Part 3 of 3: The implementation playbook for engineering, finance, and security teams
In Part 1, we established Azure's three-plane model: Entra for identity, RBAC for resources, Commerce for billing. In Part 2, we explored where those planes collide: Marketplace governance, Managed Identity, and ABAC.
Now it's time to get practical. This post covers the patterns that work, the anti-patterns that don't, and the governance principles that every digital-native company should adopt before they're forced to adopt them after an incident.
7 anti-patterns to avoid
These seven anti-patterns appear repeatedly across AI, SaaS, and digital-native customers. Every one of them has caused real incidents — surprise invoices, accidental deletions, compliance failures, or governance breakdowns.
❌ Anti-Pattern 1: Giving engineers billing permissions
What happens: Engineers are given Billing Reader or Billing Contributor roles "so they can see costs." They can now see MACC credits, private offer terms, commercial discounts, and Marketplace purchase history, none of which they need.
Symptoms: Engineers purchasing Marketplace SaaS without oversight. Surprise invoices. Procurement loses visibility into vendor commitments.
Fix: Engineers need Cost Management Reader (RBAC) for usage-based cost visibility. They do not need billing roles. If they need to understand MACC impact, create a reporting process, don't give them the keys.
❌ Anti-Pattern 2: Giving finance subscription owner access
What happens: Finance teams are given Owner or Contributor roles on subscriptions "so they can track spending." They now have the ability to deploy, modify, and delete production resources.
Symptoms: Massive over-permissioning. Finance can accidentally delete production resources. Audit risk, regulators will flag this.
Fix: Finance roles belong in the Billing plane, not the resource plane. Give finance Billing Reader for credit and invoice visibility. If they also need resource cost data, add Cost Management Reader (RBAC) scoped to the appropriate subscriptions — that's a read-only, resource-plane role.
❌ Anti-Pattern 3: Too many subscription owners
What happens: Every senior engineer, team lead, and sometimes product managers get Owner on subscriptions. The logic: "they need to unblock themselves."
Symptoms: No accountability, when everyone is Owner, nobody is. High blast radius. Hard to trace role assignments when troubleshooting.
Fix: Maximum 2–3 Owners per subscription: Platform Lead, SRE Lead, and optionally the Cloud Architect. Everyone else gets Contributor or scoped roles. Use PIM for emergency elevation.
❌ Anti-Pattern 4: Believing Entra Global Admin = Azure Owner
What happens: Leadership assumes Global Admin has universal access: subscriptions, resources, billing. They don't. Global Admin controls the identity plane only.
Symptoms: Security teams thinking they can see all resources (they can't). Incorrect governance designs that assume Entra = RBAC.
Fix: Train leadership explicitly: Entra ≠ RBAC ≠ Billing. Three planes, three sets of roles, zero overlap. A Global Admin who needs resource access must be separately granted RBAC roles.
❌ Anti-Pattern 5: Deploying marketplace SaaS without finance
What happens: Engineers purchase Marketplace tools directly because they have billing permissions (see Anti-Pattern 1) or because the org hasn't restricted Marketplace purchases.
Symptoms: Incorrect MACC burn. Licensing duplicates. Vendor lock-in without legal review. Private offer terms not applied.
Fix: Require finance approval for all paid Marketplace purchases. Follow the five-step workflow from Part 2: Engineer requests → Finance reviews → Billing executes → Engineering deploys → Cost monitoring activated.
❌ Anti-Pattern 6: Mixed dev/test/prod in one subscription
What happens: To save time, teams put all environments in one subscription.
Symptoms: Can't isolate production costs. A Contributor on the sub can modify both dev and prod. Can't enforce stricter policies on prod without affecting dev. Compliance teams can't get clean boundaries.
Fix: Separate subscriptions by environment. Pattern: 1 subscription per environment per workload (or at minimum per environment). Use cross-subscription networking via Hub & Spoke or Landing Zones.
❌ Anti-Pattern 7: Not using Azure Policy
What happens: Teams deploy freely with no guardrails. Over time: VMs in unapproved regions, GPU SKUs in non-production, storage accounts without encryption, missing tags, public IP drift.
