own everything. And Marketplace purchases happen without anyone in Finance knowing.
The root cause is always the same: Azure is governed by three completely separate permission systems, and most teams treat it like one.
If you're a customer moving fast on Azure, you've likely heard these questions:
- "Why can't my engineering Owner see MACC credits?"
- "Why can't a Billing Contributor deploy a VM?"
- "Why doesn't Global Admin let me access subscriptions?"
- "Why can a Contributor deploy AKS but not buy Snowflake?"
- "Why does Cost Management Reader show cost but not credit balance?"
These questions appear in nearly every customer I work with: AI companies consuming Azure OpenAI at scale, SaaS companies running global AKS footprints, and digital natives under Microsoft Azure Consumption Commitments (MACC).
This guide breaks down the entire model with practical patterns and deep insight into each plane — so these questions are never confusing again.
Why digital natives struggle with this
Before diving into the technical model, it's worth understanding why this causes so much friction in digital-native companies specifically. These problems hit startups and scaling companies harder than traditional enterprises for three reasons:
- Speed over governance. Engineering-led companies prioritize shipping over process. Governance is added retroactively, often after something goes wrong.
- Flat org structures. Without clear Platform, Finance, and Security functions, the same people end up with roles across multiple planes creating exactly the kind of role sprawl the three-plane model was designed to prevent.
- MACC commitments. Digital natives under MACC have a financial relationship with Azure that most team members don't even know exists. When engineers can't see MACC burn and finance can't see resource usage, nobody has the full picture.
The result is predictable:
| Role | What They Expect | What They Actually Get |
|---|---|---|
| Engineers | "I'm Owner, I should see everything, including billing" | RBAC gives full resource control but zero billing visibility |
| Finance | "I need to see what's running so I can forecast" | Billing Reader shows credits and invoices but not workloads |
| Security | "I'm Global Admin, I have total control" | Entra controls identity but not resources or billing |
| Procurement | "I need to buy Marketplace software for the team" | Marketplace purchases require billing roles, not RBAC |
| Leadership | "I want a single dashboard for cost, resources, and credits" | No single role spans all three planes; you need a combination |
When these expectations go unaddressed: engineers get billing access "just to see costs" (creating financial risk), Marketplace purchases happen without finance oversight, and Global Admin is treated as the "master key" when it controls only one of three planes.
The fix isn't more permissions. It's the right permissions in the right plane for the right people.
The three-plane model
Everything in Azure governance flows from this single truth:
| Plane | Controls | Example Roles | See Billing? | Deploy Resources? | Manage Identity? |
|---|---|---|---|---|---|
| Microsoft Entra (Identity) | Users, groups, MFA, PIM, Conditional Access | Global Admin, Groups Admin, PIM Admin | ❌ No | ❌ No | ✅ Yes |
| Azure RBAC (Resources) | VMs, AKS, Storage, AOAI, networking, policies | Owner, Contributor, Reader | ❌ No | ✅ Yes | ❌ No |
| Billing / Commerce (Financial) | Invoices, credits, MACC, payments, Marketplace purchases | Billing Owner, Billing Reader | ✅ Yes | ❌ No | ❌ No |
Three planes. Zero overlap. A role in one plane grants zero access in the others.
- Entra Global Admin can't access subscriptions.
- Subscription Owner can't see the MACC balance.
- Billing Account Owner can't deploy resources.
This separation is by design. Once your company internalizes it, governance becomes dramatically more predictable.
Plane 1: Microsoft Entra (Identity Plane)
Security, authentication, authorization, administrative boundaries.
Microsoft Entra (formerly Azure AD) is the authoritative identity provider for Azure. It governs identity, authentication, Conditional Access, PIM (Privileged Identity Management), group membership, and tenant-wide administrative policies. Entra is the security boundary for the entire tenant.
💡 Common misunderstanding: "I'm Global Admin, why can't I access subscriptions?"
Because Entra roles do not grant Azure RBAC permissions by default. This behavior is intentional and foundational. A compromised Global Admin cannot delete all subscriptions. A compromised Subscription Owner cannot compromise directory security. Identity and infrastructure operate independently for resiliency.
What Entra roles can do
- Create and manage users
- Manage MFA & Conditional Access
- Approve PIM requests
- Manage security settings
- Create/assign groups (which can then hold RBAC roles)
- Manage enterprise applications, OIDC apps, etc.
What Entra roles cannot do
| Action | Allowed? |
|---|---|
| Deploy resources | ❌ No |
| Access subscriptions | ❌ No |
| View MACC credits | ❌ No |
| Make Marketplace purchases | ❌ No |
| Modify billing profiles | ❌ No |
| Change RBAC roles | ❌ No |
| Access data or storage accounts | ❌ No |
Most relevant Entra roles for startups
| Entra Role | Purpose |
|---|---|
| Global Administrator | Full directory control (identity, security) |
| Privileged Role Administrator | Manages privileged role assignments |
| Groups Administrator | Creates and manages groups (often used for RBAC assignments) |
| Conditional Access Administrator | Manages CA policies |
| Authentication Administrator | Controls authentication settings |
| Security Administrator | Manages security policies and alerts |
Key insight: Entra governs identity and security, not cloud resources or billing. Because Entra manages groups, and groups are often used for RBAC assignments, Entra is the root of who can be given access, but not what access they have. This is where many organizations misunderstand the boundary.
Plane 2: Azure RBAC (Resource Plane)
Everything engineering touches: workloads, clusters, deployments, pipelines, resources.
Azure RBAC is the backbone of the Azure operational model. It controls all deployments (IaC, CLI, Portal, API), resource creation & modification, monitoring & diagnostics, Key Vault, Storage, Networking, AKS cluster operations, Azure OpenAI deployments, everything under Azure Resource Manager (ARM).
RBAC scopes
RBAC can be assigned at: Tenant root → Management group → Subscription → Resource group → Individual resource → Sub-resource (e.g., Key Vault secret).
RBAC role behavior
| Role | Can Deploy? | Can View Usage Cost? | Can View Billing/MACC? |
|---|---|---|---|
| Owner | ✅ Yes | ✅ Yes | ❌ No |
| Contributor | ✅ Yes | ✅ Yes | ❌ No |
| Reader | ❌ No | ✅ Yes (limited) | ❌ No |
| Cost Management Reader | ❌ No | ✅ Yes | ❌ No |
| User Access Admin | ❌ No | ❌ No | ❌ No |
The critical point: RBAC cannot see billing. RBAC cannot view MACC. RBAC cannot read invoices. RBAC cannot approve Marketplace purchases. Even Owner, the highest role in the resource plane, is blind to billing.
Plane 3: Azure Billing/Commerce (Financial Plane)
Governed by the Microsoft Commerce Platform, not Azure Resource Manager.
This plane governs the financial relationship between the customer and Microsoft: billing accounts, invoices, credits (MACC, Azure credits, grants), commitments, discounts, payment methods, invoice sections, Marketplace SaaS purchases, reservations & savings plans, and private offers. Commerce roles live in an entirely different system from RBAC.
Common billing roles
| Role | Can see credits? | Can deploy? | Notes |
|---|---|---|---|
| Billing Account Owner | ✅ Yes | ❌ No | Full financial authority |
| Billing Contributor | ✅ Yes | ❌ No | Can update payment methods |
| Billing Reader | ✅ Yes | ❌ No | Most finance teams use this |
| Invoice Section Owner | ✅ Yes | ❌ No | Scoped financial management |
What billing roles can see: MACC balance, credits, invoices, payment history, reservations & savings plans (financial side), and Marketplace purchase capabilities.
What billing roles cannot do: deploy anything, modify RBAC, access resources, see workloads, change policy, or access cost analysis at resource group level.
Billing is where MACC lives. MACC (Azure Consumption Commitment) visibility is tied to Billing Account Owner, Billing Account Contributor, and Billing Reader. Even a subscription Owner cannot see MACC burn rate. This single point causes confusion in almost every startup onboarding Azure.
