Azure Management Groups, Subscriptions, and Resource Groups are extremely powerful when utilised separately. However, when utilised collectively, they may construct Azure’s complete organisational structure.
Multiple Subscriptions are often used by organisations and individuals throughout their Azure environment. Depending on an organisation’s demands, they may be divided by department, life-cycle, business unit, and so on, resulting in one of the hundreds of Azure Subscriptions. The more Azure Subscriptions we have, the more difficult it is to manage each Subscription’s access restrictions and Azure Policy, which frequently leads to Subscription sprawl. We can now more effectively manage our Azure Subscriptions by grouping them into containers, similar to how we organise Azure Resources into Resource Groups, thanks to the advent of Azure Management Groups.
Azure Resource Manager
Subscriptions, Management Groups, and Resource Groups are all critical organisational elements in Azure. However, to grasp the purpose of Azure Subscriptions and Management Groups, you must first comprehend the Azure Resource Management hierarchy.
Microsoft Azure’s primary service is Azure Resource Manager. It is a necessary component of Azure deployment and offers a consistent management layer regardless of the toolset utilised. Your commands all use Azure Resource Manager, whether you use the Azure website, Azure CLI, Azure Powershell, or one of the many different methods for controlling Azure resources.
- Resource: A resource is a controllable thing that is accessible via Azure. Resources include virtual computers, storage accounts, web applications, databases, and virtual networks. Resources include resource groups, subscriptions, management groups, and tags.
- Resource Group: A resource group is a container that contains resources linked to an Azure solution. The resource group contains all of the resources you wish to manage as a group. Which resources belong in a resource group are determined by what makes the most sense for your company.
The advantages of Resource Manager
You may do the following with the Resource Manager:
- Rather than scripts, manage your infrastructure using declarative templates.
- Rather than managing individual resources for your solution, deploy, administer, and monitor them as a group.
- Redeploy your solution throughout the development lifecycle with confidence in the condition of your resources.
- Define resource dependencies to ensure that resources are distributed in the proper sequence.
- Control access to all services due to the native integration of Azure role-based access control (Azure RBAC) into the administration platform.
- Use tags to organise the materials in your subscription properly.
- Streamline your organization’s billing by examining the expenses associated with a set of resources that share a common tag.
Understanding the Hierarchy of Azure Resource Manager
The Azure Resource Manager architecture is divided into four tiers, or “scopes.” Each of these scopes is illustrated in the diagram below.
Azure Management Groups
What is an Azure management group?
A logical container that allows Azure Administrators to manage access, policy, and compliance across many Azure Subscriptions is an Azure Management group. Management groups enable you to create an Azure Subscription tree that can be utilised with other Azure services such as Azure Policy and Azure Role-Based Access Control. Azure Management Groups allow you to organise policy, access control, and compliance across many subscriptions with ease. We can stack Azure Management Groups up to six layers deep for effective resource management.
Management groups can be used effectively.
Azure Management Groups may be used in a variety of ways, including mirroring your billing structure. This is how many businesses begin to use management teams. The value of management groups, though, comes when you utilise them to model your company. Azure Subscriptions may be bundled based on the requirement for shared responsibilities, as well as Azure Policies and initiatives.
Organizing with management groups
Azure Management Groups go above and beyond Azure Subscriptions in terms of organisation. If your organisation has more than one or two Azure Subscriptions, you should actively manage access, policies, and compliance for those subscriptions. All subscription objects inside a management group receive a copy of the management group’s role-based access control and policy settings.
Each directory has its own root management group.
Each Azure Active Directory (AD) tenant has a top-level management group known as the “root” management group. Only an Azure AD Global Administrator has access to this root level group by default, and only after raising access. There are numerous critical facts that the root management group should be aware of:
- Tenant root group is the name of the root management group, although it may be modified.
- It is not possible to relocate or remove the root management group.
- The root management group oversees all management groups in Azure AD.