Symptoms: Inconsistent regions. Wrong VM families. Missing tags make cost attribution impossible. Non-compliant configurations.
Fix: Adopt Azure Policy early, at Management Group scope. Critical policies: allowed locations, allowed VM SKUs, enforce HTTPS, enforce private endpoints, enforce tagging (environment, owner, cost-center).
Recommended role structure
Based on experience with dozens of digital-native customers, here's the role structure that works across the three planes.
Engineering plane (RBAC)
- 2–3 subscription Owners: Platform Lead, SRE Lead, Cloud Architect
- Platform/SRE team as Contributors: deploy and manage infrastructure
- Developers as RG-scoped Contributors or Readers: limited to their workload's resource group
- Cost Management Reader for budget owners: usage visibility without deployment rights
- Azure Policy for guardrails: VM SKUs, regions, encryption, tags
- Management Groups for organizational structure
Finance plane (Commerce)
- Billing Account Owner = CFO or Finance Director
- Billing Contributor = Finance Operations
- Billing Reader = FP&A and financial analysts
- All Marketplace-paid offers require finance approval
- MACC visibility restricted to finance roles
Identity/Security plane (Entra)
- 2–4 Global Admins (break-glass accounts included)
- PIM enforced for all privileged roles, no permanent admin access
- Conditional Access for all admin roles (MFA, compliant device, block legacy auth)
- Groups used for RBAC assignment, never assign RBAC to individual users
- Workload identities (Managed Identity) preferred over service principals
Role mapping templates
Copy these into your onboarding documentation.
Engineering Team
| Role | Azure Role | Plane | Allowed actions |
|---|---|---|---|
| Cloud Architect | Owner (2–3 per sub) | RBAC | Govern workloads, assign roles, manage infrastructure |
| Platform / SRE | Contributor | RBAC | Deploy and manage infrastructure |
| Developer | Contributor or Reader (RG-scoped) | RBAC | Deploy to specific resource groups |
| Budget Owner | Cost Management Reader | RBAC | View usage-based cost, manage budgets — not billing |
Finance Team
| Role | Azure Role | Plane | Allowed actions |
|---|---|---|---|
| Finance Lead | Billing Account Owner | Billing | View and manage credits, invoices, MACC, payment methods |
| Finance Analyst | Billing Reader | Billing | Read-only billing visibility |
| FP&A | Billing Reader | Billing | Read-only; no deployments, no resource access |
Leadership
| Role | Azure Role | Plane | Actions |
|---|---|---|---|
| CTO / VP Engineering | Reader or Cost Mgmt Reader | RBAC | Visibility into platform and resource costs |
| CFO | Billing Reader | Billing | Visibility into credits, invoices, MACC, commitments |
RACI Matrix
Adapted from the Microsoft Cloud Adoption Framework.
| Function | Accountable | Responsible | Consulted | Informed |
|---|---|---|---|---|
| Billing account roles & access | Finance Lead | Finance Ops | Cloud Architect | Engineering |
| Subscription role assignments | Cloud Architect | Platform / SRE | Finance, Security | Engineering |
| Cost monitoring & budgets | Finance | Engineering | Leadership | All teams |
| Marketplace purchases | Finance Lead | Finance Ops | Engineering, Legal | CFO |
| IaC / Deployment governance | Platform Lead | Engineers | Security | Finance |
| Policies & guardrails | Security / Cloud Architect | Platform Team | Engineering | Leadership |
| Identity & access governance | Security Lead | Identity Admin | Cloud Architect | All teams |
| PIM & Conditional Access | Security Lead | Identity Admin | Platform Lead | Engineering |
| MACC tracking & credit visibility | Finance Lead | Finance Ops | Cloud Architect | Leadership |
Include this template in your onboarding documentation and review it quarterly.
Best Practices
Use Entra Groups for RBAC assignment, never assign directly to users
Benefits: clear separation of identity and resource planes, easy onboarding/offboarding, predictable RBAC inheritance, enables PIM for group-based elevation.
Naming pattern:
- grp-sub-<SubscriptionName>-Owner
- grp-sub-<SubscriptionName>-Contributor
- grp-rg-<WorkloadName>-Reader
Assign the group to the role, not individual users.
