Chapter 7 of 20

Organizing Azure: Resources, Resource Groups, and Subscriptions

Discover how Azure’s logical hierarchy—resources, resource groups, and subscriptions—shapes billing, access control, and lifecycle management for everything you deploy.

The Big Picture: How Azure Is Organized

Physical vs Logical Azure

Previously you saw physical Azure: regions, region pairs, Availability Zones, and datacenters. Now we move to the logical side: Azure resources, resource groups, and subscriptions.

Core Architectural Components

Remember the Azure core architectural components list: Azure regions, region pairs, Availability Zones, Azure datacenters, Azure resources, resource groups, subscriptions.

Why This Matters

These logical pieces control billing, access control, lifecycle, and governance. AZ-900 questions often hinge on knowing which layer does what.

Hierarchy Overview

Top to bottom: Management groups → Subscriptions → Resource groups → Resources. Next, we will unpack each layer with examples and exam-style thinking.

Azure Resources: The Building Blocks

What Is an Azure Resource?

An Azure resource is any manageable item in Azure: a VM, storage account, database, web app, virtual network, and many more.

Resource Categories

Common categories: compute (VMs, web apps), storage (storage accounts, disks), networking (VNets, IPs), data and AI (databases, AI services).

Where Resources Live

Most resources are created in a specific region; some are logically global. All are managed through Azure Resource Manager (ARM).

Ownership and Scope

Each resource belongs to exactly one resource group and one subscription. RBAC and Azure Policy can target individual resources.

Resource Groups: Logical Containers With a Shared Lifecycle

What Is a Resource Group?

A resource group is a logical container for related Azure resources. It helps you organize and manage resources as a unit.

Shared Lifecycle

Resources in a group often share a lifecycle. Deleting the resource group deletes all resources inside it, which is powerful but risky.

Management Scope

You can apply RBAC and Azure Policy at the resource group level so permissions and rules flow down to all resources it contains.

Region and Membership

A resource group is created in one region but can contain resources from multiple regions. Each resource belongs to exactly one resource group.

Subscriptions: Billing and Broad Access Boundaries

What Is a Subscription?

A subscription is a logical container for resource groups and resources. It is tightly linked to billing, quotas, and broad access boundaries.

Billing and Quotas

All resource costs in a subscription roll up to one bill. Azure also applies many service limits per subscription, such as VM core counts.

Security and Isolation

RBAC can be assigned at subscription scope, affecting everything inside. Separate subscriptions help isolate prod vs dev or different business units.

Hierarchy Recap

A subscription contains zero or more resource groups. Each resource group belongs to one subscription; resources inherit that subscription through the group.

Management Groups and the Full Hierarchy

Why Management Groups?

Management groups sit above subscriptions and help large organizations apply governance and access control across many subscriptions at once.

Full Hierarchy

Top to bottom: Management groups → Subscriptions → Resource groups → Resources. Only subscriptions live inside management groups.

Governance at Scale

You can assign RBAC roles and Azure Policy at the management group level to affect all child subscriptions, groups, and resources.

Scope and Inheritance

RBAC and policies inherit downward: management group → subscription → resource group → resource. Higher scopes impact everything underneath.

Real-World Design: Organizing a Simple Company in Azure

Scenario: Contoso Company

Contoso has Dev and Prod environments, two apps (public website and HR app), and two teams. How should they organize Azure?

Step 1: Subscriptions

Create two subscriptions: Contoso-Prod and Contoso-Dev. This separates billing, limits, and broad access for Prod vs Dev.

Step 2: Resource Groups

In each subscription, create rg-webapp and rg-hrapp. Each app gets its own group to manage its lifecycle independently.

Step 3: Resources and Access

Place app resources (web apps, storage, DBs) into the right group. Grant each team Contributor on its group, keeping Owner at subscription level.
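
The downward inheritance described under Scope and Inheritance, applied to the Contoso layout from Steps 1 to 3, as an added example that is not part of the original chapter. It assumes placeholder subscription IDs, a hypothetical management group named contoso, and constructed principals (senior-admins, web-team, hr-team, auditors), and it models only additive role assignments.

```python
# Added example: models ARM scope inheritance offline. All IDs, the management
# group name and the principals are constructed placeholders.
SUB_PROD = "/subscriptions/00000000-0000-0000-0000-000000000001"  # Contoso-Prod
SUB_DEV = "/subscriptions/00000000-0000-0000-0000-000000000002"   # Contoso-Dev
MG = "/providers/Microsoft.Management/managementGroups/contoso"   # hypothetical

# A subscription's parent management group is not encoded in a resource ID,
# so the mapping is supplied separately (keys lowercased: IDs are case-insensitive).
SUB_PARENT = {SUB_PROD.lower(): MG, SUB_DEV.lower(): MG}

# Constructed role assignments: (principal, built-in role, scope).
ASSIGNMENTS = [
    ("senior-admins", "Owner", SUB_PROD),
    ("web-team", "Contributor", SUB_PROD + "/resourceGroups/rg-webapp"),
    ("hr-team", "Contributor", SUB_PROD + "/resourceGroups/rg-hrapp"),
    ("auditors", "Reader", MG),
]


def scope_chain(resource_id):
    """Return every scope that covers resource_id, narrowest first."""
    parts = resource_id.strip("/").split("/")
    if len(parts) < 2 or parts[0].lower() != "subscriptions":
        raise ValueError("expected an ID starting with /subscriptions/<id>")
    sub = "/" + "/".join(parts[:2])
    chain = [sub]
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        chain.insert(0, sub + "/resourceGroups/" + parts[3])
        if len(parts) > 4:
            chain.insert(0, "/" + "/".join(parts))  # the resource itself
    parent = SUB_PARENT.get(sub.lower())
    if parent:
        chain.append(parent)
    return chain


def effective_access(resource_id, assignments=ASSIGNMENTS):
    """List (principal, role, assigned_at) for each assignment reaching resource_id."""
    chain = [s.lower() for s in scope_chain(resource_id)]
    hits = [a for a in assignments if a[2].lower() in chain]
    # Narrowest scope first, so broad inherited grants appear last.
    return sorted(hits, key=lambda a: chain.index(a[2].lower()))


if __name__ == "__main__":
    hr_storage = (SUB_PROD + "/resourceGroups/rg-hrapp/providers/"
                  "Microsoft.Storage/storageAccounts/hrprodweusa")  # constructed
    for principal, role, scope in effective_access(hr_storage):
        print(f"{principal:14} {role:12} assigned at {scope}")
```

Reviewing the tail of each result is a quick way to see which principals reach a resource only through a subscription or management group grant, and the rg-webapp group in Contoso-Dev shows that a same-named group in another subscription inherits nothing from Prod.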

Naming Conventions and Tagging Basics

Why Naming and Tagging?

Good naming and tagging make it easier to understand, manage, and report on Azure resources as your environment grows.

Naming Conventions

Names often include app, environment, type, and region: for example, hr-prod-weu-sa for a production HR storage account in West Europe.

What Are Tags?

Tags are key-value pairs like Environment=Production or Department=Finance. You can apply them to resources and resource groups.

Why Tags Matter

Tags support cost reporting and governance. Azure Policy can require tags, but tags do not control security or access.

Thought Exercise: Choosing Resource Groups and Subscriptions

Work through this design mentally. Do not worry about being perfect; focus on reasoning.

Scenario: A university IT department is moving to Azure. They have:

  • Three environments: Dev, Test, Prod
  • Two major systems: Student Portal and Learning Management System (LMS)
  • A strict rule: only senior admins can touch Prod; junior admins can manage Dev and Test
  • They want to track costs per system and per environment

Questions to think through:

  1. How many subscriptions would you create, and why?
     • Option A: One subscription for everything
     • Option B: One subscription per system (Student Portal, LMS)
     • Option C: One subscription per environment (Dev, Test, Prod)
  2. How would you structure resource groups inside your chosen subscription design?
     • Group by system (StudentPortal, LMS)
     • Group by environment (Dev, Test, Prod)
     • Some combination of both
  3. Where would you apply RBAC to enforce the “only senior admins in Prod” rule?
     • At subscription level?
     • At resource group level?
     • At individual resource level?
  4. Which tags would help with cost reporting?
     • Think of at least two useful tags (key and example value).

Pause and sketch a simple hierarchy (text is fine):

  • Management group (optional)
  • Subscriptions
  • Resource groups
  • Example resources

Then compare your design mentally to the Contoso example from earlier. How similar or different is your approach, and why?

Quiz 1: Hierarchy and Scope

Check your understanding of Azure’s logical hierarchy and scopes.

You want to ensure that a specific security policy applies to ALL current and future subscriptions in your organization. At which scope should you assign the Azure Policy definition?

  A) At each individual resource group
  B) At a management group that contains all subscriptions
  C) At one of the subscriptions
  D) At each individual resource

Answer: B) At a management group that contains all subscriptions

Management groups sit above subscriptions. Assigning Azure Policy at a management group scope ensures it applies to all child subscriptions, resource groups, and resources. Assigning at subscription, resource group, or resource scope would limit the policy to that narrower scope only.

Quiz 2: Resource Groups and Subscriptions

Test your understanding of how resource groups and subscriptions relate to each other.

Which statement about Azure resource groups and subscriptions is CORRECT?

  A) A resource group can span multiple subscriptions to simplify management.
  B) A single resource can belong to multiple resource groups within the same subscription.
  C) A subscription can contain multiple resource groups, and each resource group belongs to exactly one subscription.
  D) Resource groups are physical containers that map to specific datacenters.

Answer: C) A subscription can contain multiple resource groups, and each resource group belongs to exactly one subscription.

The correct relationship is: a subscription can contain multiple resource groups, and each resource group belongs to exactly one subscription. Resource groups are logical (not physical) containers, and resources and groups cannot belong to multiple subscriptions or groups at once.

Key Terms Review: Resources, Groups, Subscriptions, Management Groups

Review these terms to reinforce the core concepts.

Azure resource
Any manageable item in Azure, such as a virtual machine, storage account, web app, database, or virtual network. It is the fundamental unit you deploy, configure, and monitor in Azure.
Resource group
A logical container that holds related Azure resources. It provides a shared lifecycle and a scope for management operations, RBAC, and Azure Policy assignments.
Subscription
A logical container that groups resource groups and resources for purposes of billing, service limits (quotas), and broad access control boundaries.
Management group
A container for managing access, policy, and compliance across multiple Azure subscriptions. It sits above subscriptions in the hierarchy and lets you apply RBAC and Azure Policy to all child subscriptions.
Hierarchy order (top to bottom)
Management groups → Subscriptions → Resource groups → Resources.
Scope options for RBAC and Azure Policy
You can assign RBAC roles and Azure Policy at four main scopes: management group, subscription, resource group, and resource.
Tag
A key-value pair applied to an Azure resource or resource group (for example, Environment=Production). Tags support organization, reporting, and cost management, but do not control security.
Naming convention purpose
A consistent naming convention helps identify what a resource is, which app or system it belongs to, its environment, and sometimes its region, making management and troubleshooting easier.

Common Exam Traps and How to Avoid Them

Trap 1: Resource Group and Region

Resource groups can hold resources from multiple regions. They are not limited to a single region’s resources, even though the group itself is created in one region.

Trap 2: One Resource, Many Groups?

A resource cannot belong to multiple resource groups or subscriptions. It has exactly one resource group and one subscription at any time.

Trap 3: Billing vs Organization

Billing is tied to subscriptions, not resource groups. Groups and tags help organize and report costs but do not change who gets billed.

Trap 4: Tags vs Security

Tags are for organization and cost reporting. Access control uses RBAC at management group, subscription, resource group, or resource scope.

Key Terms

Tags
Key-value pairs that you apply to Azure resources and resource groups to support organization, reporting, and cost management.
Azure Policy
Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
Subscription
A logical container that groups resource groups and resources for billing, quotas, and broad access control.
Resource group
A logical container that holds related Azure resources and provides a shared lifecycle and management scope.
Azure resources
Manageable items in Azure, such as virtual machines, storage accounts, web apps, databases, and virtual networks. They are the fundamental units you deploy and configure.
Management group
A container used to manage access, policy, and compliance across multiple Azure subscriptions, sitting above subscriptions in the hierarchy.
Azure Resource Manager (ARM)
The deployment and management service for Azure that provides a consistent management layer for creating, updating, and deleting resources through the Azure portal, Azure PowerShell, Azure CLI, and templates.
Role-based access control (RBAC)
Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
