How to Effectively Use Azure Management Groups, Subscriptions, and Resource Groups

When used individually, Azure Management Groups, Subscriptions, and Resource Groups are very powerful. But when used together, they can establish the entire organizational structure of Azure.

In this article, I will explain Azure Resource Manager, Management Groups, Subscriptions and Resource Groups. I’ll show the relationship between each and provide guidance on how to most effectively use them all to organize Azure to meet the needs of your business. 

To deep dive into these topics, check out Cloud Academy’s full video-based Learning Path: AZ-103 Exam Preparation: Microsoft Azure Administrator. This Learning Path is designed to help you prepare for the AZ-103 Microsoft Azure Administrator exam, and it’s loaded with 25+ hours of content, including courses, quizzes, hands-on labs, and practices exams.

AZ-103 Exam Preparation: Microsoft Azure Administrator

Azure Resource Manager

In Azure, Subscriptions, Management Groups, and Resource Groups are all essential organizational constructs. But to understand the purpose of Azure Subscriptions and Management Groups, you need to begin by understanding the Azure Resource Management hierarchy.

What is Azure Resource Manager?

Azure Resource Manager is at the core of Microsoft Azure. It serves as an essential component of Azure deployment and provides a unified management layer regardless of the tool set used. Whether you use the Azure website, Azure CLI, Azure Powershell, or one of the many other methods for managing Azure resources, your commands all utilize Azure Resource Manager.

Understanding the Resource Manager Hierarchy

The Azure Resource Manager model uses four levels, or “scopes.” The following diagram provides an example of each of these scopes.

Azure Scope Levels

Image Source: Azure Resource Manager Overview

Azure Management Groups

What is a management group?

An Azure Management group is logical containers that allow Azure Administrators to manage access, policy, and compliance across multiple Azure Subscriptions en masse. Management groups allow you to build an Azure Subscription tree that can be used with several other Azure service, including Azure Policy and Azure Role Based Access Control. Azure Management Groups provide flexibility for organizing policy, access control, and compliance across multiple subscriptions. We can nest Azure Management Groups up to six levels deep for efficient management of resources.

Effective use of management groups

Among the multiple ways management groups can be utilized, Azure Management Groups can mirror your billing hierarchy. Often enterprises begin utilizing management groups in this method. However, the power of management groups is when you use them to model your organization. Azure Subscriptions can be grouped based on a need for common roles assigned along with Azure Policies and initiatives.

Organizing with management groups

Azure Management Groups provide a level of organization above Azure Subscriptions. If your company has more than one or two Azure Subscriptions, you will want to actively control access, policies, and compliance for those subscriptions. All subscription objects within a management group receives a copy of the role-based access control and policy settings applied to the management group. 

Root management group for each directory

Each Azure Active Directory (AD) tenant includes a top level or “root” management group. By default, only an Azure AD Global Administrator can access this root level group, and only after elevating access. The root management group has several important facts to be aware of:

  • Root management group is named Tenant root group, though the name can be changed.
  • The root management group cannot be moved or deleted
  • All management groups in the Azure AD are under the root management group.
  • All Azure users can see the root management group
  • You can only have one root management group
  • New subscriptions are automatically placed in the root management group when created.

Important facts about management groups

  • Up to 10,000 management groups are supported in a single Azure AD tenant.
  • Management group trees can support up to six levels of depth, not including the root level or the subscription level.
  • Management groups and subscriptions can only support one parent.
  • Management groups can have many children.
  • All subscriptions and management groups are within a single hierarchy in each directory. 

Limitations of management groups

Management groups have one large limitation: A management group cannot contain an Azure Resource. It can only contain other management groups or subscriptions.

Azure Subscriptions

What is an Azure Subscription?

An Azure Subscription can be defined in many ways, but at its simplest a subscription refers to the logical entity that provides entitlement to deploy and consume Azure resources. Some other ways to define an Azure Subscription:

  • A logical collection of Azure resources. Each asset in Azure is deployed to a single subscription.
  • A defined administrative security boundary that supports Role-Based Access Control.
  • A limiting factor to Azure scale (more on this below, see Subscription Limitations).
  • A deployment construct for the organization and consistency of Azure resources

Azure Subscriptions come with multiple considerations:

  • An Azure Subscription doesn’t cost anything
  • Each Azure Subscription has its own Administrators
  • Azure Subscriptions are global and can contain resources from multiple regions
  • Subscriptions can be purchased via many different methods (see Types of Subscriptions)

Microsoft’s definition of a subscription is “an agreement with Microsoft to use one or more Microsoft cloud platforms or services, for which charges accrue based on either a per-user license fee or on cloud-based resource consumption.”

How do subscriptions work?

