Module 2: Azure Architecture and Services

Azure Organization & Management

Master Azure's organizational hierarchy from management groups to individual resources. Learn how subscriptions, resource groups, and management structures work together to provide billing boundaries, access control, and enterprise-scale governance for your cloud infrastructure.

Crafted with care by Venu Vallepu

Azure Resource Hierarchy: From Enterprise to Individual Resources

Imagine you're managing IT for a multinational company with thousands of applications, millions of users, and strict compliance requirements. How do you organize thousands of virtual machines, databases, and storage accounts across multiple teams, departments, and geographic regions while maintaining security, controlling costs, and ensuring governance? Azure's hierarchical management structure provides the answer through a carefully designed organizational model.

πŸ—οΈ Azure Management Hierarchy: From Global to Granular

Root Management Group

Tenant-level (Enterprise)

IT Department
Marketing
Operations
Prod Sub
Dev Sub
Test Sub
Web-App-RG
DB-RG
Network-RG
VM
App
SQL

🎯 Why This Hierarchy Matters:

💰 Cost Management

Each subscription has its own billing boundary - IT can track costs separately from Marketing

🔐 Access Control

Developers get access to the Dev subscription but not to Production - automatic security boundaries

📋 Governance

Apply company-wide policies at management group level, specific rules at subscription level

⚡ Lifecycle Management

Delete the entire resource group when the project ends - all its resources go away together

📊 Hierarchy Benefits in Practice:

Enterprise Governance (Management Groups): apply security policies across all 50 subscriptions with one management group policy

Department Budgets (Subscriptions): Marketing gets a $10K/month budget on their subscription, IT gets $50K/month

Project Organization (Resource Groups): all resources for the "Customer Portal v2" project in one resource group for easy management

Resource Tracking (Tags & Labels): track which resources belong to which cost center, environment, or project owner

🏢 Real-World Example: Global Manufacturing Company Azure Setup

🏭 Company Overview:

GlobalTech Manufacturing: 15,000 employees across 25 countries, $2B annual revenue, strict compliance requirements (SOX, ISO), multiple business units, and complex IT governance needs.

Locations: North America, Europe, Asia-Pacific manufacturing facilities
Business Units: Manufacturing, Sales, R&D, Corporate Services
IT Budget: $50M annually across all business units
Compliance: SOX, ISO 27001, GDPR, industry-specific regulations

☁️ Azure Organizational Strategy:

🏢 Root Management Group

GlobalTech-Root: Enterprise-wide security and compliance policies

🏭 Business Unit Management Groups

Manufacturing-MG, Sales-MG, RnD-MG, Corporate-MG (budget allocation by unit)

💳 Environment Subscriptions

Prod-Manufacturing, Dev-Manufacturing, Test-Sales, etc. (isolation by environment)

📁 Application Resource Groups

ERP-Prod-RG, CRM-Prod-RG, MES-Manufacturing-RG (by application lifecycle)

📊 Organizational Benefits Achieved

98% policy compliance (automated enforcement)
60% cost reduction (through better tracking)
85% admin efficiency (less manual work)
5 min audit response (vs 2 hours before)

Azure Subscriptions: Your Billing & Access Boundary

Think of an Azure subscription as your "account" with Microsoft - it's where your bill comes from, where usage is tracked, and where access is controlled. Every Azure resource must belong to exactly one subscription, making it the fundamental unit for billing, access management, and policy enforcement. Understanding subscriptions is crucial because they define the boundaries of your Azure environment.

💳 Azure Subscriptions: The Foundation of Azure Management

🎯 What Is an Azure Subscription?

💰 Billing Boundary

All resources in a subscription appear on the same bill and invoice: one subscription = one bill per month

🔐 Access Control Boundary

Permissions can be granted at subscription level for all resources within it: the RBAC (Role-Based Access Control) scope

📊 Management Boundary

Policies, compliance, and governance settings apply subscription-wide: the Azure Policy and compliance scope

⚖️ Scale Boundary

Each subscription has limits (quotas) on the number and type of resources. Example: 980 VMs per subscription limit

📊 Subscription Relationship with Azure AD:

Azure AD Tenant ↔ Subscriptions

Azure AD Tenant: contoso.onmicrosoft.com (identity & directory service)
  Production subscription: $15K/month
  Development subscription: $3K/month
  Testing subscription: $1K/month

Key: One Azure AD tenant can have multiple subscriptions, but each subscription trusts exactly one tenant

🏢 Trust Relationship

A subscription trusts one Azure AD tenant for authentication and authorization

👥 User Management

Users and groups from the trusted tenant can be assigned roles in the subscription

🔄 Tenant Transfer

Subscriptions can be moved between tenants (with proper authorization)

🎯 Common Subscription Strategies & Use Cases

Environment-Based

Separate by Lifecycle

Production: Live applications
Staging: Pre-production testing
Development: Active development
Sandbox: Experimentation
Benefits: Clear cost separation, different access controls per environment, isolated failure domains

Department-Based

Separate by Business Unit

IT Department: Infrastructure
Marketing: Customer analytics
Sales: CRM systems
HR: Employee systems
Benefits: Department budgets, independent policies, clear ownership, chargeback billing

Geography-Based

Separate by Location

North America: US/Canada ops
Europe: EU/GDPR compliance
Asia Pacific: APAC operations
China: China-specific cloud
Benefits: Data residency compliance, regional billing, local access control, performance optimization

⚖️ Subscription Limits & Quotas (Examples)

980 virtual machines per subscription
100 storage accounts per region per subscription
10K resource groups per subscription
20 virtual networks per region

Note: Many limits can be increased by contacting Azure support. Limits help prevent accidental resource sprawl.

💰 Interactive Billing Demo: How Subscription Costs Add Up

📊 Monthly Usage Breakdown:

Virtual Machines: $3,247 (15 VMs running 24/7, D4s_v3 instances)
Storage: $1,123 (50TB blob storage + premium SSDs)
Networking: $432 (VPN Gateway + Load Balancer + data transfer)
Databases: $198 (SQL Database Standard tier)

📋 Subscription Invoice Summary:

Production Subscription, billing period: March 2025

Compute Services      $3,247.15
Storage Services      $1,123.42
Networking              $432.18
Database Services       $198.76
Support Plan            $100.00
Total Due             $5,101.51

Pro Tip: Use Azure Cost Management to set budgets and alerts to avoid surprise bills!

Resource Groups: Logical Containers for Your Azure Resources

Resource groups are like project folders in Azure - they logically group related resources that share the same lifecycle, permissions, and policies. Think of building a web application: you'd put the web app, database, storage account, and networking components all in the same resource group because they belong to the same project and will be managed together throughout their lifecycle.

πŸ“ Resource Groups: Your Azure Organization System

🎯 Resource Group Fundamentals:

πŸ“¦ Logical Container

Groups related Azure resources for management, billing, and permissions

One resource can only exist in one resource group
πŸ”„ Lifecycle Management

Delete resource group = delete all resources inside it instantly

Perfect for temporary environments and projects
πŸ” Permission Boundary

Apply RBAC (Role-Based Access Control) at resource group level

Permissions inherited by all resources in the group
πŸ“ Regional Location

Resource group has a location, but resources can be in any region

Location only stores resource group metadata

πŸ“‹ Resource Group Design Patterns:

🎯 By Application/Project

All resources for one application together

Web App SQL Database Storage App Insights
🏒 By Environment

Separate dev, test, and production resources

MyApp-Prod-RG MyApp-Test-RG MyApp-Dev-RG
βš™οΈ By Service Type

Group by technology or service layer

Compute-RG Database-RG Network-RG
πŸ‘₯ By Team/Department

Resources managed by specific teams

Marketing-RG DevOps-RG Analytics-RG

🔄 Resource Group Lifecycle: From Creation to Deletion

1. Create Resource Group

Set up the logical container for the new project's resources with an appropriate name and location.

Required Properties
  • Name: CustomerPortal-Prod-RG
  • Location: East US (metadata only)
  • Subscription: Production
  • Tags: Environment=Prod, Project=Portal

Best Practices
  • Use a consistent naming convention
  • Apply appropriate tags from the start
  • Set up RBAC permissions early
  • Document purpose and ownership

2. Deploy Resources

Add related resources that share the same lifecycle and management requirements (for example Web App, SQL DB, Storage, Insights).

3. Manage & Monitor

Apply policies, monitor costs, manage access, and maintain resources throughout their operational lifecycle.

🔒 Access Control

Apply RBAC roles to team members for appropriate access levels

💰 Cost Monitoring

Track spending and set budgets at resource group level

📋 Policy Compliance

Ensure resources follow organizational standards

4. Decommission

When the project ends, delete the resource group to clean up all resources instantly and stop all charges.

⚠️ Critical Warning

Deleting a resource group is permanent and irreversible. All resources inside will be deleted immediately.

💡 Pro Tip: Export ARM templates before deletion so the resources can be recreated later if needed!

💡 Resource Group Best Practices & Common Patterns

✅ Best Practices:

🎯 Group by Lifecycle

Resources that are created, managed, and deleted together should be in the same resource group

🏷️ Consistent Naming

Use a naming convention like: {ProjectName}-{Environment}-{Purpose}-RG

🏷️ Apply Tags Early

Tag for cost center, environment, owner, and project from the beginning

🔐 Least Privilege Access

Grant the minimum permissions needed for each team member or service

❌ Common Mistakes to Avoid:

🚫 Single Giant Resource Group

Don't put all resources in one group; it makes management and permissions complex

🚫 Mixed Lifecycles

Don't mix production and development resources in the same group

🚫 No Naming Convention

Random names make it impossible to understand purpose and ownership

🚫 Ignoring Region Implications

Remember that the resource group location only affects where its metadata is stored

📋 Real-World Resource Group Examples

🌐 Web Application
Name: ECommerce-Prod-RG
Resources:
  • App Service Plan
  • Web App
  • SQL Database
  • Storage Account
  • Application Insights
  • Key Vault

💾 Data Analytics
Name: Analytics-Pipeline-RG
Resources:
  • Data Factory
  • Synapse Analytics
  • Data Lake Storage
  • Power BI Workspace
  • Event Hub
  • Cosmos DB

🔧 Infrastructure
Name: Corp-Network-RG
Resources:
  • Virtual Network
  • Subnets
  • Network Security Groups
  • VPN Gateway
  • Load Balancer
  • Public IP Addresses

Management Groups: Enterprise-Scale Organization

Management groups provide a governance layer above subscriptions, enabling enterprise-scale management of access, policies, and compliance across multiple subscriptions. Think of them as organizational units that help large enterprises apply consistent policies and access controls across hundreds or thousands of subscriptions while maintaining flexibility at lower levels.

🏢 Management Groups: Organizing Subscriptions at Enterprise Scale

🎯 Management Group Benefits:

📋 Policy Inheritance

Apply policies at management group level and they are inherited by all child subscriptions: one policy rule can govern thousands of resources

🔐 Centralized Access Control

Assign RBAC roles at the management group for multiple subscriptions: security administrators can manage access at scale

📊 Aggregate Reporting

View costs, compliance, and usage across multiple subscriptions: enterprise-wide dashboards and reporting

🏗️ Organizational Structure

Mirror your business structure in Azure for better governance: up to 6 levels of management group hierarchy

🏗️ Management Group Hierarchy:

Enterprise Management Group Structure

Root Management Group: ContosoTenant (auto-created)
  Child management groups: IT-MG, Sales-MG, R&D-MG
    Nested management groups: Prod-MG, Dev-MG
      Subscriptions: Sub1, Sub2, Sub3

Maximum Depth: 6 levels of management groups
Root Group: Automatically created for each Azure AD tenant
Inheritance: Policies and permissions flow down the hierarchy
Movement: Subscriptions can be moved between management groups

🏢 Enterprise Scenario: Global Bank Management Group Strategy

🏦 Organization Challenge:

GlobalBank Corp: 50,000 employees, operations in 30 countries, 200+ Azure subscriptions, strict financial regulations (SOX, PCI-DSS, Basel III), complex organizational structure with multiple business units.

Governance Challenge: Apply consistent security policies across all subscriptions
Compliance Need: Ensure all resources meet banking regulations
Access Control: Different permissions for different business units
Cost Management: Track spending by department and geography

☁️ Management Group Solution:

🏢 Root Level Policies

Enterprise security baseline, encryption requirements, audit logging

🌍 Geographic Management Groups

North-America-MG, Europe-MG, Asia-Pacific-MG (data residency rules)

🏦 Business Unit Groups

RetailBanking-MG, CommercialBanking-MG, Investment-MG (different compliance rules)

⚙️ Environment Separation

Production-MG, NonProduction-MG (different security requirements)

📋 Policy Inheritance Example

Root Management Group: "All resources must be encrypted at rest"
Europe Management Group: + "Data must stay in EU regions"
Production Management Group: + "Backup required daily"
Final Subscription: Inherits ALL three policies automatically

πŸ” RBAC (Role-Based Access Control) with Management Groups

πŸ‘₯ Common RBAC Patterns:

Role
Management Group
Subscription
Resource Group
Enterprise Admin
Owner
Owner
Owner
Department Manager
Contributor
Owner
Owner
Developer
None
Reader
Contributor
Security Auditor
Reader
Reader
Reader
Full Access
Limited Access
No Access
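How the three policies in the inheritance example accumulate, and how the role assignments in the table combine with inheritance, modelled in Python as an added example (not part of the original course material). The management group names, subscription id, policy predicates and role assignments are constructed samples; only the scope ID formats are Azure's own.

```python
# Policy and RBAC inheritance down the Azure management hierarchy.
# Added example, not from the course material: management groups, subscription
# id, policies and role assignments are constructed; the scope ID formats are Azure's.
MG = "/providers/Microsoft.Management/managementGroups/"
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"  # constructed id

# Management-group ancestry is not encoded in a subscription's ID, so it is kept
# in an explicit parent map (the portal and CLI look this up for you).
PARENT = {
    MG + "Europe-MG": MG + "Root-MG",
    MG + "Production-MG": MG + "Europe-MG",
    SUB: MG + "Production-MG",
}

EU_REGIONS = {"westeurope", "northeurope", "francecentral", "germanywestcentral"}

# Policy assignments: scope -> [(policy name, predicate a resource must satisfy)],
# mirroring the three rules of the inheritance example.
POLICY_ASSIGNMENTS = {
    MG + "Root-MG": [("encrypt-at-rest", lambda r: r["encryptedAtRest"])],
    MG + "Europe-MG": [("eu-regions-only", lambda r: r["location"] in EU_REGIONS)],
    MG + "Production-MG": [("daily-backup", lambda r: r.get("backup") == "daily")],
}

# Role assignments (principal, role, scope) following the RBAC table above.
ROLE_ASSIGNMENTS = [
    ("security-auditors", "Reader", MG + "Root-MG"),
    ("dept-managers", "Contributor", MG + "Europe-MG"),
    ("dept-managers", "Owner", SUB),
    ("developers", "Reader", SUB),
    ("developers", "Contributor", SUB + "/resourceGroups/ERP-Dev-RG"),
]


def ancestry(scope):
    """Scopes from the root management group down to `scope`, inclusive."""
    # Below the subscription the chain is derivable from the ID itself:
    # /subscriptions/<id>/resourceGroups/<rg>/providers/<type>/<name>
    chain = [scope]
    if "/resourceGroups/" in scope:
        sub, rest = scope.split("/resourceGroups/", 1)
        rg = sub + "/resourceGroups/" + rest.split("/", 1)[0]
        if rg != scope:
            chain.insert(0, rg)
        chain.insert(0, sub)
    while chain[0] in PARENT:  # then climb the management groups
        chain.insert(0, PARENT[chain[0]])
    return chain


def effective_policies(scope):
    """Names of every policy a scope inherits, root first."""
    return [name for s in ancestry(scope) for name, _ in POLICY_ASSIGNMENTS.get(s, [])]


def violations(resource):
    """Inherited policies that a resource (a dict with its 'id') fails."""
    return [name for s in ancestry(resource["id"])
            for name, ok in POLICY_ASSIGNMENTS.get(s, []) if not ok(resource)]


def effective_roles(principal, scope):
    """Roles a principal holds at `scope`, assigned there or inherited from above."""
    chain = set(ancestry(scope))
    return sorted({role for p, role, s in ROLE_ASSIGNMENTS if p == principal and s in chain})


if __name__ == "__main__":
    # Constructed storage account: encrypted, but in the wrong region and never backed up.
    sa = {"id": SUB + "/resourceGroups/ERP-Prod-RG/providers/Microsoft.Storage"
                     "/storageAccounts/erpdata01",
          "location": "eastus", "encryptedAtRest": True}
    print("inherited:", effective_policies(SUB))
    print("violations:", violations(sa))
    print("developers on prod resource:", effective_roles("developers", sa["id"]))
```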

🔒 RBAC Best Practices:

🎯 Principle of Least Privilege

Grant minimum permissions needed for users to perform their jobs

👥 Use Groups, Not Individual Users

Assign roles to Azure AD groups for easier management and auditing

🔄 Regular Access Reviews

Periodically review and clean up permissions, especially for departing employees

📊 Inheritance Awareness

Understand how permissions inherit down the management hierarchy

🔐 Common Built-in Roles
Owner: Full access including permission management
Contributor: Full access except permission management
Reader: View all resources but cannot make changes
User Access Administrator: Manage user access only

Azure Resource Organization & Tagging Strategies

Proper organization and tagging of Azure resources is like having a well-organized library - it makes finding what you need quick and easy while enabling powerful automation, cost management, and governance capabilities. Tags are name-value pairs that provide metadata about your resources, enabling you to categorize resources for billing, management, and operational purposes.

🏷️ Azure Resource Tagging: Your Organizational Superpower

🎯 Essential Tag Categories:

💰 Financial Tags: CostCenter:IT-001, Department:Marketing, Budget:FY2025-Q1, Project:CustomerPortal

Essential for chargeback billing and cost reporting

⚙️ Operational Tags: Environment:Production, Criticality:High, MaintenanceWindow:Sunday-2AM, BackupRequired:Daily

Critical for operations and automation

👥 Ownership Tags: Owner:john.doe@company.com, Team:DevOps, Contact:+1-555-0123, BusinessUnit:Retail

Know who to contact for issues or approvals

📋 Compliance Tags: DataClassification:Confidential, Compliance:SOX, RetentionPeriod:7Years, PIIData:Yes

Essential for regulatory compliance and security

🚀 Tagging Benefits & Use Cases:

💰 Cost Management & Chargeback

Generate detailed cost reports by department, project, or cost center for accurate billing allocation. Example breakdown: Marketing $3,500, IT $2,500, Sales $2,000, HR $2,000

🔧 Automation & Operations

Automatically start/stop VMs based on environment tags, apply security policies based on data classification, trigger backups based on criticality tags.

📊 Resource Discovery & Inventory

Quickly find all resources belonging to a project, all production databases, or all resources owned by a specific team.

📋 Compliance & Auditing

Generate compliance reports, track data classification requirements, identify resources subject to specific regulations.
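A tag- and naming-compliance check with the tag-driven automation and chargeback described above, as an added Python example (not course material). The required tag set, the value formats, the action names and the inventory are constructed assumptions; the naming convention is the page's own {ProjectName}-{Environment}-{Purpose}-RG.

```python
# Tag and naming compliance over a constructed resource inventory, plus the
# tag-driven automation and chargeback described on the page.
# Added example, not from the course page; resources, names and values are samples.
import re
from collections import defaultdict

# Naming convention from the page: {ProjectName}-{Environment}-{Purpose}-RG
RG_NAME = re.compile(r"^[A-Za-z0-9]+-(Prod|Test|Dev)-[A-Za-z0-9]+-RG$")

# Required tags and the value format each must follow (formats are assumptions).
REQUIRED_TAGS = {
    "CostCenter": re.compile(r"^[A-Z]+-\d{3}$"),                      # IT-001
    "Environment": re.compile(r"^(Production|Test|Development)$"),
    "Owner": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),               # an e-mail
    "DataClassification": re.compile(r"^(Public|Internal|Confidential)$"),
}


def tag_findings(resource):
    """Missing or malformed required tags, plus naming violations, for one resource."""
    tags = resource.get("tags", {})
    findings = []
    for key, pattern in REQUIRED_TAGS.items():
        if key not in tags:
            findings.append(f"missing tag {key}")
        elif not pattern.match(tags[key]):
            findings.append(f"tag {key} has invalid value {tags[key]!r}")
    if not RG_NAME.match(resource["resourceGroup"]):
        findings.append(f"resource group {resource['resourceGroup']!r} breaks naming convention")
    return findings


def automation_actions(resource):
    """Operations that tags trigger automatically (action names are constructed)."""
    tags = resource.get("tags", {})
    actions = []
    is_vm = resource["type"] == "Microsoft.Compute/virtualMachines"
    if is_vm and tags.get("Environment") in {"Development", "Test"}:
        actions.append("schedule-auto-shutdown")          # start/stop by environment
    if tags.get("BackupRequired") == "Daily" or tags.get("Criticality") == "High":
        actions.append("enroll-daily-backup")             # backups by criticality
    if tags.get("DataClassification") == "Confidential" or tags.get("PIIData") == "Yes":
        actions.append("apply-confidential-data-policy")  # policy by classification
    return actions


def chargeback(resources):
    """Monthly cost per CostCenter tag; untagged spend is surfaced, not hidden."""
    totals = defaultdict(float)
    for r in resources:
        totals[r.get("tags", {}).get("CostCenter", "UNTAGGED")] += r["monthlyCost"]
    return dict(totals)


# Constructed inventory: one compliant VM and one sloppily tagged database.
INVENTORY = [
    {"name": "vm-portal-dev-01", "type": "Microsoft.Compute/virtualMachines",
     "resourceGroup": "Portal-Dev-Web-RG", "monthlyCost": 140.0,
     "tags": {"CostCenter": "IT-001", "Environment": "Development",
              "Owner": "john.doe@company.com", "DataClassification": "Internal"}},
    {"name": "sql-crm-prod", "type": "Microsoft.Sql/servers/databases",
     "resourceGroup": "crm database", "monthlyCost": 980.0,
     "tags": {"CostCenter": "marketing", "Environment": "Production",
              "PIIData": "Yes", "BackupRequired": "Daily"}},
]

if __name__ == "__main__":
    for r in INVENTORY:
        print(r["name"], tag_findings(r), automation_actions(r))
    print(chargeback(INVENTORY))
```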

🔒 Resource Locks: Preventing Accidental Changes and Deletions

🛡️ Types of Resource Locks:

Delete Lock (CannotDelete)

Prevents deletion of the resource but allows read and modify operations.

Use Case: Protect critical production resources like databases and storage accounts

Read-Only Lock (ReadOnly)

Prevents deletion and modification; only read operations are allowed.

Use Case: Protect configuration resources during maintenance or audits

Lock Inheritance Rules
  • Subscription locks apply to all resource groups and resources
  • Resource group locks apply to all resources in the group
  • Child resources inherit the most restrictive lock from parents
  • Only Owners can create or delete locks
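The inheritance rules above, modelled as an added Python example (not course material): it finds the most restrictive lock in a resource's scope chain, reports which scope set it (what you need to know before the override process), and says whether a read, modify or delete would go through. The subscription id, resource names and locks are constructed.

```python
# Effective resource lock for an Azure scope: locks on the subscription, the
# resource group and the resource itself all apply, and the most restrictive
# one wins. Added example, not from the course page; the ids are constructed.
SUB = "/subscriptions/22222222-2222-2222-2222-222222222222"  # constructed id

# Restrictiveness order: no lock < CannotDelete < ReadOnly.
LOCK_RANK = {None: 0, "CannotDelete": 1, "ReadOnly": 2}

# Operations each effective lock level still permits.
ALLOWED = {
    None: {"read", "modify", "delete"},
    "CannotDelete": {"read", "modify"},
    "ReadOnly": {"read"},
}


def scope_chain(resource_id):
    """Subscription, then resource group (if any), then the resource itself."""
    chain = [resource_id]
    if "/resourceGroups/" in resource_id:
        sub, rest = resource_id.split("/resourceGroups/", 1)
        rg = sub + "/resourceGroups/" + rest.split("/", 1)[0]
        if rg != resource_id:
            chain.insert(0, rg)
        chain.insert(0, sub)
    return chain


def effective_lock(resource_id, locks):
    """Most restrictive lock that applies, and the scope it was set on.

    `locks` maps scope id -> "CannotDelete" or "ReadOnly".
    Returns (None, None) when nothing in the chain is locked.
    """
    winner, origin = None, None
    for scope in scope_chain(resource_id):
        level = locks.get(scope)
        if LOCK_RANK[level] > LOCK_RANK[winner]:
            winner, origin = level, scope
    return winner, origin


def check_operation(operation, resource_id, locks):
    """Return (allowed, reason) for a read/modify/delete against a resource."""
    level, origin = effective_lock(resource_id, locks)
    if operation in ALLOWED[level]:
        return True, f"{operation} allowed"
    return False, f"{operation} blocked by {level} lock set on {origin}"


if __name__ == "__main__":
    # Constructed locks: the production RG is protected against deletion, and one
    # storage account under legal hold is frozen completely.
    prod_rg = SUB + "/resourceGroups/WebApp-Prod-RG"
    hold_sa = (SUB + "/resourceGroups/Backups-RG/providers/Microsoft.Storage"
               "/storageAccounts/legalhold01")
    locks = {prod_rg: "CannotDelete", hold_sa: "ReadOnly"}
    web = prod_rg + "/providers/Microsoft.Web/sites/webapp-prod"
    for op, rid in [("delete", web), ("modify", web), ("modify", hold_sa)]:
        print(check_operation(op, rid, locks))
```

ReadOnly is stricter than the name suggests: operations that run as POST requests, such as listing a storage account's keys, are blocked too, so a ReadOnly lock on a storage account can break applications that fetch keys at start-up.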
🎯 Lock Management Scenarios:

🏢 Production Environment Protection

Apply CannotDelete locks to all production resource groups to prevent accidental environment deletion.

Example: WebApp-Prod-RG with a CannotDelete lock prevents deletion of the entire application stack

💾 Critical Data Protection

Apply ReadOnly locks to backup storage accounts and archive data during compliance periods.

Example: Legal hold requirements for financial data during audit periods

🔧 Shared Infrastructure

Lock shared networking resources like VPN gateways and core virtual networks.

Example: Corporate VNet with a CannotDelete lock prevents network outages

⚠️ Lock Override Process

Establish clear procedures for emergency lock removal with approval workflows.

Process: Manager approval → Remove lock → Perform action → Reapply lock

Azure Organization Best Practices & Governance

Successful Azure deployments follow proven organizational patterns and governance practices. These best practices help ensure security, compliance, cost control, and operational efficiency at scale while maintaining flexibility for growth and change.

⭐ Azure Organization Best Practices Framework

Hierarchy Design

Organizational Structure

✓ Business-aligned: Mirror company structure
✓ Environment separation: Prod/Test/Dev boundaries
✓ Scalable design: Plan for growth
✓ Clear ownership: Defined responsibilities

Security & Access

Identity & Permissions

✓ Least privilege: Minimum necessary access
✓ Group-based RBAC: Use Azure AD groups
✓ Regular reviews: Audit permissions quarterly
✓ Emergency access: Break-glass procedures

Cost Management

Financial Control

✓ Budget alerts: Proactive monitoring
✓ Cost center tags: Chargeback tracking
✓ Resource policies: Prevent expensive resources
✓ Lifecycle automation: Auto-shutdown dev/test

Governance

Policy & Compliance

✓ Policy enforcement: Automated compliance
✓ Naming standards: Consistent conventions
✓ Resource standards: Approved SKUs only
✓ Change control: Approval workflows

Operations

Day-to-Day Management

✓ Monitoring strategy: Centralized logging
✓ Backup policies: Automated protection
✓ Update management: Scheduled maintenance
✓ Disaster recovery: Tested procedures

Team & Culture

People & Processes

✓ Training programs: Azure skills development
✓ Documentation: Maintain runbooks
✓ Communication: Regular team updates
✓ Knowledge sharing: Cross-training

🗺️ Azure Organization Implementation Roadmap

Phase 1: Planning & Design (Week 1-2)
Assessment & Requirements
  • Inventory existing Azure resources
  • Document business structure
  • Identify compliance requirements
  • Map current cost centers
Design Decisions
  • Management group hierarchy
  • Subscription strategy
  • Naming conventions
  • Tagging taxonomy

Phase 2: Implementation (Week 3-6)
Infrastructure Setup
  • Create management groups
  • Organize subscriptions
  • Restructure resource groups
  • Apply initial tags
Policy & Access
  • Deploy Azure policies
  • Configure RBAC roles
  • Set up resource locks
  • Implement cost budgets

Phase 3: Monitoring & Governance (Week 7-8)
Monitoring Setup
  • Configure cost alerts
  • Set up compliance monitoring
  • Create governance dashboards
  • Implement automated reporting
Process Integration
  • Train teams on the new structure
  • Document procedures
  • Create change processes
  • Establish review cycles

Phase 4: Optimization & Continuous Improvement (Ongoing)
Regular Reviews
  • Monthly cost reviews
  • Quarterly access reviews
  • Annual structure assessment
  • Continuous policy updates
Optimization Actions
  • Refine tagging strategy
  • Adjust access permissions
  • Update governance policies
  • Optimize cost allocation

Session Summary & Key Takeaways

🎯 Azure Organization & Management: Building for Scale

💳 Azure Subscriptions:

  • Billing boundary: One subscription = one bill per month
  • Access control boundary: RBAC permissions scope
  • Management boundary: Policies and compliance settings
  • Scale boundary: Resource limits and quotas per subscription
  • Azure AD trust: Each subscription trusts exactly one tenant

📁 Resource Groups:

  • Logical container: Group resources by lifecycle and management
  • Lifecycle management: Delete group = delete all resources
  • Permission inheritance: RBAC roles apply to all resources
  • Metadata location: RG location only affects metadata storage
  • One-to-one relationship: Each resource belongs to exactly one RG

🏢 Management Groups:

  • Enterprise governance: Organize subscriptions at scale
  • Policy inheritance: Apply policies across multiple subscriptions
  • Centralized access: RBAC roles at management group level
  • Hierarchy depth: Maximum 6 levels of management groups
  • Root group: Automatically created for each Azure AD tenant

🏷️ Resource Tagging:

  • Financial tags: Cost center, department, project, budget tracking
  • Operational tags: Environment, criticality, maintenance windows
  • Ownership tags: Owner, team, contact information
  • Compliance tags: Data classification, retention, regulatory requirements
  • Automation enabler: Tags drive automated operations and policies

🔒 Resource Locks:

  • CannotDelete lock: Prevents deletion, allows modifications
  • ReadOnly lock: Prevents deletion and modifications
  • Inheritance: Child resources inherit the most restrictive lock
  • Owner only: Only owners can create or remove locks
  • Production protection: Essential for critical resource protection

⭐ Best Practices:

  • Hierarchy design: Mirror business structure and requirements
  • Naming conventions: Consistent, descriptive resource naming
  • Environment separation: Clear boundaries between prod/test/dev
  • Least privilege access: Minimal permissions for each role
  • Automation: Use tags and policies to automate operations

🏗️ Azure Organization Decision Framework

1. Business Structure: How is your company organized?
2. Compliance Requirements: What regulations must you follow?
3. Scale & Growth: How will you grow over time?
4. Operational Model: How will you manage day-to-day?

🚀 Ready for Azure Compute Services?

Outstanding! You now understand how to organize and manage Azure resources at enterprise scale. With proper hierarchy, access control, and governance in place, you're ready to explore the compute services that will run your applications. Next, we'll dive into Azure Virtual Machines and compute options.

AZ-900 Exam Tips for Azure Organization

🎯 Key Concepts to Remember:
  • Subscription = billing boundary, resource groups = lifecycle boundary
  • Management groups enable enterprise-scale governance
  • Resource locks: CannotDelete vs ReadOnly
  • Tags enable automation, cost tracking, and organization
  • RBAC inheritance flows down the hierarchy

💡 Common Exam Scenarios:
  • Company needs separate billing for departments → Multiple subscriptions
  • Project resources managed together → Same resource group
  • Enterprise policy across all subscriptions → Management groups
  • Prevent accidental deletion → Resource locks
  • Track costs by department → Tagging strategy