Day 3 - Azure Management Groups, Subscriptions and Resource Groups


Azure’s structure offers a flexible and powerful way to manage resources. Understanding Azure Management Groups, Subscriptions and Resource Groups is crucial for efficient cloud management and security.

Azure Hierarchy
Azure Hierarchy. Source:

When you sign up to Azure, there’s a Microsoft Entra tenant (previously known as Azure AD tenant) created. For now, consider Microsoft Entra tenant as something that stores the authentication and authorization details for accessing Azure.

One tenant can have multiple Azure subscriptions. However, one Azure subscription can only be associated with one tenant.

Azure Management Groups offer a layered approach to manage Azure resources. They act as containers for one or more subscriptions, allowing for hierarchical organization up to six levels deep. This structure is pivotal for efficiently managing resource access, Azure policies, and compliance across the enterprise.

Each tenant will have one “root management group” and all subscriptions are made children of the root management group. This root management group can contain other (nested) management groups.

All subscriptions within a single management group must trust the same Microsoft Entra tenant.

Subscriptions in Azure are the fundamental building blocks for resource allocation and billing. They provide a clear separation of resources for different environments or organizational units. The design of subscriptions can be simple, like segregating production and non-production resources.

Resource Groups in Azure are critical for organizing resources that share a common lifecycle or purpose. They are the most granular level of resource organization and play a significant role in governance, especially with RBAC.

In a nutshell, the Azure’s top-down hierarchy looks like follows:

Azure Hierarchy
Azure Hierarchy

Subscribe here to get a weekly gist of Azure Security posts directly to your email.

Follow me on LinkedIn and X to be get my posts on Cloud Security and DevSecOps.