Table of Contents
At the top of the hierarchy are management groups. These groups are containers that help you manage access, policy, and compliance for multiple subscriptions. A single management group can contain multiple subscriptions, and other management groups, allowing for a flexible and structured management architecture. This is particularly useful for large organizations with various departments, each requiring different policies and access controls.
Management groups enable you to apply governance conditions such as Azure policies and Role-Based Access Control (RBAC) across multiple subscriptions. You can have up to six levels of depth in the management group hierarchy, not including the Root level or tenant level. This enables a granular level of control over different organizational units.
A multinational corporation might set up a management group structure like this:
Subscriptions are the next level in the hierarchy. A subscription is a logical container into which all Azure resources are deployed and managed. It is associated with an Azure account, and it is used to establish boundaries for resource usage. Each subscription can have its own billing and payment setup, which is helpful for keeping financial controls separate for different projects or departments within an organization.
Subscriptions provide an isolation boundary for resources, and you can use them to segregate environments for different projects or stages within a lifecycle, including production, development, and testing.
In a development workflow, an organization can maintain separate subscriptions for each environment:
Each subscription will have its own set of resources, policies, and access controls, preventing accidental interference between environments.
Below subscriptions, we find resource groups. A resource group is a container that holds related resources for an Azure solution. The resources in a resource group can include virtual machines, storage accounts, web apps, databases, and more, all of which are typically linked to a common lifecycle.
Resource groups allow you to manage and monitor resources together, as well as apply consistent policies and access rules. It is possible to add or remove resources to a resource group at any time, and resource groups can also span multiple regions.
An application might have the following structure within a resource group:
This logical grouping allows for simplified management as all related components of the application are located within the same resource group. It also makes it easier to delete all resources connected to an application when it’s no longer needed by deleting the resource group.
To summarize, here’s an overview of the hierarchy:
Level | Container Purpose | Use Case |
---|---|---|
Management Groups | Manage access, policies, and compliance across multiple subscriptions. | Grouping subscriptions by organizational structure or governance needs. |
Subscriptions | Isolation boundary for resources, with separate billing and payment setups. | Separating resources for different projects, teams, or billing entities. |
Resource Groups | Hold related resources for an Azure solution with a common lifecycle. | Grouping resources that support a specific application or service. |
Understanding this hierarchy is essential for efficient Azure management and a critical aspect for those preparing for the AZ-900 Microsoft Azure Fundamentals exam. Properly leveraging the hierarchy allows for better organization, governance, and cost management across all resources deployed in the cloud environment.
Management groups are a level above subscriptions, allowing you to organize subscriptions into containers and apply governance controls such as Azure policies at a broad level.
Resource groups serve as containers for resources that share a common lifecycle, permissions, and policies, enabling easy management and organization of Azure resources.
B) 6
Azure allows up to six levels of depth when organizing management groups in a hierarchy, excluding the root level.
C) Management Group
The management group is the top-most level of organization in the Azure hierarchy, used for access management, policy, and compliance across multiple subscriptions.
While a subscription can only be a child to a single management group at a given level, it can be part of a hierarchy under the management group, effectively being associated with multiple management groups up the hierarchy.
A) Subscriptions help with billing separation, B) Subscriptions can contain multiple resource groups, D) Subscriptions can be moved from one management group to another.
Subscriptions are used as a boundary for billing and resource management in Azure. They can contain multiple resource groups, and they can be moved from one management group to another for better organization and control.
Management groups allow for the application of governance policies and access controls across many subscriptions, streamlining compliance and management.
Resources must be contained within a resource group, and resource groups must be contained within a subscription. Management groups do not directly contain resources.
B) Resource Group
In the Azure hierarchy, resource groups come under a subscription and are used to organize and manage resources within that subscription.
RBAC policies can be defined at the management group level to consistently apply access control across multiple subscriptions.
Through the use of management groups, users can structure their subscriptions and view resources across these subscriptions without navigating to each one individually.
A) 10,000
An Azure environment can have up to 10,000 management groups, allowing extensive hierarchical organization and management of subscriptions.
Management groups in Azure allow you to manage access, policy, and compliance for a group of subscriptions, and apply consistent governance controls across your enterprise.
The hierarchy of resources in Azure is as follows management groups, subscriptions, resource groups, and resources.
Resources in Azure are organized into resource groups, which can be created and managed within a subscription.
A management group allows you to manage policies and access controls for a group of subscriptions, making it easier to maintain consistency across multiple environments.
Management groups can be created in the Azure portal, Azure PowerShell, or the Azure CLI.
A subscription in Azure is a logical container that provides access to Azure services and resources.
Resource groups allow you to organize resources and apply policies and tags to resources as a group.
Resource groups are used to organize resources and manage access control, monitoring, and cost management for a set of related resources.
Management groups provide a way to manage access, policy, and compliance for a group of subscriptions.
Policies and governance controls can be applied across multiple subscriptions using management groups.
Yes, resources can be moved between resource groups in Azure, and also between subscriptions.
A management group provides a way to manage access, policy, and compliance for a group of subscriptions, while a subscription provides access to Azure services and resources.
Costs can be managed across multiple subscriptions using resource groups and cost management tools in Azure.
No, a resource group can only belong to a single subscription in Azure.
Organizing resources into resource groups in Azure allows for easier management of policies, access control, monitoring, and cost management for related resources.
If this material is helpful, please leave a comment and support us to continue.