- The root management group is visible to all Azure users.
- There can only be one root management group.
- When a new subscription is established, it is immediately added to the root management group.
Key facts regarding Management Groups
- A single Azure AD tenancy may handle up to 10,000 management groups.
- Management group trees can have up to six layers of depth, excluding the root and subscription levels.
- Subscriptions and management groups can only support one parent.
- Many youngsters can be found in management groups.
- In each directory, all subscribers and management groups are organised into a single hierarchy.
Management Groups’ limitations
Management groups have one significant limitation: they cannot contain an Azure Resource. It is limited to other management groups or subscriptions.
What is Azure Subscription?
An Azure Subscription can be described in a variety of ways, but at its most basic level, a subscription refers to the logical entity that grants access to deploy and consume Azure resources. Other options to define an Azure Subscription include:
- A sensible grouping of Azure resources. Each Azure asset is assigned to a single subscription.
- A clearly defined administrative security barrier that allows for Role-Based Access Control.
- A deployment structure for organising and ensuring the consistency of Azure resources.
Azure Subscriptions include several considerations:
- • An Azure Subscription is free of charge.
- • Administrators are assigned to each Azure Subscription.
- • Azure Subscriptions are global in nature and can include resources from various regions.
- • Subscriptions can be purchased in a variety of ways
A subscription, according to Microsoft, is “an agreement with Microsoft to utilise one or more Microsoft cloud platforms or services, for which costs accumulate based on either a per-user licencing fee or cloud-based resource consumption.”
How do Subscriptions work?
Azure Subscriptions are fundamentally basic structures. As previously indicated, an Azure Subscription may be used to manage and store Azure resources, as well as to arrange resources in containers.
There are several ways to create a subscription with Microsoft Azure; We will attempt to highlight the most common.
- Enterprise Agreement (EA) – An Enterprise Agreement is a Microsoft bulk licencing scheme. The Enterprise Agreement is a three-year contract with Microsoft that is most commonly found in bigger businesses with 500 or more users. One of the most frequent forms of subscriptions is the EA. There is another type called Enterprise Dev/Test, which provides the same access as an Enterprise Agreement but at a lower cost for development and testing workloads.
- Pay as you go – The second most prevalent subscription type is paid as you go. Typically, the company will keep a credit card file. Although it is uncommon, a client will occasionally pay via invoice.
- Azure Free Trial – Anyone may join up for a 30-day free trial of Azure. The free trial subscription comes with $200 in Azure spending credits. Once a credit card is on file, a free trial is changed to Pay.
- Cloud Solutions Partner (CSP) – Cloud Solutions Partner (CSP) subscriptions are obtained through a Microsoft partner.
Azure features a plethora of limits per subscription, which are sometimes referred to as “quotas.” Many (but not all) membership limitations can be increased by submitting an online support request to Microsoft. Nonetheless, every limit has a maximum value. Once you’ve reached a maximum value, the only way to get around it is to buy additional memberships.
Subscriptions, in addition to Management Groups, enable several tiers for optimally organising Azure Resources to meet the needs of the organisation. Finally, it is up to the business to choose how to effectively arrange Azure Resources using Azure Subscriptions. In general, Platingnum recommends starting with two subscriptions: one for production resources and one for non-production resources like development and testing.
How many subscriptions are too many?
The management complexity and administrative overhead grow in lockstep with the number of Azure Subscriptions. Having said that, Begin as simply as possible and grow as your company’s demands dictate. As Azure (and your business) expand, expect to discover that the company has acquired a requirement that will demand a shift to additional subscriptions.
Azure Management Groups are an excellent method for your business to manage Azure Resources across subscriptions and also at the subscription level. They are also extremely adaptable, supporting various degrees of depth. However, one must carefully examine the impact of implementing any access restrictions or policy levels, thoroughly evaluate them, and proceed appropriately.
Get in touch with us to organise your resources and subscriptions effectively with Azure Management Groups.