Enforce PIM + Conditional Access for all privileged roles
Key CA policies: MFA required for all admins, compliant device requirement, block legacy authentication, block sign-in from high-risk locations, require phishing-resistant MFA.
No permanent admin access. Use time-based elevation for every privileged operation.
Separate subscriptions by environment and workload
Subscriptions are a security boundary. Pattern: 1 subscription per environment per workload. Platform teams get their own subscription. Use Hub & Spoke or Landing Zones for cross-subscription networking.
Keep billing data confidential
Only Billing roles should see credits, commitments, discounts, invoices, and MACC balance. Engineers should never have access to commercial data.
The 10 Principles of Azure Governance
After working with digital natives across AI, SaaS, and infrastructure companies, I can summarize Azure governance into these principles:
| # | Principle | Summary |
|---|---|---|
| 1 | Separate identity, resources, and billing. Always. | Never mix roles across planes. An engineer should never hold billing roles. A finance analyst should never hold subscription Owner. |
| 2 | Engineering owns the resource plane. | Give them Contributor and Cost Management Reader. Don't burden them with billing or identity administration. |
| 3 | Finance owns the billing plane. | Credits, MACC, invoices, private offers. Every Marketplace purchase flows through Finance. |
| 4 | Security owns identity and governance. | PIM, Conditional Access, Azure Policy. Identity decisions should not be made by engineering or finance. |
| 5 | Keep subscription Owners scarce. | Maximum 2–3 per subscription. Use PIM for emergency elevation. Everyone else gets Contributor or scoped roles. |
| 6 | Lock down Marketplace. | Every SaaS purchase approved by Finance. No exceptions. Use the five-step workflow. |
| 7 | Use Infrastructure as Code. | Manual deployments don't scale and can't be audited. Use Bicep, Terraform, or Pulumi. |
| 8 | Use budgets early. | Set budgets at Management Group, Subscription, and Resource Group levels. Configure alerts to email, Teams, or automation. |
| 9 | Use Management Groups from day one. | Every startup that scales beyond a single subscription regrets not using them. Recommended hierarchy: Tenant Root → OrgName → Platform / Production / NonProduction / Sandbox / Shared Services. |
| 10 | Build governance before scale. | The companies that scale successfully treat Azure governance as infrastructure, not bureaucracy. |
References
- Azure RBAC Overview
- Entra Directory & Admin Roles
- Billing Roles (Microsoft Customer Agreement)
- Assign Access to Cost Management Data
- Marketplace Purchases & Invoicing
- Private Offers in Azure Marketplace
- Azure RBAC Conditions (ABAC)
- Azure Policy Overview
- Cloud Adoption Framework RACI
- Managed Identities Overview
- AKS Workload Identity
Closing thoughts
Azure's three permission planes aren't a problem to solve, they're a framework to leverage.
The confusion happens when teams try to treat Azure as if it has a single permission system. It doesn't, and it never will. Because identity, billing, and resource deployment are fundamentally different domains that must be operated and secured differently.
But when organizations understand these three planes and structure their roles accordingly, something powerful happens:
- Engineering moves faster. Clear RBAC scopes mean teams deploy without waiting for approvals they don't need.
- Finance gains real oversight. Billing roles provide full commercial visibility without the risk of touching production resources.
- Security gets a clean, enforceable boundary model. Entra controls identity; PIM and Conditional Access control elevation; Azure Policy controls the guardrails.
- Leadership sees clarity instead of chaos. The right roles in the right planes mean dashboards, reports, and alerts actually reflect what each stakeholder needs.
Good governance doesn't slow down innovation. Bad governance does.
The companies that scale successfully, whether AI-native, SaaS platforms, or global digital-first organizations, are the ones that adopt a clean, intentional model early. They treat Azure governance as infrastructure, not bureaucracy.
The model is simple: Entra for who. RBAC for what. Commerce for how you pay. Start with that, and everything else becomes easier.
This concludes the 3-part series on Azure Governance for Digital Natives. For the full model, start with Part 1: The Three Permission Planes. For collision points and Managed Identity, read Part 2: Marketplace Governance and the Cross-Plane Bridge.
Microsoft