Introduction to Microsoft Azure: Describe Azure Architecture and Services

Describe Azure’s Management Infrastructure

The management infrastructure includes Azure resources, resource groups, subscriptions, and accounts.
Understanding the hierarchical organization will help you plan your projects and products in Azure.

Azure Resources and Resource Groups

A resource is the basic element of Azure.
Everything you create, provision, deploy, etc., is considered a resource.
Virtual machines (VMs), virtual networks, databases, cognitive services, and so on are all resources in Azure.

Resource Groups

Resource groups are simply collections of resources.
When you create a resource, you must place it in a resource group.
A resource group can contain multiple resources, but a resource can belong to only one group at a time.

Some resources can be moved from one group to another, but once moved, the resource is no longer associated with its previous group.
Additionally, resource groups cannot be nested, meaning you cannot place Group B inside Group A.

Resource groups provide a convenient way to organize resources.
When you apply an action to a resource group, that action applies to all resources within it.
For example:

  • If you delete a resource group, all resources it contains will be deleted.
  • If you grant or deny access to a resource group, you grant or deny access to all resources in that group.

When provisioning resources, it is helpful to think about the resource group structure that best fits your needs.
For example:

  • If you set up a temporary development environment, grouping all resources together allows you to delete everything at once by deleting the resource group.
  • If you provision compute resources with three different access patterns, it may be better to group resources by access pattern and then assign permissions at the resource group level.

There are no strict rules on how to use resource groups.
Consider the best organization to maximize their usefulness in your context.

Azure Subscriptions

In Azure, subscriptions are a unit of management, billing, and scale.
Just as resource groups allow you to logically organize resources, subscriptions allow you to logically organize resource groups and simplify billing.

Using Azure Requires an Azure Subscription

A subscription gives you authenticated and authorized access to Azure products and services.
It also allows you to provision resources.
An Azure subscription is linked to an Azure account, which corresponds to an identity in Microsoft Entra ID or in a directory trusted by Microsoft Entra ID.

An account can have multiple subscriptions, but only one subscription is required.
In an account with multiple subscriptions, you can:

  • Configure different billing models
  • Apply different access management policies

Azure subscriptions define boundaries around Azure products, services, and resources.
There are two types of subscription boundaries:

Billing Boundary

A billing boundary determines how an Azure account is billed for Azure usage.
You can create multiple subscriptions to meet different billing needs.
Azure generates separate reports and invoices for each subscription, allowing you to organize and manage costs.

Access Control Boundary

Azure enforces access management policies at the subscription level.
You can create separate subscriptions to reflect different organizational structures.
For example, in a company, you can apply subscription-specific policies to each department.
This model allows you to manage and control access to resources that users provision through specific subscriptions.

Creating Additional Azure Subscriptions

Just as you use resource groups to separate resources by function or access, you can create additional subscriptions to manage resources or billing.
For example, you can create separate subscriptions to separate:

  • Environments: separate environments for development, testing, and security, or to isolate data for compliance purposes.
    This is useful because access control to resources occurs at the subscription level.
  • Organizational structures: you can create subscriptions to reflect different teams.
    For example, limit one team to low-cost resources while allowing IT to access all resources.
  • Billing: you can create subscriptions to track costs according to your needs.
    For example, one subscription for production workloads and another for development and testing workloads.

Azure Management Groups

The final element is the management group.
Resources are grouped into resource groups, which are themselves grouped into subscriptions.
If you are just starting with Azure, this may seem sufficient to organize your resources.
But imagine managing multiple applications, multiple development teams, across multiple geographic areas.

If you have many subscriptions, you will need an efficient way to manage access, policies, and compliance.
Azure management groups provide a scope level above subscriptions.
You can organize subscriptions into containers called management groups and apply governance conditions to them.

All subscriptions in a management group automatically inherit the conditions applied to that group,
in the same way that:

  • Resource groups inherit settings from subscriptions
  • Resources inherit settings from resource groups

Management groups enable enterprise-scale management, regardless of subscription type.
Management groups can be nested.

Hierarchy: Management Group, Subscriptions, and Resource Groups

You can build a flexible structure of management groups and subscriptions to organize your resources in a hierarchy,
ensuring unified management of policies and access.

A diagram can illustrate how to create a governance hierarchy using management groups.

Examples of Using Management Groups:

Create a hierarchy to apply a policy:
For example, you can restrict the location of virtual machines (VMs) to the US West region in a group called Production.
This policy will be inherited by all subscriptions under this management group and will apply to all VMs in those subscriptions.
This security policy cannot be modified by the resource or subscription owner, ensuring better governance.

Provide user access to multiple subscriptions:
By grouping multiple subscriptions under a management group, you can create a single Azure RBAC (role-based access control) role assignment at the management group level.
Assigning RBAC at this level means that all child management groups, subscriptions, resource groups, and resources under this group will automatically inherit the permissions.
A single assignment at the management group level can give users access to everything they need without manually configuring RBAC for each subscription.
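
The inheritance described above, as an added example that is not part of the original page: a small Python model that resolves which role assignments apply at a given scope and which subscriptions a management-group assignment reaches. The hierarchy, IDs, principals and assignments are constructed sample data; only the scope ID layout follows Azure Resource Manager.

```python
# Added example. Every ID, principal and role assignment below is constructed.
MG = "/providers/microsoft.management/managementgroups/"

# child scope -> parent scope; each management group and subscription has
# exactly one parent. ARM IDs are case-insensitive, so everything is lower-cased.
PARENT = {
    MG + "contoso": MG + "tenant-root",
    MG + "production": MG + "contoso",
    "/subscriptions/sub-prod-1": MG + "production",
    "/subscriptions/sub-prod-2": MG + "production",
    "/subscriptions/sub-dev-1": MG + "contoso",
}

ASSIGNMENTS = [  # (principal, role, scope at which the assignment was made)
    ("ops-team", "Contributor", MG + "production"),
    ("auditor", "Reader", MG + "contoso"),
    ("dev-alice", "Owner", "/subscriptions/sub-dev-1/resourcegroups/rg-sandbox"),
]


def scope_chain(scope_id):
    """Scopes from scope_id up to the top management group, most specific first."""
    scope_id = scope_id.lower().rstrip("/")
    parts = scope_id.strip("/").split("/")
    chain = [scope_id]
    if parts[0] == "subscriptions":
        if len(parts) > 4:                    # resource -> its resource group
            chain.append("/" + "/".join(parts[:4]))
        if len(parts) > 2:                    # resource group -> its subscription
            chain.append("/" + "/".join(parts[:2]))
    while chain[-1] in PARENT:                # subscription / group -> parent group
        chain.append(PARENT[chain[-1]])
    return chain


def effective_assignments(scope_id):
    """Assignments that apply at scope_id, directly or by inheritance."""
    chain = scope_chain(scope_id)
    return [a for a in ASSIGNMENTS if a[2].lower() in chain]


def subscriptions_under(mg_scope):
    """Subscriptions that inherit anything assigned at mg_scope."""
    return sorted(s for s in PARENT
                  if s.startswith("/subscriptions/") and mg_scope.lower() in scope_chain(s))


if __name__ == "__main__":
    vm = "/subscriptions/sub-prod-1/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm1"
    for principal, role, scope in effective_assignments(vm):
        print(f"{principal:10} {role:12} assigned at {scope}")
    print(subscriptions_under(MG + "contoso"))
```

Running `subscriptions_under` for a management group before adding an assignment there shows how many subscriptions the single assignment will reach.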

Important Facts About Management Groups:

  • A single directory can support up to 10,000 management groups.
  • A management group tree can be up to six levels deep (not including the root level or the subscription level).
  • Each management group and each subscription can have only one parent.

Next Unit: Exercise – Create an Azure Resource.
