You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/cost-management-billing/manage/direct-ea-administration.md
+22Lines changed: 22 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -82,6 +82,28 @@ An Azure enterprise administrator (EA admin) can view and manage enrollment prop
82
82
83
83
For more information about the department admin (DA) and account owner (AO) view charges policy settings, see [Pricing for different user roles](understand-ea-roles.md#see-pricing-for-different-user-roles).
84
84
85
+
#### Authorization levels allowed
86
+
87
+
Enterprise agreements have an authorization (previously labeled authentication) level set that determines which types of users can be added as EA account owners for the enrollment. There are four authorization levels available.
88
+
89
+
- Microsoft Account only - For organizations that want to use, create, and manage users through Microsoft accounts.
90
+
- Work or School Account only - For organizations that set up Microsoft Entra ID with Federation to the Cloud and all accounts are on a single tenant.
91
+
- Work or School Account Cross Tenant - For organizations that set up Microsoft Entra ID with Federation to the Cloud and have accounts in multiple tenants.
92
+
- Mixed Mode - Allows you to add users with Microsoft Account and/or with a Work or School Account.
93
+
94
+
The first work or school account added to the enrollment determines the _default_ domain. To add a work or school account with another tenant, you must change the authorization level under the enrollment to cross-tenant authentication.
95
+
96
+
Ensure that the authorization level set for the EA allows you to create a new EA account owner using the subscription account administrator noted previously. For example:
97
+
98
+
- If the subscription account administrator has an email address domain of `@outlook.com`, then the EA must have its authorization level set to either **Microsoft Account Only** or **Mixed Mode**.
99
+
- If the subscription account administrator has an email address domain of `@<YourAzureADTenantPrimaryDomain.com>`, then the EA must have its authorization level set to either **Work or School Account only** or **Work or School Account Cross Tenant**. The ability to create a new EA account owner depends on whether the EA's default domain is the same as the subscription account administrator's email address domain.
100
+
101
+
Microsoft accounts must have an associated ID created at [https://signup.live.com](https://signup.live.com/).
102
+
103
+
Work or school accounts are available to organizations that set up Microsoft Entra ID with federation and where all accounts are on a single tenant. Users can be added with work or school federated user authentication if the company's internal Microsoft Entra ID is federated.
104
+
105
+
If your organization doesn't use Microsoft Entra ID federation, you can't use your work or school email address. Instead, register or create a new email address and register it as a Microsoft account.
106
+
85
107
## Add another enterprise administrator
86
108
87
109
Only existing EA admins can create other enterprise administrators. Use one of the following options, based on your situation.
![prmerger-automator[bot]](https://avatars.githubusercontent.com/u/22479449?v=4&size=40){kind=avatar}
0 commit comments