Full comparison matrix
When you need to answer "who can see what?" Use this table:
| Data type | System | Who can see it |
|---|---|---|
| Resource usage cost | ARM (RBAC) | Cost Mgmt Reader, Owner, Contributor |
| Resource inventory | ARM (RBAC) | Owner, Contributor, Reader |
| Budgets & cost alerts | ARM (RBAC) | Owner, Contributor, Cost Mgmt Reader |
| Azure OpenAI cost analysis | ARM (RBAC) | RBAC roles |
| MACC credit balance | Commerce Platform | Billing roles only |
| Invoices & payments | Commerce Platform | Billing roles only |
| Marketplace private offers | Commerce Platform | Billing roles only |
| Commercial discounts | Commerce Platform | Billing roles only |
💡 If your engineering lead says "I can see costs" and your CFO says "I can see costs", they are looking at different data from different systems. Both are right. Neither has the full picture.
The #1 source of confusion: Cost Management Reader vs. Billing Reader
This is the single most frequent misunderstanding in Azure governance. These two roles sound similar. They are completely different systems.
Cost Management Reader (RBAC Plane)
Can see: usage-based resource cost, cost by tags, cost by resource, cost forecast, budgets & alerts.
Cannot see: credits, invoices, payments, MACC, private offers, or contract terms.
Billing Reader (Commerce Plane)
Can see: invoices, credits, payments, MACC balance, Marketplace transaction history.
Cannot see: resource-level cost breakdown, cost by tags, subscription usage trends, or resource inventory.
| Data type | Where it lives | Who can see it |
|---|---|---|
| Resource usage cost | Azure Cost Management (ARM) | Cost Mgmt Reader, Owner, Contributor |
| Budgets & cost alerts | ARM | Owner, Contributor, Cost Mgmt Reader |
| MACC credit balance | Commerce Platform | Billing roles only |
| Invoices | Commerce Platform | Billing roles only |
| Marketplace private offers | Commerce Platform | Billing roles only |
| Commercial discounts | Commerce Platform | Billing roles only |
Cost visibility (usage-based cost) comes from RBAC. Billing visibility (credits, invoices, MACC) comes from Commerce. These are two completely different datasets. When you understand this distinction, half of the "why can't I see…?" questions answer themselves.
Quick start: where to set this up
Here's exactly where each plane is configured, in the Portal and via CLI.
Microsoft Entra (Identity Plane)
Portal: Azure Portal → Microsoft Entra ID → Roles and administrators
# List Entra directory role assignments az rest --method GET --url "https://graph.microsoft.com/v1.0/directoryRoles" # Add a user to a directory role az ad group member add --group "Groups Administrator" --member-id <user-object-id>Azure RBAC (Resource Plane)
Portal: Subscription → Access Control (IAM) → Add role assignment
# Assign Contributor at subscription scope az role assignment create \ --assignee "user@contoso.com" \ --role "Contributor" \ --scope "/subscriptions/{subscription-id}" # Assign Cost Management Reader at resource group scope az role assignment create \ --assignee "user@contoso.com" \ --role "Cost Management Reader" \ --scope "/subscriptions/{sub-id}/resourceGroups/{rg-name}"Azure Billing/Commerce (Financial Plane)
Portal: Azure Portal → Cost Management + Billing → Billing scopes → select billing account → Access control (IAM)
# List billing accounts az billing account list --output table # Assign Billing Reader via REST API az rest --method PUT \ --url "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/{billing-account-id}/billingRoleAssignments/{id}?api-version=2024-04-01" \ --body '{"properties":{"principalId":"{user-object-id}","roleDefinitionId":"/providers/Microsoft.Billing/billingAccounts/{billing-account-id}/billingRoleDefinitions/{billing-reader-role-id}"}}'References
- Azure RBAC Overview
- Entra Directory & Admin Roles
- Billing Roles (Microsoft Customer Agreement)
- Assign Access to Cost Management Data
What's next → This post established the foundation: Azure's three permission planes are separate by design. But the real complexity begins where these planes intersect.
In the part 2, we'll explore Marketplace governance, where resource deployment meets financial authority along with Managed Identity, the one construct that bridges two planes, and ABAC for advanced conditional governance.
Microsoft