Azure Subscriptions, at their core, are simple constructs. As stated above, an Azure Subscription can be used in multiple ways to organize and store Azure resources, and to organize resources in containers.

Types of subscriptions

There are a large number of ways to create a subscription with Microsoft Azure, I am going to attempt to list the most prevalent. Please see the Microsoft Azure Offer Details site for a complete list of subscription types.

  • Enterprise Agreement (EA) – an Enterprise Agreement is a volume licensing program offered by Microsoft. The Enterprise Agreement most often is seen in larger organizations with 500 or more users, and is a three year contract with Microsoft. The EA is one of the most common types of subscriptions. Also see Enterprise Dev/Test, which offers the same access as an Enterprise Agreement with a reduced rate for development and test workloads.
  • Pay as you go – Pay as you go is the second most common subscription type. Typically, the business will place a credit card file. Though rare, occasionally a client will pay by invoice.
  • Free Trial – Anyone can sign up for a Free Trial of Azure, which is good for 30 days. The free trial subscription includes $200 of Azure spend credits. A free trial is converted to Pay once a credit card is placed on file.
  • Cloud Solutions Partner (CSP) – CSP subscriptions are purchased through a Microsoft partner.

Subscription limitations

Azure has a large number of limitations per subscription, which are often referred to as “quotas”. Many (but not all) of the subscription limits can be raised by opening an online customer support request with Microsoft. Even so, all limits have a maximum value. Once you reach a maximum value, the only way to overcome it is multiple subscriptions. Details on most of the limits can be found on Microsoft Documentation site Azure subscription and service limits, quotas, and constraints.

Subscription design

In addition to Management Groups, subscriptions provide multiple layers to best organize Azure Resources to meet the needs of the enterprise. Ultimately, it is up to the business to determine how best to utilize Azure Subscriptions to organize Azure Resources. My advice; start simple. Generally I recommend beginning with two subscriptions, one for Production resources and one for non-production such as development and test.

How many subscriptions is too many?

As the number of Azure Subscriptions increases, so too does the management complexity and administrative overhead. With that being said, I give the same advice to everyone who asks me this question. Start as simple as possible, and expand as business needs demand. But with that advice, I also include the following caveat. Azure Azure (and your business) grow, be prepared to discover that the business has developed a requirement that will necessitate a move to additional subscriptions.

Subscription and management group hierarchy examples

Used in conjunction, Azure Subscriptions and Management Groups can be used to create an organizational hierarchy for your Azure Resources. An example hierarchy is included below.

Hierarchy of management groups and subscriptions

Image source: https://docs.microsoft.com/en-us/azure/governance/management-groups/

Azure Resource Groups

What is a resource group?

Resource groups are the lowest level of organizational scope, and are the level that contains almost all Azure Resources. Azure Resources Groups are logical collections of virtual machines, app services, storage accounts, virtual networks, web apps, Azure SQL databases, etc. Resource groups can be utilized to subdivide resources by application or environment, among the many options.

Azure Resource Groups are a useful tool for Role-Based Access Control (RBAC). This will allow you to grant user access at the group level. Resource Groups can also simplify reporting and billing.

 

Orion Withrow

Written by

Orion Withrow

Orion is a Sr. Solutions Architect, focused on Microsoft technologies for the last 15 years. He lives in Louisa, Virginia with his loving wife of 14 years, where they are devoted parents of four energetic, beautiful (and sometimes challenging) children. As parents and homeschoolers of an Autistic child, Orion and his wife are active in both Autism and Home School communities.


Related Posts

Nisar Ahmad
Nisar Ahmad
— November 12, 2019

Kubernetes Services: AWS vs. Azure vs. Google Cloud

Kubernetes is a popular open-source container orchestration platform that allows us to deploy and manage multi-container applications at scale. Businesses are rapidly adopting this revolutionary technology to modernize their applications. Cloud service providers — such as Amazon Web Ser...

Read more
  • AWS
  • Azure
  • Google Cloud
  • Kubernetes
Alisha Reyes
Alisha Reyes
— November 6, 2019

New on Cloud Academy: AZ-900 Exam Update; MS-100 Exam Prep; PRINCE2 Foundation; Azure, Kubernetes, and Google Hands-on Labs; and Much More

This month, our Content Team really kicked it into overdrive with tons of new content. If you're Team Azure, then you'll be amazed at the number of Azure Courses and Hands-on Labs we published this month alone!  At any time, you can find all of our new releases by going to our Training ...

Read more
  • AZ-900
  • Azure
  • Google Cloud Platform
  • Kubernetes
  • MS-100
  • New content
  • PRINCE2
  • Product Feature
Joe Nemer
Joe Nemer
— October 30, 2019

How to Get Hands-on Experience on AWS, Azure, and GCP: Lab Challenges

Meaningful cloud skills require more than book knowledge. Hands-on experience is required to translate knowledge into real-world results. We see this time and time again in studies about how kids and adults best learn — doing the actual learning task is key. Hands-on Labs and Lab Challe...

