Chapter 08 — Azure Resources, Resource Groups, Subscriptions & Management Groups

Overview

Azure organizes everything into a clear hierarchy. Understanding this hierarchy helps you manage costs, access control, and policies at scale.

The hierarchy from bottom to top:

Resources
  └── Resource Groups
        └── Subscriptions
              └── Management Groups
                    └── Azure Active Directory (Entra ID) Tenant

Each level can contain policies, access controls, and billing settings that flow down to the levels below.


1. Resources

A resource is any individual service or component you create in Azure.

Examples of Azure resources:

  • A Virtual Machine
  • A Storage Account
  • A SQL Database
  • A Virtual Network
  • An App Service
  • A Key Vault

Key Facts

Fact                                         Detail
Every resource has a name                    Must be unique within its scope
Every resource belongs to a resource group   Cannot exist outside a group
Every resource has a type                    e.g., Microsoft.Compute/virtualMachines
Every resource has a location (region)       Where it physically runs
Resources can have tags                      Key-value pairs for organization and billing


2. Resource Groups

A resource group is a logical container that holds related Azure resources for a project, application, or workload.

Think of it like a folder on your computer — it groups related files (resources) together.

Resource Group: "MyWebApp-RG"
├── Virtual Machine (Web Server)
├── SQL Database
├── Virtual Network
├── Storage Account
└── App Service Plan

Key Facts

Fact                                                          Detail
Every resource must be in exactly one resource group          Cannot be in two groups simultaneously
Resource groups can contain resources from multiple regions   The group itself has a "location" for metadata only
Deleting a resource group deletes all resources inside it     Useful for cleanup
Resource groups are free to create                            No cost for the container itself
You can apply access control (RBAC) at the group level        All resources inherit the permissions
You can apply tags to the group                               Tags don't automatically apply to resources inside

Best Practices for Naming Resource Groups

Recommended naming convention:

{project}-{environment}-{region}-rg

Examples:
  ecommerce-prod-eastus-rg
  payroll-dev-westeurope-rg
  analytics-test-centralindia-rg

Grouping Strategies

Strategy         Example
By application   All resources for "HRSystem" in one group
By environment   All "production" resources in one group
By lifecycle     Resources you deploy and delete together
By department    All "Marketing" resources in one group


3. Subscriptions

An Azure subscription is a billing and access boundary — it's how you pay for Azure services.

Subscription: "Contoso Production"
├── Resource Group: "WebApp-RG"
│     ├── VM
│     └── Database
├── Resource Group: "Networking-RG"
│     └── Virtual Network
└── Resource Group: "Security-RG"
      └── Key Vault

Key Facts

Fact                     Detail
Billing unit             Every resource in a subscription is billed to that subscription
Access boundary          You can control who can access the entire subscription
Trust boundary           A subscription trusts one Azure AD (Entra ID) tenant
Limits                   Some Azure resources have per-subscription limits (e.g., max 980 resource groups)
Multiple subscriptions   An organization can have many subscriptions

Why Have Multiple Subscriptions?

Reason                  Example
Separate billing        Different departments pay separately
Isolate environments    Dev, Test, Production each get their own subscription
Hit resource limits     If one subscription hits limits, use another
Compliance boundaries   Regulated workloads isolated in dedicated subscription

Subscription Types

Type                            Description
Free trial                      $200 credit for 30 days + 12 months of free services
Pay-as-you-go                   No commitment, pay for what you use
Enterprise Agreement            Large organizations — volume discounts
CSP (Cloud Solution Provider)   Partner-managed subscriptions
Azure for Students              $100 credit, no credit card required


4. Management Groups

Management groups sit above subscriptions and allow you to organize and govern multiple subscriptions at once.

Root Management Group (Tenant-level)
├── Management Group: "Corp IT"
│     ├── Subscription: Production
│     ├── Subscription: Development
│     └── Subscription: Testing
├── Management Group: "Subsidiaries"
│     ├── Subsidiary A Subscription
│     └── Subsidiary B Subscription
└── Management Group: "Sandbox"
      └── Sandbox Subscription

Key Facts

Fact                         Detail
Maximum depth                6 levels of management groups
Root group                   Every tenant has one root management group
Policy inheritance           Policies applied to a group apply to all subscriptions within
RBAC inheritance             Access granted at group level flows down to all subscriptions
Subscription can belong to   Only one management group at a time

Why Use Management Groups?

  • Apply a security policy across all 50 subscriptions at once (instead of 50 times)
  • Grant a security team read access across all subscriptions from one place
  • Enforce compliance rules organization-wide consistently


The Full Hierarchy

Azure AD / Entra ID Tenant
  └── Root Management Group
        ├── Management Group A
        │     ├── Subscription 1
        │     │     ├── Resource Group 1
        │     │     │     ├── Resource (VM)
        │     │     │     └── Resource (DB)
        │     │     └── Resource Group 2
        │     │           └── Resource (Storage)
        │     └── Subscription 2
        └── Management Group B
              └── Subscription 3

What You Can Apply at Each Level

Level

Apply Policies?

Apply RBAC?

Apply Budgets?

Management Group

Subscription

Resource Group

Resource

Policies and permissions applied at a higher level automatically inherit down to all child levels.
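
To see what inheritance means when you review access, the added example below (not part of the original chapter and not Microsoft code) walks a resource's scope up the hierarchy and lists every role assignment that reaches it. The management group names, principals, and subscription ID are constructed; only the additive, downward inheritance described above is modelled.

```python
# Added example: models scope inheritance offline; it makes no Azure calls.
MG = "/providers/Microsoft.Management/managementGroups/"
SUB1 = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed ID
RG1 = SUB1 + "/resourceGroups/rg1"
VM = RG1 + "/providers/Microsoft.Compute/virtualMachines/vm1"
DB = RG1 + "/providers/Microsoft.Sql/servers/sql1"

# Links that are not encoded in the scope string (hypothetical group names).
PARENTS = {MG + "mg-a": MG + "root", MG + "mg-b": MG + "root", SUB1: MG + "mg-a"}

# Constructed role assignments: (principal, role, scope).
ASSIGNMENTS = [
    ("security-team", "Reader", MG + "root"),
    ("platform-admins", "Owner", MG + "mg-a"),
    ("subsidiary-ops", "Owner", MG + "mg-b"),
    ("app-devs", "Contributor", RG1),
    ("dba", "Contributor", DB),
]

def parent_scope(scope):
    """Return the scope one level up, or None at the top of the hierarchy."""
    if scope in PARENTS:
        return PARENTS[scope]
    parts = scope.strip("/").split("/")
    if parts[0] == "subscriptions" and len(parts) > 4:
        return "/" + "/".join(parts[:4])  # resource -> resource group
    if parts[0] == "subscriptions" and len(parts) == 4:
        return "/" + "/".join(parts[:2])  # resource group -> subscription
    return None

def ancestry(scope):
    """The scope itself followed by every ancestor, narrowest first."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = parent_scope(scope)
    return chain

def effective_assignments(scope, assignments=ASSIGNMENTS):
    """Assignments that apply at `scope`, directly or by inheritance."""
    chain = ancestry(scope)
    hits = [a for a in assignments if a[2] in chain]
    return sorted(hits, key=lambda a: -chain.index(a[2]))  # broadest scope first

def inherited_privileged(scope, roles=("Owner", "Contributor")):
    """Privileged roles that reach `scope` from a management group."""
    return [a for a in effective_assignments(scope)
            if a[1] in roles and a[2].startswith(MG)]

if __name__ == "__main__":
    for principal, role, at in effective_assignments(VM):
        print(f"{principal:16} {role:12} assigned at {at}")
```

The Owner assignment on "mg-a" reaches the VM even though nothing was granted on the VM, its resource group, or its subscription, which is why assignments at management group scope deserve the closest review.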


Resource Tagging

Tags are name-value pairs you attach to resources for organization, filtering, and cost tracking.

Example tags on a VM:

Environment: Production
Department:  Finance
Owner:       jane.doe@company.com
CostCenter:  CC-2045
Project:     Payroll

Benefits of Tags

  • Filter resources by department, project, or environment
  • Track costs per team or project in billing reports
  • Automate operations based on tags (e.g., shut down all "Dev" VMs at night)
  • Enforce tagging with Azure Policy
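
Because tags on a resource group do not reach the resources inside it, a tag audit has to look at each resource. The added example below (not part of the original chapter) checks a constructed inventory against an assumed set of required tags and reports which missing tags exist only on the parent group. It compares tag names and resource group names case-insensitively, as Azure does.

```python
# Added example: offline tag audit over a constructed inventory (no Azure calls).
REQUIRED = ("Environment", "Owner", "CostCenter")  # assumed organizational standard

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed ID
RG = SUB + "/resourceGroups/payroll-prod-eastus-rg"
FULL = {"Environment": "Production", "Owner": "jane.doe@company.com",
        "CostCenter": "CC-2045"}

# Constructed inventory: tags per resource group and per resource, keyed by ID.
GROUP_TAGS = {RG: FULL}
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
ST = (SUB + "/resourceGroups/Payroll-Prod-EastUS-RG"
      "/providers/Microsoft.Storage/storageAccounts/st1")  # same group, other casing
SQL = RG + "/providers/Microsoft.Sql/servers/sql1"
RESOURCES = {
    VM: {"environment": "Production", "Owner": "jane.doe@company.com",
         "CostCenter": "CC-2045"},       # tag name casing differs, still counts
    ST: {"Project": "Payroll"},          # tagged, but none of the required tags
    SQL: dict(FULL, Owner=""),           # empty value is treated as missing
}

def group_of(resource_id):
    """Resource group ID: the first four segments of the resource ID."""
    return "/" + "/".join(resource_id.strip("/").split("/")[:4])

def fold(tags):
    """Lower-case tag names so lookups ignore casing; values are untouched."""
    return {name.lower(): value for name, value in tags.items()}

def audit(resources=RESOURCES, group_tags=GROUP_TAGS, required=REQUIRED):
    """Map each non-compliant resource to its missing required tags."""
    groups = {gid.lower(): fold(tags) for gid, tags in group_tags.items()}
    findings = {}
    for rid, tags in resources.items():
        have = fold(tags)
        missing = [t for t in required if not have.get(t.lower())]
        if not missing:
            continue
        parent = groups.get(group_of(rid).lower(), {})
        findings[rid] = {
            "missing": missing,
            # Present on the group but not the resource: nothing was inherited.
            "set_on_group_only": [t for t in missing if parent.get(t.lower())],
        }
    return findings

if __name__ == "__main__":
    for rid, result in audit().items():
        print(rid.rsplit("/", 1)[-1], result)
```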


Quick Recap

Resources       → Individual Azure services (VM, DB, etc.)
Resource Groups → Logical containers for related resources
Subscriptions   → Billing + access boundaries
Management Groups → Governance across multiple subscriptions

Hierarchy: Resource → Resource Group → Subscription → Management Group → Tenant
Policies and permissions flow DOWN the hierarchy.
