Tutorial / Cram Notes
At the top of the hierarchy are management groups. These groups are containers that help you manage access, policy, and compliance for multiple subscriptions. A single management group can contain multiple subscriptions, and other management groups, allowing for a flexible and structured management architecture. This is particularly useful for large organizations with various departments, each requiring different policies and access controls.
Management groups enable you to apply governance conditions such as Azure policies and Role-Based Access Control (RBAC) across multiple subscriptions. You can have up to six levels of depth in the management group hierarchy, not including the Root level or tenant level. This enables a granular level of control over different organizational units.
Example:
A multinational corporation might set up a management group structure like this:
- Root Management Group (Tenant Level)
- Global Policies Management Group
- Europe Management Group
- France Subscription
- Germany Subscription
- America Management Group
- USA Subscription
- Canada Subscription
- Europe Management Group
- Global Policies Management Group
Subscriptions
Subscriptions are the next level in the hierarchy. A subscription is a logical container into which all Azure resources are deployed and managed. It is associated with an Azure account, and it is used to establish boundaries for resource usage. Each subscription can have its own billing and payment setup, which is helpful for keeping financial controls separate for different projects or departments within an organization.
Subscriptions provide an isolation boundary for resources, and you can use them to segregate environments for different projects or stages within a lifecycle, including production, development, and testing.
Example:
In a development workflow, an organization can maintain separate subscriptions for each environment:
- Development Subscription
- Testing Subscription
- Production Subscription
Each subscription will have its own set of resources, policies, and access controls, preventing accidental interference between environments.
Resource Groups
Below subscriptions, we find resource groups. A resource group is a container that holds related resources for an Azure solution. The resources in a resource group can include virtual machines, storage accounts, web apps, databases, and more, all of which are typically linked to a common lifecycle.
Resource groups allow you to manage and monitor resources together, as well as apply consistent policies and access rules. It is possible to add or remove resources to a resource group at any time, and resource groups can also span multiple regions.
Example:
An application might have the following structure within a resource group:
- Resource Group: MyApplication
- Virtual Machine: MyApplicationVM
- Storage Account: MyApplicationStorage
- SQL Database: MyApplicationDB
- Virtual Network: MyApplicationVNet
This logical grouping allows for simplified management as all related components of the application are located within the same resource group. It also makes it easier to delete all resources connected to an application when it’s no longer needed by deleting the resource group.
Hierarchy Overview and Comparison
To summarize, here’s an overview of the hierarchy:
Level | Container Purpose | Use Case |
---|---|---|
Management Groups | Manage access, policies, and compliance across multiple subscriptions. | Grouping subscriptions by organizational structure or governance needs. |
Subscriptions | Isolation boundary for resources, with separate billing and payment setups. | Separating resources for different projects, teams, or billing entities. |
Resource Groups | Hold related resources for an Azure solution with a common lifecycle. | Grouping resources that support a specific application or service. |
Understanding this hierarchy is essential for efficient Azure management and a critical aspect for those preparing for the AZ-900 Microsoft Azure Fundamentals exam. Properly leveraging the hierarchy allows for better organization, governance, and cost management across all resources deployed in the cloud environment.
Practice Test with Explanation
True or False: In Azure, a management group can contain multiple subscriptions.
- True
Management groups are a level above subscriptions, allowing you to organize subscriptions into containers and apply governance controls such as Azure policies at a broad level.
Resource groups within Azure are used to manage the lifecycle of resources collectively.
- True
Resource groups serve as containers for resources that share a common lifecycle, permissions, and policies, enabling easy management and organization of Azure resources.
How many levels of management groups can you have in a single hierarchy in Azure?
- A) 2
- B) 6
- C) 10
- D) Unlimited
B) 6
Azure allows up to six levels of depth when organizing management groups in a hierarchy, excluding the root level.
Which Azure entity is at the top of the management hierarchy?
- A) Subscription
- B) Resource Group
- C) Management Group
- D) Resource
C) Management Group
The management group is the top-most level of organization in the Azure hierarchy, used for access management, policy, and compliance across multiple subscriptions.
True or False: Every Azure subscription can only be associated with one management group.
- False
While a subscription can only be a child to a single management group at a given level, it can be part of a hierarchy under the management group, effectively being associated with multiple management groups up the hierarchy.
Multiple select: Which of the following statements are true about Azure Subscriptions?