Read more
  • AWS Labs
  • Azure
  • Google Cloud Platform
  • Hands-on Labs
Avatar
Cloud Academy Team
— October 23, 2019

Which Certifications Should I Get?

As we mentioned in an earlier post, the old AWS slogan, “Cloud is the new normal” is indeed a reality today. Really, cloud has been the new normal for a while now and getting credentials has become an increasingly effective way to quickly showcase your abilities to recruiters and compan...

Read more
  • AWS
  • Azure
  • Certifications
  • Cloud Computing
  • Google Cloud Platform
Alisha Reyes
Alisha Reyes
— October 1, 2019

New on Cloud Academy: ITIL® 4, Microsoft 365 Tenant, Jenkins, TOGAF® 9.1, and more

At Cloud Academy, we're always striving to make improvements to our training platform. Based on your feedback, we released some new features to help make it easier for you to continue studying. These new features allow you to: Remove content from “Continue Studying” section Disc...

Read more
  • AWS
  • Azure
  • Google Cloud Platform
  • ITIL® 4
  • Jenkins
  • Microsoft 365 Tenant
  • New content
  • Product Feature
  • Python programming
  • TOGAF® 9.1
Avatar
Jeremy Cook
— September 17, 2019

Cloud Migration Risks & Benefits

If you’re like most businesses, you already have at least one workload running in the cloud. However, that doesn’t mean that cloud migration is right for everyone. While cloud environments are generally scalable, reliable, and highly available, those won’t be the only considerations dri...

Read more
  • AWS
  • Azure
  • Cloud Migration
Joe Nemer
Joe Nemer
— September 6, 2019

Google Cloud Functions vs. AWS Lambda: The Fight for Serverless Cloud Domination

Serverless computing: What is it and why is it important? A quick background The general concept of serverless computing was introduced to the market by Amazon Web Services (AWS) around 2014 with the release of AWS Lambda. As we know, cloud computing has made it possible for users to ...

Read more
  • AWS
  • Azure
  • Google Cloud Platform
Alisha Reyes
Alisha Reyes
— August 30, 2019

New on Cloud Academy: CISSP, AWS, Azure, & DevOps Labs, Python for Beginners, and more…

As Hurricane Dorian intensifies, it looks like Floridians across the entire state might have to hunker down for another big one. If you've gone through a hurricane, you know that preparing for one is no joke. You'll need a survival kit with plenty of water, flashlights, batteries, and n...

Read more
  • AWS
  • Azure
  • Google Cloud Platform
  • New content
  • Product Feature
  • Python programming
Alisha Reyes
Alisha Reyes
— August 22, 2019

How to Unlock Complimentary Access to Cloud Academy

Are you looking to get trained or certified on AWS, Azure, Google Cloud Platform, DevOps, Cloud Security, Python, Java, or another technical skill? Then you'll want to mark your calendars for August 23, 2019. Starting Friday at 12:00 a.m. PDT (3:00 a.m. EDT), Cloud Academy is offering c...

Read more
  • AWS
  • Azure
  • cloud academy content
  • complimentary access
  • GCP
  • on the house
Avatar
Andrew Larkin
— August 13, 2019

Content Roadmap: AZ-500, ITIL 4, MS-100, Google Cloud Associate Engineer, and More

Last month, Cloud Academy joined forces with QA, the UK’s largest B2B skills provider, and it put us in an excellent position to solve a massive skills gap problem. As a result of this collaboration, you will see our training library grow with additions from QA’s massive catalog of 500+...

Read more
  • AWS
  • Azure
  • content roadmap
  • Google Cloud Platform
Avatar
Andrew Larkin
— August 7, 2019

Disadvantages of Cloud Computing

If you want to deliver digital services of any kind, you’ll need to estimate all types of resources, not the least of which are CPU, memory, storage, and network connectivity. Which resources you choose for your delivery —  cloud-based or local — is up to you. But you’ll definitely want...

Read more
  • AWS
  • Azure
  • Cloud Computing
  • Google Cloud Platform
Alisha Reyes
Alisha Reyes
— July 22, 2019

Cloud Academy’s Blog Digest: July 2019

July has been a very exciting month for us at Cloud Academy. On July 10, we officially joined forces with QA, the UK’s largest B2B skills provider (read the announcement). Over the coming weeks, you will see additions from QA’s massive catalog of 500+ certification courses and 1500+ ins...

Read more
  • AWS
  • Azure
  • Cloud Academy
  • Cybersecurity
  • DevOps
  • Kubernetes