Chapter 7 of 20
Organizing Azure: Management Groups, Subscriptions, and Resource Groups
See how Azure’s logical hierarchy fits together so you can place every resource in the right subscription and resource group for billing, access, and governance.
Orienting Yourself in Azure’s Logical Hierarchy
From Physical to Logical
Azure runs on global physical infrastructure (regions, region pairs, Availability Zones). On top of that, Microsoft adds a logical structure so organizations can handle billing, access, and governance.
Exam-Relevant Question Types
For AZ-900, you must read simple hierarchy diagrams and answer: where to place a new resource, or whether to apply a policy at the management group or subscription level.
The Core Hierarchy
Typical hierarchy: Microsoft Entra ID tenant → Management groups → Subscriptions → Resource groups → Resources. Not every org uses management groups, but subscriptions and resource groups are always present.
Link to Shared Responsibility
Azure provides these organizing tools; you are responsible for using them to separate environments, isolate workloads, and apply governance under the shared responsibility model.
Tenants and Microsoft Entra ID: The Top Identity Boundary
What Is Microsoft Entra ID?
Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365 and the Azure portal.
What Is a Tenant?
A tenant is an instance of Microsoft Entra ID that belongs to one organization. It contains users, groups, and app registrations and is the identity boundary.
Tenant–Subscription Relationship
Every Azure subscription is associated with one Microsoft Entra ID tenant. The tenant provides identities; the subscription holds Azure resources and billing.
Common Exam Trap
Do not confuse tenant and subscription. Tenant = identity directory. Subscription = billing and resource container. One tenant can have many subscriptions.
Azure Subscriptions: Billing, Boundaries, and Limits
What Is a Subscription?
An Azure subscription is a logical container that groups resources for billing, defines quotas and limits, and acts as a security and management boundary.
Subscriptions and Billing
Each subscription has its own billing relationship. Using multiple subscriptions lets you separate costs by environment, department, or customer.
Why Multiple Subscriptions?
Organizations create separate subscriptions for dev/test/prod, for different business units, or to enforce different governance or spending limits.
Exam Signals
If a question mentions separate billing or strong isolation between departments or environments, multiple subscriptions are often the correct choice.
Resource Groups: Organizing Related Resources Inside a Subscription
What Is a Resource Group?
A resource group is a logical container inside a subscription that holds related Azure resources for an application, workload, or environment.
Key Rules
Every resource belongs to exactly one resource group and one subscription. All resources in a resource group share the same subscription.
Why Use Resource Groups?
They let you deploy, manage, and delete related resources together, and apply RBAC and Azure Policy at a convenient scope for a specific workload.
Common Exam Trap
Resource groups are not for separate billing. Billing is per subscription. Resource groups are for logical organization and lifecycle management.
Worked Scenario: Choosing Subscriptions vs Resource Groups
Scenario Setup
Contoso has two apps: an internal HR Portal and a public ecommerce site. They want separate billing, prod vs non-prod isolation, and easy test cleanup.
Designing Subscriptions
Create two subscriptions: Contoso-Internal-IT for HR Portal and Contoso-Customer-Apps for the shop. This separates billing and high-level limits.
Designing Resource Groups
In each subscription, create resource groups like rg-hrportal-prod, rg-hrportal-test, rg-shop-prod, rg-shop-test to separate environments.
Lifecycle and Exam Logic
To delete all test resources, delete the test resource group. For separate billing, use separate subscriptions. Match the requirement to the correct level.
Management Groups: Governance Above Subscriptions
What Are Management Groups?
Management groups sit above subscriptions and can contain subscriptions and other management groups, all within the same Microsoft Entra ID tenant.
Why Use Them?
They let you apply Azure Policy and RBAC once at a higher level and have those settings inherit down to many subscriptions automatically.
RBAC and Azure Policy
RBAC is an authorization system that provides fine-grained access based on roles. Azure Policy enforces rules so resources stay compliant with standards and SLAs.
Exam Clue: Governance at Scale
If you see “apply controls across all subscriptions” or “governance at scale,” management groups are usually the right concept.
Visualizing a Management Group Hierarchy
Sample Hierarchy
Picture: Root management group → mg-Platform, mg-Prod, mg-NonProd. Under them: multiple subscriptions like sub-Prod-Finance, sub-Dev, sub-Test.
Policy Inheritance
A policy assigned at Root (for example, only EU regions) flows down to all child management groups and subscriptions automatically.
Different Rules by Branch
mg-Prod might have strict RBAC for central ops only, while mg-NonProd has looser permissions for developers to experiment.
Connecting to Exam Questions
To affect all workloads, assign at Root. To affect only production subscriptions, assign at the Prod management group branch.
Naming and Tagging: Making the Hierarchy Usable
Why Naming Matters
Good names encode environment, app, type, and location, making it easy to understand a resource’s purpose without opening it.
Example Naming Pattern
Resource group: rg-hr-weu-prod. VM: vm-hr-weu-prod-app01. Each part signals app, region, and environment.
What Are Tags?
Tags are key-value pairs on resources, groups, and subscriptions, like CostCenter=Finance or Environment=Prod.
Exam Clue: Cost Grouping
If a question mentions grouping costs or identifying owners across resources, tags are usually the correct mechanism.
Thought Exercise: Place the Resources
Work through this scenario mentally to practice choosing the right level for each decision.
Scenario
Fabrikam has:
- One Microsoft Entra ID tenant.
- Two subscriptions: `sub-Prod` and `sub-NonProd`.
- In `sub-Prod`, resource groups: `rg-payroll-prod` and `rg-website-prod`.
They plan to add:
- A new test environment for the website.
- A policy that only allows resources in the "West Europe" region for all production workloads.
- A way to track which department pays for each resource (Finance vs Marketing), across both subscriptions.
Your tasks
For each item, decide:
- Where should the new test resources go?
  - Think: new subscription, new resource group, or existing resource group?
- At what scope should they assign the region restriction policy?
  - Options: resource group, subscription, or management group?
  - Assume they create a `mg-Prod` management group containing only `sub-Prod`.
- How should they track department ownership across both subscriptions?
  - Options: more subscriptions, more resource groups, or tags?
Check your reasoning
Compare your answers to these recommended choices:
- New test environment → New resource group in `sub-NonProd`, for example `rg-website-test`. Rationale: same app, different environment; resource group separation is enough.
- Region restriction → mg-Prod management group. Rationale: ensures all current and future production subscriptions inherit the policy.
- Department ownership → Tags, such as `Department = Finance` or `Department = Marketing`. Rationale: tags work across subscriptions and resource groups.
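To make the inheritance concrete, here is an added Python model (not Azure's policy engine, and not code from this course) of how the region restriction assigned once at `mg-Prod` reaches every resource group and resource under `sub-Prod`, and under any production subscription placed in that branch later, while `sub-NonProd` stays unrestricted. The scope ID formats are Azure's real ones; the subscription GUIDs and the allowed-region set are constructed for the example.

```python
# Scope inheritance for Azure Policy, as a plain-Python model.
# Simplified illustration written for this chapter, not the Azure Policy engine.
# Scope IDs follow Azure's real formats; the subscription GUIDs are constructed
# placeholders and the names come from the Fabrikam scenario above.

MG = "/providers/Microsoft.Management/managementGroups/"

# child scope -> parent scope (the root management group has no parent)
PARENT = {
    MG + "mg-Prod": MG + "root",
    MG + "mg-NonProd": MG + "root",
    "/subscriptions/11111111-0000-0000-0000-000000000001": MG + "mg-Prod",     # sub-Prod
    "/subscriptions/22222222-0000-0000-0000-000000000002": MG + "mg-NonProd",  # sub-NonProd
}

# Policy assignments: scope -> allowed regions, like the built-in
# "Allowed locations" policy. Assigned once at mg-Prod, as the chapter recommends.
ASSIGNMENTS = {
    MG + "mg-Prod": {"westeurope"},
}

def parent_scope(scope):
    """Return the parent of any scope, or None once the root is reached."""
    if scope in PARENT:
        return PARENT[scope]
    if "/providers/" in scope and scope.startswith("/subscriptions/"):
        return scope.split("/providers/")[0]        # resource -> resource group
    if "/resourceGroups/" in scope:
        return scope.split("/resourceGroups/")[0]   # resource group -> subscription
    return None

def effective_allowed_locations(scope):
    """Walk up the hierarchy; every inherited allow-list must be satisfied."""
    allowed = None
    while scope is not None:
        if scope in ASSIGNMENTS:
            here = ASSIGNMENTS[scope]
            allowed = here if allowed is None else allowed & here
        scope = parent_scope(scope)
    return allowed  # None: no location restriction inherited at this scope

def is_deployment_allowed(scope, location):
    """Would a deployment at this scope into this region pass the inherited policy?"""
    allowed = effective_allowed_locations(scope)
    return allowed is None or location in allowed

def place_subscription(sub_id, mg_name):
    """Put a subscription under a management group; it inherits that branch's policy."""
    PARENT["/subscriptions/" + sub_id] = MG + mg_name
```

Adding a third subscription with `place_subscription(..., "mg-Prod")` makes it subject to the West Europe restriction with no further assignment, which is the "current and future production subscriptions" point from the recommended choices.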
Quick Check 1: Subscriptions vs Resource Groups
Answer this question to test your understanding of subscriptions and resource groups.
Your company wants to receive separate invoices for the Finance department and the HR department. Both departments will use many different Azure services. What is the BEST way to achieve this?
- A) Create one subscription and separate Finance and HR into different resource groups.
- B) Create two subscriptions, one for Finance and one for HR.
- C) Create one subscription and use tags on each resource to mark Finance or HR.
- D) Create separate Microsoft Entra ID tenants for Finance and HR.
Show Answer
Answer: B) Create two subscriptions, one for Finance and one for HR.
Billing is scoped at the subscription level. To receive separate invoices for Finance and HR, create separate subscriptions for each department. Resource groups and tags help with organization and reporting, but invoices are tied to subscriptions. Multiple tenants would complicate identity without being required here.
Quick Check 2: Management Groups and Policy
Test your understanding of management groups and Azure Policy inheritance.
An organization has 5 subscriptions in the same Microsoft Entra ID tenant. They want to enforce that only approved VM sizes can be created in ANY of these subscriptions. What should they configure?
- A) Assign an Azure Policy to each resource group in every subscription.
- B) Assign an Azure Policy at each subscription scope separately.
- C) Create a management group that contains all 5 subscriptions and assign the Azure Policy at the management group scope.
- D) Move all resources into a single subscription and rely on default settings.
Show Answer
Answer: C) Create a management group that contains all 5 subscriptions and assign the Azure Policy at the management group scope.
Management groups are designed for governance at scale. By creating a management group that contains all 5 subscriptions and assigning the Azure Policy at that scope, the policy automatically applies to all subscriptions and their resource groups. Assigning per subscription or per resource group is more work and easier to misconfigure.
Flashcards: Key Terms and Relationships
Use these flashcards to reinforce the most important concepts from this module.
- Microsoft Entra ID
- Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
- Tenant
- An instance of Microsoft Entra ID that belongs to one organization. It contains users, groups, and app registrations. All subscriptions in the organization are associated with a tenant for identity.
- Azure subscription (main purposes)
- A logical container for Azure resources that defines billing, quotas and limits, and a security/management boundary. Organizations often use multiple subscriptions to separate environments, departments, or customers.
- Resource group
- A logical container within a subscription that holds related Azure resources. Used to organize resources with a shared lifecycle and to apply RBAC and Azure Policy at a workload level.
- Management group
- A container above subscriptions used to group subscriptions and other management groups for governance at scale. Policies and RBAC assigned here inherit down to child subscriptions.
- Role-based access control (RBAC)
- Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
- Azure Policy
- Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
- Tags
- Key-value pairs applied to resources, resource groups, and subscriptions to support cost reporting, governance, and automation. Example: CostCenter=Finance, Environment=Prod.
- Billing vs organization
- Billing separation is achieved with multiple subscriptions. Resource groups and tags are for organizing and managing resources within and across subscriptions, not for separate invoices.
- Hierarchy order (top to bottom)
- Microsoft Entra ID tenant → Root management group → Child management groups → Subscriptions → Resource groups → Resources.
Key Terms
- Tags
- Key-value pairs that you can apply to Azure resources, resource groups, and subscriptions to support cost reporting, governance, and automation.
- Tenant
- An instance of Microsoft Entra ID that belongs to one organization and contains users, groups, and app registrations. All associated Azure subscriptions trust this tenant for identity.
- Hierarchy
- The logical structure in Azure from tenant to resource: Microsoft Entra ID tenant → management groups → subscriptions → resource groups → resources.
- Azure Policy
- Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
- Resource group
- A logical container within a subscription that holds related Azure resources, typically those that share the same lifecycle and management requirements.
- Management group
- A container above subscriptions used to group subscriptions and other management groups so that Azure Policy and RBAC can be applied and inherited at scale.
- Azure subscription
- A logical container for Azure resources that defines billing, quotas and limits, and a security/management boundary. Often used to separate environments, departments, or customers.
- Microsoft Entra ID
- Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
- Role-based access control (RBAC)
- Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.