- A) Subscriptions help with billing separation.
- B) Subscriptions can contain multiple resource groups.
- C) Subscriptions are the smallest unit of management in Azure.
- D) Subscriptions can be moved from one management group to another.
A) Subscriptions help with billing separation, B) Subscriptions can contain multiple resource groups, D) Subscriptions can be moved from one management group to another.
Subscriptions are used as a boundary for billing and resource management in Azure. They can contain multiple resource groups, and they can be moved from one management group to another for better organization and control.
True or False: Management groups provide a way to apply policies and compliance requirements across several Azure subscriptions.
- True
Management groups allow for the application of governance policies and access controls across many subscriptions, streamlining compliance and management.
True or False: Resources can be directly assigned to a management group without a subscription.
- False
Resources must be contained within a resource group, and resource groups must be contained within a subscription. Management groups do not directly contain resources.
Single select: Which component is directly below the subscription in the Azure hierarchy?
- A) Resource
- B) Resource Group
- C) Management Group
- D) Directory
B) Resource Group
In the Azure hierarchy, resource groups come under a subscription and are used to organize and manage resources within that subscription.
True or False: You can define Role-Based Access Control (RBAC) policies at the management group level.
- True
RBAC policies can be defined at the management group level to consistently apply access control across multiple subscriptions.
True or False: To view resources across several subscriptions, you must navigate to each subscription individually.
- False
Through the use of management groups, users can structure their subscriptions and view resources across these subscriptions without navigating to each one individually.
Single select: What is the maximum number of management groups an Azure environment can include?
- A) 10,000
- B) 1,000
- C) 500
- D) There’s no limit
A) 10,000
An Azure environment can have up to 10,000 management groups, allowing extensive hierarchical organization and management of subscriptions.
Interview Questions
What is the purpose of management groups in Azure?
Management groups in Azure allow you to manage access, policy, and compliance for a group of subscriptions, and apply consistent governance controls across your enterprise.
What is the hierarchy of resources in Azure?
The hierarchy of resources in Azure is as follows management groups, subscriptions, resource groups, and resources.
How are resources organized in Azure?
Resources in Azure are organized into resource groups, which can be created and managed within a subscription.
What is the benefit of using a management group in Azure?
A management group allows you to manage policies and access controls for a group of subscriptions, making it easier to maintain consistency across multiple environments.
How are management groups created in Azure?
Management groups can be created in the Azure portal, Azure PowerShell, or the Azure CLI.
What is the purpose of a subscription in Azure?
A subscription in Azure is a logical container that provides access to Azure services and resources.
What is the benefit of using resource groups in Azure?
Resource groups allow you to organize resources and apply policies and tags to resources as a group.
How are resource groups used in Azure?
Resource groups are used to organize resources and manage access control, monitoring, and cost management for a set of related resources.
What is the relationship between management groups and subscriptions in Azure?
Management groups provide a way to manage access, policy, and compliance for a group of subscriptions.
How are policies and governance controls applied across multiple subscriptions in Azure?
Policies and governance controls can be applied across multiple subscriptions using management groups.
Can resources be moved between resource groups in Azure?
Yes, resources can be moved between resource groups in Azure, and also between subscriptions.
What is the difference between a management group and a subscription in Azure?
A management group provides a way to manage access, policy, and compliance for a group of subscriptions, while a subscription provides access to Azure services and resources.
How are costs managed across multiple subscriptions in Azure?
Costs can be managed across multiple subscriptions using resource groups and cost management tools in Azure.
Can a resource group belong to multiple subscriptions in Azure?
No, a resource group can only belong to a single subscription in Azure.
What is the benefit of organizing resources into resource groups in Azure?
Organizing resources into resource groups in Azure allows for easier management of policies, access control, monitoring, and cost management for related resources.
The hierarchy of resource groups, subscriptions, and management groups can be confusing at first. Can someone explain how they are organized in a simple way?
I believe Management Groups are mainly for policy management across multiple subscriptions. Is that right?
Can you nest Management Groups within each other?
How do Resource Groups relate to Subscriptions in Azure?
So Management Groups are at the top, then Subscriptions, and finally Resource Groups. Correct?
Can a resource belong to multiple Resource Groups?
Appreciate the insights everyone!
What are some best practices for organizing Resource Groups within a Subscription?