Azure management infrastructure

Natasha Ong
This is some text inside of a div block.
4 min read

In a nutshell:

Resources are like individual items (virtual machines, databases, etc.) and are organised into resource groups.
Subscriptions can hold multiple resource groups, used for access control, billing separation, and organisation.
Management groups categorise and managing subscriptions at a wider scale. Usually only large companies (think global companies with hundreds of departments and offices) would use management groups.

Azure has opened a whole new world of services to us, letting us create virtual machines, storage blobs, virtual networks and more in the cloud.

Hmmm... once we're creating heaps and heaps of these, how do we keep things organised?

Azure has a system that's like a well-organised library, where everything has its place. Let's break it down in simple terms.

Resources and Resource Groups

Everything you create with Azure is a resource. These resources can be virtual machines, databases, storage accounts, and anything else you create! They're like the basic building blocks of Azure.

Now, if we think of resources as books, a resource group is the single shelf you use to put together resources. Let's look at the key facts for resource groups:

Why do resource groups exist?

Aside from the handy organising that resource groups do for us, they also save us time:

  • If you delete a resource group, all the resources inside will be deleted.
  • If you grant or deny access to a resource group, you're doing it for all the resources in that group.
  • In general, when you do something to a resource group, it affects all the resources inside it.


Now, let's talk about subscriptions. If resource groups are single shelves, think of subscriptions as bookshelves that contain multiple rows of shelves inside.

Yup, that means subscriptions organise resource groups. Every Azure account needs to have at least one subscription to use Azure. When you apply rules or settings to a subscription, you're applying it to all the resource groups inside it too.

Why do subscriptions exist?

With multiple subscriptions, you can set different rules for each. Subscriptions are really helpful when it comes to billing and access management.

  1. Billing: Each subscription gets its own bill, so you can keep track of your spending across different projects. You can even set up different billing requirements (for example, spending limits, payment methods, who's responsible for paying) for different subscriptions.
  1. Access management: You can set security rules at the subscription level. For example, a business would use subscriptions to manage each department's access to different Azure resources.
  • Tip: You could also create different subscriptions like "Development," "Security," and "Compliance." Each subscription gives access to the required tools for each type of work, so only authorised team members can make changes. For example, the "Development" subscription gives access to Azure VMs, the "Security" subscription gives access to Azure Security Centre, while the "Compliance" subscription gives access to Azure Policy.

Management groups

The final piece of the puzzle is management groups. If subscriptions were bookshelves, think of management groups as entire sections of a library.

Now, you might think: aren't subscriptions enough? That is definitely the case for individuals and even smaller businesses that are managing smaller-scale projects. After all, not all of us need entire aisles of bookshelves at home!

But imagine if you’re dealing with multiple applications, multiple development teams, in multiple geographies. Think of management groups as the top level for the big companies that need it. This is similar to libraries being a unique case - they simply have so many books that it's necessary to divide their space into subscriptions.

When you apply rules or settings to a management group, you're applying it to all the subscriptions inside it too.

Why do management groups exist?

Management groups work super similarly to subscriptions, they're simply at a wider scale now.

  • Access management: If you want to give users access to several subscriptions, put those subscriptions under a management group. Then, assign access permissions at the management group level. This way, users get access to everything they need without the complexity of setting up access separately for each subscription.
  • Setting up policies: For example, you could set up a management group with the rule that all virtual machines (VMs) are only located in the US West Region. This rule will automatically apply to all the subscriptions, resource groups, and VMs under it, making sure the policy stays in place. Plus, this rule can't be changed by owners of the resources, resource groups of subscriptions inside it, so you can rest easy that this rule won't be broken.

A funky thing about management groups is that they can be nested to help with organisation. Here is an example of creating a hierarchy by using management groups.

Diagram showing an example of a management group hierarchy tree.

Fun facts about management groups

  • You can have up to 10,000 management groups in one account. That's a lot of organising!
  • You can have up to six levels of organisation in your management group tree. This limit doesn't include the Root Management Group at the top level.
  • Each management group and subscription can have only one parent. Remember how we said books can only be a part of one shelf at a time? It's the same idea here. A management group can only be in one management group at a time; a subscription can only be in one management group at a time.

And that's a wrap!

Here is a summary of Azure's management infrastructure: