When used individually, Azure Management Groups, Subscriptions, and Resource Groups are very powerful. But when used together, they can establish the entire organizational structure of Azure.
In this article, I will explain Azure Resource Manager, Management Groups, Subscriptions and Resource Groups. I’ll show the relationship between each and provide guidance on how to most effectively use them all to organize Azure to meet the needs of your business.
To deep dive into these topics, check out Cloud Academy’s full video-based Learning Path: AZ-103 Exam Preparation: Microsoft Azure Administrator. This Learning Path is designed to help you prepare for the AZ-103 Microsoft Azure Administrator exam, and it’s loaded with 25+ hours of content, including courses, quizzes, hands-on labs, and practice exams.
In Azure, Subscriptions, Management Groups, and Resource Groups are all essential organizational constructs. But to understand the purpose of Azure Subscriptions and Management Groups, you need to begin by understanding the Azure Resource Management hierarchy.
Azure Resource Manager is at the core of Microsoft Azure. It serves as an essential component of Azure deployment and provides a unified management layer regardless of the tool set used. Whether you use the Azure website, Azure CLI, Azure PowerShell, or one of the many other methods for managing Azure resources, your commands all go through Azure Resource Manager.
The Azure Resource Manager model uses four levels, or “scopes.” The following diagram provides an example of each of these scopes.
Image Source: Azure Resource Manager Overview
Azure Management Groups are logical containers that allow Azure Administrators to manage access, policy, and compliance across multiple Azure Subscriptions en masse. Management groups allow you to build an Azure Subscription tree that can be used with several other Azure services, including Azure Policy and Azure Role-Based Access Control. Azure Management Groups provide flexibility for organizing policy, access control, and compliance across multiple subscriptions. We can nest Azure Management Groups up to six levels deep for efficient management of resources.
Among the multiple ways management groups can be utilized, Azure Management Groups can mirror your billing hierarchy. Often enterprises begin utilizing management groups in this way. However, the real power of management groups comes when you use them to model your organization. Azure Subscriptions can be grouped based on a need for common role assignments along with Azure Policies and initiatives.
Azure Management Groups provide a level of organization above Azure Subscriptions. If your company has more than one or two Azure Subscriptions, you will want to actively control access, policies, and compliance for those subscriptions. All subscription objects within a management group receive a copy of the role-based access control and policy settings applied to the management group.
Each Azure Active Directory (AD) tenant includes a top level or “root” management group. By default, only an Azure AD Global Administrator can access this root level group, and only after elevating access. The root management group has several important facts to be aware of:
Management groups have one large limitation: A management group cannot contain an Azure Resource. It can only contain other management groups or subscriptions.
An Azure Subscription can be defined in many ways, but at its simplest a subscription refers to the logical entity that provides entitlement to deploy and consume Azure resources. Some other ways to define an Azure Subscription:
Azure Subscriptions come with multiple considerations:
Microsoft’s definition of a subscription is “an agreement with Microsoft to use one or more Microsoft cloud platforms or services, for which charges accrue based on either a per-user license fee or on cloud-based resource consumption.”
Azure Subscriptions, at their core, are simple constructs. As stated above, an Azure Subscription can be used in multiple ways to organize and store Azure resources, and to organize resources in containers.
There are a large number of ways to create a subscription with Microsoft Azure; I am going to attempt to list the most prevalent. Please see the Microsoft Azure Offer Details site for a complete list of subscription types.
Azure has a large number of limitations per subscription, which are often referred to as “quotas”. Many (but not all) of the subscription limits can be raised by opening an online customer support request with Microsoft. Even so, all limits have a maximum value. Once you reach a maximum value, the only way to overcome it is to use multiple subscriptions. Details on most of the limits can be found on the Microsoft documentation page “Azure subscription and service limits, quotas, and constraints”.
In addition to Management Groups, subscriptions provide multiple layers to best organize Azure Resources to meet the needs of the enterprise. Ultimately, it is up to the business to determine how best to utilize Azure Subscriptions to organize Azure Resources. My advice: start simple. Generally I recommend beginning with two subscriptions, one for Production resources and one for non-production such as development and test.
As the number of Azure Subscriptions increases, so too does the management complexity and administrative overhead. With that being said, I give the same advice to everyone who asks me this question. Start as simple as possible, and expand as business needs demand. But with that advice, I also include the following caveat. As Azure (and your business) grow, be prepared to discover that the business has developed a requirement that will necessitate a move to additional subscriptions.
Used in conjunction, Azure Subscriptions and Management Groups can be used to create an organizational hierarchy for your Azure Resources. An example hierarchy is included below.
Image source: https://docs.microsoft.com/en-us/azure/governance/management-groups/
Resource groups are the lowest level of organizational scope, and are the level that contains almost all Azure Resources. Azure Resource Groups are logical collections of virtual machines, app services, storage accounts, virtual networks, web apps, Azure SQL databases, etc. Resource groups can be utilized to subdivide resources by application or environment, among the many options.
Azure Resource Groups are a useful tool for Role-Based Access Control (RBAC). This will allow you to grant user access at the group level. Resource Groups can also simplify reporting and billing.
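The inheritance described in this article, as an added example (not Cloud Academy's or Microsoft's code): a simplified Python model of the management group, subscription and resource group scopes that computes which role assignments apply at a given scope and how far an assignment made high in the tree reaches. All scope names, principals and the `mg:`/`sub:`/`rg:` prefixes are constructed for illustration, and the six-level limit is assumed to be counted below the root group.

```python
MAX_MG_DEPTH = 6  # nesting limit from the article, counted here below the root group

# Constructed hierarchy: child scope -> parent scope.
PARENT = {
    "mg:corp": "mg:root",
    "mg:prod": "mg:corp",
    "sub:prod-01": "mg:prod",
    "sub:dev-01": "mg:corp",
    "rg:payments": "sub:prod-01",
    "rg:sandbox": "sub:dev-01",
}
# Constructed role assignments: (principal, role, scope of assignment).
ASSIGNMENTS = [
    ("alice", "Owner", "mg:corp"),
    ("bob", "Contributor", "sub:dev-01"),
    ("carol", "Reader", "rg:payments"),
]
ALLOWED_PARENT = {"mg": "mg", "sub": "mg", "rg": "sub"}  # a group holds groups or subscriptions only

def ancestors(scope, parent=PARENT):
    """The scope itself, then each scope above it, nearest first."""
    chain = [scope]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain

def effective_assignments(scope, parent=PARENT, assignments=ASSIGNMENTS):
    """Assignments made at this scope or inherited from any scope above it."""
    chain = ancestors(scope, parent)
    return [a for a in assignments if a[2] in chain]

def inheriting_scopes(scope, parent=PARENT):
    """Every scope below `scope`, i.e. everything an assignment there reaches."""
    return sorted(s for s in parent if scope in ancestors(s, parent)[1:])

def hierarchy_problems(parent=PARENT):
    """Violations of the containment and depth rules described in the article."""
    problems = []
    for child, par in parent.items():
        if ALLOWED_PARENT[child.split(":")[0]] != par.split(":")[0]:
            problems.append(f"{child} cannot be placed under {par}")
        depth = sum(s.startswith("mg:") and s != "mg:root" for s in ancestors(child, parent))
        if child.startswith("mg:") and depth > MAX_MG_DEPTH:
            problems.append(f"{child} is nested {depth} levels deep")
    return problems

if __name__ == "__main__":
    print(effective_assignments("rg:payments"))  # alice's Owner role arrives from mg:corp
    print(inheriting_scopes("mg:corp"))          # reach of an assignment made at mg:corp
    print(hierarchy_problems())
```

Running `inheriting_scopes` for each scope that carries a privileged role is a quick way to review how much of the tenant a single assignment covers before it is granted.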